Skip to content

Discover

Joshua Hiller edited this page Dec 19, 2024 · 26 revisions

CrowdStrike Falcon CrowdStrike Subreddit

Using the Discover service collection

Uber class support Service class support Documentation Version Page Updated Samples Available

This service collection has code examples posted to the repository.

Table of Contents

Operation ID Description
combined_applications
PEP8 query_combined_applications
Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on applications which match the filter criteria.
combined_hosts
PEP8 query_combined_hosts
Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on assets which match the filter criteria.
get_accounts
PEP8 get_accounts
Get details on accounts by providing one or more IDs.
get_applications
PEP8 get_applications
Get details on applications by providing one or more IDs.
get_hosts
PEP8 get_hosts
Get details on assets by providing one or more IDs.
get_iot_hosts
PEP8 get_iot_hosts
Get details on IoT assets by providing one or more IDs.
get_logins
PEP8 get_logins
Get details on logins by providing one or more IDs.
query_accounts
PEP8 query_accounts
Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_applications
PEP8 query_applications
Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria.
query_hosts
PEP8 query_hosts
Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts
PEP8 query_iot_hosts
Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hostsV2
PEP8 query_iot_hosts_v2
Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_logins
PEP8 query_logins
Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

combined_applications

Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on applications which match the filter criteria.

PEP8 method name

query_combined_applications

Endpoint

Method Route
GET /discover/combined/applications/v1

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter applications using a FQL query. A list of available filters can be found here.
limit
Service Class Support

Uber Class Support
query integer The number of account IDs to return in this response (Max: 1000, Default: 100).

Use with the after parameter to manage pagination of results.
after
Service Class Support

Uber Class Support
query string A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
query string Sort accounts by their properties. A single sort field is allowed. Common sort options include:
  • username|asc
  • last_failed_login_timestamp|desc
Available filters

The following properties can be using for filtering and sorting.

Name Description
id Unique ID of the application. Each application ID represents a particular instance of an application on a particular asset.

Example:
  • id:'a89xxxxxxxxxxxxxxxxxxxxxxxxx08e_137xxxxxxxxxxxx191'
cid The application's customer ID. In multi-CID environments:
  • You can filter on both parent and child CIDs.
  • If you're in a parent CID and leave this filter empty, the response includes data about the parent CID and all its child CIDs.
  • If you're in a parent CID and use this filter, the response includes data for only the CIDs you filtered on.
  • If you're in a child CID, this property will only show data for that CID.
Examples:
  • cid:'cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4'
  • cid:!'cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4'
  • cid:'cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4',cid:'dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx5'
name Name of the application.

Example: name:'Chrome'
vendor Name of the application vendor.

Examples:
  • vendor:'Microsoft Corporation'
  • vendor:'CrowdStrike'
version Application version.

Examples:
  • version:'4.8.4320.0'
  • version:'108.0.5359.99'
name_vendor The app name and vendor name for all application IDs with this application name, this field can be used to group results by application. .

Examples:
  • name_vendor:'Chrome-Google'
  • name_vendor:'Tools-VMware'
name_vendor_version The app name, vendor name, and vendor version for all application IDs with this application name, this field can be used to group results by application version.

Examples:
  • name_vendor_version:'Chrome-Google-108.0.5359.99'
  • name_vendor_version:'Flash Player-Adobe-32.0.0.387'
versioning_scheme Versioning scheme of the application.

Example: versioning_scheme:'semver'
groups All application groups the application is assigned to. For more info, see Create application groups.

Example: groups:'ExampleAppGroup'
category Category the application is in. For more info, see Understanding applications.

Examples:
  • category:'IT/Security Apps'
  • category:'Web Browsers'
  • category:'Back up and Recovery'
architectures Application architecture.

Examples:
  • architectures:'x86'
  • architectures:!'x64'
installation_paths File paths of the application or executable file to the folder on the asset.

Examples:
  • installation_paths:'C:\Program Files\Internet Explorer\iexplore.exe'
  • installation_paths:'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
installation_timestamp Date and time the application was installed, if available.

Example: installation_timestamp:'2023-01-11T00:00:00.000Z'
first_seen_timestamp Date and time the application was first seen.

Example: first_seen_timestamp:'2022-12-22T12:41:47.417Z'
last_updated_timestamp Date and time the installation fields of the application instance most recently changed.

