
Overview

Falcon Flight Control enables Managed Security Service Providers (MSSPs) to efficiently manage multiple customer instances (CIDs) from a single parent CID. You can organize customers into groups, create user groups with specific access permissions, and control which users can access which customer environments.
All Flight Control operations require Flight Control: Read or Flight Control: Write permissions.

Architecture

Flight Control uses three core concepts:

CID Groups

Collections of child CIDs organized by criteria (region, service tier, etc.)

User Groups

Collections of users who need similar access permissions

Group Roles

Assignments that link user groups to CID groups with specific roles

CID Group Management

Create CID Groups

Organize your child CIDs into logical groups.
Create CID Group
New-FalconCidGroup -Name 'Enterprise Customers' -Description 'Large enterprise accounts with 1000+ endpoints'
Name (string, required): CID group name
Description (string, required): CID group description

Get CID Groups

Retrieve CID group information.
List All CID Groups
Get-FalconCidGroup -Detailed
Get Specific Group
Get-FalconCidGroup -Id '12345678901234567890123456789012'
Search by Name
Get-FalconCidGroup -Name 'Enterprise Customers' -Detailed
Id (string[]): CID group identifier(s) - 32-character hexadecimal string
Name (string): Filter by CID group name
Sort (string): Sort by last_modified_timestamp.asc, last_modified_timestamp.desc, name.asc, name.desc
Limit (integer): Maximum results per request (1-5000)
Offset (integer): Position to begin retrieving results
Detailed (switch): Retrieve detailed information
All (switch): Repeat requests until all results are retrieved
Total (switch): Display total result count

Modify CID Groups

Update Group
Edit-FalconCidGroup -Id '12345678901234567890123456789012' -Name 'Premium Enterprise' -Description 'Updated description'
Name (string): New CID group name
Description (string): New CID group description
Id (string, required): CID group identifier to modify

Delete CID Groups

Remove Group
Remove-FalconCidGroup -Id '12345678901234567890123456789012'
Id (string[], required): CID group identifier(s) to remove

CID Group Members

Add Members to CID Groups

Assign child CIDs to a group.
Add Single CID
Add-FalconCidGroupMember -Id '12345678901234567890123456789012' -Cid 'abcdef1234567890abcdef1234567890'
Add Multiple CIDs
Add-FalconCidGroupMember -Id '12345678901234567890123456789012' -Cid @('abcdef1234567890abcdef1234567890', '1234567890abcdef1234567890abcdef')
Id (string, required): CID group identifier
Cid (string[], required): Child CID(s) to add to the group

Get CID Group Members

List Members
Get-FalconCidGroupMember -Cid 'abcdef1234567890abcdef1234567890' -Detailed
Get by Group ID
Get-FalconCidGroupMember -Id '12345678901234567890123456789012'
Id (string[]): CID group identifier(s)
Cid (string): Child CID to search for
Sort (string): Sort by last_modified_timestamp.asc, last_modified_timestamp.desc
Limit (integer): Maximum results per request (1-5000)
Offset (integer): Position to begin retrieving results
Detailed (switch): Retrieve detailed information
All (switch): Repeat requests until all results are retrieved
Total (switch): Display total result count

Remove Members from CID Groups

Remove CID from Group
Remove-FalconCidGroupMember -Id '12345678901234567890123456789012' -Cid 'abcdef1234567890abcdef1234567890'
Id (string, required): CID group identifier
Cid (string[], required): Child CID(s) to remove from the group

User Group Management

Create User Groups

Create groups for users with similar access needs.
Create User Group
New-FalconUserGroup -Name 'Tier 1 Analysts' -Description 'SOC analysts with basic access'
Name (string, required): User group name
Description (string, required): User group description

Get User Groups

List All User Groups
Get-FalconUserGroup -Detailed
Get by Name
Get-FalconUserGroup -Name 'Tier 1 Analysts' -Detailed
Id (string[]): User group identifier(s)
Name (string): Filter by user group name
Sort (string): Sort by last_modified_timestamp.asc, last_modified_timestamp.desc, name.asc, name.desc
Limit (integer): Maximum results per request (1-5000)
Offset (integer): Position to begin retrieving results
Detailed (switch): Retrieve detailed information
All (switch): Repeat requests until all results are retrieved
Total (switch): Display total result count

Modify User Groups

Update User Group
Edit-FalconUserGroup -Id '12345678901234567890123456789012' -Name 'Senior Analysts' -Description 'Experienced SOC analysts'
Name (string): New user group name
Description (string): New user group description
Id (string, required): User group identifier

Delete User Groups

Remove User Group
Remove-FalconUserGroup -Id '12345678901234567890123456789012'
Id (string[], required): User group identifier(s) to remove

User Group Members

Add Users to Groups

Add User
Add-FalconUserGroupMember -Id '12345678901234567890123456789012' -UserId 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
Add Multiple Users
Add-FalconUserGroupMember -Id '12345678901234567890123456789012' -UserId @('a1b2c3d4-e5f6-7890-abcd-ef1234567890', 'b2c3d4e5-f6a7-8901-bcde-f12345678901')
Id (string, required): User group identifier
UserId (string[], required): User identifier(s) to add (UUID format)

Get User Group Members

List Members of Group
Get-FalconUserGroupMember -Id '12345678901234567890123456789012' -Detailed
Find Groups for User
Get-FalconUserGroupMember -UserId 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
Id (string[]): User group identifier(s) to get members from
UserId (string): User identifier to find group membership for
Sort (string): Sort by last_modified_timestamp.asc, last_modified_timestamp.desc
Limit (integer): Maximum results per request (1-5000)
Offset (integer): Position to begin retrieving results
Detailed (switch): Retrieve detailed information
All (switch): Repeat requests until all results are retrieved
Total (switch): Display total result count

Remove Users from Groups

Remove User
Remove-FalconUserGroupMember -Id '12345678901234567890123456789012' -UserId 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
Id (string, required): User group identifier
UserId (string[], required): User identifier(s) to remove from group

Group Role Assignment

Assign Roles Between Groups

Link user groups to CID groups with specific roles to grant permissions.
Assign Role
Add-FalconGroupRole -CidGroupId '12345678901234567890123456789012' -UserGroupId '98765432109876543210987654321098' -RoleId 'event_viewer'
Assign Multiple Roles
Add-FalconGroupRole -CidGroupId '12345678901234567890123456789012' -UserGroupId '98765432109876543210987654321098' -RoleId @('event_viewer', 'detection_responder')
CidGroupId (string, required): CID group identifier
UserGroupId (string, required): User group identifier
RoleId (string[], required): Role identifier(s) to assign

Get Group Roles

Get All Group Roles
Get-FalconGroupRole -CidGroupId '12345678901234567890123456789012' -Detailed
Get by User Group
Get-FalconGroupRole -UserGroupId '98765432109876543210987654321098' -Detailed
Get Specific Assignment
Get-FalconGroupRole -Id '12345678901234567890123456789012:98765432109876543210987654321098'
Id (string[]): Combined group identifier in format <cid_group_id>:<user_group_id>
CidGroupId (string): CID group identifier to filter by
UserGroupId (string): User group identifier to filter by
RoleId (string): Role identifier to filter by
Sort (string): Sort by last_modified_timestamp.asc, last_modified_timestamp.desc
Limit (integer): Maximum results per request (1-5000)
Offset (integer): Position to begin retrieving results
Detailed (switch): Retrieve detailed information
All (switch): Repeat requests until all results are retrieved
Total (switch): Display total result count

Remove Group Roles

Remove Specific Roles
Remove-FalconGroupRole -CidGroupId '12345678901234567890123456789012' -UserGroupId '98765432109876543210987654321098' -RoleId 'temp_access'
Remove Entire Association
Remove-FalconGroupRole -CidGroupId '12345678901234567890123456789012' -UserGroupId '98765432109876543210987654321098'
CidGroupId (string, required): CID group identifier
UserGroupId (string, required): User group identifier
RoleId (string[]): Role identifier(s) to remove. If omitted, removes the entire user group/CID group association.

Member CID Management

Get Member CIDs

Retrieve information about child CIDs.
List All Member CIDs
Get-FalconMemberCid -Detailed
Get Specific CID
Get-FalconMemberCid -Id 'abcdef1234567890abcdef1234567890'
Filter Member CIDs
Get-FalconMemberCid -Filter "name:*'Contoso'" -Detailed
Id (string[]): Member CID identifier(s)
Filter (string): Falcon Query Language expression to filter results
Sort (string): Sort by last_modified_timestamp.asc, last_modified_timestamp.desc
Limit (integer): Maximum results per request (1-5000)
Offset (integer): Position to begin retrieving results
Detailed (switch): Retrieve detailed information
All (switch): Repeat requests until all results are retrieved
Total (switch): Display total result count

MSSP Workflow Examples

Complete MSSP Setup

Here’s how to set up a complete Flight Control configuration:
Full MSSP Configuration
# Step 1: Create CID groups by region
$UsWest = New-FalconCidGroup -Name 'US West Customers' -Description 'Customers in western United States'
$UsEast = New-FalconCidGroup -Name 'US East Customers' -Description 'Customers in eastern United States'

# Step 2: Add child CIDs to groups
Add-FalconCidGroupMember -Id $UsWest.id -Cid @('cid1111111111111111111111111111', 'cid2222222222222222222222222222')
Add-FalconCidGroupMember -Id $UsEast.id -Cid @('cid3333333333333333333333333333', 'cid4444444444444444444444444444')

# Step 3: Create user groups by role
$Tier1 = New-FalconUserGroup -Name 'Tier 1 SOC' -Description 'First-level SOC analysts'
$Tier2 = New-FalconUserGroup -Name 'Tier 2 SOC' -Description 'Senior SOC analysts'

# Step 4: Add users to groups
# -Detailed returns user objects (with a uuid property) rather than bare identifiers
$Analysts = Get-FalconUser -Filter "first_name:*'Analyst'" -Detailed
Add-FalconUserGroupMember -Id $Tier1.id -UserId $Analysts[0..4].uuid
Add-FalconUserGroupMember -Id $Tier2.id -UserId $Analysts[5..9].uuid

# Step 5: Assign roles to link user groups with CID groups
Add-FalconGroupRole -CidGroupId $UsWest.id -UserGroupId $Tier1.id -RoleId 'event_viewer'
Add-FalconGroupRole -CidGroupId $UsWest.id -UserGroupId $Tier2.id -RoleId @('event_viewer', 'detection_responder')
Add-FalconGroupRole -CidGroupId $UsEast.id -UserGroupId $Tier1.id -RoleId 'event_viewer'
Add-FalconGroupRole -CidGroupId $UsEast.id -UserGroupId $Tier2.id -RoleId @('event_viewer', 'detection_responder')

# Step 6: Verify configuration
Get-FalconGroupRole -CidGroupId $UsWest.id -Detailed

Regional Access Management

Regional Team Setup
# Create regional CID groups
$Emea = New-FalconCidGroup -Name 'EMEA Customers' -Description 'Europe, Middle East, and Africa'
$Apac = New-FalconCidGroup -Name 'APAC Customers' -Description 'Asia-Pacific region'

# Create regional user groups
$EmeaTeam = New-FalconUserGroup -Name 'EMEA SOC Team' -Description 'Security analysts for EMEA region'
$ApacTeam = New-FalconUserGroup -Name 'APAC SOC Team' -Description 'Security analysts for APAC region'

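# Assign regional users
# -Detailed returns user objects (with a uuid property) rather than bare identifiers
$EmeaUsers = Get-FalconUser -Filter "uid:*'@emea.company.com'" -Detailed
$ApacUsers = Get-FalconUser -Filter "uid:*'@apac.company.com'" -Detailed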

Add-FalconUserGroupMember -Id $EmeaTeam.id -UserId $EmeaUsers.uuid
Add-FalconUserGroupMember -Id $ApacTeam.id -UserId $ApacUsers.uuid

# Link teams to their regions
Add-FalconGroupRole -CidGroupId $Emea.id -UserGroupId $EmeaTeam.id -RoleId 'detection_responder'
Add-FalconGroupRole -CidGroupId $Apac.id -UserGroupId $ApacTeam.id -RoleId 'detection_responder'

Service Tier Management

Service Tier Organization
# Create CID groups by service tier
$Premium = New-FalconCidGroup -Name 'Premium Support' -Description '24/7 premium support customers'
$Standard = New-FalconCidGroup -Name 'Standard Support' -Description 'Business hours support customers'

# Create specialized user groups
$PremiumTeam = New-FalconUserGroup -Name 'Premium Support Team' -Description '24/7 on-call analysts'
$StandardTeam = New-FalconUserGroup -Name 'Standard Support Team' -Description 'Business hours analysts'

# Assign different permission levels
Add-FalconGroupRole -CidGroupId $Premium.id -UserGroupId $PremiumTeam.id -RoleId @('detection_responder', 'real_time_responder')
Add-FalconGroupRole -CidGroupId $Standard.id -UserGroupId $StandardTeam.id -RoleId 'event_viewer'

Best Practices

1. Organize by Business Logic

Create CID groups that match your business structure (region, service tier, industry) for easier management.

2. Use Descriptive Names

Choose clear, descriptive names for groups that indicate their purpose and scope.

3. Implement Role Separation

Create distinct user groups for different job functions and responsibility levels.

4. Regular Audits

Periodically review group memberships and role assignments to ensure they remain appropriate.

5. Document Assignments

Maintain documentation of your Flight Control configuration for compliance and knowledge transfer.

6. Test Before Deploying

Test permission configurations with a small set of CIDs before rolling out to production.
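
One way to carry out the review described under Regular Audits, as an added example that is not part of the PSFalcon documentation: compare each group-role assignment against a per-user-group allow-list and report roles that exceed it. The function name Find-ExcessGroupRole, the allow-list, the property names cid_group_id, user_group_id and role_ids, and all sample IDs are assumptions or constructed values.

```powershell
# Added example (not PSFalcon code). Assumes each assignment object exposes
# cid_group_id, user_group_id and role_ids, as expected from
# Get-FalconGroupRole -Detailed; verify against your own output.
function Find-ExcessGroupRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Assignment,
        # Allow-list: user_group_id -> role IDs that group may hold
        [Parameter(Mandatory)]
        [hashtable]$Allowed
    )
    process {
        foreach ($a in $Assignment) {
            # A user group missing from the allow-list has no expected roles,
            # so every role it holds is reported.
            $expected = @($Allowed[$a.user_group_id])
            $extra = @($a.role_ids | Where-Object { $_ -notin $expected })
            if ($extra.Count -gt 0) {
                [pscustomobject]@{
                    CidGroupId  = $a.cid_group_id
                    UserGroupId = $a.user_group_id
                    ExcessRoles = $extra -join ', '
                    InAllowList = $Allowed.ContainsKey($a.user_group_id)
                }
            }
        }
    }
}

# Constructed sample data (placeholder IDs in the page's 32-character format)
$Tier1 = '98765432109876543210987654321098'
$Tier2 = '11112222333344445555666677778888'
$Allowed = @{
    $Tier1 = @('event_viewer')
    $Tier2 = @('event_viewer', 'detection_responder')
}
$Cid = '12345678901234567890123456789012'
$Sample = @(
    [pscustomobject]@{ cid_group_id = $Cid; user_group_id = $Tier1; role_ids = @('event_viewer') }
    [pscustomobject]@{ cid_group_id = $Cid; user_group_id = $Tier2; role_ids = @('event_viewer', 'real_time_responder') }
    [pscustomobject]@{ cid_group_id = $Cid; user_group_id = 'ffffeeeeddddccccbbbbaaaa99998888'; role_ids = @('detection_responder') }
)

# Each emitted row is an assignment that needs review
$Sample | Find-ExcessGroupRole -Allowed $Allowed

# Live use, with the call form shown on this page:
# Get-FalconGroupRole -CidGroupId $Cid -Detailed | Find-ExcessGroupRole -Allowed $Allowed
```

Keeping the allow-list in version control also covers the Document Assignments practice, since the file becomes the record of intended access.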

Common Patterns

Organize by geography with regional CID groups (US, EMEA, APAC) and regional user groups, ensuring teams only access their designated regions.
Create CID groups by service level (Premium, Standard, Basic) and user groups by support tier (Tier 1, 2, 3), assigning escalating permissions.
Group customers by industry (Healthcare, Finance, Retail) with specialized analyst teams who understand industry-specific threats.
Create CID groups for each partner organization and user groups for their analysts, maintaining strict separation between partners.
