Recon

Using the Recon service collection

Table of Contents

Operation ID	Description
AggregateNotificationsV1 PEP 8 aggregate_notifications	Get notification aggregates as specified via JSON in request body.
PreviewRuleV1 PEP 8 preview_rule	Preview rules notification count and distribution. This will return aggregations on: channel, count, site.
GetActionsV1 PEP 8 get_actions	Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint.
CreateActionsV1 PEP 8 create_actions	Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.
DeleteActionV1 PEP 8 delete_action	Delete an action from a monitoring rule based on the action ID.
UpdateActionV1 PEP 8 update_action	Update an action for a monitoring rule.
GetNotificationsDetailedTranslatedV1 PEP 8 get_notifications_detailed_translated	Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request
GetNotificationsDetailedV1 PEP 8 get_notifications_detailed	Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.
GetNotificationsTranslatedV1 PEP 8 get_notifications_translated	Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English.
GetNotificationsV1 PEP 8 get_notifications	Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint.
DeleteNotificationsV1 PEP 8 delete_notifications	Delete notifications based on IDs. Notifications cannot be recovered after they are deleted.
UpdateNotificationsV1 PEP 8 update_notifications	Update notification status or assignee. Accepts bulk requests
GetRulesV1 PEP 8 get_rules	Get monitoring rules rules by provided IDs.
CreateRulesV1 PEP 8 create_rules	Create monitoring rules.
DeleteRulesV1 PEP 8 delete_rules	Delete monitoring rules.
UpdateRulesV1 PEP 8 update_rules	Update monitoring rules.
QueryActionsV1 PEP 8 query_actions	Query actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1.
QueryNotificationsV1 PEP 8 query_notifications	Query notifications based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications/v1 or GET /entities/notifications-detailed/v1.
QueryRulesV1 PEP 8 query_rules	Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1.

Passing credentials

WARNING

client_id and client_secret are input variables that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

AggregateNotificationsV1

Get notification aggregates as specified via JSON in request body.

PEP8 method name

aggregate_notifications

Endpoint

Method	Route
	/recon/aggregates/notifications/GET/v1

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	list of dictionaries	Full body payload in JSON format.
date_ranges			body	list of dictionaries	Applies to date_range aggregations. Example: [   {     "from": "2016-05-28T09:00:31Z",     "to": "2016-05-30T09:00:31Z"   },   {     "from": "2016-06-01T09:00:31Z",     "to": "2016-06-10T09:00:31Z"   } ]
field			body	string	The field on which to compute the aggregation.
filter			body	string	FQL syntax formatted string to use to filter the results.
interval			body	string	Time interval for date histogram aggregations. Valid values include: year month week day hour minute
min_doc_count			body	integer	Only return buckets if values are greater than or equal to the value here.
missing			body	string	Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name			body	string	Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q			body	string	Full text search across all metadata fields.
ranges			body	list of dictionaries	Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [   {     "From": 0,     "To": 70   },   {     "From": 70,     "To": 100   } ]
size			body	integer	The max number of term buckets to be returned.
sub_aggregates			body	list of dictionaries	A nested aggregation, such as: [   {     "name": "max_first_behavior",     "type": "max",     "field": "first_behavior"   } ] There is a maximum of 3 nested aggregations per request.
sort			body	string	FQL syntax string to sort bucket results. _count - sort by document count _term - sort by the string value alphabetically Supports asc and desc using | format. Example: _count|desc
time_zone			body	string	Time zone for bucket results.
type			body	string	Type of aggregation. Valid values include: date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field. date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601. terms - Buckets detections by the value of a specified field. For example, if field used is scenario, then detections will be bucketed by the various detection scenario names. range - Buckets detections by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the detects will be counted by the specified ranges of severity. cardinality - Returns the count of distinct values in a specified field. max - Returns the maximum value of a specified field. min - Returns the minimum value of a specified field. avg - Returns the average value of the specified field. sum - Returns the total sum of all values for the specified field. percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_notifications(date_ranges=date_ranges,
                                          field="string",
                                          filter="string",
                                          interval="string",
                                          min_doc_count=integer,
                                          missing="string",
                                          name="string",
                                          q="string",
                                          ranges=ranges,
                                          size=integer,
                                          sort="string",
                                          time_zone="string",
                                          type="string"
                                          )
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateNotificationsV1(date_ranges=date_ranges,
                                           field="string",
                                           filter="string",
                                           interval="string",
                                           min_doc_count=integer,
                                           missing="string",
                                           name="string",
                                           q="string",
                                           ranges=ranges,
                                           size=integer,
                                           sort="string",
                                           time_zone="string",
                                           type="string"
                                           )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "field": "string",
    "filter": "string",
    "interval": "string",
    "min_doc_count": 0,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": 0,
    "sort": "string",
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateNotificationsV1", body=BODY)
print(response)

PreviewRuleV1

Preview rules notification count and distribution. This will return aggregations on: channel, count, site.