Example: last_updated_timestamp:'2022-12-22T12:41:47.417Z'
last_used_user_sid For Windows and macOS: Security identifier of the account that most recently used the application.

Example: last_used_user_sid:'S-1-x-x-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx1'
last_used_user_name For Windows and macOS: Username of the account that most recently used the application.

Examples:
  • last_used_user_name:'Administrator'
  • last_used_user_name:'xiany'
last_used_file_name For Windows and macOS: Most recent file name used for the application.

Examples:
  • last_used_file_name:'setup.exe'
  • last_used_file_name:'putty.exe'
last_used_file_hash For Windows and macOS: Most recent file hash used for the application.

Example: last_used_file_hash:'0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa'
last_used_timestamp For Windows and macOS: Date and time the application was most recently used.

Example: last_used_timestamp:'2023-01-10T23:00:00.000Z'
is_normalized For Windows: Whether the application name is normalized (true or false).

Applications can have different naming variations that result in different records for each variation, for example, Acrobat Reader, Adobe Acrobat Reader, and Acrobat. To avoid this duplication, the most common applications are listed under a single normalized application name, for example, Acrobat.

Example: is_normalized:true
is_suspicious Whether the application is suspicious based on how often it's been seen in a detection on that asset (true or false).

Examples: is_suspicious:true or is_suspicious:!false
host.id Unique ID of the asset the application is on.

Example: host.id:'a89xxxxxxxxxxxxxxxxxxxxxxxxx08e_137xxxxxxxxxxxx191'
host.aid ID of the Falcon sensor installed on the asset the application is on.

Example: host.aid:'14xxxxxxxxxxxxxxxxxxxxxxxxxxxx2f'
host.country Name of the country where the asset the application is on is located.

Examples: host.country:'United States Of America' or host.country:!'Germany'
host.platform_name The platform name of the asset the application is on (Windows, Mac, Linux).

Examples: host.platform_name:'Windows' or host.platform_name:!'Linux'
host.os_version OS version of the asset the application is on.

Examples:
  • host.os_version:'Windows 10'
  • host.os_version:!'Ubuntu 16.04'
  • host.os_version:*'Win*'
host.kernel_version For Linux and Mac: The major version, minor version, and patch version of the kernel for the asset the application is on.

For Windows: the build number of the asset the application is on.

Examples:
  • host.kernel_version:'7601'
  • host.kernel_version:!'7601'
  • host.kernel_version:*'*01'
host.product_type_desc The product type of the asset the application is on (Workstation, Domain Controller, Server).

Examples:
  • host.product_type_desc:'Workstation'
  • host.product_type_desc:!'Domain Controller'
  • host.product_type_desc:'Server'
host.tags Sensor and cloud tags of the asset the application is on.

Examples:
  • host.tags:'FalconTag/Tag1'
  • host.tags:!'FalconTag/Tag1'
  • host.tags:*'Falcon*'
host.groups Host management groups the asset the application is on is part of.

Examples:
  • host.groups:'Workstations'
  • host.groups:!'QA Computers'
  • host.groups:*'Windows*'
host.agent_version Version of the Falcon sensor that's installed on the asset the application is on.

Examples:
  • host.agent_version:'6.24.13806.0'
  • host.agent_version:!'6.24.13806.0'
  • host.agent_version:*'6.24.*'
host.system_manufacturer System manufacturer of the asset the application is on.

Examples:
  • host.system_manufacturer:'VMware, Inc.'
  • host.system_manufacturer:!'VMware, Inc.'
  • host.system_manufacturer:*'*VMware*'
host.ou Organizational unit of the asset the application is on.

Examples: host.ou:'Endpoints' or host.ou:!'Endpoints'
host.machine_domain Domain name the asset the application is on is currently joined to.

Examples:
  • host.machine_domain:'domain.example.com'
  • host.machine_domain:!'domain.example.com'
  • host.machine_domain:*'*example.com'
host.site_name Site name of the domain the asset the asset the application is on is joined to (applies only to Windows hosts).

Examples:
  • host.site_name:'web-120.example.com'
  • host.site_name:!'web-120.examplee.com'
  • host.site_name:*'web-120.*'
host.external_ip External IPv4 address of the asset the application is on.

