For Agents
Query endpoint alerts, investigate incidents, manage host containment, and retrieve threat intelligence from CrowdStrike Falcon's endpoint detection and response platform across multiple regional clouds.
Get started with CrowdStrike Falcon API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"detect and respond to endpoint security threats"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with CrowdStrike Falcon API.
Query and triage endpoint security alerts with severity filtering and aggregate analytics
Investigate incidents by retrieving associated behaviors, host details, and timeline data
Contain compromised hosts or lift containment through device action commands
Search and scroll through managed endpoints with filtering by hostname, OS, and online state
Use for: checking which endpoints have critical unresolved alerts; retrieving details about a specific security incident and its associated behaviors; containing a compromised host immediately to prevent lateral movement; listing all devices running Windows that are currently offline.
Not supported: Does not handle network traffic inspection, email security, or cloud workload protection — use for endpoint detection, response, and host management only.
Jentic publishes the only available OpenAPI specification for CrowdStrike Falcon API, keeping it validated and agent-ready. Detect, investigate, and respond to endpoint threats across 74 API endpoints covering host management, alert triage, incident response, IOC management, and real-time response sessions. The Falcon platform provides access to threat intelligence feeds, prevention policy configuration, spotlight vulnerability data, and event streaming for security operations centers managing thousands of endpoints. OAuth 2.0 authentication with regional cloud support (US-1, US-2, EU-1) ensures secure, multi-tenant access.
Push custom indicators of compromise (IOCs) for detection and blocking across the fleet
Initiate real-time response sessions to collect forensic artifacts from live endpoints
Stream security events in real-time for SIEM ingestion and automated response workflows
Patterns agents use CrowdStrike Falcon API for, with concrete tasks.
★ AI Agent Threat Triage
An AI agent uses the CrowdStrike Falcon API through Jentic to automatically triage endpoint alerts by querying aggregate alert data, retrieving incident details, and correlating behaviors across affected hosts. The agent prioritizes critical alerts, checks host containment status, and can trigger containment actions — all without manually configuring OAuth 2.0 client credentials or discovering the correct regional API endpoint.
Query POST /alerts/aggregates/alerts/v2 to get a count of critical alerts in the last 24 hours, then retrieve the top 5 alert details via POST /alerts/entities/alerts/v3
Automated Incident Investigation
Investigate security incidents programmatically by querying the incidents API for behavior details, affected host information, and timeline sequences. The Falcon API provides full incident context including process trees, network connections, and file modifications associated with each detection, enabling security teams to build automated investigation playbooks that reduce mean-time-to-respond from hours to minutes.
Retrieve an incident via POST /incidents/entities/incidents/GET/v1 using an incident ID, then fetch associated behaviors via POST /incidents/entities/behaviors/GET/v1
Host Containment and Response
Isolate compromised endpoints from the network through the device actions API while maintaining Falcon sensor connectivity for continued investigation. The containment workflow queries host details, applies network containment to stop lateral movement, and initiates real-time response sessions for forensic collection — all achievable through API calls that execute in seconds versus manual console operations.
Look up a host by hostname via GET /devices/queries/devices/v1, verify its online state via GET /devices/entities/online-state/v1, then contain it via POST /devices/entities/devices-actions/v2 with action_name 'contain'
Real-Time Event Streaming for SIEM
Stream detection events, authentication events, and platform audit logs from the Falcon platform into SIEM systems for centralized security monitoring. The Event Streams API provides a continuous feed of security-relevant events that can trigger automated response playbooks, populate threat dashboards, and satisfy compliance requirements for log retention and real-time monitoring across all managed endpoints.
Discover available event streams via GET /sensors/entities/datafeed/v2 and consume detection events from the returned stream URL
74 endpoints — Jentic publishes the only available OpenAPI specification for CrowdStrike Falcon API, keeping it validated and agent-ready.
METHOD  PATH                                    DESCRIPTION
POST    /alerts/entities/alerts/v3              Retrieve detailed alert entities by composite IDs
POST    /alerts/aggregates/alerts/v2            Aggregate alert statistics with filtering
POST    /incidents/entities/incidents/GET/v1    Retrieve incident details by IDs
POST    /devices/entities/devices-actions/v2    Perform actions on devices (contain, lift containment)
GET     /devices/queries/devices/v1             Search for device IDs by filter criteria
GET     /devices/entities/online-state/v1       Check device online/offline state
POST    /incidents/entities/behaviors/GET/v1    Retrieve behavior details for incidents
GET     /intel/combined/indicators/v1           Query threat intelligence indicators
Three things that make agents converge on Jentic-routed access.
Credential isolation
CrowdStrike OAuth 2.0 client credentials are stored encrypted in the Jentic vault (MAXsystem). Agents receive scoped bearer tokens — raw client_id and client_secret values never enter the agent's context window.
Intent-based discovery
Agents search by intent (e.g., 'contain a compromised endpoint') and Jentic returns matching Falcon API operations with their input schemas, so the agent can call the right endpoint without navigating CrowdStrike's documentation or determining the correct regional cloud.
Time to first call
Direct CrowdStrike integration: 3-5 days for OAuth setup, regional endpoint discovery, and pagination handling. Through Jentic: under 1 hour — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
Cortex XSOAR API
SOAR platform for orchestrating response playbooks that can ingest CrowdStrike detections
Choose Cortex XSOAR when you need to orchestrate multi-tool response workflows across security products rather than querying a single EDR platform
Splunk API
SIEM platform for correlating CrowdStrike events with other security data sources
Choose Splunk when you need cross-source log correlation and long-term event storage rather than endpoint-specific detection and response
Snyk API
Vulnerability scanning for code dependencies, complementing CrowdStrike's runtime endpoint protection
Choose Snyk when the task is about pre-deployment dependency vulnerability scanning rather than runtime endpoint threat detection
Specific to using CrowdStrike Falcon API through Jentic.
Why is there no official OpenAPI spec for CrowdStrike Falcon API?
CrowdStrike does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call CrowdStrike Falcon API via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the CrowdStrike Falcon API use?
The Falcon API uses OAuth 2.0 client credentials flow. You exchange a client_id and client_secret at POST /oauth2/token for a bearer token. Through Jentic, your OAuth credentials are stored encrypted in the MAXsystem vault and agents receive scoped bearer tokens without raw secrets entering agent context.
Can I contain a compromised endpoint with the Falcon API?
Yes. Use POST /devices/entities/devices-actions/v2 with action_name set to 'contain' and provide the device ID. This isolates the host from the network while maintaining Falcon sensor connectivity. To lift containment later, use the same endpoint with action_name 'lift_containment'.
What are the rate limits for the CrowdStrike Falcon API?
CrowdStrike applies per-endpoint rate limits that vary by operation type. Alert queries and device lookups typically allow several hundred requests per minute. The API returns 429 status codes when limits are exceeded, with Retry-After headers indicating when to resume requests.
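The containment workflow (look up the host, verify it is online, then apply the 'contain' action), the OAuth 2.0 client-credentials exchange, and the 429/Retry-After behaviour described in the answers above, combined into one added example. This is not Jentic's or CrowdStrike's own code. It assumes the request and response shapes of the public Falcon API: POST /oauth2/token takes form-encoded client_id/client_secret and returns JSON with access_token and expires_in; query and entity endpoints return a "resources" array; devices-actions takes action_name as a query parameter and a JSON body {"ids": [...]}. The HTTP transport is injectable, so the example runs offline against a constructed fake cloud (make_fake_cloud) whose responses are invented for illustration, not captured from a tenant.

```python
# Added example, not project code. Assumed Falcon request/response shapes are
# described in the lead-in; make_fake_cloud() returns constructed responses.
import json
import re
import time
from typing import Callable, Dict, Optional, Tuple
from urllib import error, parse, request

REGIONS = {  # regional base URLs as listed on the page
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
}
ACTIONS = {"contain", "lift_containment"}  # the device actions the page describes
Response = Tuple[int, Dict[str, str], dict]  # (status, headers, JSON body)


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Response:
    """Real transport: one HTTP call; HTTP errors are returned, not raised."""
    req = request.Request(url, data=body, method=method, headers=headers)
    try:
        with request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), json.loads(resp.read() or b"{}")
    except error.HTTPError as e:
        return e.code, dict(e.headers), json.loads(e.read() or b"{}")


class FalconClient:
    """OAuth 2.0 client-credentials caller with token caching and 429 back-off."""

    def __init__(self, region: str, client_id: str, client_secret: str,
                 transport: Callable[..., Response] = urllib_transport,
                 max_retries: int = 3, sleep: Callable[[float], None] = time.sleep):
        self.base, self.transport, self.sleep = REGIONS[region], transport, sleep
        self.client_id, self.client_secret, self.max_retries = client_id, client_secret, max_retries
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _token_value(self) -> str:
        # Reuse the cached bearer token until a minute before it expires.
        if self._token and time.monotonic() < self._expires_at - 60:
            return self._token
        form = parse.urlencode({"client_id": self.client_id, "client_secret": self.client_secret}).encode()
        status, _, data = self.transport("POST", self.base + "/oauth2/token",
                                         {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status not in (200, 201) or "access_token" not in data:
            raise RuntimeError(f"token request failed: {status} {data.get('errors')}")
        self._token = data["access_token"]
        self._expires_at = time.monotonic() + float(data.get("expires_in", 1799))
        return self._token

    def call(self, method: str, path: str, params: Optional[dict] = None, body: Optional[dict] = None) -> dict:
        url = self.base + path + ("?" + parse.urlencode(params, doseq=True) if params else "")
        for attempt in range(self.max_retries + 1):
            headers = {"Authorization": "Bearer " + self._token_value(), "Accept": "application/json"}
            raw = None
            if body is not None:
                headers["Content-Type"] = "application/json"
                raw = json.dumps(body).encode()
            status, hdrs, data = self.transport(method, url, headers, raw)
            hdrs = {k.lower(): v for k, v in hdrs.items()}
            if status == 429 and attempt < self.max_retries:
                self.sleep(float(hdrs.get("retry-after", "1")))  # wait as long as the header says
                continue
            if status == 401 and attempt < self.max_retries:
                self._token = None  # expired or revoked token: re-authenticate and retry
                continue
            if status >= 400:
                raise RuntimeError(f"{method} {path} -> {status}: {data.get('errors')}")
            return data
        raise RuntimeError(f"{method} {path}: retries exhausted")


def device_action(client: FalconClient, device_id: str, action_name: str) -> list:
    """Apply 'contain' or 'lift_containment' to one device ID."""
    if action_name not in ACTIONS:
        raise ValueError(f"unsupported action {action_name!r}")
    return client.call("POST", "/devices/entities/devices-actions/v2",
                       {"action_name": action_name}, {"ids": [device_id]}).get("resources", [])


def contain_host(client: FalconClient, hostname: str) -> dict:
    """Look up a host by name, check its online state, then network-contain it."""
    # Only accept characters that cannot alter the FQL filter string.
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,253}", hostname):
        raise ValueError("hostname contains characters not allowed in the filter")
    ids = client.call("GET", "/devices/queries/devices/v1",
                      {"filter": f"hostname:'{hostname}'"}).get("resources", [])
    if len(ids) != 1:  # refuse to act on an unknown or ambiguous host
        raise LookupError(f"expected exactly one device for {hostname!r}, found {len(ids)}")
    device_id = ids[0]
    state = client.call("GET", "/devices/entities/online-state/v1",
                        {"ids": device_id})["resources"][0]["state"]
    if state != "online":  # the action queues until the sensor checks in; report that instead
        return {"device_id": device_id, "state": state, "contained": False}
    return {"device_id": device_id, "state": state, "contained": True,
            "resources": device_action(client, device_id, "contain")}


def make_fake_cloud(rate_limit_once: bool = True):
    """Constructed offline stand-in for a Falcon cloud; the first contain call answers 429."""
    state = {"calls": [], "limited": rate_limit_once}

    def transport(method, url, headers, body):
        parts = parse.urlsplit(url)
        qs = parse.parse_qs(parts.query)
        state["calls"].append((method, parts.path))
        if parts.path == "/oauth2/token":
            return 201, {}, {"access_token": "fake-token", "expires_in": 1799}
        if headers.get("Authorization") != "Bearer fake-token":
            return 401, {}, {"errors": [{"message": "access denied"}]}
        if parts.path == "/devices/queries/devices/v1":
            found = qs["filter"][0] == "hostname:'ws-042'"
            return 200, {}, {"resources": ["dev-0001"] if found else []}
        if parts.path == "/devices/entities/online-state/v1":
            return 200, {}, {"resources": [{"id": qs["ids"][0], "state": "online"}]}
        if parts.path == "/devices/entities/devices-actions/v2":
            if state["limited"]:
                state["limited"] = False
                return 429, {"Retry-After": "2"}, {"errors": [{"message": "rate limit"}]}
            ids = json.loads(body)["ids"]
            return 200, {}, {"resources": [{"id": i, "action": qs["action_name"][0]} for i in ids]}
        return 404, {}, {"errors": [{"message": "no such route"}]}

    return transport, state
```

Against a real tenant, construct `FalconClient("EU-1", client_id, client_secret)` with the default transport and call `contain_host(client, "ws-042")`; the same code path then sleeps for the server's Retry-After value on a 429 and refreshes the token on a 401. Requiring exactly one match for the hostname and validating the hostname before it is interpolated into the filter are the two checks that keep an automated playbook from containing the wrong machine.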
How do I query alerts for a specific severity level through Jentic?
Search Jentic for 'check endpoint alerts by severity', which returns the POST /alerts/aggregates/alerts/v2 and POST /alerts/entities/alerts/v3 operations. Use aggregates to count alerts by severity bucket, then retrieve full alert details filtered by severity. Install with pip install jentic and sign up at https://app.jentic.com/sign-up.
Which regional cloud endpoints does the Falcon API support?
The Falcon API supports multiple regional clouds: US-1 (api.crowdstrike.com), US-2 (api.us-2.crowdstrike.com), and EU-1 (api.eu-1.crowdstrike.com). Your OAuth credentials determine which cloud your tenant resides in. All endpoints function identically across regions.
Can I stream detection events in real time from the Falcon API?
Yes. Use the Event Streams endpoints to discover available data feeds via GET /sensors/entities/datafeed/v2, then consume events from the returned streaming URL. Events include detections, authentication activity, and platform audit logs suitable for SIEM ingestion.
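A consumer for the streaming URL returned by the datafeed discovery call, as an added example that is not Jentic's or CrowdStrike's own code. It assumes the stream is newline-delimited JSON where each line carries a "metadata" object (eventType, offset, eventCreationTime) and an "event" object, that the stream emits blank keepalive lines, and that a reconnect can pass an offset query parameter on the feed URL to resume. The field names inside "event" (ComputerName, SeverityName, DetectName, UserId, OperationName, Success) and the sample lines are constructed for the example, not captured from a tenant.

```python
# Added example, not project code. Stream format and field names are assumed
# (see lead-in); SAMPLE_STREAM is constructed, including one corrupt line.
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

SAMPLE_STREAM = b"""\
{"metadata": {"eventType": "DetectionSummaryEvent", "offset": 1, "eventCreationTime": 1700000000000}, "event": {"ComputerName": "ws-042", "SeverityName": "Critical", "DetectName": "Credential Theft"}}

{"metadata": {"eventType": "AuthActivityAuditEvent", "offset": 2, "eventCreationTime": 1700000001000}, "event": {"UserId": "analyst@example.test", "OperationName": "userAuthenticate", "Success": true}}
this line is not json
{"metadata": {"eventType": "UserActivityAuditEvent", "offset": 3, "eventCreationTime": 1700000002000}, "event": {"UserId": "admin@example.test", "OperationName": "detection_update", "Success": true}}
"""


@dataclass
class SiemRecord:
    """Flattened record a SIEM can index regardless of the Falcon event type."""
    offset: int
    event_type: str
    created_ms: int
    host: Optional[str]
    severity: Optional[str]
    summary: str


def normalise(raw: dict) -> SiemRecord:
    meta, ev = raw["metadata"], raw["event"]
    etype, off, ts = meta["eventType"], int(meta["offset"]), int(meta.get("eventCreationTime", 0))
    if etype == "DetectionSummaryEvent":
        return SiemRecord(off, etype, ts, ev.get("ComputerName"), ev.get("SeverityName"),
                          f"{ev.get('DetectName')} on {ev.get('ComputerName')}")
    if etype in ("AuthActivityAuditEvent", "UserActivityAuditEvent"):
        return SiemRecord(off, etype, ts, None, None,
                          f"{ev.get('OperationName')} by {ev.get('UserId')} success={ev.get('Success')}")
    # Unknown event types are kept, with a truncated body, rather than dropped.
    return SiemRecord(off, etype, ts, None, None, json.dumps(ev, sort_keys=True)[:200])


def consume(lines: Iterable[bytes], last_offset: int = 0) -> Tuple[List[SiemRecord], int]:
    """Parse stream lines; skip keepalives, malformed lines and already-seen
    offsets; return the new records and the high-water offset for resume."""
    records, hwm = [], last_offset
    for line in lines:
        line = line.strip()
        if not line:  # blank keepalive
            continue
        try:
            raw = json.loads(line)
            rec = normalise(raw)
        except (ValueError, KeyError, TypeError):
            continue  # one bad line must not stop ingestion
        if rec.offset <= last_offset:
            continue  # replayed after a reconnect
        records.append(rec)
        hwm = max(hwm, rec.offset)
    return records, hwm


def resume_url(feed_url: str, hwm: int) -> str:
    """Feed URL to reconnect with. The offset is passed inclusively; consume()
    de-duplicates, so whether the server treats it as inclusive does not matter."""
    sep = "&" if "?" in feed_url else "?"
    return f"{feed_url}{sep}offset={hwm}"
```

Persist the returned high-water offset after each batch is committed to the SIEM; on reconnect, open `resume_url(feed_url, hwm)` and pass the stored offset as `last_offset` so an event is never indexed twice.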