PEP8 method name

preview_rule

Endpoint

Method	Route
	/recon/aggregates/rules-preview/GET/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload in JSON format.
filter			body	string	FQL Syntax formatted string used to limit results.
topic			body	string	Restricts results to the topic specified.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.preview_rule(filter="string", topic="string")
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.PreviewRuleV1(filter="string", topic="string")
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

BODY = {
  "filter": "string",
  "topic": "string"
}

response = falcon.command("PreviewRuleV1", body=BODY)
print(response)

GetActionsV1

Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint.

PEP8 method name

get_actions

Endpoint

Method	Route
	/recon/entities/actions/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Action IDs to retrieve.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_actions(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetActionsV1(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetActionsV1", ids=id_list)
print(response)

CreateActionsV1

Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.

PEP8 method name

create_actions

Endpoint

Method	Route
	/recon/entities/actions/v1

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
actions			body	list of dictionaries	List of actions to attach to the monitoring rule. When provided, actions overrides other keywords (excluding body).
body			body	dictionary	Full body payload in JSON format.
frequency			body	string	Frequency of the action. Only one action can be applied when using this keyword.
recipients			body	list of strings	List of action recipients. Only one action can be applied when using this keyword.
rule_id			body	string	Rule ID to attach action(s) to.
type			body	string	Action type. Only one action can be applied when using this keyword.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

recips = ["RECIP1", "RECIP2", "RECIP3"]

response = falcon.create_actions(frequency="string",
                                 recipients=recips,
                                 rule_id="string",
                                 type="string"
                                 )
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

recips = ["RECIP1", "RECIP2", "RECIP3"]

response = falcon.CreateActionsV1(frequency="string",
                                 recipients=recips,
                                 rule_id="string",
                                 type="string"
                                 )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

recips = ["RECIP1", "RECIP2", "RECIP3"]

BODY = {
  "actions": [
    {
      "frequency": "string",
      "recipients": recips,
      "type": "string"
    }
  ],
  "rule_id": "string"
}

response = falcon.command("CreateActionsV1", body=BODY)
print(response)

DeleteActionV1

Delete an action from a monitoring rule based on the action ID.

PEP8 method name

delete_action

Endpoint

Method	Route
	/recon/entities/actions/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
id			query	string	Action ID to delete.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.delete_action(id="string")
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.DeleteActionV1(id="string")
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("DeleteActionV1", id="string")
print(response)

UpdateActionV1

Update an action for a monitoring rule.

PEP8 method name

update_action

Endpoint

Method	Route
	/recon/entities/actions/v1

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload in JSON format.
frequency			body	string	Frequency of the action.
recipients			body	list of strings	List of action recipients.
id			body	string	Action ID to update.
status			body	string	Action status.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

recips = ["RECIP1", "RECIP2", "RECIP3"]

response = falcon.update_action(frequency="string",
                                recipients=recips,
                                id="string",
                                status="string"
                                )
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

recips = ["RECIP1", "RECIP2", "RECIP3"]

response = falcon.UpdateActionV1(frequency="string",
                                 recipients=recips,
                                 id="string",
                                 status="string"
                                 )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

recips = ["RECIP1", "RECIP2", "RECIP3"]

BODY = {
    "frequency": "string",
    "id": "string",
    "recipients": recips,
    "status": "string"
}

response = falcon.command("UpdateActionV1", body=BODY)
print(response)

GetNotificationsDetailedTranslatedV1

Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request

PEP8 method name

get_notifications_detailed_translated

Endpoint

Method	Route
	/recon/entities/notifications-detailed-translated/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Notification IDs to retrieve.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_notifications_detailed_translated(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetNotificationsDetailedTranslatedV1(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetNotificationsDetailedTranslatedV1", ids=id_list)
print(response)

GetNotificationsDetailedV1

Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.

PEP8 method name

get_notifications_detailed

Endpoint

Method	Route
	/recon/entities/notifications-detailed/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Notification IDs to retrieve.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_notifications_detailed(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetNotificationsDetailedV1(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetNotificationsDetailedV1", ids=id_list)
print(response)

GetNotificationsTranslatedV1

Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English.

PEP8 method name

get_notifications_translated

Endpoint

Method	Route
	/recon/entities/notifications-translated/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Notification IDs to retrieve.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_notifications_translated(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetNotificationsTranslatedV1(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetNotificationsTranslatedV1", ids=id_list)
print(response)

GetNotificationsV1

Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint.

PEP8 method name

get_notifications

Endpoint

Method	Route
	/recon/entities/notifications/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Notification IDs to retrieve.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_notifications(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetNotificationsV1(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetNotificationsV1", ids=id_list)
print(response)

DeleteNotificationsV1

Delete notifications based on IDs. Notifications cannot be recovered after they are deleted.

