Skip to content

Real Time Response Admin

Joshua Hiller edited this page Dec 8, 2024 · 37 revisions

CrowdStrike Falcon CrowdStrike Subreddit

Using the Real Time Response Admin service collection

Uber class support Service class support Documentation Version Page Updated Samples Available

This service collection has code examples posted to the repository.

Table of Contents

Operation ID Description
BatchAdminCmd
PEP 8 batch_admin_command
Batch executes a RTR administrator command across the hosts mapped to the given batch ID.
RTR_CheckAdminCommandStatus
PEP 8 check_admin_command_status
Get status of an executed RTR administrator command on a single host.
RTR_ExecuteAdminCommand
PEP 8 execute_admin_command
Execute a RTR administrator command on a single host.
RTR_GetFalconScripts
PEP8 get_falcon_scripts
Get Falcon scripts with metadata and content of script
RTR_GetPut_Files
PEP 8 get_put_files
Get put-files based on the ID's given. These are used for the RTR put command.
RTR_GetPut_FilesV2
PEP 8 get_put_files_v2
Get put-files based on the ID's given. These are used for the RTR put command.
RTR_CreatePut_Files
PEP 8 create_put_files
Upload a new put-file to use for the RTR put command.
RTR_DeletePut_Files
PEP 8 delete_put_files
Delete a put-file based on the ID given. Can only delete one file at a time.
RTR_GetScripts
PEP 8 get_scripts
Get custom-scripts based on the ID's given. These are used for the RTR runscript command.
RTR_GetScriptsV2
PEP 8 get_scripts_v2
Get custom-scripts based on the ID's given. These are used for the RTR runscript command.
RTR_ListFalconScripts
PEP8 list_falcon_scripts
Get a list of Falcon script IDs available to the user to run
RTR_CreateScripts
PEP 8 create_scripts
Upload a new custom-script to use for the RTR runscript command.
RTR_DeleteScripts
PEP 8 delete_scripts
Delete a custom-script based on the ID given. Can only delete one script at a time.
RTR_UpdateScripts
PEP 8 update_scripts
Upload a new scripts to replace an existing one.
RTR_ListPut_Files
PEP 8 list_put_files
Get a list of put-file ID's that are available to the user for the put command.
RTR_ListScripts
PEP 8 list_scripts
Get a list of custom-script ID's that are available to the user for the runscript command.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

BatchAdminCmd

Batch executes a RTR administrator command across the hosts mapped to the given batch ID.

PEP8 method name

batch_admin_command

Endpoint

Method Route
POST /real-time-response/combined/batch-admin-command/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
base_command
Service Class Support

Uber Class Support
body string Active Responder base command to perform. For example: get or cp. Refer to this list for a complete listing of available commands.
batch_id
Service Class Support

Uber Class Support
body string RTR Batch ID to execute the command against. Received from batch_init_session.
command_string
Service Class Support

Uber Class Support
body string Full command line of the command to execute. Example: get some_file.txt.
host_timeout_duration
Service Class Support

Uber Class Support
query string Timeout duration for for how long a host has to complete processing in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes.
optional_hosts
Service Class Support

Uber Class Support
body string or list of strings List of the subset of hosts we want to impact by this command. Allows for filtering of hosts from execution within the same batch.
persist_all
Service Class Support

Uber Class Support
body boolean Flag indicating if this command should be executed when the host returns to service.
timeout
Service Class Support

Uber Class Support
query integer Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 10 minutes.
timeout_duration
Service Class Support

Uber Class Support
query string Timeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
Available base commands
Command Description Operating System
cat View file contents All supported
cd Change directory All supported
clear Clear the screen All supported
cp Copy a file All supported
csrutil Get system integrity protection status MacOS
encrypt Encrypt a file All supported
env Display environment variables All supported
eventlog Inspect the event log.

Subcommands:
  • list
  • view
  • export
  • backup
eventlog backup is the recommended solution as opposed to eventlog export, as this method is faster and follows industry-standard file format.
Windows
filehash Calculate a file hash (MD5 or SHA256) All supported
get Retrieve a file All supported
getsid Retrieve the current SID Windows MacOS
help Access help for a specific command or sub-command All supported
history Review command history for the current user All supported
ifconfig Review TCP configuration Linux MacOS
ipconfig Review TCP configuration Windows
kill Kill a running process All supported
ls List the contents of a directory All supported
map Map a UNC (SMB) path to a drive letter Windows
memdump Dump memory of a running process Windows
mkdir Create a directory All supported
mount Mount a file system (MacOS, Linux) or list available drives (Windows) All supported
mv Move a file All supported
netstat Retrieve network connection detail All supported
ps List running processes All supported
put Put a file onto a remote host Windows MacOS
put-and-run Put a file onto a remote host and then execute it. The put-and-run command reduces the potential for user error in file selection by ensuring that the file ‘put’ on the host is the same file that is ‘run’ on the host. Windows Linux MacOS
reg Registry operations.

