Skip to content

Installation Tokens

Jump to bottom
jshcodes edited this page Aug 29, 2021 · 29 revisions

CrowdStrike Falcon Twitter URL

Using the Installation Tokens service collection

Uber class support Uber class support

Table of Contents

Method Operation ID Description
audit_events_read audit_events_read Gets the details of one or more audit events by id.
customer_settings_read customer_settings_read Check current installation token settings.
tokens_read tokens_read Gets the details of one or more tokens by id.
tokens_create tokens_create Creates a token.
tokens_delete tokens_delete Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead.
tokens_update tokens_update Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.
audit_events_query audit_events_query Search for audit events by providing an FQL filter and paging details.
tokens_query tokens_query Search for tokens by providing an FQL filter and paging details.

audit_events_read

Gets the details of one or more audit events by id.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Required Name Type Datatype Description
ids query array (string) IDs of audit events to retrieve details for

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.installation_tokens import InstallationTokens

falcon = InstallationTokens(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.audit_events_read(ids=id_list)
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("audit-events-read", ids=id_list)
print(response)

customer_settings_read

Check current installation token settings.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

No parameters

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.installation_tokens import InstallationTokens

falcon = InstallationTokens(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

response = falcon.customer_settings_read()
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("customer-settings-read")
print(response)

tokens_read

Gets the details of one or more tokens by id.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Required Name Type Datatype Description
ids query array (string) IDs of tokens to retrieve details for

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.installation_tokens import InstallationTokens

falcon = InstallationTokens(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.tokens_read(ids=id_list)
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("tokens-read", ids=id_list)
print(response)

tokens_create

Creates a token.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Required Name Type Datatype Description
body body string

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.installation_tokens import InstallationTokens

falcon = InstallationTokens(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

BODY = {
    "Body Payload": "See body description above"
}

response = falcon.tokens_create(body=BODY)
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

BODY = {
    "Body Payload": "See body description above"
}

response = falcon.command("tokens-create", body=BODY)
print(response)

tokens_delete

Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead.

Content-Type

  • Produces: application/json

Parameters

Required Name Type Datatype Description
ids query array (string) The token ids to delete.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.installation_tokens import InstallationTokens

falcon = InstallationTokens(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.tokens_delete(ids=id_list)
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("tokens-delete", ids=id_list)
print(response)

tokens_update

Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Required Name Type Datatype Description
ids query array (string) The token ids to update.
body body string

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.installation_tokens import InstallationTokens

falcon = InstallationTokens(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

BODY = {
    "Body Payload": "See body description above"
}

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.tokens_update(body=BODY, ids=id_list)
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

BODY = {
    "Body Payload": "See body description above"
}

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("tokens-update", body=BODY, ids=id_list)
print(response)

audit_events_query

Search for audit events by providing an FQL filter and paging details.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Required Name Type Datatype Description
offset query integer The offset to start retrieving records from.
limit query integer The maximum records to return. [1-1000]. Defaults to 50.
sort query string The property to sort by (e.g. timestamp.desc).
filter query string The filter expression that should be used to limit the results (e.g., action:'token_create').

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.installation_tokens import InstallationTokens

falcon = InstallationTokens(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

response = falcon.audit_events_query(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string"
                                     )
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

PARAMS = {
    "offset": integer,
    "limit": integer,
    "sort": "string",
    "filter": "string"
}

response = falcon.command("audit-events-query", parameters=PARAMS)
print(response)

tokens_query

Search for tokens by providing an FQL filter and paging details.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Required Name Type Datatype Description
offset query integer The offset to start retrieving records from.
limit query integer The maximum records to return. [1-1000]. Defaults to 50.
sort query string The property to sort by (e.g. created_timestamp.desc).
filter query string The filter expression that should be used to limit the results (e.g., status:'valid').

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.installation_tokens import InstallationTokens

falcon = InstallationTokens(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

response = falcon.tokens_query(offset=integer,
                               limit=integer,
                               sort="string",
                               filter="string"
                               )
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

PARAMS = {
    "offset": integer,
    "limit": integer,
    "sort": "string",
    "filter": "string"
}

response = falcon.command("tokens-query", parameters=PARAMS)
print(response)

CrowdStrike Falcon

Clone this wiki locally