Examples:
  • host.external_ip:'192.0.2.71'
  • host.external_ip:!'192.0.2.71'
  • host.external_ip:'192.0.2.71/24'
host.hostname Hostname of the asset the application is on.

Examples: host.hostname:'ABC-123-DEF-456' or host.hostname:!'ABC-123-DEF-456'
host.current_network_prefix Most recent network prefix of the asset the application is on.

Examples: host.network_prefix:'192.0' or host.network_prefix:!'192.0'
host.internet_exposure Whether the asset the application is on is exposed to the internet (Yes or Unknown).

Examples: host.internet_exposure:'Yes' or host.internet_exposure:!'Unknown'
host.current_mac_address Most recent MAC address of the asset the application is on.

Examples:
  • host.current_mac_address:'A1-B2-C4-D5-E5-F6'
  • host.current_mac_address:*'A1-B2-C4*'

Usage

Service class example (PEP8 syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_combined_applications(after="string",
                                              limit=integer,
                                              sort="string",
                                              filter="string"
                                              )
print(response)
Service class example (Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.combined_applications(after="string",
                                        limit=integer,
                                        sort="string",
                                        filter="string"
                                        )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_applications",
                          after="string",
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

combined_hosts

Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns details on assets which match the filter criteria.

PEP8 method name

query_combined_hosts

Endpoint

Method Route
GET /discover/combined/hosts/v1

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter assets using a FQL query.

A complete list of available filters can be found here.
limit
Service Class Support

Uber Class Support
query integer The number of asset IDs to return in this response (Max: 1000, Default: 100).

Use with the after parameter to manage pagination of results.
after
Service Class Support

Uber Class Support
query string A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
query string Sort assets by their properties. A single sort field is allowed. Common sort options include:
  • hostname|asc
  • product_type_desc|desc
Available FQL Filters

Available filter fields that support exact match: id, aid, entity_type, country, city, platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, machine_domain, site_name, external_ip, hostname, local_ips_count, network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.interface_alias, network_interfaces.interface_description, network_interfaces.network_prefix, last_discoverer_aid, discoverer_count, discoverer_aids, discoverer_tags, discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, data_providers, data_providers_count, mac_addresses, local_ip_addresses, reduced_functionality_mode, number_of_disk_drives, processor_package_count, physical_core_count, logical_core_count, total_disk_space, disk_sizes.disk_name, disk_sizes.disk_space, cpu_processor_name, total_memory, encryption_status, encrypted_drives, encrypted_drives_count, unencrypted_drives, unencrypted_drives_count, os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.device_guard_status, os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, os_security.iommu_protection_status, os_security.secure_boot_enabled_status, os_security.uefi_memory_protection_status, os_security.virtualization_based_security_status, os_security.kernel_dma_protection_status, total_bios_files, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, bios_id, average_processor_usage, average_memory_usage, average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, available_disk_space, available_disk_space_pct, mount_storage_info.mount_path, mount_storage_info.used_space, mount_storage_info.available_space, form_factor, servicenow_id, owned_by, managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, ad_user_account_control, account_enabled, creation_timestamp, email, os_service_pack, location, state, cpu_manufacturer, discovering_by

Available filter fields that supports wildcard (*): id, aid, entity_type, country, city, platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, machine_domain, site_name, external_ip, hostname, network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.interface_alias, network_interfaces.interface_description, network_interfaces.network_prefix, last_discoverer_aid, discoverer_aids, discoverer_tags, discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, disk_sizes.disk_name, cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.device_guard_status, os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, os_security.iommu_protection_status, os_security.secure_boot_enabled_status, os_security.uefi_memory_protection_status, os_security.virtualization_based_security_status, os_security.kernel_dma_protection_status, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, bios_id, mount_storage_info.mount_path, form_factor, servicenow_id, owned_by, managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, account_enabled, email, os_service_pack, location, state, cpu_manufacturer, discovering_by

Available filter fields that supports range comparisons (>, <, >=, <=): first_seen_timestamp, last_seen_timestamp, local_ips_count, discoverer_count, confidence, number_of_disk_drives, processor_package_count, physical_core_count, data_providers_count, logical_core_count, total_disk_space, disk_sizes.disk_space, total_memory, encrypted_drives_count, unencrypted_drives_count, total_bios_files, average_processor_usage, average_memory_usage, average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, available_disk_space, available_disk_space_pct, mount_storage_info.used_space, mount_storage_info.available_space, ad_user_account_control, creation_timestamp

All filter fields and operations supports negation (!).