Subcommands:
  • query - Query the registry
  • set - Set a registry key or value
  • delete - Delete a registry key or value
  • load - Load a registry hive
  • unload - Unload a registry hive
Windows
restart Restart the system All supported
rm Remove a file All supported
run Run an executable All supported
runscript Run a script All supported
shutdown Shutdown the system All supported
tar Compress a file or directory into a tar file Linux
unmap Unmap a UNC (SMB) path from a drive letter Windows
unmount Unmount a file system Linux MacOS
update Install patches through Windows Update.

Subcommands:
  • history - Check update history for this host
  • install - Installs a patch by specifying the KB ID. 'Optional' KBs are not available.
  • list - show all available updates for this host
  • query - Show metadata about a specific KB
Windows
users Get details about local users Linux MacOS
xmemdump Dump complete memory (kernel) for the system Windows
zip Create a zip archive All supported

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.batch_admin_command(base_command="string",
                                      batch_id="string",
                                      command_string="string",
                                      optional_hosts=target_hosts,
                                      persist_all=boolean,
                                      timeout=integer,
                                      timeout_duration="string"
                                      )
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.BatchAdminCmd(base_command="string",
                                batch_id="string",
                                command_string="string",
                                optional_hosts=target_hosts,
                                persist_all=boolean,
                                timeout=integer,
                                timeout_duration="string"
                                )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

target_hosts = ["ID1", "ID2", "ID3"]

BODY = {
  "base_command": "string",
  "batch_id": "string",
  "command_string": "string",
  "optional_hosts": target_hosts,
  "persist_all": true
}

response = falcon.command("BatchAdminCmd",
                          timeout=integer,
                          timeout_duration="string",
                          body=BODY
                          )
print(response)

Back to Table of Contents

RTR_CheckAdminCommandStatus

Get status of an executed RTR administrator command on a single host.

PEP8 method name

check_admin_command_status

Endpoint

Method Route
GET /real-time-response/entities/admin-command/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
cloud_request_id
Service Class Support

Uber Class Support
query string Cloud Request ID of the executed command to query.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sequence_id
Service Class Support

Uber Class Support
query integer Sequence ID that we want to retrieve. Command responses are chunked across sequences.

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.check_admin_command_status(cloud_request_id="string", sequence_id=integer)
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.RTR_CheckAdminCommandStatus(cloud_request_id="string", sequence_id=integer)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_CheckAdminCommandStatus",
                          cloud_request_id="string",
                          sequence_id=integer
                          )
print(response)

Back to Table of Contents

RTR_ExecuteAdminCommand

Execute a RTR administrator command on a single host.

PEP8 method name

execute_admin_command

Endpoint

Method Route
POST /real-time-response/entities/admin-command/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
base_command
Service Class Support

Uber Class Support
body string Active Responder base command to perform. For example: get or cp. Refer to this list for a complete listing of available commands.
session_id
Service Class Support

Uber Class Support
body string RTR Session ID to execute the command against. Received from init_session.
command_string
Service Class Support

Uber Class Support
body string Full command line of the command to execute. Example: get some_file.txt.
persist
Service Class Support

Uber Class Support
body boolean Flag indicating if this command should be executed when the host returns to service.
Available base commands
Command Description Operating System
cat View file contents All supported
cd Change directory All supported
clear Clear the screen All supported
cp Copy a file All supported
csrutil Get system integrity protection status MacOS
encrypt Encrypt a file All supported
env Display environment variables All supported
eventlog Inspect the event log.

Subcommands:
  • list
  • view
  • export
  • backup
eventlog backup is the recommended solution as opposed to eventlog export, as this method is faster and follows industry-standard file format.
Windows
filehash Calculate a file hash (MD5 or SHA256) All supported
get Retrieve a file All supported
getsid Retrieve the current SID Windows MacOS
help Access help for a specific command or sub-command All supported
history Review command history for the current user All supported
ifconfig Review TCP configuration Linux MacOS
ipconfig Review TCP configuration Windows
kill Kill a running process All supported
ls List the contents of a directory All supported
map Map a UNC (SMB) path to a drive letter Windows
memdump Dump memory of a running process Windows
mkdir Create a directory All supported
mount Mount a file system (MacOS, Linux) or list available drives (Windows) All supported
mv Move a file All supported
netstat Retrieve network connection detail All supported
ps List running processes All supported
put-and-run Put a file onto a remote host and then execute it. The put-and-run command reduces the potential for user error in file selection by ensuring that the file ‘put’ on the host is the same file that is ‘run’ on the host. Windows Linux MacOS
reg Registry operations.

