CrowdStrike Falcon APIs FAQ

CrowdStrike® offers five primary APIs with several subfunctions that can support a wide range of use cases. Based on use case and need, customers can either stream or query data from the CrowdStrike cloud for proactive threat intelligence, independent investigation, or relationship visualization.

CrowdStrike provides a suite of powerful APIs to enable customers of the CrowdStrike Falcon® platform to enhance their triage workflow and leverage their existing security investments. CrowdStrike recognizes that customers may be using a variety of security products to protect their environment, and the Falcon platform has been designed to be as open and extensible as possible. These APIs offer customers the opportunity to leverage the Falcon platform alongside their existing security investments to ensure complete integration from endpoint security to workflow automation.

CrowdStrike offers five primary APIs:

• Falcon Streaming —  Stream detections and audit security events
  

  With this API, users can monitor real-time events and receive alerts from their instances as they occur within a single data session, providing a low-latency, high-throughput data delivery mechanism.

• Falcon Data Replicator —  Ingest and correlate data
  

  Falcon Data Replicator gives security teams the ability to export complete endpoint data from the Falcon agent to their environment for independent analysis. It provides customers with the means to ingest the data from the Falcon platform into their local data warehouse and correlate it with logs collected from other sources.

• Falcon Threat Graph™ — Accelerate investigation by visualizing relationships
  

  The Falcon Threat Graph API leverages CrowdStrike's multi-petabyte graph database to reveal the underlying relationships between indicators of compromise (IOCs), devices, processes, and other forensic data and events, such as files written, module loads, or network connections. Integration with visualization tools such as Maltego allows you to traverse the graph to investigate relationships between events.

• Falcon Query — Manage, investigate, and respond
  

  The Falcon Query API allows you to upload IOCs for monitoring; obtain device information about systems with the Falcon agent installed; search for processes by indicators of attack (IOAs), IOCs and related processes; and manage detection status.

• Falcon Intelligence™ — Stay ahead of emerging threats
  

  The Falcon Intelligence API enables customers to benefit from a rich feed of information spanning indicators, adversaries, news, and customized threat alerts. Visualization tool integration allows you to see the correlation between adversaries, indicators, malware families and campaigns.

All CrowdStrike Falcon platform customers can access Falcon APIs, however API use is contingent on which products have been purchased. The table below outlines which APIs are available to Falcon platform customers. Please contact [email protected] for more information.

Falcon API keys are provisioned by CrowdStrike support, depending on your subscription (see above for more information).

• The Falcon Streaming API provides data through a streaming HTTP connection. An HTTPS connection is opened between a consumer client and the Falcon Streaming API, and new events are sent as they occur. Crowdstrike offers the SIEM connector client to simplify ingestion and enable conversion into syslog formats.
• The Falcon Data Replicator provides customer alerts via SQS when a new batch of endpoint data is available for download in S3. From there, customers can ingest event data into their own environments for storage and analysis.
• The Falcon Query and Intelligence APIs are a series of HTTPS REST APIs that operate according to a standard request-response model. Responses are formatted in JSON.
• The Falcon Threat Graph API calls the Threat Graph to determine which endpoints have seen indicators.

Customers do not need to deploy any additional infrastructure. Falcon APIs use the Falcon platform, which is built on 100 percent cloud architecture. This allows customers to be protected faster and drives down total cost of ownership (TCO) by eliminating on-premises hardware acquisition, deployment and maintenance. Crowdstrike’s cloud-based security also makes it impossible for the attacker to acquire CrowdStrike’s technology in an attempt to tamper with or discover bypasses for it.

All Crowdstrike customers have access to APIs; specific API access depends on subscriptions. To get started, email CrowdStrike support at [email protected] and obtain your API credentials, which will allow you to configure and start using the Falcon APIs.

CrowdStrike offers customers and researchers several publicly available tools to help automate workflow and case management functions, as well as to improve their security forensics and remediation actions, complementing the capabilities of the Falcon platform. These tools can be accessed via the CrowdStrike Community Tools website.

Yes, the Falcon Streaming API can connect to a locally hosted consumer client via HTTPS, and will send new events as they occur. Crowdstrike offers the SIEM connector client to simplify ingestion and enable conversion into syslog formats.

Falcon Orchestrator is an open source tool built on CrowdStrike’s APIs and is available to the general public. However, those wishing to enhance automation and execute real-time security forensics and remediation actions must be Falcon platform users. For more information and access to this tool, visit the Falcon Orchestrator website.

For instructions on how to operate the Falcon SIEM Connector, please refer to the SIEM Connector Feature Guide in the platform (login required).

Falcon Intelligence APIs are divided into four key subfunctions, defined below. Standard  subscribers have access to two subfunctions, while Premium subscribers have access to all four. See the descriptions and chart below.

Both Standard and Premium Falcon Intelligence Subscribers have access to the following subfunctions:

• Actors — The Falcon Intelligence Actors API allows subscribers to query and search for specific actors that CrowdStrike is tracking. It is a REST API that operates on a standard request-response model.
• Indicators — The Indicator API allows subscribers to query for indicators found in their environments such as those related to various actors, indicators of a specific confidence level, and those associated with Falcon Intelligence reports. The data can be sorted and filtered to more quickly locate the information you need.

Falcon Intelligence Premium Only

• Reports —  These reports query CrowdStrike Intelligence publications. You can receive additional information about these publications or simply download a PDF version.

The publications include:

• Intelligence Reports (CSIR)

• Threat Assessments (CSTA)

• Alerts (CSA)

• Periodic Reports (CSMR)

• Tippers (CSIT)

• Tailored Intelligence —  This API allows Falcon Intelligence Premium customers to maintain situational awareness on topics of interest. For example, you can track if your company's name is mentioned, or spot new developments with a particular malware family that interests you. This API will return the latest results when there's a match between your watchlist and the various sources monitored by CrowdStrike.

This table shows the APIs available with each level of your Falcon Intelligence subscription:

Please Note: All Falcon Intelligence APIs are REST APIs that operate on the standard request-response model. Requests are made with HTTPS and request/response data formatted as JSON.