PEP8 method name

delete_notifications

Endpoint

Method	Route
	/recon/entities/notifications/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Notification IDs to delete.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_notifications(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteNotificationsV1(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteNotificationsV1", ids=id_list)
print(response)

UpdateNotificationsV1

Update notification status or assignee. Accepts bulk requests

PEP8 method name

update_notifications

Endpoint

Method	Route
	/recon/entities/notifications/v1

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
assigned_to_uuid			body	string	UUID of the assigned user.
body			body	dictionary	Full body payload in JSON format.
id			body	string	Notification ID.
status			body	string	Notification status.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.update_notifications(assigned_to_uuid="string",
                                       id="string",
                                       status="string"
                                       )
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.UpdateNotificationsV1(assigned_to_uuid="string",
                                        id="string",
                                        status="string"
                                        )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

BODY = [
  {
    "assigned_to_uuid": "string",
    "id": "string",
    "status": "string"
  }
]

response = falcon.command("UpdateNotificationsV1", body=BODY)
print(response)

GetRulesV1

Get monitoring rules rules by provided IDs.

PEP8 method name

get_rules

Endpoint

Method	Route
	/recon/entities/rules/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Rule IDs to retrieve.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetRulesV1(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetRulesV1", ids=id_list)
print(response)

CreateRulesV1

Create monitoring rules.

PEP8 method name

create_rules

Endpoint

Method	Route
	/recon/entities/rules/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload in JSON format.
filter			body	string	Rule filter.
name			body	string	Rule name.
permissions			body	string	Permissions. private or public.
priority			body	string	Priority. high, medium, low
topic			body	string	Rule topic.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.create_rules(filter="string",
                               name="string",
                               permissions="string",
                               priority="string",
                               topic="string"
                               )
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.CreateRulesV1(filter="string",
                               name="string",
                               permissions="string",
                               priority="string",
                               topic="string"
                               )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

BODY = [
    {
        "filter": "string",
        "name": "string",
        "permissions": "string",
        "priority": "string",
        "topic": "string"
    }
]

response = falcon.command("CreateRulesV1", body=BODY)
print(response)

DeleteRulesV1

Delete monitoring rules.

PEP8 method name

delete_rules

Endpoint

Method	Route
	/recon/entities/rules/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Rule IDs to delete.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rules(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteRulesV1(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteRulesV1", ids=id_list)
print(response)

UpdateRulesV1

Update monitoring rules.

PEP8 method name

update_rules

Endpoint

Method	Route
	/recon/entities/rules/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload in JSON format.
filter			body	string	Rule filter.
name			body	string	Rule name.
permissions			body	string	Permissions. private or public.
priority			body	string	Priority. high, medium, low
id			body	string	Rule ID to update.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.update_rules(filter="string",
                               id="string",
                               name="string",
                               permissions="string",
                               priority="string"
                               )
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

BODY = {
    "Body Payload": "See body description above"
}

response = falcon.UpdateRulesV1(filter="string",
                                id="string",
                                name="string",
                                permissions="string",
                                priority="string"
                                )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

BODY = [
  {
    "filter": "string",
    "id": "string",
    "name": "string",
    "permissions": "string",
    "priority": "string"
  }
]

response = falcon.command("UpdateRulesV1", body=BODY)
print(response)

QueryActionsV1

Query actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1.

PEP8 method name

query_actions

Endpoint

Method	Route
	/recon/queries/actions/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query expression that should be used to limit the results.
limit			query	integer	Maximum number of records to return.
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_actions(offset="string",
                                limit=integer,
                                sort="string",
                                filter="string",
                                q="string"
                                )
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryActionsV1(offset="string",
                                 limit=integer,
                                 sort="string",
                                 filter="string",
                                 q="string"
                                 )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("QueryActionsV1",
                          offset="string",
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )
print(response)

QueryNotificationsV1

Query notifications based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications/v1 or GET /entities/notifications-detailed/v1.

PEP8 method name

query_notifications

Endpoint

Method	Route
	/recon/queries/notifications/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query expression that should be used to limit the results.
limit			query	integer	Maximum number of records to return.
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_notifications(offset=integer,
                                      limit=integer,
                                      sort="string",
                                      filter="string",
                                      q="string"
                                      )
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryNotificationsV1(offset=integer,
                                       limit=integer,
                                       sort="string",
                                       filter="string",
                                       q="string"
                                       )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("QueryNotificationsV1",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )
print(response)

QueryRulesV1

Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1.

PEP8 method name

query_rules

Endpoint

Method	Route
	/recon/queries/rules/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query expression that should be used to limit the results.
limit			query	integer	Maximum number of records to return.
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_rules(offset="string",
                              limit=integer,
                              sort="string",
                              filter="string",
                              q="string"
                              )
print(response)

Service class example (Operation ID syntax)

from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryRulesV1(offset="string",
                               limit=integer,
                               sort="string",
                               filter="string",
                               q="string"
                               )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("QueryRulesV1",
                          offset="string",
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )
print(response)