Subcommands:
  • query - Query the registry
  • set - Set a registry key or value
  • delete - Delete a registry key or value
  • load - Load a registry hive
  • unload - Unload a registry hive
Windows
restart Restart the system All supported
rm Remove a file All supported
run Run an executable All supported
runscript Run a script All supported
shutdown Shutdown the system All supported
tar Compress a file or directory into a tar file Linux
unmap Unmap a UNC (SMB) path from a drive letter Windows
unmount Unmount a file system Linux MacOS
update Install patches through Windows Update.

Subcommands:
  • history - Check update history for this host
  • install - Installs a patch by specifying the KB ID. 'Optional' KBs are not available.
  • list - show all available updates for this host
  • query - Show metadata about a specific KB
Windows
users Get details about local users Linux MacOS
xmemdump Dump complete memory (kernel) for the system Windows
zip Create a zip archive All supported

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.execute_admin_command(base_command="string",
                                        session_id="string",
                                        command_string="string",
                                        persist=boolean
                                        )
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.RTR_ExecuteAdminCommand(base_command="string",
                                          session_id="string",
                                          command_string="string",
                                          persist=boolean
                                          )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

target_hosts = ["ID1", "ID2", "ID3"]

BODY = {
  "base_command": "string",
  "command_string": "string",
  "persist": true,
  "session_id": "string"
}

response = falcon.command("RTR_ExecuteAdminCommand", body=BODY)
print(response)

Back to Table of Contents

RTR_GetFalconScripts

Get Falcon scripts with metadata and content of script

PEP8 method name

get_falcon_scripts

Endpoint

Method Route
GET /real-time-response/entities/falcon-scripts/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query array (string) IDs of the Falcon scripts you want to retrieve

Usage

Service class example (PEP8 syntax)
from falconpy.real_time_response_admin import RealTimeResponseAdmin

falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_falcon_scripts(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_GetFalconScripts(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_GetFalconScripts", ids=id_list)

print(response)

Back to Table of Contents

RTR_GetPut_Files

Get put-files based on the ID's given. These are used for the RTR put command.

PEP8 method name

get_put_files

Endpoint

Method Route
GET /real-time-response/entities/put-files/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings File IDs.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_put_files(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_GetPut_Files(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_GetPut_Files", ids=id_list)
print(response)

Back to Table of Contents

RTR_GetPut_FilesV2

Get put-files based on the ID's given. These are used for the RTR put command.

PEP8 method name

get_put_files_v2

Endpoint

Method Route
GET /real-time-response/entities/put-files/v2

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings File IDs.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_put_files_v2(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_GetPut_FilesV2(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_GetPut_FilesV2", ids=id_list)
print(response)

Back to Table of Contents

RTR_CreatePut_Files

Upload a new put-file to use for the RTR put command.

PEP8 method name

create_put_files

Endpoint

Method Route
POST /real-time-response/entities/put-files/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
comments_for_audit_log
Service Class Support

Uber Class Support
formData string A descriptive comment for the audit log.
data
Service Class Support

Uber Class Support
formData file Full formData payload in JSON format.
description
Service Class Support

Uber Class Support
formData string File description.
name
Service Class Support

Uber Class Support
formData string File name (if different than actual file name).
files
Service Class Support

Uber Class Support
query list of tuples File(s) to be uploaded.

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

filename = "somefile.ext"
with open(filename, "rb") as upload_file:
    file_upload = [('file', ('MyPutFile', upload_file.read(), 'application/octet-stream'))]

response = falcon.create_put_files(comments_for_audit_log="string",
                                   description="string",
                                   name="string",
                                   files=file_upload
                                   )
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

filename = "somefile.ext"
with open(filename, "rb") as upload_file:
    file_upload = [('file', ('MyPutFile', upload_file.read(), 'application/octet-stream'))]

response = falcon.RTR_CreatePut_Files(comments_for_audit_log="string",
                                      description="string",
                                      name="string",
                                      files=file_upload
                                      )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

PAYLOAD = {
    "description": "string",
    "name": "string",
    "comments_for_audit_log": "string"
}

filename = "somefile.ext"
with open(filename, "rb") as upload_file:
    file_upload = [('file', ('MyPutFile', upload_file.read(), 'application/octet-stream'))]

response = falcon.command("RTR_CreatePut_Files", data=PAYLOAD, files=file_upload)
print(response)

Back to Table of Contents

RTR_DeletePut_Files

Delete a put-file based on the ID given. Can only delete one file at a time.