Usage

Service class example (PEP8 syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_combined_hosts(after="string",
                                       limit=integer,
                                       sort="string",
                                       filter="string"
                                       )
print(response)
Service class example (Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.combined_hosts(after="string",
                                 limit=integer,
                                 sort="string",
                                 filter="string"
                                 )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_hosts",
                          after="string",
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

get_accounts

Get details on assets by providing one or more IDs.

PEP8 method name

get_accounts

Endpoint

Method Route
GET /discover/entities/accounts/v1

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings One or more account IDs. (Max: 100)

Find account IDs with query_accounts.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_accounts(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_accounts", ids=id_list)
print(response)

get_applications

Get details on applications by providing one or more IDs.

PEP8 method name

get_applications

Endpoint

Method Route
GET /discover/entities/applications/v1

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings One or more account IDs. (Max: 100)

Find account IDs with query_accounts.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_applications(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_applications", ids=id_list)
print(response)

get_hosts

Get details on assets by providing one or more IDs.

PEP8 method name

get_hosts

Endpoint

Method Route
GET /discover/entities/hosts/v1

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings One or more asset IDs. (Max: 100)

Find asset IDs with query_hosts.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_hosts(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_hosts", ids=id_list)
print(response)

get_iot_hosts

Get details on assets by providing one or more IDs.

PEP8 method name

get_iot_hosts

Endpoint

Method Route
GET /discover/entities/iot-hosts/v1

Required Scope

discover-iot:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings One or more IoT asset IDs. (Max: 100)

Find asset IDs with query_iot_hosts.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_iot_hosts(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_iot_hosts", ids=id_list)

print(response)

get_logins

Get details on assets by providing one or more IDs.

PEP8 method name

get_logins

Endpoint

Method Route
GET /discover/entities/logins/v1

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings One or more login IDs. (Max: 100)

Find login IDs with query_logins.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_logins(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_logins", ids=id_list)
print(response)

query_accounts

Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_accounts

Endpoint

Method Route
GET /discover/queries/accounts/v1

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter accounts using a FQL query.

A complete list of available filters can be found here.
limit
Service Class Support

Uber Class Support
query integer The number of account IDs to return in this response (Max: 100, Default: 100).

Use with the offset parameter to manage pagination of results.
offset
Service Class Support

Uber Class Support
query string An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
query string Sort accounts by their properties. A single sort field is allowed. Common sort options include:
  • username|asc
  • last_failed_login_timestamp|desc
Available FQL Filters

Common filters include:

  • account_type:'Local'
  • admin_privileges:'Yes'
  • first_seen_timestamp:<'now-7d'
  • last_successful_login_type:'Terminal server'

The following table lists acceptable values for the filter keyword described above.

id last_successful_login_timestamp
cid last_successful_login_hostname
user_sid last_successful_login_remote_ip
login_domain last_successful_login_host_country
account_name last_successful_login_host_city
username last_failed_login_type
account_type last_failed_login_timestamp
admin_privileges last_failed_login_hostname
first_seen_timestamp password_last_set_timestamp
last_successful_login_type  

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_accounts(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_accounts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_applications

Search for applications in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria.

PEP8 method name

query_applications

Endpoint

Method Route
GET /discover/queries/applications/v1

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter applications using a FQL query. A list of available filters can be found here.
limit
Service Class Support

Uber Class Support
query integer The number of account IDs to return in this response (Max: 100, Default: 100).

Use with the offset parameter to manage pagination of results.
offset
Service Class Support

Uber Class Support
query string An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
query string Sort accounts by their properties. A single sort field is allowed. Common sort options include:
  • username|asc
  • last_failed_login_timestamp|desc
Available filters

The following properties can be using for filtering and sorting.

Name Description
id Unique ID of the application. Each application ID represents a particular instance of an application on a particular asset.

Example:
  • id:'a89xxxxxxxxxxxxxxxxxxxxxxxxx08e_137xxxxxxxxxxxx191'
cid The application's customer ID. In multi-CID environments:
  • You can filter on both parent and child CIDs.
  • If you're in a parent CID and leave this filter empty, the response includes data about the parent CID and all its child CIDs.
  • If you're in a parent CID and use this filter, the response includes data for only the CIDs you filtered on.
  • If you're in a child CID, this property will only show data for that CID.
Examples:
  • cid:'cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4'
  • cid:!'cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4'
  • cid:'cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4',cid:'dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx5'
name Name of the application.

