Firewall Management

Joshua Hiller edited this page Dec 10, 2024 · 20 revisions

Using the Firewall Management service collection

Table of Contents

| Operation ID | PEP8 method name | Description |
| --- | --- | --- |
| aggregate_events | aggregate_events | Aggregate events for customer |
| aggregate_policy_rules | aggregate_policy_rules | Aggregate rules within a policy for customer |
| aggregate_rule_groups | aggregate_rule_groups | Aggregate rule groups for customer |
| aggregate_rules | aggregate_rules | Aggregate rules for customer |
| get_events | get_events | Get events entities by ID and optionally version |
| get_firewall_fields | get_firewall_fields | Get the firewall field specifications by ID |
| get_network_locations_details | get_network_locations_details | Get network locations entities by ID |
| update_network_locations_metadata | update_network_locations_metadata | Updates the network locations metadata such as polling_intervals for the cid |
| update_network_locations_precedence | update_network_locations_precedence | Updates the network locations precedence according to the list of ids provided. |
| get_network_locations | get_network_locations | Get a summary of network locations entities by ID |
| upsert_network_locations | upsert_network_locations | Updates the network locations provided, and return the ID. |
| create_network_locations | create_network_locations | Create new network locations provided, and return the ID. |
| delete_network_locations | delete_network_locations | Delete network location entities by ID. |
| update_network_locations | update_network_locations | Updates the network locations provided, and return the ID. |
| get_platforms | get_platforms | Get platforms by ID, e.g., windows or mac or droid |
| get_policy_containers | get_policy_containers | Get policy container entities by policy ID |
| update_policy_container_v1 | update_policy_container_v1 | DEPRECATED. Update an identified policy container |
| update_policy_container | update_policy_container | Update an identified policy container |
| get_rule_groups | get_rule_groups | Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order. |
| create_rule_group | create_rule_group | Create new rule group on a platform for a customer with a name and description, and return the ID |
| delete_rule_groups | delete_rule_groups | Delete rule group entities by ID |
| update_rule_group | update_rule_group | Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
| create_rule_group_validation | create_rule_group_validation | Validates the request of creating a new rule group on a platform for a customer with a name and description |
| update_rule_group_validation | update_rule_group_validation | Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
| get_rules | get_rules | Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string) |
| validate_filepath_pattern | validate_filepath_pattern | Validates that the test pattern matches the executable filepath glob pattern. |
| query_events | query_events | Find all event IDs matching the query with filter |
| query_firewall_fields | query_firewall_fields | Get the firewall field specification IDs for the provided platform |
| query_network_locations | query_network_locations | Get a list of network location IDs |
| query_platforms | query_platforms | Get the list of platform names |
| query_policy_rules | query_policy_rules | Find all firewall rule IDs matching the query with filter, and return them in precedence order |
| query_rule_groups | query_rule_groups | Find all rule group IDs matching the query with filter |
| query_rules | query_rules | Find all rule IDs matching the query with filter |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that none of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

aggregate_events

Aggregate events for customer

PEP8 method name

aggregate_events

Endpoint

Method Route
POST /fwmgr/aggregates/events/GET/v1

Required Scope

firewall-management:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body list of dictionaries Full body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
body list of dictionaries Applies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
body string Elements to exclude.
field
Service Class Support

No Uber Class Support
body string The field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
body string FQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
body integer Starting position.
include
Service Class Support

No Uber Class Support
body string Elements to include.
interval
Service Class Support

No Uber Class Support
body string Time interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
body integer Only return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
body integer Only return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
body string Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
body string Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
body string Full text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
body list of dictionaries Applies to range aggregations. Range values depend on the field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
body integer The max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
body list of dictionaries A nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
body string FQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
body string Time zone for bucket results.
type
Service Class Support

No Uber Class Support
body string Type of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_events(date_ranges=date_ranges,
                                   exclude="string",
                                   field="string",
                                   filter="string",
                                   # "from" is a reserved word in Python; pass it by unpacking
                                   **{"from": integer},
                                   include="string",
                                   interval="string",
                                   max_doc_count=integer,
                                   min_doc_count=integer,
                                   missing="string",
                                   name="string",
                                   q="string",
                                   ranges=ranges,
                                   size=integer,
                                   sort="string",
                                   time_zone="string",
                                   type="string"
                                   )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        None  # placeholder for nested aggregate dictionaries
    ],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_events", body=BODY)

print(response)
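
An added example, not part of the FalconPy documentation: it builds the body list for the aggregate operations and rejects values outside what the keyword tables above list before anything is sent. Assumptions: `build_aggregate`, `count_nested`, `sample_body` and `send_event_aggregates` are hypothetical helpers, the field names are placeholders, the `FALCON_CLIENT_ID` / `FALCON_CLIENT_SECRET` environment variable names are illustrative, and the limit of 3 is applied conservatively to the total number of nested aggregations.

```python
import os

# Values listed in the Keyword Arguments tables on this page.
AGG_TYPES = {"date_histogram", "date_range", "terms", "range", "cardinality",
             "max", "min", "avg", "sum", "percentiles"}
INTERVALS = {"year", "month", "week", "day", "hour", "minute"}
SORT_KEYS = {"_count", "_term"}
INTEGER_KEYS = ("from", "size", "min_doc_count", "max_doc_count")
MAX_NESTED = 3  # "maximum of 3 nested aggregations per request"


def count_nested(spec):
    """Count every sub-aggregate below spec, at any depth."""
    subs = spec.get("sub_aggregates") or []
    return len(subs) + sum(count_nested(sub) for sub in subs)


def build_aggregate(name, agg_type, field, **options):
    """Return one validated aggregate specification (hypothetical helper).

    "from" is a reserved word in Python, so pass it by unpacking:
    build_aggregate(..., **{"from": 0})
    """
    if agg_type not in AGG_TYPES:
        raise ValueError(f"type {agg_type!r} is not one of the listed types")
    spec = {"name": name, "type": agg_type, "field": field}
    spec.update({key: val for key, val in options.items() if val is not None})

    # date_histogram requires the interval field.
    if agg_type == "date_histogram" and spec.get("interval") not in INTERVALS:
        raise ValueError("date_histogram needs one of the listed intervals")
    # Sort keys are _count or _term, optionally followed by |asc or |desc.
    if "sort" in spec:
        key, sep, direction = spec["sort"].partition("|")
        if key not in SORT_KEYS or (sep and direction not in ("asc", "desc")):
            raise ValueError(f"unsupported sort string: {spec['sort']!r}")
    # The tables give these keywords the data type "integer".
    for key in INTEGER_KEYS:
        val = spec.get(key)
        if val is not None and (isinstance(val, bool) or not isinstance(val, int)):
            raise ValueError(f"{key} must be an integer")
    if count_nested(spec) > MAX_NESTED:
        raise ValueError(f"more than {MAX_NESTED} nested aggregations")
    return spec


def sample_body():
    """Constructed sample: an hourly histogram and a top-10 terms bucket.

    example_time_field and example_field are placeholders, not real
    firewall field names.
    """
    nested = [{"name": "max_example", "type": "max", "field": "example_field"}]
    return [
        build_aggregate("events_per_hour", "date_histogram",
                        "example_time_field", interval="hour", time_zone="UTC"),
        build_aggregate("top_values", "terms", "example_field", size=10,
                        sort="_count|desc", sub_aggregates=nested,
                        **{"from": 0}),
    ]


def send_event_aggregates(specs):
    """POST the specs to aggregate_events with credentials from the environment."""
    # Imported lazily so the validation above works without falconpy installed.
    from falconpy import FirewallManagement

    # Assumed variable names; a missing variable raises KeyError instead of
    # silently falling back to a value embedded in source code.
    falcon = FirewallManagement(client_id=os.environ["FALCON_CLIENT_ID"],
                                client_secret=os.environ["FALCON_CLIENT_SECRET"])
    return falcon.aggregate_events(body=specs)


if __name__ == "__main__":
    print(sample_body())
```

Calling `send_event_aggregates(sample_body())` requires falconpy and both environment variables; the validation itself runs offline.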

aggregate_policy_rules

Aggregate rules within a policy for customer

PEP8 method name

aggregate_policy_rules

Endpoint

Method Route
POST /fwmgr/aggregates/policy-rules/GET/v1

Required Scope

firewall-management:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body list of dictionaries Full body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
body list of dictionaries Applies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
body string Elements to exclude.
field
Service Class Support

No Uber Class Support
body string The field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
body string FQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
body integer Starting position.
include
Service Class Support

No Uber Class Support
body string Elements to include.
interval
Service Class Support

No Uber Class Support
body string Time interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
body integer Only return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
body integer Only return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
body string Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
body string Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
body string Full text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
body list of dictionaries Applies to range aggregations. Range values depend on the field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
body integer The max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
body list of dictionaries A nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
body string FQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
body string Time zone for bucket results.
type
Service Class Support

No Uber Class Support
body string Type of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_policy_rules(date_ranges=date_ranges,
                                         exclude="string",
                                         field="string",
                                         filter="string",
                                         # "from" is a reserved word in Python; pass it by unpacking
                                         **{"from": integer},
                                         include="string",
                                         interval="string",
                                         max_doc_count=integer,
                                         min_doc_count=integer,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=ranges,
                                         size=integer,
                                         sort="string",
                                         time_zone="string",
                                         type="string"
                                         )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        None  # placeholder for nested aggregate dictionaries
    ],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_policy_rules", body=BODY)

print(response)

aggregate_rule_groups

Aggregate rule groups for customer

PEP8 method name

aggregate_rule_groups

Endpoint

Method Route
POST /fwmgr/aggregates/rule-groups/GET/v1

Required Scope

firewall-management:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body list of dictionaries Full body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
body list of dictionaries Applies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
body string Elements to exclude.
field
Service Class Support

No Uber Class Support
body string The field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
body string FQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
body integer Starting position.
include
Service Class Support

No Uber Class Support
body string Elements to include.
interval
Service Class Support

No Uber Class Support
body string Time interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
body integer Only return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
body integer Only return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
body string Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
body string Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
body string Full text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
body list of dictionaries Applies to range aggregations. Range values depend on the field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
body integer The max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
body list of dictionaries A nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
body string FQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
body string Time zone for bucket results.
type
Service Class Support

No Uber Class Support
body string Type of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_rule_groups(date_ranges=date_ranges,
                                        exclude="string",
                                        field="string",
                                        filter="string",
                                        # "from" is a reserved word in Python; pass it by unpacking
                                        **{"from": integer},
                                        include="string",
                                        interval="string",
                                        max_doc_count=integer,
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=ranges,
                                        size=integer,
                                        sort="string",
                                        time_zone="string",
                                        type="string"
                                        )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        None  # placeholder for nested aggregate dictionaries
    ],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_rule_groups", body=BODY)

print(response)

aggregate_rules

Aggregate rules for customer

PEP8 method name

aggregate_rules

Endpoint

Method Route
POST /fwmgr/aggregates/rules/GET/v1

Required Scope

firewall-management:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body list of dictionaries Full body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
body list of dictionaries Applies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
body string Elements to exclude.
field
Service Class Support

No Uber Class Support
body string The field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
body string FQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
body integer Starting position.
include
Service Class Support

No Uber Class Support
body string Elements to include.
interval
Service Class Support

No Uber Class Support
body string Time interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
body integer Only return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
body integer Only return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
body string Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
body string Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
body string Full text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
body list of dictionaries Applies to range aggregations. Range values depend on the field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
body integer The max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
body list of dictionaries A nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
body string FQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
body string Time zone for bucket results.
type
Service Class Support

No Uber Class Support
body string Type of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_rules(date_ranges=date_ranges,
                                  exclude="string",
                                  field="string",
                                  filter="string",
                                  # "from" is a reserved word in Python; pass it by unpacking
                                  **{"from": integer},
                                  include="string",
                                  interval="string",
                                  max_doc_count=integer,
                                  min_doc_count=integer,
                                  missing="string",
                                  name="string",
                                  q="string",
                                  ranges=ranges,
                                  size=integer,
                                  sort="string",
                                  time_zone="string",
                                  type="string"
                                  )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        None  # placeholder for nested aggregate dictionaries
    ],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_rules", body=BODY)

print(response)


get_events

Get events entities by ID and optionally version

PEP8 method name

get_events

Endpoint

Method Route
GET /fwmgr/entities/events/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | The events to retrieve, identified by ID. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_events(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_events", ids=id_list)

print(response)


get_firewall_fields

Get the firewall field specifications by ID

PEP8 method name

get_firewall_fields

Endpoint

Method Route
GET /fwmgr/entities/firewall-fields/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | The rule types to retrieve, identified by ID. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_firewall_fields(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_firewall_fields", ids=id_list)

print(response)


get_network_locations_details

Get network locations entities by ID

PEP8 method name

get_network_locations_details

Endpoint

Method Route
GET /fwmgr/entities/network-locations-details/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | The ID of the network location to retrieve. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using ids keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_network_locations_details(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_network_locations_details", ids=id_list)

print(response)


update_network_locations_metadata

Updates the network locations metadata such as polling_intervals for the cid

PEP8 method name

update_network_locations_metadata

Endpoint

Method Route
POST /fwmgr/entities/network-locations-metadata/v1

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Supported | Supported | body | dictionary | Full body payload in JSON format. |
| cid | Supported | Supported | body | string | CID for the location. |
| comment | Supported | Supported | query | string | Audit log comment for this action. |
| dns_resolution_targets_polling_interval | Supported | Supported | body | integer | Change the DNS resolution target polling interval. |
| https_reachable_hosts_polling_interval | Supported | Supported | body | integer | Change the HTTPS reachable hosts polling interval. |
| icmp_request_targets_polling_interval | Supported | Supported | body | integer | Change the ICMP request targets polling interval. |
| location_precedence | Supported | Supported | body | list of strings | Reorder location precedence of network locations based upon the order of the list of network location IDs provided. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using the comment keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

location_precedence = ["string", "string", "string"]

response = falcon.update_network_locations_metadata(cid="string",
                                                    comment="string",
                                                    dns_resolution_targets_polling_interval=integer,
                                                    https_reachable_hosts_polling_interval=integer,
                                                    icmp_request_targets_polling_interval=integer,
                                                    location_precedence=location_precedence
                                                    )

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "cid": "string",
    "dns_resolution_targets_polling_interval": integer,
    "https_reachable_hosts_polling_interval": integer,
    "icmp_request_targets_polling_interval": integer,
    "location_precedence": [
        "string"
    ]
}

response = falcon.command("update_network_locations_metadata", comment="string", body=BODY)

print(response)


update_network_locations_precedence

Updates the network locations precedence according to the list of ids provided.

PEP8 method name

update_network_locations_precedence

Endpoint

Method Route
POST /fwmgr/entities/network-locations-precedence/v1

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Supported | Supported | body | dictionary | Full body payload in JSON format. |
| cid | Supported | Supported | body | string | CID for the location. |
| comment | Supported | Supported | query | string | Audit log comment for this action. |
| location_precedence | Supported | Supported | body | list of strings | Reorder location precedence of network locations based upon the order of the list of network location IDs provided. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using the comment keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

location_precedence = ["string", "string", "string"]

response = falcon.update_network_locations_precedence(cid="string",
                                                      comment="string",
                                                      location_precedence=location_precedence
                                                      )

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "cid": "string",
    "location_precedence": [
        "string"
    ]
}

response = falcon.command("update_network_locations_precedence", comment="string", body=BODY)

print(response)


get_network_locations

Get a summary of network locations entities by ID

PEP8 method name

get_network_locations

Endpoint

Method Route
GET /fwmgr/entities/network-locations/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | The ID of the network location to retrieve. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using ids keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_network_locations(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_network_locations", ids=id_list)

print(response)


upsert_network_locations

Updates the network locations provided and returns the ID.

PEP8 method name

upsert_network_locations

Endpoint

Method Route
PUT /fwmgr/entities/network-locations/v1

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Supported | Supported | body | dictionary | Full body payload in JSON format. |
| comment | Supported | Supported | query | string | Audit log comment for this action. |
| connection_types | Supported | Supported | body | dictionary | Connections available at this location. |
| created_by | Supported | Supported | body | string | User UUID that created the change. |
| created_on | Supported | Supported | body | string | Datetime formatted string reflecting the time of the change. |
| default_gateways | Supported | Supported | body | list of strings | List of available gateways at this location. |
| description | Supported | Supported | body | string | Description for the location. |
| dhcp_servers | Supported | Supported | body | list of strings | List of available DHCP servers at this location. |
| dns_resolution_targets | Supported | Supported | body | dictionary | Dictionary containing a list of DNS resolution targets for the location. |
| dns_servers | Supported | Supported | body | list of strings | List of available DNS servers at this location. |
| enabled | Supported | Supported | body | boolean | Flag indicating if this location is enabled. |
| host_addresses | Supported | Supported | body | list of strings | List of available host address ranges for this location. |
| https_reachable_hosts | Supported | Supported | body | dictionary | Dictionary containing a list of hostnames reachable via HTTPS at this location. |
| icmp_request_targets | Supported | Supported | body | dictionary | Dictionary containing targets for ICMP monitoring requests at this location. |
| id | Supported | Supported | body | string | Network location ID to upsert. |
| modified_by | Supported | Supported | body | string | User UUID performing this change. |
| modified_on | Supported | Supported | body | string | UTC formatted date string when this location was modified. |
| name | Supported | Supported | body | string | Name for this location. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using the comment keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

response = falcon.upsert_network_locations(comment="string",
                                           connection_types=connection_types,
                                           created_by="string",
                                           created_on="string",
                                           default_gateways=default_gateways,
                                           description="string",
                                           dhcp_servers=dhcp_servers,
                                           dns_resolution_targets=dns_resolution_targets,
                                           dns_servers=dns_servers,
                                           enabled=boolean,
                                           host_addresses=host_addresses,
                                           https_reachable_hosts=https_reachable_hosts,
                                           icmp_request_targets=icmp_request_targets,
                                           name="string",
                                           id="string",
                                           modified_by="string",
                                           modified_on="string"
                                           )

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

BODY = {
    "connection_types": connection_types,
    "created_by": "string",
    "created_on": "string",
    "default_gateways": default_gateways,
    "description": "string",
    "dhcp_servers": dhcp_servers,
    "dns_resolution_targets": dns_resolution_targets,
    "dns_servers": dns_servers,
    "enabled": boolean,
    "host_addresses": host_addresses,
    "https_reachable_hosts": https_reachable_hosts,
    "icmp_request_targets": icmp_request_targets,
    "name": "string",
    "id": "string",
    "modified_by": "string",
    "modified_on": "string"
}

response = falcon.command("upsert_network_locations", comment="string", body=BODY)

print(response)


create_network_locations

Creates the new network locations provided and returns the ID.

PEP8 method name

create_network_locations

Endpoint

Method Route
POST /fwmgr/entities/network-locations/v1

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| add_fw_rules | Supported | Supported | query | boolean | Flag to indicate that the cloned location needs to be added to the same firewall rules that encompass the original location. |
| body | Supported | Supported | body | dictionary | Full body payload in JSON format. |
| clone_id | Supported | Supported | query | string | A rule group ID from which to copy rules. If this keyword is provided then all other keywords excluding add_fw_rules and comment are ignored. |
| comment | Supported | Supported | query | string | Audit log comment for this action. |
| connection_types | Supported | Supported | body | dictionary | Connections available at this location. |
| default_gateways | Supported | Supported | body | list of strings | List of available gateways at this location. |
| description | Supported | Supported | body | string | Description for the location. |
| dhcp_servers | Supported | Supported | body | list of strings | List of available DHCP servers at this location. |
| dns_resolution_targets | Supported | Supported | body | dictionary | Dictionary containing a list of DNS resolution targets for the location. |
| dns_servers | Supported | Supported | body | list of strings | List of available DNS servers at this location. |
| enabled | Supported | Supported | body | boolean | Flag indicating if this location is enabled. |
| host_addresses | Supported | Supported | body | list of strings | List of available host address ranges for this location. |
| https_reachable_hosts | Supported | Supported | body | dictionary | Dictionary containing a list of hostnames reachable via HTTPS at this location. |
| icmp_request_targets | Supported | Supported | body | dictionary | Dictionary containing targets for ICMP monitoring requests at this location. |
| name | Supported | Supported | body | string | Name for this location. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using the add_fw_rules, clone_id or comment keywords. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}
response = falcon.create_network_locations(add_fw_rules=boolean,
                                           clone_id="string",
                                           comment="string",
                                           connection_types=connection_types,
                                           default_gateways=default_gateways,
                                           description="string",
                                           dhcp_servers=dhcp_servers,
                                           dns_resolution_targets=dns_resolution_targets,
                                           dns_servers=dns_servers,
                                           enabled=boolean,
                                           host_addresses=host_addresses,
                                           https_reachable_hosts=https_reachable_hosts,
                                           icmp_request_targets=icmp_request_targets,
                                           name="string",
                                           )

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

BODY = {
    "connection_types": connection_types,
    "default_gateways": default_gateways,
    "description": "string",
    "dhcp_servers": dhcp_servers,
    "dns_resolution_targets": dns_resolution_targets,
    "dns_servers": dns_servers,
    "enabled": boolean,
    "host_addresses": host_addresses,
    "https_reachable_hosts": https_reachable_hosts,
    "icmp_request_targets": icmp_request_targets,
    "name": "string"
}

response = falcon.command("create_network_locations",
                          add_fw_rules=boolean,
                          clone_id="string",
                          comment="string",
                          body=BODY
                          )

print(response)
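
The upsert, create and update operations on this page accept the same location fields, so a payload can be checked locally before it is sent with a `firewall-management:write` credential. The following is an added example, not part of FalconPy or this wiki: `lint_network_location` and its checks are hypothetical, the nesting follows the payload skeletons above, and treating the address fields as IP addresses or CIDR ranges is an assumption.

```python
import ipaddress

# Assumption of this example: these fields hold IP addresses or CIDR ranges.
ADDRESS_LISTS = ("default_gateways", "dhcp_servers", "dns_servers", "host_addresses")


def _parse_network(text):
    """Return an ip_network for an IP address or CIDR string, or None."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def _has_str_list(findings, container, key, label):
    """True if container[key] is a list of strings; records an error if malformed."""
    if key not in container:
        return False
    value = container[key]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return True
    findings.append(("error", f"{label} must be a list of strings"))
    return False


def lint_network_location(body):
    """Return (severity, message) findings for one network location payload."""
    findings = []
    if "name" in body and not (isinstance(body["name"], str) and body["name"].strip()):
        findings.append(("error", "name must be a non-empty string"))
    if "enabled" in body and not isinstance(body["enabled"], bool):
        findings.append(("error", "enabled must be a boolean"))

    for key in ADDRESS_LISTS:
        if not _has_str_list(findings, body, key, key):
            continue
        for entry in body[key]:
            net = _parse_network(entry)
            if net is None:
                findings.append(("error", f"{key}: {entry!r} is not an IP address or CIDR range"))
            elif key == "host_addresses" and net.prefixlen == 0:
                findings.append(("warning", f"host_addresses: {entry} matches every address"))

    conn = body.get("connection_types", {})
    if not isinstance(conn, dict):
        findings.append(("error", "connection_types must be a dictionary"))
        conn = {}
    if "wired" in conn and not isinstance(conn["wired"], bool):
        findings.append(("error", "connection_types.wired must be a boolean"))
    wireless = conn.get("wireless", {})
    if not isinstance(wireless, dict):
        findings.append(("error", "connection_types.wireless must be a dictionary"))
        wireless = {}
    _has_str_list(findings, wireless, "ssids", "connection_types.wireless.ssids")
    if wireless.get("enabled") is True and wireless.get("require_encryption") is not True:
        findings.append(("warning", "wireless is enabled without require_encryption"))

    dns = body.get("dns_resolution_targets", {})
    targets = dns.get("targets", []) if isinstance(dns, dict) else None
    if not isinstance(targets, list):
        findings.append(("error", "dns_resolution_targets must be a dictionary with a targets list"))
        targets = []
    for index, target in enumerate(targets):
        label = f"dns_resolution_targets.targets[{index}]"
        if not isinstance(target, dict) or not isinstance(target.get("hostname"), str):
            findings.append(("error", f"{label} needs a hostname string"))
        elif _has_str_list(findings, target, "ip_match", f"{label}.ip_match"):
            for entry in target["ip_match"]:
                if _parse_network(entry) is None:
                    findings.append(("error", f"{label}.ip_match: {entry!r} is not an IP or CIDR"))

    for key, inner in (("https_reachable_hosts", "hostnames"), ("icmp_request_targets", "targets")):
        section = body.get(key, {})
        if isinstance(section, dict):
            _has_str_list(findings, section, inner, f"{key}.{inner}")
        else:
            findings.append(("error", f"{key} must be a dictionary"))
    return findings


# Constructed sample payload (documentation address ranges, not real data).
SAMPLE_LOCATION = {
    "name": "Branch office",
    "enabled": True,
    "connection_types": {
        "wired": True,
        "wireless": {"enabled": True, "require_encryption": False, "ssids": ["corp-wifi"]},
    },
    "default_gateways": ["192.0.2.1"],
    "dns_servers": ["192.0.2.53", "dns.example"],
    "host_addresses": ["192.0.2.0/24", "0.0.0.0/0"],
    "dns_resolution_targets": {
        "targets": [{"hostname": "intranet.example", "ip_match": ["198.51.100.10"]}]
    },
    "https_reachable_hosts": {"hostnames": ["portal.example"]},
    "icmp_request_targets": {"targets": ["192.0.2.1"]},
}

if __name__ == "__main__":
    for severity, message in lint_network_location(SAMPLE_LOCATION):
        print(f"{severity}: {message}")
```

A payload that produces no `error` findings can be passed as `body=` to the Uber class or unpacked as keywords to the Service class method; `warning` findings are review prompts, not API constraints.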


delete_network_locations

Delete network location entities by ID.

PEP8 method name

delete_network_locations

Endpoint

Method Route
DELETE /fwmgr/entities/network-locations/v1

Required Scope

firewall-management:write

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | The ID of the network location to delete. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using ids keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_network_locations(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_network_locations", ids=id_list)

print(response)


update_network_locations

Updates the network locations provided and returns the ID.

PEP8 method name

update_network_locations

Endpoint

Method Route
PATCH /fwmgr/entities/network-locations/v1

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Supported | Supported | body | dictionary | Full body payload in JSON format. |
| comment | Supported | Supported | query | string | Audit log comment for this action. |
| connection_types | Supported | Supported | body | dictionary | Connections available at this location. |
| created_by | Supported | Supported | body | string | User UUID that created the change. |
| created_on | Supported | Supported | body | string | Datetime formatted string reflecting the time of the change. |
| default_gateways | Supported | Supported | body | list of strings | List of available gateways at this location. |
| description | Supported | Supported | body | string | Description for the location. |
| dhcp_servers | Supported | Supported | body | list of strings | List of available DHCP servers at this location. |
| dns_resolution_targets | Supported | Supported | body | dictionary | Dictionary containing a list of DNS resolution targets for the location. |
| dns_servers | Supported | Supported | body | list of strings | List of available DNS servers at this location. |
| enabled | Supported | Supported | body | boolean | Flag indicating if this location is enabled. |
| host_addresses | Supported | Supported | body | list of strings | List of available host address ranges for this location. |
| https_reachable_hosts | Supported | Supported | body | dictionary | Dictionary containing a list of hostnames reachable via HTTPS at this location. |
| icmp_request_targets | Supported | Supported | body | dictionary | Dictionary containing targets for ICMP monitoring requests at this location. |
| id | Supported | Supported | body | string | Network location ID to upsert. |
| modified_by | Supported | Supported | body | string | User UUID performing this change. |
| modified_on | Supported | Supported | body | string | UTC formatted date string when this location was modified. |
| name | Supported | Supported | body | string | Name for this location. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using the comment keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

response = falcon.update_network_locations(comment="string",
                                           connection_types=connection_types,
                                           created_by="string",
                                           created_on="string",
                                           default_gateways=default_gateways,
                                           description="string",
                                           dhcp_servers=dhcp_servers,
                                           dns_resolution_targets=dns_resolution_targets,
                                           dns_servers=dns_servers,
                                           enabled=boolean,
                                           host_addresses=host_addresses,
                                           https_reachable_hosts=https_reachable_hosts,
                                           icmp_request_targets=icmp_request_targets,
                                           name="string",
                                           id="string",
                                           modified_by="string",
                                           modified_on="string"
                                           )

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

BODY = {
    "connection_types": connection_types,
    "created_by": "string",
    "created_on": "string",
    "default_gateways": default_gateways,
    "description": "string",
    "dhcp_servers": dhcp_servers,
    "dns_resolution_targets": dns_resolution_targets,
    "dns_servers": dns_servers,
    "enabled": boolean,
    "host_addresses": host_addresses,
    "https_reachable_hosts": https_reachable_hosts,
    "icmp_request_targets": icmp_request_targets,
    "name": "string",
    "id": "string",
    "modified_by": "string",
    "modified_on": "string"
}

response = falcon.command("update_network_locations", comment="string", body=BODY)

print(response)


get_platforms

Get platforms by ID, e.g., windows or mac or droid

PEP8 method name

get_platforms

Endpoint

Method Route
GET /fwmgr/entities/platforms/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | The platforms to retrieve, identified by ID. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_platforms(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_platforms", ids=id_list)

print(response)


get_policy_containers

Get policy container entities by policy ID

PEP8 method name

get_policy_containers

Endpoint

Method Route
GET /fwmgr/entities/policies/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings The policy container(s) to retrieve, identified by policy ID.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_policy_containers(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_policy_containers", ids=id_list)

print(response)

Back to Table of Contents

update_policy_container_v1

Update an identified policy container.

PLEASE NOTE: This endpoint is deprecated in favor of update_policy_container (also known as update_policy_container_v2). Using this legacy endpoint could potentially disable your local logging setting.

PEP8 method name

update_policy_container_v1

Endpoint

Method Route
PUT /fwmgr/entities/policies/v1

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
default_inbound
Service Class Support

Uber Class Support
body string Default inbound.
default_outbound
Service Class Support

Uber Class Support
body string Default outbound.
enforce
Service Class Support

Uber Class Support
body boolean Enforcement flag.
is_default_policy
Service Class Support

Uber Class Support
body boolean Default policy flag.
local_logging
Service Class Support

Uber Class Support
body boolean Local logging flag.
platform_id
Service Class Support

Uber Class Support
body string ID of the platform for this policy container.
policy_id
Service Class Support

Uber Class Support
body string Policy ID to apply to this container.
rule_group_ids
Service Class Support

Uber Class Support
body string or list of strings Rule group IDs to include in this container.
test_mode
Service Class Support

Uber Class Support
body boolean Flag indicating if this container is in test mode.
tracking
Service Class Support

Uber Class Support
body string Tracking.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rule_groups = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.update_policy_container_v1(default_inbound="string",
                                             default_outbound="string",
                                             enforce=boolean,
                                             is_default_policy=boolean,
                                             local_logging=boolean,
                                             platform_id="string",
                                             policy_id="string",
                                             rule_group_ids=rule_groups,
                                             test_mode=boolean,
                                             tracking="string"
                                             )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rule_groups = ['ID1', 'ID2', 'ID3']

BODY = {
    "default_inbound": "string",
    "default_outbound": "string",
    "enforce": boolean,
    "is_default_policy": boolean,
    "local_logging": boolean,
    "platform_id": "string",
    "policy_id": "string",
    "rule_group_ids": rule_groups,
    "test_mode": boolean,
    "tracking": "string"
}

response = falcon.command("update_policy_container_v1", body=BODY)

print(response)

Back to Table of Contents

update_policy_container

Update an identified policy container

PEP8 method name

update_policy_container

Endpoint

Method Route
PUT /fwmgr/entities/policies/v2

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
default_inbound
Service Class Support

Uber Class Support
body string Default inbound.
default_outbound
Service Class Support

Uber Class Support
body string Default outbound.
enforce
Service Class Support

Uber Class Support
body boolean Enforcement flag.
is_default_policy
Service Class Support

Uber Class Support
body boolean Default policy flag.
local_logging
Service Class Support

Uber Class Support
body boolean Local logging flag.
platform_id
Service Class Support

Uber Class Support
body string ID of the platform for this policy container.
policy_id
Service Class Support

Uber Class Support
body string Policy ID to apply to this container.
rule_group_ids
Service Class Support

Uber Class Support
body string or list of strings Rule group IDs to include in this container.
test_mode
Service Class Support

Uber Class Support
body boolean Flag indicating if this container is in test mode.
tracking
Service Class Support

Uber Class Support
body string Tracking.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rule_groups = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.update_policy_container(default_inbound="string",
                                          default_outbound="string",
                                          enforce=boolean,
                                          is_default_policy=boolean,
                                          local_logging=boolean,
                                          platform_id="string",
                                          policy_id="string",
                                          rule_group_ids=rule_groups,
                                          test_mode=boolean,
                                          tracking="string"
                                          )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rule_groups = ['ID1', 'ID2', 'ID3']

BODY = {
    "default_inbound": "string",
    "default_outbound": "string",
    "enforce": boolean,
    "is_default_policy": boolean,
    "local_logging": boolean,
    "platform_id": "string",
    "policy_id": "string",
    "rule_group_ids": rule_groups,
    "test_mode": boolean,
    "tracking": "string"
}

response = falcon.command("update_policy_container", body=BODY)

print(response)
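
The deprecation note on update_policy_container_v1 warns that the legacy endpoint could disable the local logging setting, so a careful change through update_policy_container reads the container first, sends every current setting back along with the change, and re-checks local_logging afterwards. This is an added example, not FalconPy project code: find_container, build_update, update_container, FakeFalcon and the sample values are hypothetical, and it assumes get_policy_containers returns each container under body["resources"] with the same field names as the update keywords.

```python
# Added example, not FalconPy project code.
# Assumption: get_policy_containers returns each container in
# body["resources"] with the same field names the update keywords use.

CONTAINER_KEYS = (
    "default_inbound", "default_outbound", "enforce", "is_default_policy",
    "local_logging", "platform_id", "policy_id", "rule_group_ids",
    "test_mode", "tracking",
)


class LoggingDisabledError(RuntimeError):
    """local_logging was on before the update and is off after it."""


def find_container(response, policy_id):
    """Return the container for policy_id from a get_policy_containers response."""
    body = response.get("body") or {}
    if response.get("status_code") != 200:
        raise RuntimeError(f"get_policy_containers failed: {body.get('errors')}")
    for resource in body.get("resources") or []:
        if resource.get("policy_id") == policy_id:
            return resource
    raise LookupError(f"no policy container returned for {policy_id}")


def build_update(existing, **changes):
    """Merge changes over the current settings so nothing is left unset."""
    unknown = sorted(set(changes) - set(CONTAINER_KEYS))
    if unknown:
        raise ValueError(f"not update_policy_container keywords: {unknown}")
    payload = {key: existing[key] for key in CONTAINER_KEYS if key in existing}
    payload.update(changes)
    return payload


def update_container(falcon, policy_id, **changes):
    """Apply changes, then re-read the container and confirm logging survived."""
    before = find_container(falcon.get_policy_containers(ids=policy_id), policy_id)
    result = falcon.update_policy_container(**build_update(before, **changes))
    if result.get("status_code") not in (200, 201):
        errors = (result.get("body") or {}).get("errors")
        raise RuntimeError(f"update_policy_container failed: {errors}")
    after = find_container(falcon.get_policy_containers(ids=policy_id), policy_id)
    lost = before.get("local_logging") and not after.get("local_logging")
    # Only an explicit local_logging=False from the caller counts as intended.
    if lost and changes.get("local_logging") is not False:
        raise LoggingDisabledError(f"local_logging was switched off on {policy_id}")
    return after


class FakeFalcon:
    """Constructed in-memory stand-in for FirewallManagement (offline demo)."""

    def __init__(self, container, forgets_logging=False):
        self.container = dict(container)
        self.forgets_logging = forgets_logging  # simulates the failure mode

    def get_policy_containers(self, ids):
        return {"status_code": 200, "body": {"resources": [dict(self.container)]}}

    def update_policy_container(self, **kwargs):
        self.container.update(kwargs)
        if self.forgets_logging:
            self.container["local_logging"] = False
        return {"status_code": 200, "body": {"resources": []}}


SAMPLE = {  # constructed sample container, every value is a placeholder
    "policy_id": "POLICY_ID_PLACEHOLDER", "platform_id": "PLATFORM_ID_PLACEHOLDER",
    "default_inbound": "DENY", "default_outbound": "ALLOW",
    "enforce": False, "is_default_policy": False, "local_logging": True,
    "rule_group_ids": ["ID1", "ID2"], "test_mode": True,
    "tracking": "TRACKING_PLACEHOLDER",
}

if __name__ == "__main__":
    print(update_container(FakeFalcon(SAMPLE), SAMPLE["policy_id"], enforce=True))
```

With a real FirewallManagement object in place of FakeFalcon, update_container raises LoggingDisabledError instead of returning when the re-read container has lost its logging flag.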

Back to Table of Contents

get_rule_groups

Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order.

PEP8 method name

get_rule_groups

Endpoint

Method Route
GET /fwmgr/entities/rule-groups/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings The ID(s) of the rule group to retrieve.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_groups(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rule_groups", ids=id_list)

print(response)

Back to Table of Contents

create_rule_group

Create new rule group on a platform for a customer with a name and description, and return the ID

PEP8 method name

create_rule_group

Endpoint

Method Route
POST /fwmgr/entities/rule-groups/v1

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
action
Service Class Support

Uber Class Support
body
rules
string Rule action to perform. String. Overridden if rules keyword is provided.
address_family
Service Class Support

Uber Class Support
body
rules
string Address type, String. Either IP4, IP6 or NONE.
Overridden if rules keyword is provided.
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
clone_id
Service Class Support

Uber Class Support
query string A rule group ID from which to copy rules. If this is provided then the 'rules' property of the body is ignored.
comment
Service Class Support

Uber Class Support
query string Comment for this rule group.
description
Service Class Support

Uber Class Support
body string Rule group description.
direction
Service Class Support

Uber Class Support
body
rules
string Traffic direction for created rule. String. Either IN, OUT or BOTH.
Overridden if rules keyword is provided.
enabled
Service Class Support

Uber Class Support
body boolean Flag indicating if the rule group is enabled.
fields
Service Class Support

Uber Class Support
body
rules
dictionary or list of dictionaries Fields to impact. Dictionary or list of dictionaries.
Overridden if rules keyword is provided.
icmp
Service Class Support

Uber Class Support
body
rules
dictionary ICMP protocol options.
Overridden if rules keyword is provided.
library
Service Class Support

Uber Class Support
query string If this flag is set to true then the rules will be cloned from the clone_id from the CrowdStrike Firewall Rule Groups Library.
local_address
Service Class Support

Uber Class Support
body
rules
dictionary or list of dictionaries Local address and netmask detail.
Overridden if rules keyword is provided.
local_port
Service Class Support

Uber Class Support
body
rules
dictionary or list of dictionaries Local port range.
Overridden if rules keyword is provided.
log
Service Class Support

Uber Class Support
body
rules
boolean Log rule matches.
Overridden if rules keyword is provided.
name
Service Class Support

Uber Class Support
body string Rule group name.
monitor
Service Class Support

Uber Class Support
body
rules
dictionary Monitor count / period.
Overridden if rules keyword is provided.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
platform
Service Class Support

Uber Class Support
query string Common name for the OS platform this rule applies to. Should be provided instead of platform_ids.
platform_ids
Service Class Support

Uber Class Support
body
rules
string or list of strings OS platform(s) covered by rule. Supports comma delimited strings.
Overridden if rules keyword is provided.

DEPRECATED
protocol
Service Class Support

Uber Class Support
body
rules
integer Protocol specified by rule (Integer identifier).
Overridden if rules keyword is provided.
remote_address
Service Class Support

Uber Class Support
body
rules
dictionary or list of dictionaries Remote address and netmask detail.
Overridden if rules keyword is provided.
remote_port
Service Class Support

Uber Class Support
body
rules
dictionary or list of dictionaries Remote port range.
Overridden if rules keyword is provided.
rule_description
Service Class Support

Uber Class Support
body
rules
string Rule description.
Overridden if rules keyword is provided.
rule_enabled
Service Class Support

Uber Class Support
body
rules
boolean Enablement status for the new rule.
Overridden if rules keyword is provided.
rule_name
Service Class Support

Uber Class Support
body
rules
string Rule name.
Overridden if rules keyword is provided.
rules
Service Class Support

Uber Class Support
body dictionary or list of dictionaries Rule(s) in JSON format.
temp_id
Service Class Support

Uber Class Support
body
rules
string String to use for temporary rule ID.
Overridden if rules keyword is provided.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

new_rule = {
    "action": "string",
    "address_family": "string",
    "description": "string",
    "direction": "string",
    "enabled": boolean,
    "fields": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                "string"
            ]
        }
    ],
    "icmp": {
        "icmp_code": "string",
        "icmp_type": "string"
    },
    "local_address": [
        {
            "address": "string",
            "netmask": integer
        }
    ],
    "local_port": [
        {
            "end": integer,
            "start": integer
        }
    ],
    "log": boolean,
    "monitor": {
        "count": "string",
        "period_ms": "string"
    },
    "name": "string",
    "platform_ids": [
        "string"
    ],
    "protocol": "string",
    "remote_address": [
        {
            "address": "string",
            "netmask": integer
        }
    ],
    "remote_port": [
        {
            "end": integer,
            "start": integer
        }
    ],
    "temp_id": "string"
}

response = falcon.create_rule_group(clone_id="string",
                                    library="string",
                                    comment="string",
                                    description="string",
                                    enabled=boolean,
                                    name="string",
                                    platform="string",
                                    rules=new_rule
                                    )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

new_rule = {
    "action": "string",
    "address_family": "string",
    "description": "string",
    "direction": "string",
    "enabled": boolean,
    "fields": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                "string"
            ]
        }
    ],
    "icmp": {
        "icmp_code": "string",
        "icmp_type": "string"
    },
    "local_address": [
        {
            "address": "string",
            "netmask": integer
        }
    ],
    "local_port": [
        {
            "end": integer,
            "start": integer
        }
    ],
    "log": boolean,
    "monitor": {
        "count": "string",
        "period_ms": "string"
    },
    "name": "string",
    "platform_ids": [
        "string"
    ],
    "protocol": "string",
    "remote_address": [
        {
            "address": "string",
            "netmask": integer
        }
    ],
    "remote_port": [
        {
            "end": integer,
            "start": integer
        }
    ],
    "temp_id": "string"
}

BODY = {
    "description": "string",
    "enabled": boolean,
    "name": "string",
    "platform": "string",
    "rules": [new_rule]
}

response = falcon.command("create_rule_group",
                          body=BODY,
                          clone_id="string",
                          library="string",
                          comment="string"
                          )

print(response)
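
Several create_rule_group keywords are silently dropped when rules or clone_id is also passed, and the address_family and direction rows list the only accepted values. The pre-flight check below is an added example, not FalconPy project code; lint_rule, preflight and the sample rules are hypothetical, and the netmask and port bounds are assumptions taken from IP prefix lengths and the 16-bit port range.

```python
# Added example, not FalconPy project code.
# Keywords the table above marks "Overridden if rules keyword is provided".
RULE_KEYWORDS = frozenset({
    "action", "address_family", "direction", "fields", "icmp",
    "local_address", "local_port", "log", "monitor", "platform_ids",
    "protocol", "remote_address", "remote_port", "rule_description",
    "rule_enabled", "rule_name", "temp_id",
})
ADDRESS_FAMILIES = ("IP4", "IP6", "NONE")  # values listed for address_family
DIRECTIONS = ("IN", "OUT", "BOTH")         # values listed for direction
# Assumption: netmask is a prefix length, so the IP version bounds it.
MAX_NETMASK = {"IP4": 32, "IP6": 128}


def _is_int(value):
    """True for real integers; bool is rejected although it subclasses int."""
    return isinstance(value, int) and not isinstance(value, bool)


def _as_list(value):
    """Rule keywords accept one dictionary or a list of dictionaries."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_rule(rule):
    """Return the problems found in one rule dictionary (empty list if none)."""
    problems = []
    family = rule.get("address_family")
    if family not in ADDRESS_FAMILIES:
        problems.append(f"address_family {family!r} is not IP4, IP6 or NONE")
    if rule.get("direction") not in DIRECTIONS:
        problems.append(f"direction {rule.get('direction')!r} is not IN, OUT or BOTH")
    for flag in ("enabled", "log"):
        if flag in rule and not isinstance(rule[flag], bool):
            problems.append(f"{flag} must be a boolean, got {rule[flag]!r}")
    limit = MAX_NETMASK.get(family, 128) if isinstance(family, str) else 128
    for side in ("local_address", "remote_address"):
        for entry in _as_list(rule.get(side)):
            mask = entry.get("netmask") if isinstance(entry, dict) else None
            if not _is_int(mask) or not 0 <= mask <= limit:
                problems.append(f"{side} netmask {mask!r} is not an integer in 0..{limit}")
    for side in ("local_port", "remote_port"):
        for entry in _as_list(rule.get(side)):
            for edge in ("start", "end"):
                port = entry.get(edge) if isinstance(entry, dict) else None
                if not _is_int(port) or not 0 <= port <= 65535:
                    problems.append(f"{side} {edge} {port!r} is not an integer in 0..65535")
    return problems


def preflight(**kwargs):
    """Check create_rule_group keywords before they are sent.

    Returns {"ignored": [keywords], "problems": {rule name: [messages]}}.
    """
    rules = _as_list(kwargs.get("rules"))
    single = sorted(RULE_KEYWORDS & set(kwargs))
    ignored = []
    if kwargs.get("clone_id"):
        # clone_id makes the body's 'rules' property ignored; the single-rule
        # keywords only populate that property, so they are listed as well.
        ignored = (["rules"] if rules else []) + single
    elif rules:
        ignored = single
    problems = {}
    for index, rule in enumerate(rules):
        found = lint_rule(rule)
        if found:
            problems[rule.get("name") or f"rules[{index}]"] = found
    return {"ignored": ignored, "problems": problems}


SAMPLE_RULES = [  # constructed rules; addresses are documentation ranges
    {"name": "constructed-ok", "address_family": "IP4", "direction": "OUT",
     "enabled": True, "log": True,
     "remote_address": [{"address": "192.0.2.0", "netmask": 24}],
     "remote_port": [{"start": 443, "end": 443}]},
    {"name": "constructed-bad", "address_family": "IP4", "direction": "INBOUND",
     "log": "yes",
     "remote_address": [{"address": "192.0.2.0", "netmask": 64}],
     "remote_port": [{"start": 443, "end": 70000}]},
]

if __name__ == "__main__":
    print(preflight(name="constructed-group", rules=SAMPLE_RULES, direction="IN"))
```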

Back to Table of Contents

delete_rule_groups

Delete rule group entities by ID

PEP8 method name

delete_rule_groups

Endpoint

Method Route
DELETE /fwmgr/entities/rule-groups/v1

Required Scope

firewall-management:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
comment
Service Class Support

Uber Class Support
query string or list of strings Audit log comment for this operation.
ids
Service Class Support

Uber Class Support
query string or list of strings The rule groups to delete, identified by ID.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_groups(comment="string", ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_rule_groups", comment="string", ids=id_list)

print(response)

Back to Table of Contents

update_rule_group

Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules

PEP8 method name

update_rule_group

Endpoint

Method Route
PATCH /fwmgr/entities/rule-groups/v1

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
comment
Service Class Support

Uber Class Support
query string Audit log comment for this action.
diff_from
Service Class Support

Uber Class Support
body
diff_operations
string From value for the diff.
Overridden if diff_operations keyword is provided.
diff_op
Service Class Support

Uber Class Support
body
diff_operations
string Operation for the diff.
Overridden if diff_operations keyword is provided.
diff_operations
Service Class Support

Uber Class Support
body dictionary or list of dictionaries Differential operations to perform against the rule group.
diff_path
Service Class Support

Uber Class Support
body
diff_operations
string Path for the diff.
Overridden if diff_operations keyword is provided.
diff_type
Service Class Support

Uber Class Support
body string Type of diff to apply.
id
Service Class Support

Uber Class Support
body string ID of the rule group to update.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
rule_ids
Service Class Support

Uber Class Support
body list of strings Rule ID(s) to add to the rule group.
rule_versions
Service Class Support

Uber Class Support
body list of integers Rule group versions.
tracking
Service Class Support

Uber Class Support
body string Tracking.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]
diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

response = falcon.update_rule_group(comment="string",
                                    diff_operations=diffs,
                                    diff_type="string",
                                    id="string",
                                    rule_ids=rules,
                                    rule_versions=versions,
                                    tracking="string"
                                    )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]
diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

BODY = {
    "diff_operations": [diffs],
    "diff_type": "string",
    "id": "string",
    "rule_ids": rules,
    "rule_versions": versions,
    "tracking": "string"
}

response = falcon.command("update_rule_group",
                          comment="string",
                          body=BODY
                          )

print(response)

Back to Table of Contents

create_rule_group_validation

Validates the request of creating a new rule group on a platform for a customer with a name and description

PEP8 method name

create_rule_group_validation

Endpoint

Method Route
POST /fwmgr/entities/rule-groups/validation/v1

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format, not required if using other keywords.
clone_id
Service Class Support

Uber Class Support
query string A rule group validation ID from which to copy rules. If this is provided then the 'rules' property of the body is ignored.
comment
Service Class Support

Uber Class Support
query string Audit log comment for this action.
description
Service Class Support

Uber Class Support
body string Rule group validation description.
enabled
Service Class Support

Uber Class Support
body boolean Flag indicating if this validation is enabled.
library
Service Class Support

Uber Class Support
query boolean If this flag is set to true then the rules will be cloned from the clone_id from the CrowdStrike Firewall Rule Groups Library.
name
Service Class Support

Uber Class Support
body string Name for this rule group validation.
parameters
Service Class Support

Uber Class Support
query dictionary Full parameters payload in JSON format. Not required if using the clone_id and comment keywords.
platform
Service Class Support

Uber Class Support
body string Name of the platform this rule group validation is associated with.
rules
Service Class Support

Uber Class Support
body list of dictionaries JSON formatted list of rules to validate.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rule_list = [
    {
        "action": "string",
        "address_family": "string",
        "description": "string",
        "direction": "string",
        "enabled": boolean,
        "fields": [
            {
                "final_value": "string",
                "label": "string",
                "name": "string",
                "type": "string",
                "value": "string",
                "values": [
                    "string"
                ]
            }
        ],
        "fqdn": "string",
        "fqdn_enabled": boolean,
        "icmp": {
            "icmp_code": "string",
            "icmp_type": "string"
        },
        "local_address": [
            {
                "address": "string",
                "netmask": integer
            }
        ],
        "local_port": [
            {
                "end": integer,
                "start": integer
            }
        ],
        "log": boolean,
        "monitor": {
            "count": "string",
            "period_ms": "string"
        },
        "name": "string",
        "protocol": "string",
        "remote_address": [
            {
                "address": "string",
                "netmask": integer
            }
        ],
        "remote_port": [
            {
                "end": integer,
                "start": integer
            }
        ],
        "temp_id": "string"
    }
]

response = falcon.create_rule_group_validation(clone_id="string",
                                               comment="string",
                                               description="string",
                                               enabled=boolean,
                                               library="string",
                                               name="string",
                                               platform="string",
                                               rules=rule_list
                                               )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rule_list = [
    {
        "action": "string",
        "address_family": "string",
        "description": "string",
        "direction": "string",
        "enabled": boolean,
        "fields": [
            {
                "final_value": "string",
                "label": "string",
                "name": "string",
                "type": "string",
                "value": "string",
                "values": [
                    "string"
                ]
            }
        ],
        "fqdn": "string",
        "fqdn_enabled": boolean,
        "icmp": {
            "icmp_code": "string",
            "icmp_type": "string"
        },
        "local_address": [
            {
                "address": "string",
                "netmask": integer
            }
        ],
        "local_port": [
            {
                "end": integer,
                "start": integer
            }
        ],
        "log": boolean,
        "monitor": {
            "count": "string",
            "period_ms": "string"
        },
        "name": "string",
        "protocol": "string",
        "remote_address": [
            {
                "address": "string",
                "netmask": integer
            }
        ],
        "remote_port": [
            {
                "end": integer,
                "start": integer
            }
        ],
        "temp_id": "string"
    }
]

BODY = {
    "description": "string",
    "enabled": boolean,
    "name": "string",
    "platform": "string",
    "rules": rule_list
}

response = falcon.command("create_rule_group_validation",
                          clone_id="string",
                          comment="string",
                          library="string",
                          body=BODY
                          )

print(response)

Back to Table of Contents

update_rule_group_validation

Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules

PEP8 method name

update_rule_group_validation

Endpoint

Method Route
PATCH /fwmgr/entities/rule-groups/validation/v1

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
comment
Service Class Support

Uber Class Support
query string Audit log comment for this action.
diff_from
Service Class Support

Uber Class Support
body
diff_operations
string From value for the diff.
Overridden if diff_operations keyword is provided.
diff_op
Service Class Support

Uber Class Support
body
diff_operations
string Operation for the diff.
Overridden if diff_operations keyword is provided.
diff_operations
Service Class Support

Uber Class Support
body dictionary or list of dictionaries Differential operations to perform against the rule group.
diff_path
Service Class Support

Uber Class Support
body
diff_operations
string Path for the diff.
Overridden if diff_operations keyword is provided.
diff_type
Service Class Support

Uber Class Support
body string Type of diff to apply.
id
Service Class Support

Uber Class Support
body string ID of the rule group to update.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
rule_ids
Service Class Support

Uber Class Support
body list of strings Rule ID(s) to add to the rule group.
rule_versions
Service Class Support

Uber Class Support
body list of integers Rule group versions.
tracking
Service Class Support

Uber Class Support
body string Tracking.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]
diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

response = falcon.update_rule_group_validation(comment="string",
                                               diff_operations=diffs,
                                               diff_type="string",
                                               id="string",
                                               rule_ids=rules,
                                               rule_versions=versions,
                                               tracking="string"
                                               )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]
diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

BODY = {
    "diff_operations": [diffs],
    "diff_type": "string",
    "id": "string",
    "rule_ids": rules,
    "rule_versions": versions,
    "tracking": "string"
}

response = falcon.command("update_rule_group_validation",
                          comment="string",
                          body=BODY
                          )

print(response)

Back to Table of Contents

get_rules

Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)

PEP8 method name

get_rules

Endpoint

Method Route
GET /fwmgr/entities/rules/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | ✅ | ✅ | query | string or list of strings | The rules to retrieve, identified by ID. |
| parameters | ✅ | ✅ | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rules", ids=id_list)

print(response)

Back to Table of Contents

validate_filepath_pattern

Validates that the test pattern matches the executable filepath glob pattern.

PEP8 method name

validate_filepath_pattern

Endpoint

Method Route
POST /fwmgr/entities/rules/validate-filepath/v1

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | ✅ | ✅ | body | dictionary | Full body payload in JSON format. |
| filepath_pattern | ✅ | ✅ | body | string | Pattern to test against. |
| filepath_test_string | ✅ | ✅ | body | string | File path string to be tested. |

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy.firewall_management import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.validate_filepath_pattern(filepath_pattern="string",
                                            filepath_test_string="string"
                                            )

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "filepath_pattern": "string",
    "filepath_test_string": "string"
}

response = falcon.command("validate_filepath_pattern", body=BODY)

print(response)

Back to Table of Contents

query_events

Find all event IDs matching the query with filter

PEP8 method name

query_events

Endpoint

Method Route
GET /fwmgr/queries/events/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| after | ✅ | ✅ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | ✅ | ✅ | query | string | FQL Syntax formatted filter that should be used to limit the results. |
| limit | ✅ | ✅ | query | integer | Maximum number of results to return. |
| offset | ✅ | ✅ | query | integer | The offset to start retrieving records from. Offset and after are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k IOCs, use the after parameter instead of offset. |
| parameters | ✅ | ✅ | query | dictionary | Full query string parameters payload in JSON format. |
| q | ✅ | ✅ | query | string | Free text search across all indexed fields. |
| sort | ✅ | ✅ | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

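# offset and after are mutually exclusive, so only one is passed here.
# To page by offset instead, replace after="string" with offset=integer.
response = falcon.query_events(sort="string",
                               filter="string",
                               q="string",
                               after="string",
                               limit=integer
                               )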
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

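# offset and after are mutually exclusive, so only one is passed here.
# To page by offset instead, replace after="string" with offset=integer.
response = falcon.command("query_events",
                          sort="string",
                          filter="string",
                          q="string",
                          after="string",
                          limit=integer
                          )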

print(response)

Back to Table of Contents

query_firewall_fields

Get the firewall field specification IDs for the provided platform

PEP8 method name

query_firewall_fields

Endpoint

Method Route
GET /fwmgr/queries/firewall-fields/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| limit | ✅ | ✅ | query | integer | Maximum number of results to return. |
| offset | ✅ | ✅ | query | integer | The offset to start retrieving records from. Offset and after are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k IOCs, use the after parameter instead of offset. |
| parameters | ✅ | ✅ | query | dictionary | Full query string parameters payload in JSON format. |
| platform_id | ✅ | ✅ | query | string | Field configurations specific to this platform. |

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_firewall_fields(platform_id="string",
                                        offset=integer,
                                        limit=integer
                                        )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_firewall_fields",
                          platform_id="string",
                          limit=integer,
                          offset=integer
                          )

print(response)

Back to Table of Contents

query_network_locations

Get a list of network location IDs

PEP8 method name

query_network_locations

Endpoint

Method Route
GET /fwmgr/queries/network-locations/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| after | ✅ | ✅ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | ✅ | ✅ | query | string | FQL Syntax formatted filter that should be used to limit the results. |
| limit | ✅ | ✅ | query | integer | Maximum number of results to return. |
| offset | ✅ | ✅ | query | integer | The offset to start retrieving records from. Offset and after are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k IOCs, use the after parameter instead of offset. |
| parameters | ✅ | ✅ | query | dictionary | Full query string parameters payload in JSON format. |
| q | ✅ | ✅ | query | string | Free text search across all indexed fields. |
| sort | ✅ | ✅ | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy.firewall_management import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

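# offset and after are mutually exclusive, so only one is passed here.
# To page by offset instead, replace after="string" with offset=integer.
response = falcon.query_network_locations(sort="string",
                                          filter="string",
                                          q="string",
                                          after="string",
                                          limit=integer
                                          )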

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

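# offset and after are mutually exclusive, so only one is passed here.
# To page by offset instead, replace after="string" with offset=integer.
response = falcon.command("query_network_locations",
                          sort="string",
                          filter="string",
                          q="string",
                          after="string",
                          limit=integer
                          )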

print(response)

Back to Table of Contents

query_platforms

Get the list of platform names

PEP8 method name

query_platforms

Endpoint

Method Route
GET /fwmgr/queries/platforms/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| limit | ✅ | ✅ | query | integer | Maximum number of results to return. |
| offset | ✅ | ✅ | query | integer | The offset to start retrieving records from. Offset and after are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k IOCs, use the after parameter instead of offset. |
| parameters | ✅ | ✅ | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_platforms(offset=integer, limit=integer)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_platforms", limit=integer, offset=integer)

print(response)

Back to Table of Contents

query_policy_rules

Find all firewall rule IDs matching the query with filter, and return them in precedence order

PEP8 method name

query_policy_rules

Endpoint

Method Route
GET /fwmgr/queries/policy-rules/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| after | ✅ | ✅ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | ✅ | ✅ | query | string | FQL Syntax formatted filter that should be used to limit the results. |
| id | ✅ | ✅ | query | string | The ID of the policy container within which to query. |
| limit | ✅ | ✅ | query | integer | Maximum number of results to return. |
| offset | ✅ | ✅ | query | integer | The offset to start retrieving records from. Offset and after are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k IOCs, use the after parameter instead of offset. |
| parameters | ✅ | ✅ | query | dictionary | Full query string parameters payload in JSON format. |
| q | ✅ | ✅ | query | string | Free text search across all indexed fields. |
| sort | ✅ | ✅ | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

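# offset and after are mutually exclusive, so only one is passed here.
# To page by offset instead, replace after="string" with offset=integer.
response = falcon.query_policy_rules(id="string",
                                     sort="string",
                                     filter="string",
                                     q="string",
                                     limit=integer,
                                     after="string"
                                     )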
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

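# offset and after are mutually exclusive, so only one is passed here.
# To page by offset instead, replace after="string" with offset=integer.
response = falcon.command("query_policy_rules",
                          id="string",
                          sort="string",
                          filter="string",
                          q="string",
                          limit=integer,
                          after="string"
                          )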

print(response)

Back to Table of Contents

query_rule_groups

Find all rule group IDs matching the query with filter

PEP8 method name

query_rule_groups

Endpoint

Method Route
GET /fwmgr/queries/rule-groups/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| after | ✅ | ✅ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | ✅ | ✅ | query | string | FQL Syntax formatted filter that should be used to limit the results. |
| limit | ✅ | ✅ | query | integer | Maximum number of results to return. |
| offset | ✅ | ✅ | query | integer | The offset to start retrieving records from. Offset and after are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k IOCs, use the after parameter instead of offset. |
| parameters | ✅ | ✅ | query | dictionary | Full query string parameters payload in JSON format. |
| q | ✅ | ✅ | query | string | Free text search across all indexed fields. |
| sort | ✅ | ✅ | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

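# offset and after are mutually exclusive, so only one is passed here.
# To page by offset instead, replace after="string" with offset=integer.
response = falcon.query_rule_groups(sort="string",
                                    filter="string",
                                    q="string",
                                    after="string",
                                    limit=integer
                                    )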
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

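# offset and after are mutually exclusive, so only one is passed here.
# To page by offset instead, replace after="string" with offset=integer.
response = falcon.command("query_rule_groups",
                          sort="string",
                          filter="string",
                          q="string",
                          after="string",
                          limit=integer
                          )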

print(response)

Back to Table of Contents

query_rules

Find all rule IDs matching the query with filter

PEP8 method name

query_rules

Endpoint

Method Route
GET /fwmgr/queries/rules/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| after | ✅ | ✅ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | ✅ | ✅ | query | string | FQL Syntax formatted filter that should be used to limit the results. |
| limit | ✅ | ✅ | query | integer | Maximum number of results to return. |
| offset | ✅ | ✅ | query | integer | The offset to start retrieving records from. Offset and after are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k IOCs, use the after parameter instead of offset. |
| parameters | ✅ | ✅ | query | dictionary | Full query string parameters payload in JSON format. |
| q | ✅ | ✅ | query | string | Free text search across all indexed fields. |
| sort | ✅ | ✅ | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

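# offset and after are mutually exclusive, so only one is passed here.
# To page by offset instead, replace after="string" with offset=integer.
response = falcon.query_rules(sort="string",
                              filter="string",
                              q="string",
                              after="string",
                              limit=integer
                              )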
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

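# offset and after are mutually exclusive, so only one is passed here.
# To page by offset instead, replace after="string" with offset=integer.
response = falcon.command("query_rules",
                          sort="string",
                          filter="string",
                          q="string",
                          after="string",
                          limit=integer
                          )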

print(response)
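
The after-token pagination described for the query_* operations, combined with get_rules to export a full rule inventory for review, as an added example that is not part of the FalconPy documentation. The helper names (iter_rule_ids, fetch_rules), the StubFalcon class with its constructed IDs, the batch size of 100, and the location of the next token at body.meta.pagination.after are assumptions.

```python
"""Added example (not FalconPy documentation): page through query_rules with
the after token, then fetch the matching rules with get_rules."""


def iter_rule_ids(falcon, fql_filter=None, limit=100, max_pages=1000):
    """Yield every rule ID matching fql_filter by following the after token."""
    after, seen_tokens = None, set()
    for _ in range(max_pages):
        kwargs = {"limit": limit}
        if fql_filter:
            kwargs["filter"] = fql_filter
        if after:                     # the first request carries no after token
            kwargs["after"] = after   # offset is never sent alongside after
        response = falcon.query_rules(**kwargs)
        body = response["body"]
        if response["status_code"] != 200:
            raise RuntimeError(f"query_rules failed: {body.get('errors')}")
        ids = body.get("resources") or []
        yield from ids
        # Assumption: the next token is returned at body.meta.pagination.after.
        after = body.get("meta", {}).get("pagination", {}).get("after")
        if not ids or not after or after in seen_tokens:
            return                    # last page reached, or the token repeated
        seen_tokens.add(after)
    raise RuntimeError("max_pages reached before the result set ended")


def fetch_rules(falcon, rule_ids, batch_size=100):
    """Return the rule entities for rule_ids, requested in batches."""
    rule_ids, rules = list(rule_ids), []
    for start in range(0, len(rule_ids), batch_size):
        response = falcon.get_rules(ids=rule_ids[start:start + batch_size])
        body = response["body"]
        if response["status_code"] != 200:
            raise RuntimeError(f"get_rules failed: {body.get('errors')}")
        rules.extend(body.get("resources") or [])
    return rules


class StubFalcon:
    """Constructed stand-in for FirewallManagement so the example runs offline."""

    def __init__(self, ids):
        self.ids, self.calls = ids, []

    def query_rules(self, **kwargs):
        self.calls.append(kwargs)
        start = int(kwargs.get("after") or 0)
        page = self.ids[start:start + kwargs["limit"]]
        end = start + len(page)
        pagination = {"after": str(end)} if end < len(self.ids) else {}
        return {"status_code": 200,
                "body": {"resources": page, "meta": {"pagination": pagination}}}

    def get_rules(self, ids):
        # Constructed rule records; real entities carry many more fields.
        return {"status_code": 200,
                "body": {"resources": [{"id": rule_id} for rule_id in ids]}}


if __name__ == "__main__":
    falcon = StubFalcon([f"ID{n}" for n in range(1, 8)])  # constructed IDs
    ids = list(iter_rule_ids(falcon, limit=3))
    print(len(falcon.calls), "query_rules calls;", len(fetch_rules(falcon, ids)), "rules")
```

With a real tenant, pass an authenticated FirewallManagement instance in place of StubFalcon.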

Back to Table of Contents