PEP8 method name

delete_put_files

Endpoint

Method Route
DELETE /real-time-response/entities/put-files/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings File IDs.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_put_files(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_DeletePut_Files(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_DeletePut_Files", ids=id_list)
print(response)

Back to Table of Contents

RTR_GetScripts

Get custom-scripts based on the ID's given. These are used for the RTR runscript command.

PEP8 method name

get_scripts

Endpoint

Method Route
GET /real-time-response/entities/scripts/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings File IDs.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_scripts(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_GetScripts(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_GetScripts", ids=id_list)
print(response)

Back to Table of Contents

RTR_GetScriptsV2

Get custom-scripts based on the ID's given. These are used for the RTR runscript command.

PEP8 method name

get_scripts_v2

Endpoint

Method Route
GET /real-time-response/entities/scripts/v2

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings File IDs.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_scripts_v2(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_GetScriptsV2(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_GetScriptsV2", ids=id_list)
print(response)

Back to Table of Contents

RTR_CreateScripts

Upload a new custom-script to use for the RTR runscript command.

PEP8 method name

create_scripts

Endpoint

Method Route
POST /real-time-response/entities/scripts/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
comments_for_audit_log
Service Class Support

Uber Class Support
formData string A descriptive comment for the audit log.
content
Service Class Support

Uber Class Support
formData string The text contents you want to use for the script. Takes place of a file upload.
data
Service Class Support

Uber Class Support
formData file Full formData payload in JSON format.
description
Service Class Support

Uber Class Support
formData string File description.
name
Service Class Support

Uber Class Support
formData string File name (if different than actual file name).
permission_type
Service Class Support

Uber Class Support
formData string Permissions for the custom-script. Valid permission values include:
  • private - usable only by the user who upload it
  • group - usable by all RTR admins
  • public - usable by all active-responders and RTR admins
platform
Service Class Support

Uber Class Support
formData list of strings Platform for the script. Currently supports windows, mac, and linux. If no platform is provided, windows is assumed.
files
Service Class Support

Uber Class Support
query list of tuples File(s) to be uploaded.

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

filename = "somefile.ext"
with open(filename, "rb") as upload_file:
    file_upload = [('file', ('MyScript', upload_file.read(), 'application/script'))]

response = falcon.create_scripts(comments_for_audit_log="string",
                                 description="string",
                                 name="string",
                                 files=file_upload,
                                 platform=["string"],
                                 permission_type="string",
                                 content="string"
                                 )
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

filename = "somefile.ext"
with open(filename, "rb") as upload_file:
    file_upload = [('file', ('MyScript', upload_file.read(), 'application/script'))]

response = falcon.RTR_CreateScripts(comments_for_audit_log="string",
                                    description="string",
                                    name="string",
                                    files=file_upload,
                                    platform=["string"],
                                    permission_type="string",
                                    content="string"
                                    )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

PAYLOAD = {
    "description": "string",
    "name": "string",
    "comments_for_audit_log": "string",
    "permission_type": "string",
    "content": "string",
    "platform": [
       "string",
       "string"
    ]
}

filename = "somefile.ext"
with open(filename, "rb") as upload_file:
    file_upload = [('file', ('MyScript', upload_file.read(), 'application/script'))]

response = falcon.command("RTR_CreateScripts", data=PAYLOAD, files=file_upload)
print(response)

Back to Table of Contents

RTR_DeleteScripts

Delete a custom-script based on the ID given. Can only delete one script at a time.

PEP8 method name

delete_scripts

Endpoint

Method Route
DELETE /real-time-response/entities/scripts/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings File IDs.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_scripts(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_DeleteScripts(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_DeleteScripts", ids=id_list)
print(response)

Back to Table of Contents

RTR_UpdateScripts

Upload a new scripts to replace an existing one.