Example: name:'Chrome'
vendor Name of the application vendor.

Examples:
  • vendor:'Microsoft Corporation'
  • vendor:'CrowdStrike'
version Application version.

Examples:
  • version:'4.8.4320.0'
  • version:'108.0.5359.99'
name_vendor The app name and vendor name for all application IDs with this application name, this field can be used to group results by application. .

Examples:
  • name_vendor:'Chrome-Google'
  • name_vendor:'Tools-VMware'
name_vendor_version The app name, vendor name, and vendor version for all application IDs with this application name, this field can be used to group results by application version.

Examples:
  • name_vendor_version:'Chrome-Google-108.0.5359.99'
  • name_vendor_version:'Flash Player-Adobe-32.0.0.387'
versioning_scheme Versioning scheme of the application.

Example: versioning_scheme:'semver'
groups All application groups the application is assigned to. For more info, see Create application groups.

Example: groups:'ExampleAppGroup'
category Category the application is in. For more info, see Understanding applications.

Examples:
  • category:'IT/Security Apps'
  • category:'Web Browsers'
  • category:'Back up and Recovery'
architectures Application architecture.

Examples:
  • architectures:'x86'
  • architectures:!'x64'
installation_paths File paths of the application or executable file to the folder on the asset.

Examples:
  • installation_paths:'C:\Program Files\Internet Explorer\iexplore.exe'
  • installation_paths:'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
installation_timestamp Date and time the application was installed, if available.

Example: installation_timestamp:'2023-01-11T00:00:00.000Z'
first_seen_timestamp Date and time the application was first seen.

Example: first_seen_timestamp:'2022-12-22T12:41:47.417Z'
last_updated_timestamp Date and time the installation fields of the application instance most recently changed.

Example: last_updated_timestamp:'2022-12-22T12:41:47.417Z'
last_used_user_sid For Windows and macOS: Security identifier of the account that most recently used the application.

Example: last_used_user_sid:'S-1-x-x-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx1'
last_used_user_name For Windows and macOS: Username of the account that most recently used the application.

Examples:
  • last_used_user_name:'Administrator'
  • last_used_user_name:'xiany'
last_used_file_name For Windows and macOS: Most recent file name used for the application.

Examples:
  • last_used_file_name:'setup.exe'
  • last_used_file_name:'putty.exe'
last_used_file_hash For Windows and macOS: Most recent file hash used for the application.

Example: last_used_file_hash:'0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa'
last_used_timestamp For Windows and macOS: Date and time the application was most recently used.

Example: last_used_timestamp:'2023-01-10T23:00:00.000Z'
is_normalized For Windows: Whether the application name is normalized (true or false).

Applications can have different naming variations that result in different records for each variation, for example, Acrobat Reader, Adobe Acrobat Reader, and Acrobat. To avoid this duplication, the most common applications are listed under a single normalized application name, for example, Acrobat.

Example: is_normalized:true
is_suspicious Whether the application is suspicious based on how often it's been seen in a detection on that asset (true or false).

Examples: is_suspicious:true or is_suspicious:!false
host.id Unique ID of the asset the application is on.

Example: host.id:'a89xxxxxxxxxxxxxxxxxxxxxxxxx08e_137xxxxxxxxxxxx191'
host.aid ID of the Falcon sensor installed on the asset the application is on.

Example: host.aid:'14xxxxxxxxxxxxxxxxxxxxxxxxxxxx2f'
host.country Name of the country where the asset the application is on is located.

Examples: host.country:'United States Of America' or host.country:!'Germany'
host.platform_name The platform name of the asset the application is on (Windows, Mac, Linux).

Examples: host.platform_name:'Windows' or host.platform_name:!'Linux'
host.os_version OS version of the asset the application is on.

Examples:
  • host.os_version:'Windows 10'
  • host.os_version:!'Ubuntu 16.04'
  • host.os_version:*'Win*'
host.kernel_version For Linux and Mac: The major version, minor version, and patch version of the kernel for the asset the application is on.

