A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.
The CrowdStrike API is how an app or AI agent works with a Falcon tenant: searching alerts, reading host details and containing a compromised machine, managing custom indicators, and running commands on a live endpoint. Access is granted through an API client with a secret and a fixed set of scopes, each read or write, so an agent is limited to the areas and actions that client was given. Falcon can also stream detections and audit events to a connection it holds open, rather than the agent repeatedly asking.
How an app or AI agent connects to CrowdStrike Falcon determines what it can reach. An API client is created in the Falcon console with a client ID and secret, and the API scopes ticked on that client, each set to read or write, fix what every call is allowed to do.
The REST API answers at a region-specific host, such as https://api.crowdstrike.com for US-1 or https://api.eu-1.crowdstrike.com for EU-1. Each endpoint carries its own path version, like v1 or v2.
CrowdStrike's Falcon MCP server lets an agent call Falcon through the Model Context Protocol, exposing detections, incidents, hosts, vulnerabilities, and threat intelligence. It is maintained by CrowdStrike and is in public preview, so production use is not yet advised. The source is at github.com/CrowdStrike/falcon-mcp.
Event Streams holds a long-lived connection open and pushes detections, audit records, authentication activity, and incident updates as they happen, resuming from an offset after a drop. It is started from the datafeed listing endpoint.
Falcon Fusion SOAR workflows can post chosen alerts and detections to a receiver URL through a webhook plugin, and can call Falcon APIs from within the workflow without separate credentials.
An API client is created in the Falcon console with a client ID and secret, and the API scopes ticked on it, each set to read or write. The client posts its ID and secret, form-encoded, to /oauth2/token on the regional host and receives a bearer token that lasts about 30 minutes; it sends that token in the Authorization header on each call. The token should be cached and reused until shortly before it expires, because the token endpoint is rate-limited separately and far more tightly than ordinary calls.
The Falcon API is split into areas an agent can act on, such as alerts, hosts, incidents, custom indicators, vulnerabilities, and Real Time Response. Each area maps to its own API scope, and some grant the ability to act on a live machine rather than only read data.
Query alert IDs by filter, aggregate alerts, pull full alert details, and update an alert's status or assignment. This is the unified surface that replaced the older Detects API.
Search managed devices by filter, read full device details, and run a containment action that cuts a host off from the network or lifts that containment.
Search incidents and their behaviours, read incident details, and perform incident actions like tagging, commenting, or renaming.
Query, read, create, update, and delete custom indicators of compromise, the hashes, domains, and addresses Falcon watches for and acts on.
Query vulnerability IDs by filter, read vulnerability details combined with affected hosts, and pull remediation records.
Open a remote session to a live host, run read-only or active-responder commands such as listing or deleting files, and manage scripts and put-files for those sessions.
Query and read prevention policies, create and update them, assign or unassign host groups, and set policy precedence.
Query user IDs, read user records, and create, update, or delete users and their role assignments.
List the available event feeds for the tenant and refresh an active streaming session so it stays open.
The tables below list each endpoint with the access it represents, the API scope the client must hold (the console name is given where it differs), its version status, and notes on request shape, deprecation dates, and related Event Streams events.

**Alerts & detections** (4 endpoints)

| Method | Endpoint | What it does | Access | Scope | Version | Notes |
|---|---|---|---|---|---|---|
| GET | /alerts/queries/alerts/v2 | Search alerts and return the IDs that match a Falcon Query Language filter. | read | Alerts: read | Current | Falcon Query Language is CrowdStrike's filter syntax, used here to narrow alerts by fields like status, severity, or tactic. Related stream event: DetectionSummaryEvent. |
| POST | /alerts/aggregates/alerts/v2 | Return aggregate counts and breakdowns for alerts across the customer IDs the client can see. | read | Alerts: read | Current | Returns counts grouped by a chosen field rather than individual alerts. |
| POST | /alerts/entities/alerts/v2 | Read full details for a set of alerts by their IDs. | read | Alerts: read | Current | The composite IDs come from the alerts query endpoint and travel in the request body, which is why this is a POST. |
| PATCH | /alerts/entities/alerts/v3 | Update alerts, such as changing status, assignment, or verdict. | write | Alerts: write | Current | The body lists composite_ids and action_parameters, for example update_status with the value in_progress, or an assignment to an owner. |

**Hosts & devices** (3 endpoints)

| Method | Endpoint | What it does | Access | Scope | Version | Notes |
|---|---|---|---|---|---|---|
| GET | /devices/queries/devices/v1 | Search managed devices by filter and return the device IDs that match. | read | Hosts: read | Current | Filters on device fields like hostname, platform, or last seen. |
| POST | /devices/entities/devices/v2 | Read full details for a set of devices by their IDs. | read | Hosts: read | Current | Takes the IDs in the body and returns each device's operating system, sensor version, network details, and policy state. |
| POST | /devices/entities/devices-actions/v2 | Run an action on devices, including network containment and lifting containment. | write | Hosts: write | Current | The action_name query parameter selects contain or lift_containment; the device IDs go in the body. Containment cuts the host off from the network while keeping the Falcon sensor connected to the cloud, so the host can still be released. |

**Incidents** (3 endpoints)

| Method | Endpoint | What it does | Access | Scope | Version | Notes |
|---|---|---|---|---|---|---|
| GET | /incidents/queries/incidents/v1 | Search incidents by a Falcon Query Language filter and return their IDs. | read | Incidents: read | Sunset | Legacy incident API: deprecated 2024-10-01, with removal planned for 2026-03-31, after which incidents surface through the Alerts API. |
| POST | /incidents/entities/incidents/GET/v1 | Read full details for a set of incidents by their IDs. | read | Incidents: read | Sunset | Part of the deprecated incident API (sunset 2026-03-31). The IDs travel in the body. |
| POST | /incidents/entities/incident-actions/v1 | Perform actions on incidents, such as adding tags or comments or updating the name or description. | write | Incidents: write | Sunset | Part of the deprecated incident API (sunset 2026-03-31). |

**Custom indicators (IOCs)** (5 endpoints)

| Method | Endpoint | What it does | Access | Scope | Version | Notes |
|---|---|---|---|---|---|---|
| GET | /iocs/queries/indicators/v1 | Search custom indicators of compromise by filter and return their IDs. | read | IOC Management: read (console: IOC Manager) | Current | An indicator of compromise is a hash, domain, IP address, or URL that Falcon watches for. These are the IOC Management paths; the older /indicators/queries/iocs/v1 and /indicators/entities/iocs/v1 custom-IOC endpoints are deprecated. |
| GET | /iocs/entities/indicators/v1 | Read full details for custom indicators by their IDs. | read | IOC Management: read (console: IOC Manager) | Current | |
| POST | /iocs/entities/indicators/v1 | Create custom indicators of compromise, with an action such as detect or prevent. | write | IOC Management: write (console: IOC Manager) | Current | The action set on an indicator decides whether Falcon only alerts on it or blocks it across the estate; a prevent action on a wrong hash blocks that file fleet-wide. |
| PATCH | /iocs/entities/indicators/v1 | Update custom indicators, such as changing their action, severity, or expiry. | write | IOC Management: write (console: IOC Manager) | Current | |
| DELETE | /iocs/entities/indicators/v1 | Delete custom indicators by their IDs. | write | IOC Management: write (console: IOC Manager) | Current | Removing an indicator stops Falcon detecting or blocking on it. |

**Spotlight vulnerabilities** (3 endpoints)

| Method | Endpoint | What it does | Access | Scope | Version | Notes |
|---|---|---|---|---|---|---|
| GET | /spotlight/queries/vulnerabilities/v1 | Search vulnerabilities by filter and return their IDs. | read | Vulnerabilities: read | Current | Spotlight is Falcon's vulnerability-management module. |
| GET | /spotlight/combined/vulnerabilities/v1 | Query vulnerabilities and return their full details together with affected host data in one call. | read | Vulnerabilities: read | Current | Combines the query and detail steps, and can enrich each vulnerability with its affected host. |
| GET | /spotlight/entities/remediations/v2 | Read remediation details, the fixes that resolve a set of vulnerabilities. | read | Vulnerabilities: read | Current | |

**Real Time Response** (4 endpoints)

| Method | Endpoint | What it does | Access | Scope | Version | Notes |
|---|---|---|---|---|---|---|
| POST | /real-time-response/entities/sessions/v1 | Open a Real Time Response session to a single host. | read | Real time response: read | Current | Real Time Response opens a remote shell to a live machine; a session is the precondition for running any command. The body names the device_id, and queue_offline set to true queues the session for a host that is currently offline. |
| POST | /real-time-response/entities/command/v1 | Run a read-only Real Time Response command in a session, such as listing files or processes. | read | Real time response: read | Current | The read-only tier covers commands that inspect a host without changing it. The body carries session_id, base_command, and command_string; the response's cloud_request_id is polled with the GET form of this path until the result is complete. |
| POST | /real-time-response/entities/active-responder-command/v1 | Run an active-responder Real Time Response command in a session, such as deleting a file or killing a process. | write | Real time response: write | Current | The active-responder tier runs commands that change a live host. Same request and polling shape as the read-only tier. |
| POST | /real-time-response/entities/admin-command/v1 | Run an administrator Real Time Response command in a session, the most privileged command tier. | write | RTR admin: write (console: Real time response (admin)) | Current | The admin tier covers the most powerful commands, including put, run, and runscript, and uses a separate scope from the other two tiers, so it can be withheld from an agent that only needs to inspect or kill. |

**Prevention policies** (4 endpoints)

| Method | Endpoint | What it does | Access | Scope | Version | Notes |
|---|---|---|---|---|---|---|
| GET | /policy/queries/prevention/v1 | Search prevention policies by filter and return their IDs. | read | Prevention policies: read | Current | A prevention policy is the set of protection settings applied to a group of hosts. |
| GET | /policy/entities/prevention/v1 | Read full details for prevention policies by their IDs. | read | Prevention policies: read | Current | |
| PATCH | /policy/entities/prevention/v1 | Update prevention policies, changing the protection settings they apply. | write | Prevention policies: write | Current | Changing a policy changes how every host group assigned to it is protected. |
| POST | /policy/entities/prevention-actions/v1 | Act on a prevention policy, such as assigning or unassigning host groups or enabling and disabling it. | write | Prevention policies: write | Current | The action_name query parameter selects add-host-group, remove-host-group, enable, or disable; the policy IDs go in the body. |

**Users** (5 endpoints)

| Method | Endpoint | What it does | Access | Scope | Version | Notes |
|---|---|---|---|---|---|---|
| GET | /user-management/queries/users/v1 | Return the IDs of users in the tenant. | read | User management: read | Current | |
| POST | /user-management/entities/users/GET/v1 | Read user records by their IDs. | read | User management: read | Current | Takes the IDs in the body and returns names, email addresses, and role assignments. |
| POST | /user-management/entities/users/v1 | Create a user in the tenant. | write | User management: write | Current | Creating a user grants someone access to the Falcon console. |
| PATCH | /user-management/entities/users/v1 | Update a user's details. | write | User management: write | Current | |
| DELETE | /user-management/entities/users/v1 | Delete a user from the tenant. | write | User management: write | Current | Removing a user revokes their access to the Falcon console. |

**Event streams** (2 endpoints)

| Method | Endpoint | What it does | Access | Scope | Version | Notes |
|---|---|---|---|---|---|---|
| GET | /sensors/entities/datafeed/v2 | List the event feeds available to the tenant, with the URLs and tokens needed to start streaming. | read | Event streams: read | Current | The entry point to Event Streams; takes an appId that labels the connection. Each returned resource carries the dataFeedURL to open with its session token, plus the refresh URL and interval. Related stream events: DetectionSummaryEvent and the other events listed below. |
| POST | /sensors/entities/datafeed-actions/v1/{partition} | Refresh an active streaming session so the feed connection stays open. | read | Event streams: read | Current | Takes action_name=refresh_active_stream_session and the appId as query parameters; the datafeed listing returns a ready-made refreshActiveSessionURL for this, which is the one to call. A session not refreshed within the returned interval closes. Uses the same read scope as listing the feeds. |
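The scope column above is what Falcon enforces, but an agent should know before it sends a call whether its client holds the scope and whether the call changes live state. The following is an added example, not CrowdStrike code: a client-side gate built from a subset of the table, keyed by method and versioned path. The scope strings ("alerts:read", "real-time-response-admin:write") are this example's own shorthand for the console scopes, the HIGH_IMPACT set is a policy choice for autonomous agents, and unknown routes are denied by default.

```python
"""Client-side least-privilege gate for an agent calling the Falcon API.

Added example, not CrowdStrike code. ROUTES is a subset of the reference
table above, keyed by method and versioned path; the scope strings are this
example's shorthand for the console scopes ("Alerts: read" -> "alerts:read").
Falcon enforces scopes server side and answers 403 regardless; this gate lets
the agent refuse, log, or hold for approval before the call leaves the process.
"""
from typing import Dict, Optional, Set, Tuple

ROUTES: Dict[Tuple[str, str], str] = {
    ("GET", "/alerts/queries/alerts/v2"): "alerts:read",
    ("POST", "/alerts/aggregates/alerts/v2"): "alerts:read",
    ("POST", "/alerts/entities/alerts/v2"): "alerts:read",
    ("PATCH", "/alerts/entities/alerts/v3"): "alerts:write",
    ("GET", "/devices/queries/devices/v1"): "hosts:read",
    ("POST", "/devices/entities/devices/v2"): "hosts:read",
    ("POST", "/devices/entities/devices-actions/v2"): "hosts:write",
    ("POST", "/real-time-response/entities/sessions/v1"): "real-time-response:read",
    ("POST", "/real-time-response/entities/command/v1"): "real-time-response:read",
    ("POST", "/real-time-response/entities/active-responder-command/v1"): "real-time-response:write",
    ("POST", "/real-time-response/entities/admin-command/v1"): "real-time-response-admin:write",
    ("PATCH", "/policy/entities/prevention/v1"): "prevention-policies:write",
    ("DELETE", "/user-management/entities/users/v1"): "user-management:write",
    ("GET", "/sensors/entities/datafeed/v2"): "event-streams:read",
    ("POST", "/sensors/entities/datafeed-actions/v1/{partition}"): "event-streams:read",
}

# Granted or not, these change a live host, the tenant's users, or its protections:
# an autonomous agent should hold such calls for a human decision (policy choice).
HIGH_IMPACT: Set[str] = {"hosts:write", "real-time-response:write", "real-time-response-admin:write",
                         "prevention-policies:write", "user-management:write"}


def required_scope(method: str, url_path: str) -> Optional[str]:
    """Match method and path (query string ignored, {param} segments wild); None for unknown routes."""
    segs = url_path.split("?", 1)[0].rstrip("/").split("/")
    for (m, pattern), scope in ROUTES.items():
        if m != method.upper():
            continue
        psegs = pattern.split("/")
        if len(psegs) == len(segs) and all(p.startswith("{") or p == s for p, s in zip(psegs, segs)):
            return scope
    return None


class ScopeGate:
    def __init__(self, granted: Set[str]):
        # Read and write are separate ticks on the API client: write does not imply read.
        self.granted = set(granted)

    def decide(self, method: str, url_path: str) -> Tuple[str, str]:
        """Return (decision, reason) with decision one of allow, approve, deny."""
        scope = required_scope(method, url_path)
        if scope is None:
            return "deny", f"{method} {url_path}: not on the route allow-list"
        if scope not in self.granted:
            return "deny", f"needs {scope}; client holds {sorted(self.granted)}"
        if scope in HIGH_IMPACT:
            return "approve", f"{scope} changes live state; hold for human approval"
        return "allow", scope


if __name__ == "__main__":
    gate = ScopeGate({"alerts:read", "hosts:read", "hosts:write", "event-streams:read"})
    for call in [("GET", "/alerts/queries/alerts/v2?filter=status:'new'"),
                 ("POST", "/devices/entities/devices-actions/v2?action_name=contain"),
                 ("POST", "/real-time-response/entities/admin-command/v1")]:
        print(call, "->", gate.decide(*call))
```

The gate matches the versioned path literally, so a new endpoint version is a new route that has to be reviewed and added rather than silently inherited. Containment is granted to the example client but still returns "approve", since a wrong contain call isolates a production host.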
CrowdStrike can stream events to an app or AI agent instead of the app repeatedly asking. The Event Streams feed holds a long-lived connection open and pushes detections, audit records, and incident updates as they happen, and Falcon Fusion SOAR workflows can post chosen alerts to a receiver URL.
| Event | What it signals | Delivered via |
|---|---|---|
| DetectionSummaryEvent | Carried on the Event Streams feed when Falcon raises a new detection, with the detection's severity, tactic, technique, and the host involved. | /sensors/entities/datafeed/v2 |
| IncidentSummaryEvent | Carried on the Event Streams feed when an incident is created or updated, grouping related detections. | /sensors/entities/datafeed/v2 |
| AuthActivityAuditEvent | Carried on the Event Streams feed for authentication activity, such as a console sign-in or an API token request. | /sensors/entities/datafeed/v2 |
| UserActivityAuditEvent | Carried on the Event Streams feed for administrative changes inside Falcon, such as a policy edit or a user being added. | /sensors/entities/datafeed/v2 |
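Consuming the feed correctly comes down to three things the text above describes: open the dataFeedURL with the session token rather than the bearer token, remember the offset of the last record handled so a reconnect resumes instead of replaying, and refresh the session before the interval runs out. The following is an added example, not CrowdStrike code. The record shape (metadata.offset, metadata.eventType, newline-delimited JSON) and the listing fields (dataFeedURL, sessionToken.token, refreshActiveSessionURL, refreshActiveSessionInterval) are assumptions about the feed, and SAMPLE_RESOURCE and SAMPLE_FEED are constructed here with invalid hostnames so nothing is contacted.

```python
"""Event Streams consumer with an offset checkpoint and a session-refresh timer.

Added example, not CrowdStrike code. Assumed shapes: the datafeed listing
returns, per partition, dataFeedURL, sessionToken.token,
refreshActiveSessionURL and refreshActiveSessionInterval; the feed body is
newline-delimited JSON records with metadata.offset and metadata.eventType,
opened with "Authorization: Token <session token>". SAMPLE_RESOURCE and
SAMPLE_FEED are constructed for this example.
"""
import json
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Tuple

SAMPLE_RESOURCE = {
    "dataFeedURL": "https://firehose.example.invalid/sensors/entities/datafeed/v2/0?appId=agent-1",
    "sessionToken": {"token": "constructed-session-token"},
    "refreshActiveSessionURL": "https://api.example.invalid/sensors/entities/datafeed-actions/v1/0"
                               "?appId=agent-1&action_name=refresh_active_stream_session",
    "refreshActiveSessionInterval": 1800,
}

# Constructed feed: a replayed record (1042), a high-severity detection, an audit
# record, a blank keep-alive line, and a failed sign-in.
SAMPLE_FEED = b"""{"metadata":{"offset":1042,"eventType":"DetectionSummaryEvent"},"event":{"Severity":2,"ComputerName":"ws-003"}}
{"metadata":{"offset":1043,"eventType":"DetectionSummaryEvent"},"event":{"Severity":4,"ComputerName":"ws-017","Tactic":"Credential Access","Technique":"OS Credential Dumping"}}
{"metadata":{"offset":1044,"eventType":"UserActivityAuditEvent"},"event":{"OperationName":"updatePreventionPolicy","UserId":"admin@example.com"}}

{"metadata":{"offset":1045,"eventType":"AuthActivityAuditEvent"},"event":{"OperationName":"userAuthenticate","Success":false}}
"""

Event = Tuple[int, str, dict]
Handler = Callable[[dict], None]


def connect_headers(resource: dict) -> Dict[str, str]:
    """The feed URL is opened with the session token from the listing, not the OAuth2 bearer."""
    return {"Authorization": f"Token {resource['sessionToken']['token']}"}


def parse_feed(lines: Iterable[bytes]) -> Iterator[Event]:
    """Yield (offset, eventType, event) per record; blank keep-alive lines are skipped."""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = json.loads(line)
        yield int(rec["metadata"]["offset"]), rec["metadata"]["eventType"], rec.get("event", {})


class Checkpoint:
    """Highest offset fully handled. Persist it so a reconnect resumes here rather than replaying."""
    def __init__(self, offset: Optional[int] = None):
        self.offset = offset

    def resume_url(self, data_feed_url: str) -> str:
        if self.offset is None:
            return data_feed_url
        sep = "&" if "?" in data_feed_url else "?"
        return f"{data_feed_url}{sep}offset={self.offset + 1}"


def consume(lines: Iterable[bytes], checkpoint: Checkpoint, handlers: Dict[str, Handler]) -> Dict[str, int]:
    """Dispatch each record by eventType; advance the checkpoint only after the handler returns."""
    counts: Dict[str, int] = {}
    for offset, etype, event in parse_feed(lines):
        if checkpoint.offset is not None and offset <= checkpoint.offset:
            continue                      # replay after a reconnect: delivery is at-least-once
        handlers.get(etype, lambda e: None)(event)
        counts[etype] = counts.get(etype, 0) + 1
        checkpoint.offset = offset
    return counts


def refresh_due(last_refresh: float, now: float, interval: float, margin: float = 300.0) -> bool:
    """True when the session should be refreshed (POST refreshActiveSessionURL with the bearer token)."""
    return now - last_refresh >= interval - margin


def demo() -> dict:
    escalated: List[dict] = []
    audit: List[dict] = []
    handlers: Dict[str, Handler] = {
        "DetectionSummaryEvent": lambda e: escalated.append(e) if e.get("Severity", 0) >= 4 else None,
        "UserActivityAuditEvent": audit.append,
        "AuthActivityAuditEvent": audit.append,
    }
    cp = Checkpoint(offset=1042)          # handled up to 1042 before the connection dropped
    counts = consume(SAMPLE_FEED.splitlines(), cp, handlers)
    return {"counts": counts, "offset": cp.offset, "escalated": len(escalated), "audit": len(audit),
            "resume": cp.resume_url(SAMPLE_RESOURCE["dataFeedURL"]),
            "refresh_due": refresh_due(0.0, 1500.0, SAMPLE_RESOURCE["refreshActiveSessionInterval"])}


if __name__ == "__main__":
    print(demo())
```

Handlers must be idempotent: the checkpoint is advanced after a handler returns, so a crash mid-record means that record is seen again on resume, and a reconnect may replay the last offset regardless.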
CrowdStrike limits how fast an app or AI agent can call, per API client and per endpoint, and reports the current state in response headers. Going over returns a 429, and the token endpoint itself is held to a much lower rate than ordinary calls.
CrowdStrike rate-limits per API client and per endpoint rather than across the whole API, and does not publish a single fixed number for every endpoint. Each response carries X-RateLimit-Limit, the ceiling per minute, and X-RateLimit-Remaining, the calls left in the current window. When a limit is exceeded the call returns 429 and an X-RateLimit-RetryAfter header gives a UTC timestamp, in Unix epoch seconds, for when the pool will have capacity again. The token endpoint is held to a much lower limit than ordinary calls, so a token should be cached and reused across requests until shortly before it expires rather than fetched per call.
List endpoints use offset-based pagination through the offset and limit parameters; the default page size is 100 and the maximum varies by endpoint, with 500 common and some query endpoints allowing more. Some high-volume endpoints, such as the alerts query, also support an after cursor for walking result sets larger than offset paging allows: each page returns the token for the next page until no token is returned. The total count of matches is returned in the response metadata, under meta.pagination.total.
Requests and responses are JSON. Many list and detail endpoints take IDs in batches, commonly up to a few hundred or a thousand IDs per call, and exceeding a batch limit returns a 400 with the limit named in the errors array. Specific per-endpoint batch ceilings are documented on each endpoint.
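The query-then-fetch pattern, both paging styles, and the batch ceiling on detail endpoints fit together in one loop. The following is an added example, not CrowdStrike code: the three callables stand in for GET /alerts/queries/alerts/v2 (offset or after paging) and POST /alerts/entities/alerts/v2 (composite_ids in the body), and FakeAlertStore returns constructed pages so the code runs offline. The response shape assumed is {"meta": {"pagination": {...}}, "resources": [...]} with an errors array on a rejected batch.

```python
"""Query IDs, page through them, then read entity details in batches.

Added example, not CrowdStrike code. The callables stand in for
GET /alerts/queries/alerts/v2 (offset or after paging) and
POST /alerts/entities/alerts/v2 (composite_ids in the body); FakeAlertStore
returns constructed pages so this runs offline. Assumed response shape:
{"meta": {"pagination": {"offset", "limit", "total", "after"}}, "resources": [...]}.
"""
from typing import Callable, Dict, Iterable, Iterator, List, Optional

PageQuery = Callable[[int, int], dict]
CursorQuery = Callable[[Optional[str], int], dict]


def iter_offset_pages(query: PageQuery, limit: int) -> Iterator[List[str]]:
    """Walk offset/limit pages; stop at meta.pagination.total or at the first empty page."""
    offset = 0
    while True:
        page = query(offset, limit)
        ids = page.get("resources") or []
        if not ids:
            return
        yield ids
        offset += len(ids)
        total = page.get("meta", {}).get("pagination", {}).get("total")
        if total is not None and offset >= total:
            return


def iter_after_pages(query: CursorQuery, limit: int) -> Iterator[List[str]]:
    """Walk cursor pages: pass the returned after token back until no token comes back."""
    after: Optional[str] = None
    while True:
        page = query(after, limit)
        ids = page.get("resources") or []
        if ids:
            yield ids
        after = page.get("meta", {}).get("pagination", {}).get("after")
        if not after:
            return


def chunked(items: Iterable[str], size: int) -> Iterator[List[str]]:
    buf: List[str] = []
    for item in items:
        buf.append(item)
        if len(buf) == size:
            yield buf
            buf = []
    if buf:
        yield buf


def fetch_entities(get_entities: Callable[[List[str]], dict], ids: Iterable[str], batch_max: int) -> List[dict]:
    """Read details in batches no larger than the endpoint's ID ceiling; a 400 names the limit."""
    out: List[dict] = []
    for batch in chunked(ids, batch_max):
        resp = get_entities(batch)
        if resp.get("errors"):
            raise ValueError(resp["errors"][0].get("message"))
        out.extend(resp.get("resources", []))
    return out


class FakeAlertStore:
    """Constructed stand-in for the alerts endpoints holding n matching alerts."""
    def __init__(self, n: int = 7, id_ceiling: int = 1000):
        self.ids = [f"cid-0001:ind:{i:04d}" for i in range(n)]
        self.id_ceiling = id_ceiling
        self.entity_calls = 0

    def query_offset(self, offset: int, limit: int) -> dict:
        return {"meta": {"pagination": {"offset": offset, "limit": limit, "total": len(self.ids)}},
                "resources": self.ids[offset:offset + limit]}

    def query_after(self, after: Optional[str], limit: int) -> dict:
        start = int(after) if after else 0
        pagination: Dict[str, object] = {"limit": limit, "total": len(self.ids)}
        if start + limit < len(self.ids):
            pagination["after"] = str(start + limit)   # opaque to the caller in the real API
        return {"meta": {"pagination": pagination}, "resources": self.ids[start:start + limit]}

    def get_entities(self, ids: List[str]) -> dict:
        self.entity_calls += 1
        if len(ids) > self.id_ceiling:
            return {"errors": [{"code": 400, "message": f"composite_ids: at most {self.id_ceiling} per request"}]}
        return {"resources": [{"composite_id": i, "status": "new"} for i in ids]}


def collect_alerts(store: FakeAlertStore, page_limit: int, batch_max: int) -> List[dict]:
    ids = [i for page in iter_offset_pages(store.query_offset, page_limit) for i in page]
    return fetch_entities(store.get_entities, ids, batch_max)


if __name__ == "__main__":
    s = FakeAlertStore()
    print(len(collect_alerts(s, 3, 5)), "alerts in", s.entity_calls, "entity calls")
```

Stopping on an empty page as well as on the total guards against the count changing while the walk is in progress; treating the after token as opaque keeps the loop correct when the real token is not a number.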
The status codes an agent should handle, and what to do about each.
| Status | Code | Meaning | What to do |
|---|---|---|---|
| 400 | Bad Request | The request was malformed, such as an invalid Falcon Query Language filter or a missing required field. The body holds an errors array, where each entry has a code and a message. | Read the message in the errors array, correct the named field or filter, and resend. |
| 401 | Unauthorized | The bearer token is missing, invalid, or expired. Tokens last about 30 minutes. | Request a fresh token from the token endpoint with the client ID and secret, then retry. |
| 403 | Forbidden | The token is valid but the API client does not hold the scope the endpoint needs, for example calling a write endpoint with only read ticked. | Add the required scope to the API client in the Falcon console, then request a new token. |
| 404 | Not Found | The resource does not exist, or the requested ID is not visible to this API client. | Confirm the ID and the path, and that the client has access to the resource. |
| 429 | Too Many Requests | A rate limit was exceeded. The X-RateLimit-RetryAfter header gives a UTC timestamp for when the request pool will have capacity again. The token endpoint has a much lower limit than ordinary calls. | Wait until the X-RateLimit-RetryAfter time, then retry with exponential backoff. |
| 500 | Internal Server Error | Falcon hit an unexpected error handling the request. The body still carries an errors array with a code and message. | Retry with backoff, and if it persists, contact CrowdStrike support with the trace ID from the response. |
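Token caching and the per-status handling in the table are one piece of code in practice. The following is an added example, not CrowdStrike code: a small client that caches the token until shortly before it expires, fetches a fresh one on 401, waits until X-RateLimit-RetryAfter on 429 with a backoff floor, backs off on 5xx, and refuses to retry a 403. The transport is injected, and ScriptedTransport returns constructed responses so it runs offline; the region hosts, the /oauth2/token request (form-encoded client_id and client_secret, answered with access_token and expires_in) and the errors array shape are as the page describes, and the 201 status on token issue is an assumption of this example.

```python
"""Token caching and retry policy for calls to the Falcon API. Added example, not
CrowdStrike code. The transport is injected so the file runs offline; ScriptedTransport
returns constructed responses. Assumed: POST {base}/oauth2/token with form-encoded
client_id and client_secret answers 201 with access_token and expires_in (about 1799 s).
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

BASE_URLS = {"us-1": "https://api.crowdstrike.com", "us-2": "https://api.us-2.crowdstrike.com",
             "eu-1": "https://api.eu-1.crowdstrike.com"}
REFRESH_MARGIN = 60   # seconds before expiry at which the cached token is replaced
MAX_ATTEMPTS = 4


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


class ScopeError(PermissionError):
    """403: the API client lacks the scope; retrying cannot fix it."""


def error_text(resp: Response) -> str:
    errs = "; ".join(f"{e.get('code')}: {e.get('message')}" for e in resp.body.get("errors", []))
    return f"{errs} (trace_id={resp.body.get('meta', {}).get('trace_id')})"


class FalconClient:
    def __init__(self, client_id, client_secret, region, send, now=time.time, sleep=time.sleep):
        self.base = BASE_URLS[region]
        self._creds = (client_id, client_secret)
        self._send, self._now, self._sleep = send, now, sleep
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _bearer(self) -> str:
        """Reuse the cached token; the token endpoint has its own, much lower rate limit."""
        if self._token is None or self._now() >= self._expires_at - REFRESH_MARGIN:
            resp = self._send("POST", self.base + "/oauth2/token",
                              {"Content-Type": "application/x-www-form-urlencoded"},
                              {"client_id": self._creds[0], "client_secret": self._creds[1]})
            if resp.status not in (200, 201):
                raise RuntimeError("token request failed: " + error_text(resp))
            self._token = resp.body["access_token"]
            self._expires_at = self._now() + float(resp.body.get("expires_in", 1799))
        return self._token

    def request(self, method: str, path: str, body: Optional[dict] = None) -> Response:
        delay = 1.0
        for _ in range(MAX_ATTEMPTS):
            headers = {"Authorization": f"Bearer {self._bearer()}", "Accept": "application/json"}
            resp = self._send(method, self.base + path, headers, body)
            if resp.status == 401:            # expired or revoked token: drop it, fetch a fresh one
                self._token = None
                continue
            if resp.status == 403:            # missing scope: only a console change fixes it
                raise ScopeError(error_text(resp))
            if resp.status == 429:            # wait until the pool refills, never less than the backoff
                retry_at = float(resp.headers.get("X-RateLimit-RetryAfter", 0))
                self._sleep(max(retry_at - self._now(), delay))
                delay *= 2
                continue
            if resp.status >= 500:
                self._sleep(delay)
                delay *= 2
                continue
            return resp
        raise RuntimeError(f"{method} {path}: gave up after {MAX_ATTEMPTS} attempts")


class ScriptedTransport:
    """Constructed stand-in for the network: mints tokens, then serves queued API responses."""
    def __init__(self, api_responses: List[Response]):
        self.queue, self.token_requests = list(api_responses), 0

    def __call__(self, method, url, headers, data) -> Response:
        if url.endswith("/oauth2/token"):
            self.token_requests += 1
            return Response(201, {"access_token": f"tok{self.token_requests}", "expires_in": 1799})
        return self.queue.pop(0)


def demo() -> dict:
    clock, slept = {"t": 1_700_000_000.0}, []

    def sleep(s: float) -> None:             # advances the fake clock instead of blocking
        slept.append(s)
        clock["t"] += s

    transport = ScriptedTransport([
        Response(429, headers={"X-RateLimit-RetryAfter": str(clock["t"] + 5)}),
        Response(200, {"resources": ["alert-1"]}),
        Response(401, {"errors": [{"code": 401, "message": "access denied, invalid bearer token"}]}),
        Response(200, {"resources": ["alert-2"]}),
        Response(403, {"errors": [{"code": 403, "message": "access denied, authorization failed"}],
                       "meta": {"trace_id": "constructed-trace"}}),
    ])
    client = FalconClient("client-id", "client-secret", "us-1", transport, now=lambda: clock["t"], sleep=sleep)
    first = client.request("GET", "/alerts/queries/alerts/v2?filter=status:'new'").body["resources"]
    second = client.request("GET", "/devices/queries/devices/v1").body["resources"]
    try:
        client.request("PATCH", "/alerts/entities/alerts/v3", {"composite_ids": first})
        denied = False
    except ScopeError:
        denied = True
    return {"first": first, "second": second, "token_requests": transport.token_requests,
            "slept": slept, "scope_denied": denied}


if __name__ == "__main__":
    print(demo())
```

In the scripted run the token endpoint is hit twice across three requests: once at start and once after the 401, never per call, and the 429 costs a single five-second wait taken from the header rather than a guessed backoff.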
The Falcon API is not versioned as one whole. Each endpoint carries its own version in its path, most commonly v1 with newer v2 and v3 endpoints alongside, and a new version ships as a new path while the old one is deprecated on a published timeline before it is removed. There is no single account-wide version to pin.
The legacy Detects API was decommissioned on 30 September 2025, having been deprecated on 1 October 2024. Its detection search, aggregate, and detail operations were merged into the unified Alerts API. Integrations had to update their API client scopes and endpoint paths from the detects paths to the alerts paths to avoid a break in data.
CrowdStrike published the Falcon MCP server, letting AI agents reach Falcon over the Model Context Protocol for detections, incidents, hosts, vulnerabilities, and threat intelligence. It entered public preview, governed by the same API client scopes as the REST API, with production use advised against until a stable release.
CrowdStrike announced that the legacy incident API, covering CrowdScore, incidents, and behaviours, is deprecated and planned for removal in March 2026, with incident data surfacing through the Alerts API. Integrations on the /incidents endpoints need to move before then.
An integration pins each endpoint by its path version and moves up as newer ones ship.
CrowdStrike Developer Center ↗

Bollard AI sits between a team's AI agents and CrowdStrike Falcon. Grant each agent exactly the access it needs, read or write, scope by scope, and every call is checked and logged.