CrowdStrike is developing its Falcon Platform as an “API first Platform”, meaning a lot of the features that are available through the Falcon User Interface (UI) are also available via a web based API. In some cases you have even more access and control through the API than you would have through the UI (for example the IOC import function gives you more flexibility via the API). CrowdStrike customers and partners can visit our Falcon Connect page to learn more about integration and customization options.
There are two different types of APIs in the Crowdstrike Falcon Platform:
- CrowdStrike Falcon Streaming API
- CrowdStrike Falcon Query API
For both of these APIs a different set of credentials is needed for access.
Customers, partners and evaluators can to contact firstname.lastname@example.org to get access to one or both APIs.
CrowdStrike Falcon Streaming API
The Streaming API provides event data as a continues stream of data. Similar to push notifications in email.
The Crowdstrike Falcon SIEM Connector uses this API (See how to setup the SIEM connector here).
The streaming API requires a UUID and API key for authentication. Once email@example.com has enabled the streaming API for your account, you can obtain the UUID and API key from the Falcon UI (https://falcon.crowdstrike.com).
To obtain an API key and UUID, you must have admin privileges in the Falcon UI.
- Sign in to the Falcon UI and navigate to the People App > Customer tab. Note that the People App is only visible to admins.
- Click “Reset API Key” (Note that any previous API key will be invalidated).
- Copy the API key and UUID for safe keeping.
CrowdStrike Falcon Query API
The CrowdStrike Falcon Query API is a “query/response” based web API. This means you can send commands (queries) with specific instructions like “Add this IOC hash” or “Show me all the systems that ran this file” and the API will respond back with a result set. This is an “on demand” API compared to the “push based” Streaming API.
Example of available Query APIs:
IOC Management APIs: These APIs deal with the creation and management of Indicators of Compromise (IOCS).
- Get IOCs API
- Upload IOCs API
- Update IOCs API
- Delete IOCs API
- Search IOCs API
Device Management APIs: This API deals with the management of the Falcon Sensor.
- Get Device Details API
IOC Search APIs: These APIs deal with investigating IOCs in your environment.
- Get Device Count API
- Get Devices Ran On API
- Get Processes Ran On API
- Get Process Detail API
- Resolve Detection API: This API allows you to change the status of a detection in Falcon.
The Query API requires a special set of username and password credentials (not the same credentials that you use for the Falcon UI) which can only be created by firstname.lastname@example.org)
Now that you have a general idea what the different APIs can do and you have obtained credentials to access them, you can get started with some examples on how to use them.