For Windows: the build number of the asset the application is on.

Examples:
  • host.kernel_version:'7601'
  • host.kernel_version:!'7601'
  • host.kernel_version:*'*01'
host.product_type_desc The product type of the asset the application is on (Workstation, Domain Controller, Server).

Examples:
  • host.product_type_desc:'Workstation'
  • host.product_type_desc:!'Domain Controller'
  • host.product_type_desc:'Server'
host.tags Sensor and cloud tags of the asset the application is on.

Examples:
  • host.tags:'FalconTag/Tag1'
  • host.tags:!'FalconTag/Tag1'
  • host.tags:*'Falcon*'
host.groups Host management groups the asset the application is on is part of.

Examples:
  • host.groups:'Workstations'
  • host.groups:!'QA Computers'
  • host.groups:*'Windows*'
host.agent_version Version of the Falcon sensor that's installed on the asset the application is on.

Examples:
  • host.agent_version:'6.24.13806.0'
  • host.agent_version:!'6.24.13806.0'
  • host.agent_version:*'6.24.*'
host.system_manufacturer System manufacturer of the asset the application is on.

Examples:
  • host.system_manufacturer:'VMware, Inc.'
  • host.system_manufacturer:!'VMware, Inc.'
  • host.system_manufacturer:*'*VMware*'
host.ou Organizational unit of the asset the application is on.

Examples: host.ou:'Endpoints' or host.ou:!'Endpoints'
host.machine_domain Domain name the asset the application is on is currently joined to.

Examples:
  • host.machine_domain:'domain.example.com'
  • host.machine_domain:!'domain.example.com'
  • host.machine_domain:*'*example.com'
host.site_name Site name of the domain the asset the asset the application is on is joined to (applies only to Windows hosts).

Examples:
  • host.site_name:'web-120.example.com'
  • host.site_name:!'web-120.examplee.com'
  • host.site_name:*'web-120.*'
host.external_ip External IPv4 address of the asset the application is on.

Examples:
  • host.external_ip:'192.0.2.71'
  • host.external_ip:!'192.0.2.71'
  • host.external_ip:'192.0.2.71/24'
host.hostname Hostname of the asset the application is on.

Examples: host.hostname:'ABC-123-DEF-456' or host.hostname:!'ABC-123-DEF-456'
host.current_network_prefix Most recent network prefix of the asset the application is on.

Examples: host.network_prefix:'192.0' or host.network_prefix:!'192.0'
host.internet_exposure Whether the asset the application is on is exposed to the internet (Yes or Unknown).

Examples: host.internet_exposure:'Yes' or host.internet_exposure:!'Unknown'
host.current_mac_address Most recent MAC address of the asset the application is on.

Examples:
  • host.current_mac_address:'A1-B2-C4-D5-E5-F6'
  • host.current_mac_address:*'A1-B2-C4*'

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_applications(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string"
                                     )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_applications",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_hosts

Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_hosts

Endpoint

Method Route
GET /discover/queries/hosts/v1

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter assets using a FQL query.

A complete list of available filters can be found here.
limit
Service Class Support

Uber Class Support
query integer The number of asset IDs to return in this response (Max: 100, Default: 100).

Use with the offset parameter to manage pagination of results.
offset
Service Class Support

Uber Class Support
query string An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
query string Sort assets by their properties. A single sort field is allowed. Common sort options include:
  • hostname|asc
  • product_type_desc|desc
Available FQL Filters

The following table lists acceptable values for the filter keyword described above.

agent_version kernel_version
aid last_discoverer_aid
bios_manufacturer last_seen_timestamp
bios_version local_ips_count
cid machine_domain
city network_interfaces
confidence network_interfaces.interface_alias
country network_interfaces.interface_description
current_local_ip network_interfaces.local_ip
discoverer_aids network_interfaces.mac_address
discoverer_count network_interfaces.network_prefix
discoverer_platform_names os_version
discoverer_product_type_descs ou
discoverer_tags platform_name
entity_type product_type
external_ip product_type_desc
first_discoverer_aid site_name
first_discoverer_ip system_manufacturer
first_seen_timestamp system_product_name
groups system_serial_number
hostname tags
id  

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_hosts(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_hosts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_iot_hosts

Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_iot_hosts

Endpoint

Method Route
GET /discover/queries/iot-hosts/v1

Required Scope

discover-iot:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter assets using a FQL query.

