jshcodes edited this page Dec 13, 2022 · 44 revisions

Using the IOC service collection

This service collection has code examples posted to the repository.

Table of Contents

Operation ID | PEP 8 | Description
indicator_combined_v1 | indicator_combined | Get Combined for Indicators.
indicator_get_v1 | indicator_get | Get Indicators by ids.
indicator_create_v1 | indicator_create | Create Indicators.
indicator_delete_v1 | indicator_delete | Delete Indicators by ids.
indicator_update_v1 | indicator_update | Update Indicators.
indicator_search_v1 | indicator_search | Search for Indicators.
DevicesCount | devices_count | Number of hosts in your customer account that have observed a given custom IOC.
DevicesRanOn | devices_ran_on | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1.
ProcessesRanOn | processes_ran_on | Search for processes associated with a custom IOC.
entities_processes | entities_processes | For the provided ProcessID retrieve the process details.

Passing credentials

WARNING

client_id and client_secret are input variables that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

indicator_combined_v1

Get Combined for Indicators.

PEP8 method name

indicator_combined

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name | Service | Uber | Type | Data type | Description
after | yes | yes | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filter | yes | yes | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters: type, value, action, severity, platforms, tags, expiration, expired, applied_globally, host_groups, created_on, created_by, modified_on, modified_by, source.
from_parent | yes | yes | query | boolean | Whether to return only indicators belonging to the requesting customer or only those inherited from its MSSP parents.
limit | yes | yes | query | integer | Maximum number of results to return.
offset | yes | yes | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.
sort | yes | yes | query | string | FQL Syntax formatted sort filter.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_combined(filter="string",
                                     offset=integer,
                                     limit=integer,
                                     sort="string",
                                     after="string",
                                     from_parent=boolean
                                     )
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_combined_v1(filter="string",
                                        offset=integer,
                                        limit=integer,
                                        sort="string",
                                        after="string",
                                        from_parent=boolean
                                        )
print(response)
Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("indicator_combined_v1",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          after="string",
                          from_parent=boolean
                          )
print(response)

indicator_get_v1

Get Indicators by ids.

PEP8 method name

indicator_get

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name | Service | Uber | Type | Data type | Description
ids | yes | yes | query | string or list of strings | The ids of the Indicators to retrieve.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_get(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_get_v1(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("indicator_get_v1", ids=id_list)
print(response)

indicator_create_v1

Create Indicators.

PEP8 method name

indicator_create

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name | Service | Uber | Type | Data type | Description
action | yes | yes | body | string | Default action for IOC.
applied_globally | yes | yes | body | boolean | Flag indicating this IOC is applied globally.
body | yes | yes | body | dictionary | Full body payload in JSON format.
comment | yes | yes | body | string | IOC comment.
description | yes | yes | body | string | IOC description.
expiration | yes | yes | body | string | UTC formatted date string.
filename | yes | yes | body | string | Filename to use for the metadata dictionary.
host_groups | yes | yes | body | string or list of strings | List of host groups this IOC applies to.
ignore_warnings | yes | yes | query | boolean | Flag to indicate that warnings are ignored.
indicators | yes | yes | body | list of dictionaries | List of indicators to create. Overrides other keywords excluding body. Allows for the creation of multiple indicators at once.
metadata | yes | yes | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.
platforms | yes | yes | body | string or list of strings | Platforms this IOC impacts.
retrodetects | yes | yes | query | boolean | Flag to indicate whether to submit retrodetects.
severity | yes | yes | body | string | IOC severity.
source | yes | yes | body | string | IOC source.
tags | yes | yes | body | string or list of strings | IOC tags.
type | yes | yes | body | string | IOC type.
value | yes | yes | body | string | String representation of the IOC.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_create(action="string",
                                   applied_globally=boolean,
                                   comment="string",
                                   description="string",
                                   expiration="string",
                                   filename="string",
                                   host_groups=host_group_list,
                                   ignore_warnings=boolean,
                                   platforms=platform_list,
                                   retrodetects=boolean,
                                   severity="string",
                                   source="string",
                                   tags=tag_list,
                                   type="string",
                                   value="string"
                                   )
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_create_v1(action="string",
                                      applied_globally=boolean,
                                      comment="string",
                                      description="string",
                                      expiration="string",
                                      filename="string",
                                      host_groups=host_group_list,
                                      ignore_warnings=boolean,
                                      platforms=platform_list,
                                      retrodetects=boolean,
                                      severity="string",
                                      source="string",
                                      tags=tag_list,
                                      type="string",
                                      value="string"
                                      )
print(response)
Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

host_group_list = ['HG1', 'HG2', 'HG3']

platform_list = ['OS1', 'OS2', 'OS3']

tag_list = ['TAG1', 'TAG2', 'TAG3']

BODY = {
  "comment": "string",
  "indicators": [
    {
      "action": "string",
      "applied_globally": True,
      "description": "string",
      "expiration": "2021-10-22T10:40:39.372Z",
      "host_groups": host_group_list,
      "metadata": {
        "filename": "string"
      },
      "mobile_action": "string",
      "platforms": platform_list,
      "severity": "string",
      "source": "string",
      "tags": tag_list,
      "type": "string",
      "value": "string"
    }
  ]
}

response = falcon.command("indicator_create_v1",
                          retrodetects=boolean,
                          ignore_warnings=boolean,
                          body=BODY
                          )
print(response)
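The helper below is an added example, not FalconPy code or part of this wiki: it builds the indicators list body shown in the Uber class example from plain keyword values, turning comma-separated strings into lists, moving filename under metadata and formatting the UTC expiration string. build_indicator, build_create_body, expiration_in and as_list are assumed helper names, the sample action, severity and platform values are illustrative, and the rule that an indicator is either global or scoped to host groups is an assumed constraint not stated on this page.

```python
from datetime import datetime, timedelta, timezone

# Added example helpers (not part of FalconPy). Sample values such as
# action="detect", severity="medium" and platforms="windows,mac" are
# illustrative; check the API reference for the accepted values.


def as_list(value):
    """Accept 'HG1,HG2,HG3' or ['HG1', 'HG2', 'HG3'] and return a clean list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [item.strip() for item in value.split(",") if item.strip()]
    return [str(item) for item in value]


def expiration_in(days, now=None):
    """UTC expiration string in the shape used above, e.g. 2021-10-22T10:40:39.372Z."""
    now = now or datetime.now(timezone.utc)
    when = now + timedelta(days=days)
    return when.strftime("%Y-%m-%dT%H:%M:%S.") + f"{when.microsecond // 1000:03d}Z"


def build_indicator(ioc_type, value, action, severity, platforms, *,
                    applied_globally=False, host_groups=None, tags=None,
                    description=None, source=None, expiration=None,
                    filename=None, metadata=None, mobile_action=None):
    """Return one entry for the 'indicators' list of indicator_create_v1."""
    if filename and metadata:
        raise ValueError("use either filename or metadata, not both")
    if not applied_globally and not as_list(host_groups):
        # Assumed constraint: an indicator applies globally or to named host groups.
        raise ValueError("indicator must be applied_globally or have host_groups")
    indicator = {
        "type": ioc_type,
        "value": value,
        "action": action,
        "severity": severity,
        "platforms": as_list(platforms),
        "applied_globally": bool(applied_globally),
    }
    if not applied_globally:
        indicator["host_groups"] = as_list(host_groups)
    if tags:
        indicator["tags"] = as_list(tags)
    if filename:
        # The filename keyword is shorthand for the metadata dictionary.
        indicator["metadata"] = {"filename": filename}
    elif metadata:
        indicator["metadata"] = dict(metadata)
    for key, val in (("description", description), ("source", source),
                     ("expiration", expiration), ("mobile_action", mobile_action)):
        if val:
            indicator[key] = val
    return indicator


def build_create_body(indicators, comment):
    """Body for falcon.indicator_create(body=...) or falcon.command('indicator_create_v1', body=...)."""
    return {"comment": comment, "indicators": list(indicators)}


if __name__ == "__main__":
    # Constructed sample: a SHA-256 placeholder scoped to two host groups for 30 days.
    body = build_create_body(
        [build_indicator("sha256", "a" * 64, "detect", "medium", "windows,mac",
                         host_groups="HG1,HG2", filename="dropper.exe",
                         expiration=expiration_in(30))],
        comment="constructed sample comment")
    print(body)
```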

indicator_delete_v1

Delete Indicators by ids or a filter.

PEP8 method name

indicator_delete

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name | Service | Uber | Type | Data type | Description
comment | yes | yes | query | string | Comment recorded with the deletion, explaining why the indicators were removed.
filter | yes | yes | query | string | FQL Syntax formatted filter that should be used to delete indicators in bulk. If both filter and ids are provided, then filter takes precedence and ids is ignored.
from_parent | yes | yes | query | boolean | Limit action to IOCs originating from the MSSP parent.
ids | yes | yes | query | string or list of strings | The ids of the Indicators to delete. If both filter and ids are provided, then filter takes precedence and ids is ignored.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_delete(filter="string",
                                   from_parent=boolean,
                                   comment="string",
                                   ids=id_list
                                   )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_delete_v1(filter="string",
                                      from_parent=boolean,
                                      comment="string",
                                      ids=id_list
                                      )

print(response)
Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("indicator_delete_v1",
                          filter="string",
                          from_parent=boolean,
                          comment="string",
                          ids=id_list
                          )
print(response)
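Because filter takes precedence over ids, a call that accidentally passes both silently ignores ids and deletes everything the filter matches; the wrapper below is an added example (not FalconPy code or part of this wiki) that refuses that combination, previews a filter with indicator_search, caps how many indicators a filter may remove, and always deletes by explicit ids. delete_indicators and preview_filter are assumed names, and the response shape (status_code, body.resources, body.errors) is assumed from FalconPy's standard result dictionary.

```python
# Added example wrapper (not part of FalconPy). Both callables are injected so
# the same code works with the Service class (falcon.indicator_search,
# falcon.indicator_delete) or the Uber class
# (lambda **kw: falcon.command("indicator_search_v1", **kw), etc.).


def _ok(response):
    """FalconPy result dictionaries carry status_code plus body.errors (assumed shape)."""
    return response.get("status_code") == 200 and not response["body"].get("errors")


def preview_filter(search, ioc_filter, max_matches):
    """Return the ids a filter matches, fetching one more than the cap to detect overflow."""
    response = search(filter=ioc_filter, limit=max_matches + 1)
    if not _ok(response):
        raise RuntimeError(f"search failed: {response['body'].get('errors')}")
    return list(response["body"].get("resources") or [])


def delete_indicators(search, delete, *, comment, ids=None, ioc_filter=None,
                      max_matches=25):
    """Delete by ids, or by a filter that has been previewed and size-checked.

    Returns the ids the API reports as deleted (assumed: body.resources).
    """
    if not comment:
        raise ValueError("a comment explaining the deletion is required")
    if bool(ids) == bool(ioc_filter):
        # Passing both would let filter win and ignore ids; passing neither is a no-op.
        raise ValueError("pass exactly one of ids or ioc_filter")
    if ioc_filter:
        ids = preview_filter(search, ioc_filter, max_matches)
        if len(ids) > max_matches:
            raise RuntimeError(
                f"filter {ioc_filter!r} matches more than {max_matches} indicators; "
                "narrow it or raise max_matches deliberately")
        if not ids:
            return []
    elif isinstance(ids, str):
        ids = [item.strip() for item in ids.split(",") if item.strip()]
    # Always delete by explicit ids so the request records exactly what was removed.
    response = delete(ids=ids, comment=comment)
    if not _ok(response):
        raise RuntimeError(f"delete failed: {response['body'].get('errors')}")
    return list(response["body"].get("resources") or [])
```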

indicator_update_v1

Update Indicators.

PEP8 method name

indicator_update

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name | Service | Uber | Type | Data type | Description
action | yes | yes | body | string | Default action for IOC.
applied_globally | yes | yes | body | boolean | Flag indicating this IOC is applied globally.
body | yes | yes | body | dictionary | Full body payload in JSON format.
bulk_update | yes | yes | body | dictionary | Dictionary containing the indicator update in JSON format. Not necessary when using other keywords.
comment | yes | yes | body | string | IOC comment.
description | yes | yes | body | string | IOC description.
expiration | yes | yes | body | string | UTC formatted date string.
filename | yes | yes | body | string | Filename to use for the metadata dictionary.
host_groups | yes | yes | body | string or list of strings | List of host groups this IOC applies to.
id | yes | yes | body | string | The Indicator ID to be updated. At least one ID must be specified using this keyword, or as part of the indicators list using the indicators keyword.
ignore_warnings | yes | yes | query | boolean | Flag to indicate that warnings are ignored.
indicators | yes | yes | body | list of dictionaries | List of indicators to update. Overrides other keywords excluding body. Allows for the update of multiple indicators at once.
metadata | yes | yes | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used.
mobile_action | yes | yes | body | string | Mobile action to perform.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.
platforms | yes | yes | body | string or list of strings | Platforms this IOC impacts.
retrodetects | yes | yes | query | boolean | Flag to indicate whether to submit retrodetects.
severity | yes | yes | body | string | IOC severity.
source | yes | yes | body | string | IOC source.
tags | yes | yes | body | string or list of strings | IOC tags.
type | yes | yes | body | string | IOC type.
value | yes | yes | body | string | String representation of the IOC.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_update(action="string",
                                   applied_globally=boolean,
                                   comment="string",
                                   description="string",
                                   expiration="string",
                                   filename="string",
                                   host_groups=host_group_list,
                                   ignore_warnings=boolean,
                                   mobile_action="string",
                                   platforms=platform_list,
                                   retrodetects=boolean,
                                   severity="string",
                                   source="string",
                                   tags=tag_list,
                                   type="string",
                                   value="string"
                                   )
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_update_v1(action="string",
                                      applied_globally=boolean,
                                      comment="string",
                                      description="string",
                                      expiration="string",
                                      filename="string",
                                      host_groups=host_group_list,
                                      ignore_warnings=boolean,
                                      mobile_action="string",
                                      platforms=platform_list,
                                      retrodetects=boolean,
                                      severity="string",
                                      source="string",
                                      tags=tag_list,
                                      type="string",
                                      value="string"
                                      )
print(response)
Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

host_group_list = ['HG1', 'HG2', 'HG3']

platform_list = ['OS1', 'OS2', 'OS3']

tag_list = ['TAG1', 'TAG2', 'TAG3']

BODY = {
    "bulk_update": {
        "action": "string",
        "applied_globally": True,
        "description": "string",
        "expiration": "2021-10-22T11:03:16.123Z",
        "filter": "string",
        "host_groups": host_group_list,
        "mobile_action": "string",
        "platforms": platform_list,
        "severity": "string",
        "source": "string",
        "tags": tag_list
    },
    "comment": "string",
    "indicators": [
        {
            "action": "string",
            "applied_globally": True,
            "description": "string",
            "expiration": "2021-10-22T11:03:16.123Z",
            "host_groups": host_group_list,
            "id": "string",
            "metadata": {
                "filename": "string"
            },
            "mobile_action": "string",
            "platforms": platform_list,
            "severity": "string",
            "source": "string",
            "tags": tag_list
        }
    ]
}

response = falcon.command("indicator_update_v1",
                          ignore_warnings=boolean,
                          retrodetects=boolean,
                          body=BODY
                          )
print(response)

indicator_search_v1

Search for Indicators.

PEP8 method name

indicator_search

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name | Service | Uber | Type | Data type | Description
after | yes | yes | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filter | yes | yes | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters: type, value, action, severity, platforms, tags, expiration, expired, applied_globally, host_groups, created_on, created_by, modified_on, modified_by, source.
limit | yes | yes | query | integer | Maximum number of results to return.
offset | yes | yes | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.
sort | yes | yes | query | string | FQL Syntax formatted sort filter.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_search(filter="string",
                                   offset=integer,
                                   limit=integer,
                                   sort="string",
                                   after="string"
                                   )
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_search_v1(filter="string",
                                      offset=integer,
                                      limit=integer,
                                      sort="string",
                                      after="string"
                                      )
print(response)
Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("indicator_search_v1",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          after="string"
                          )
print(response)
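The after token is the only way past the 10k-record limit of offset; the generator below is an added example (not FalconPy code or part of this wiki) that follows it across pages for either indicator_search (ids) or indicator_combined (full records) and stops on an empty page, a missing token, or a token that did not advance. iter_indicators and collect_ids are assumed names, and the location of the token, body.meta.pagination.after, is an assumption about the response shape.

```python
# Added example (not part of FalconPy). Assumed response shape: body.resources
# holds the page and body.meta.pagination.after holds the token for the next
# page (absent or empty on the last page). offset is never sent alongside after,
# since the two are mutually exclusive.


def iter_indicators(fetch, *, ioc_filter=None, sort=None, page_size=500,
                    max_pages=10_000):
    """Yield every resource matched by ioc_filter, page by page.

    fetch is falcon.indicator_combined (full records), falcon.indicator_search
    (ids only), or lambda **kw: falcon.command("indicator_combined_v1", **kw).
    """
    after = None
    for _ in range(max_pages):
        kwargs = {"limit": page_size}
        if ioc_filter:
            kwargs["filter"] = ioc_filter
        if sort:
            kwargs["sort"] = sort
        if after:
            kwargs["after"] = after
        response = fetch(**kwargs)
        if response.get("status_code") != 200:
            raise RuntimeError(f"request failed: {response['body'].get('errors')}")
        body = response["body"]
        resources = body.get("resources") or []
        yield from resources
        next_token = ((body.get("meta") or {}).get("pagination") or {}).get("after")
        # Stop on an empty page, a missing token, or a token that did not advance
        # (the last guards against looping forever on a misbehaving response).
        if not resources or not next_token or next_token == after:
            return
        after = next_token
    raise RuntimeError(f"stopped after {max_pages} pages without reaching the end")


def collect_ids(fetch, ioc_filter=None):
    """Return ids whether fetch yields id strings (search) or full records (combined)."""
    return [item["id"] if isinstance(item, dict) else item
            for item in iter_indicators(fetch, ioc_filter=ioc_filter)]
```

A typical call is collect_ids(falcon.indicator_search, ioc_filter="expired:true") to gather every expired indicator, expired being one of the available filter keys listed above.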

DevicesCount

Number of hosts in your customer account that have observed a given custom IOC

PEP8 method name

devices_count

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name | Service | Uber | Type | Data type | Description
type | yes | yes | query | string | The type of the indicator. Valid types: sha256 (a hex-encoded SHA-256 hash string, exactly 64 characters), md5 (a hex-encoded MD5 hash string, exactly 32 characters), domain (a domain name, 1 to 200 characters), ipv4 (must be a valid IPv4 address), ipv6 (must be a valid IPv6 address).
value | yes | yes | query | string | The string representation of the indicator.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_count(type="string", value="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.DevicesCount(type="string", value="string")
print(response)
Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("DevicesCount", type="string", value="string")
print(response)

DevicesRanOn

Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1

PEP8 method name

devices_ran_on

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name | Service | Uber | Type | Data type | Description
type | yes | yes | query | string | The type of the indicator. Valid types: sha256 (a hex-encoded SHA-256 hash string, exactly 64 characters), md5 (a hex-encoded MD5 hash string, exactly 32 characters), domain (a domain name, 1 to 200 characters), ipv4 (must be a valid IPv4 address), ipv6 (must be a valid IPv6 address).
value | yes | yes | query | string | The string representation of the indicator.
limit | yes | yes | query | integer | Maximum number of results to return.
offset | yes | yes | query | integer | Starting offset to begin returning results.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_ran_on(type="string",
                                 value="string",
                                 limit=integer,
                                 offset=integer
                                 )
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.DevicesRanOn(type="string",
                               value="string",
                               limit=integer,
                               offset=integer
                               )
print(response)
Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("DevicesRanOn",
                          type="string",
                          value="string",
                          limit=integer,
                          offset=integer
                          )
print(response)

ProcessesRanOn

Search for processes associated with a custom IOC

PEP8 method name

processes_ran_on

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name | Service | Uber | Type | Data type | Description
type | yes | yes | query | string | The type of the indicator. Valid types: sha256 (a hex-encoded SHA-256 hash string, exactly 64 characters), md5 (a hex-encoded MD5 hash string, exactly 32 characters), domain (a domain name, 1 to 200 characters), ipv4 (must be a valid IPv4 address), ipv6 (must be a valid IPv6 address).
value | yes | yes | query | string | The string representation of the indicator.
device_id | yes | yes | query | string | Specify a Host AID to return only processes from that host.
limit | yes | yes | query | integer | Maximum number of results to return.
offset | yes | yes | query | integer | Starting offset to begin returning results.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.
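As an added example (not FalconPy code or part of this wiki), the check below enforces the type constraints listed for type and value in the DevicesCount, DevicesRanOn and ProcessesRanOn tables before a request is sent, and goes one step further by inferring the type from the value. validate_ioc, guess_ioc_type and hosts_observing are assumed helper names, and the device_count field read from the response is an assumption about the DevicesCount response shape.

```python
import ipaddress
import re

# Added example (not part of FalconPy): validate a (type, value) pair against the
# limits documented above, so a malformed indicator fails locally with a clear
# message instead of as an API error.

HEX = re.compile(r"^[0-9a-fA-F]+$")
HASH_LENGTHS = {"sha256": 64, "md5": 32}   # exact hex lengths from the tables
DOMAIN_MIN, DOMAIN_MAX = 1, 200


def validate_ioc(ioc_type, value):
    """Return the normalised value, or raise ValueError describing the problem."""
    if not isinstance(value, str):
        raise ValueError("value must be a string")
    value = value.strip()
    if ioc_type in HASH_LENGTHS:
        want = HASH_LENGTHS[ioc_type]
        if len(value) != want or not HEX.match(value):
            raise ValueError(f"{ioc_type} must be exactly {want} hex characters")
        return value.lower()
    if ioc_type == "domain":
        domain = value.rstrip(".").lower()
        if not DOMAIN_MIN <= len(domain) <= DOMAIN_MAX or any(ch.isspace() for ch in domain):
            raise ValueError(f"domain must be {DOMAIN_MIN}-{DOMAIN_MAX} characters")
        return domain
    if ioc_type in ("ipv4", "ipv6"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError as exc:
            raise ValueError(f"not a valid IP address: {value!r}") from exc
        if addr.version != int(ioc_type[-1]):
            raise ValueError(f"{value!r} is IPv{addr.version}, not {ioc_type}")
        return str(addr)   # canonical form, e.g. compressed lowercase IPv6
    raise ValueError(f"unsupported indicator type {ioc_type!r}")


def guess_ioc_type(value):
    """Infer sha256/md5/ipv4/ipv6/domain from the shape of the value (added generalisation)."""
    value = value.strip()
    if HEX.match(value) and len(value) in HASH_LENGTHS.values():
        return "sha256" if len(value) == 64 else "md5"
    try:
        return f"ipv{ipaddress.ip_address(value).version}"
    except ValueError:
        return "domain"


def hosts_observing(count_fn, ioc_type, value):
    """Validate, then call e.g. falcon.devices_count and return the host count.

    Assumed response shape: body.resources is a list of records carrying
    "device_count" (empty when no host has observed the indicator).
    """
    value = validate_ioc(ioc_type, value)
    response = count_fn(type=ioc_type, value=value)
    if response.get("status_code") != 200:
        raise RuntimeError(f"request failed: {response['body'].get('errors')}")
    resources = response["body"].get("resources") or []
    return sum(int(item.get("device_count", 0)) for item in resources)
```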

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.processes_ran_on(type="string",
                                   value="string",
                                   device_id="string",
                                   limit=integer,
                                   offset=integer
                                   )
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.ProcessesRanOn(type="string",
                                 value="string",
                                 device_id="string",
                                 limit=integer,
                                 offset=integer
                                 )
print(response)
Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("ProcessesRanOn",
                          type="string",
                          value="string",
                          device_id="string",
                          limit=integer,
                          offset=integer
                          )
print(response)

entities_processes

For the provided ProcessID retrieve the process details

PEP8 method name

entities_processes

Content-Type

  • Produces: application/json

Keyword Arguments

Name | Service | Uber | Type | Data type | Description
ids | yes | yes | query | string or list of strings | ProcessID of the running process you want to look up.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_processes", ids=id_list)
print(response)
