How to retrieve the total number of events, event volume, and the number of active agents for any given period through the API

[torirori-1]

I want to link information related to CrowdStrike's license costs to SOAR.
I checked the documentation but couldn't find the information.
I am considering running a playbook once a day to retrieve the total number of events, event volume, and the number of active agents from the previous day.

[jshcodes]

Hi @torirori-1 -

I took a guess at what we wanted to use for event volume. Check this code out and let us know if you have any problems.

from datetime import datetime, timezone, timedelta
# Import the necessary FalconPy Service Classes
from falconpy import Alerts, Hosts

# This example demonstrates Environment Authentication
# To leverage direct authentication, pass your credentials
# to the client_id and client_secret keywords here.
alerts = Alerts(pythonic=True)
hosts = Hosts(auth_object=alerts)  # Object authentication

# Retrieve our totals for alerts and hosts
total_alerts = alerts.query_alerts_v2(limit=10000).total
total_hosts = hosts.query_devices_by_filter_scroll(limit=10000).total

# Calculate volume by looking at number of alerts per day (last 31) and taking the average
today = datetime.now(tz=timezone.utc)
totals = []
worst_total = 0
worst_day = ""
for days in range(0, 30):
    check_date = (today - timedelta(days=days))
    check_date_str = check_date.strftime("%Y-%m-%dT00:00:01Z")
    end_check_date = (today - timedelta(days=days)).strftime("%Y-%m-%dT23:59:59Z")
    date_filter = f"created_timestamp:>='{check_date_str}'+created_timestamp:<='{end_check_date}'"
    day_total = alerts.query_alerts_v2(limit=10000, filter=date_filter).total
    totals.append(day_total)
    worst_total = max(worst_total, day_total)
    if worst_total == day_total:
        worst_day = check_date

average = sum(totals) / len(totals)
today = today.strftime("%Y-%m-%d")
worst_day = worst_day.strftime("%Y-%m-%d")

# Display our results
print(f"Today is: {today}")
print(f"Total Hosts: {total_hosts:,d}")
print(f"Total Alerts: {total_alerts:,d}")
print(f"Average alerts per day (Past 31 days): {average:,.2f}")
print(f"Most alerts generated on: {worst_day} ({worst_total:,d})")

Thank you for the question! 😄

[jshcodes]

Tip

To drop today's alerts from our calculated average, change the range statement in our for loop to start from 1 instead of 0.

[torirori-1]

@jshcodes

I apologize for the delayed response.
I tried the code you provided and was able to get the information I wanted!
Thank you very much!