A complete list of available filters can be found here.
limit
Service Class Support

Uber Class Support
query integer The number of IoT asset IDs to return in this response (Max: 100, Default: 100).

Use with the offset parameter to manage pagination of results.
offset
Service Class Support

Uber Class Support
query string An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
query string Sort IoT assets by their properties. A single sort field is allowed. Common sort options include:
  • hostname|asc
  • product_type_desc|desc
Available FQL Filters

The following table lists acceptable values for the filter keyword described above.

agent_version local_ips_count
aid mac_addresses
bios_manufacturer machine_domain
bios_version network_id
business_criticality network_interfaces
cid network_interfaces.interface_alias
city network_interfaces.interface_description
claroty_id network_interfaces.local_ip
confidence network_interfaces.mac_address
country network_interfaces.network_prefix
current_local_ip number_of_disk_drives
data_providers os_is_eol
data_providers_count os_version
device_class ou
device_family physical_core_count
device_type platform_name
discoverer_count processor_package_count
discoverer_product_type_descs product_type_desc
discoverer_tags protocols
entity_type purdue_level
external_ip reduced_functionality_mode
first_seen_timestamp site_name
groups subnet
hostname system_manufacturer
ics_id system_product_name
id system_serial_number
internet_exposure tags
kernel_version virtual_zone
last_seen_timestamp vlan
local_ip_addresses  

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_iot_hosts(offset=integer,
                                  limit=integer,
                                  sort="string",
                                  filter="string"
                                  )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_iot_hosts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )

print(response)

query_logins

Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_logins

Endpoint

Method Route
GET /discover/queries/logins/v1

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter logins using a FQL query.

A complete list of available filters can be found here.
limit
Service Class Support

Uber Class Support
query integer The number of login IDs to return in this response (Max: 100, Default: 100).

Use with the offset parameter to manage pagination of results.
offset
Service Class Support

Uber Class Support
query string An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
query string Sort logins by their properties. A single sort field is allowed. Common sort options include:
  • account_name|asc
  • login_timestamp|desc
Available FQL Filters

Common filters include:

  • account_type:'Local'
  • login_type:'Interactive'
  • first_seen_timestamp:<'now-7d'
  • admin_privileges:'No'

The following table lists acceptable values for the filter keyword described above.

id login_timestamp
cid login_domain
login_status admin_privileges
account_id local_ip
host_id remote_ip
user_sid host_country
aid host_city
account_name is_suspicious
username failure_description
hostname login_event_count
account_type aggregation_time_interval
login_type  

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_logins(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_logins",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_iot_hostsV2

Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_iot_hosts_v2

Endpoint

Method Route
GET /discover/queries/iot-hosts/v2

Required Scope

discover-iot:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter assets using a FQL query.

A complete list of available filters can be found here.
limit
Service Class Support

Uber Class Support
query integer The number of IoT asset IDs to return in this response (Max: 100, Default: 100).

Use with the offset parameter to manage pagination of results.
offset
Service Class Support

Uber Class Support
query string An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
query string Sort IoT assets by their properties. A single sort field is allowed. Common sort options include:
  • hostname|asc
  • product_type_desc|desc
Available FQL Filters

The following table lists acceptable values for the filter keyword described above.

agent_version local_ips_count
aid mac_addresses
bios_manufacturer machine_domain
bios_version network_id
business_criticality network_interfaces
cid network_interfaces.interface_alias
city network_interfaces.interface_description
claroty_id network_interfaces.local_ip
confidence network_interfaces.mac_address
country network_interfaces.network_prefix
current_local_ip number_of_disk_drives
data_providers os_is_eol
data_providers_count os_version
device_class ou
device_family physical_core_count
device_type platform_name
discoverer_count processor_package_count
discoverer_product_type_descs product_type_desc
discoverer_tags protocols
entity_type purdue_level
external_ip reduced_functionality_mode
first_seen_timestamp site_name
groups subnet
hostname system_manufacturer
ics_id system_product_name
id system_serial_number
internet_exposure tags
kernel_version virtual_zone
last_seen_timestamp vlan
local_ip_addresses  

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_iot_hosts_v2(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string"
                                     )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_iot_hosts_v2",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

CrowdStrike Falcon

Clone this wiki locally