PEP8 method name

update_scripts

Endpoint

Method Route
PATCH /real-time-response/entities/scripts/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
comments_for_audit_log
Service Class Support

Uber Class Support
formData string A descriptive comment for the audit log.
content
Service Class Support

Uber Class Support
formData string The text contents you want to use for the script. Takes place of a file upload.
data
Service Class Support

Uber Class Support
formData file Full formData payload in JSON format.
description
Service Class Support

Uber Class Support
formData string File description.
id
Service Class Support

Uber Class Support
formData string The ID of the script to be updated.
name
Service Class Support

Uber Class Support
formData string File name (if different than actual file name).
permission_type
Service Class Support

Uber Class Support
formData string Permissions for the custom-script. Valid permission values include:
  • private - usable only by the user who upload it
  • group - usable by all RTR admins
  • public - usable by all active-responders and RTR admins
platform
Service Class Support

Uber Class Support
formData list of strings Platform for the script. Currently supports windows, mac, and linux. If no platform is provided, windows is assumed.
files
Service Class Support

Uber Class Support
query list of tuples File(s) to be uploaded.

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

file_upload = [('file', ('file.ext', open('file.ext','rb').read(), 'application/script'))]

response = falcon.update_scripts(comments_for_audit_log="string",
                                 description="string",
                                 id="string",
                                 name="string",
                                 files=file_upload,
                                 platform=["string"],
                                 permission_type="string",
                                 content="string"
                                 )
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

file_upload = [('file', ('file.ext', open('file.ext','rb').read(), 'application/script'))]

response = falcon.RTR_UpdateScripts(comments_for_audit_log="string",
                                    description="string",
                                    id="string",
                                    name="string",
                                    files=file_upload,
                                    platform=["string"],
                                    permission_type="string",
                                    content="string"
                                    )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

PAYLOAD = {
    "id": "string",
    "description": "string",
    "name": "string",
    "comments_for_audit_log": "string",
    "permission_type": "string",
    "content": "string",
    "platform": [
       "string",
       "string"
    ]
}

file_upload = [('file', ('file.ext', open('file.ext','rb').read(), 'application/script'))]

response = falcon.command("RTR_UpdateScripts", data=PAYLOAD, files=file_upload)
print(response)

Back to Table of Contents

RTR_ListFalconScripts

Get a list of Falcon script IDs available to the user to run

PEP8 method name

list_falcon_scripts

Endpoint

Method Route
GET /real-time-response/queries/falcon-scripts/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Optional filter criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon.
offset
Service Class Support

Uber Class Support
query integer Starting index of overall result set from which to return ids.
limit
Service Class Support

Uber Class Support
query integer Number of ids to return.
sort
Service Class Support

Uber Class Support
query string Sort by spec. Ex: 'created_at

Usage

Service class example (PEP8 syntax)
from falconpy.real_time_response_admin import RealTimeResponseAdmin

falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.list_falcon_scripts(filter="string",
                                      offset=integer,
                                      limit=integer,
                                      sort="string"
                                      )
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.RTR_ListFalconScripts(filter="string",
                                        offset=integer,
                                        limit=integer,
                                        sort="string"
                                        )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_ListFalconScripts",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string"
                          )
print(response)

Back to Table of Contents

RTR_ListPut_Files

Get a list of put-file ID's that are available to the user for the put command.

PEP8 method name

list_put_files

Endpoint

Method Route
GET /real-time-response/queries/put-files/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL query expression that should be used to limit the results.

user_id can accept a special value ‘@me’ which will restrict results to records with current user’s ID.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return.
offset
Service Class Support

Uber Class Support
query string Starting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
query string The property to sort by.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.list_put_files(filter="string",
                                 offset="string",
                                 limit=integer,
                                 sort="string"
                                 )
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.RTR_ListPut_Files(filter="string",
                                    offset="string",
                                    limit=integer,
                                    sort="string"
                                    )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_ListPut_Files",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)

Back to Table of Contents

RTR_ListScripts

Get a list of custom-script ID's that are available to the user for the runscript command.

PEP8 method name

list_scripts

Endpoint

Method Route
GET /real-time-response/queries/scripts/v1

Required Scope

real-time-response-admin:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL query expression that should be used to limit the results.

user_id can accept a special value ‘@me’ which will restrict results to records with current user’s ID.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return.
offset
Service Class Support

Uber Class Support
query string Starting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
query string The property to sort by.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.list_scripts(filter="string",
                               offset="string",
                               limit=integer,
                               sort="string"
                               )
print(response)
Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.RTR_ListScripts(filter="string",
                                  offset="string",
                                  limit=integer,
                                  sort="string"
                                  )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_ListScripts",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)

Back to Table of Contents

CrowdStrike Falcon

Clone this wiki locally