From 15a7be4b1ba9027e12f87b0f6a071ba5700d068c Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Thu, 9 Nov 2023 23:11:02 -0500
Subject: [PATCH 01/16] Fix update_policy_container payload handler. Closes #1068. Relates to #1059.
---
 src/falconpy/_payload/_firewall.py | 14 ++++----------
 tests/test_firewall_management.py | 13 ++++++-------
 2 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/src/falconpy/_payload/_firewall.py b/src/falconpy/_payload/_firewall.py
index 263898fd9..dc6a7e283 100644
--- a/src/falconpy/_payload/_firewall.py
+++ b/src/falconpy/_payload/_firewall.py
@@ -85,18 +85,12 @@ def firewall_container_payload(passed_keywords: dict) -> dict:
 }
 """
 returned_payload = {}
- keys = ["default_inbound", "default_outbound", "platform_id", "tracking"]
+ keys = ["default_inbound", "default_outbound", "platform_id", "policy_id", "tracking",
+ "enforce", "is_default_policy", "local_logging", "test_mode"
+ ]
 for key in keys:
- if passed_keywords.get(key, None):
+ if passed_keywords.get(key, None) is not None:
 returned_payload[key] = passed_keywords.get(key, None)
- if passed_keywords.get("enforce", None) is not None:
- returned_payload["enforce"] = passed_keywords.get("enforce", None)
- if passed_keywords.get("is_default_policy", None) is not None:
- returned_payload["is_default_policy"] = passed_keywords.get("is_default_policy", None)
- if passed_keywords.get("local_logging", None) is not None:
- returned_payload["local_logging"] = passed_keywords.get("local_logging", None)
- if passed_keywords.get("test_mode", None) is not None:
- returned_payload["test_mode"] = passed_keywords.get("test_mode", None)
 rg_list = passed_keywords.get("rule_group_ids", None)
 if rg_list:
 if isinstance(rg_list, str):
diff --git a/tests/test_firewall_management.py b/tests/test_firewall_management.py
index 7fe42c077..45359bb14 100644
--- a/tests/test_firewall_management.py
+++ b/tests/test_firewall_management.py
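Review bot: The loop's new `is not None` test also forwards empty strings for the string-valued keys (`default_inbound`, `default_outbound`, `platform_id`, `policy_id`, `tracking`), which the previous truthiness check silently dropped; if only the boolean keys needed this, the string keys should keep a truthiness test, otherwise a comment such as `# Empty strings are forwarded deliberately; only None means "not supplied"` would record the intent. The loop body also looks each key up twice; `value = passed_keywords.get(key)` / `if value is not None:` / `returned_payload[key] = value` reads cleaner. firewall_container_payload's body continues outside the hunk with the rule_group_ids handling.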
@@ -59,23 +59,22 @@ def firewall_test_all_code_paths(self):
 "update_policy_container": falcon.update_policy_container(default_inbound="something",
 default_outbound="something_else",
 platform_id="linux",
- tracking="Bob",
- cs_username="BillTheCat",
 enforce=False,
 is_default_policy=False,
 test_mode=True,
- rule_group_ids="12345,67890",
- local_logging=False
+ rule_group_ids=["12345", "67890"],
+ local_logging=False,
+ policy_id="987123"
 ),
 "update_policy_container_v1": falcon.update_policy_container_v1(default_inbound="something",
 default_outbound="something_else",
 platform_id="linux",
- tracking="Bob",
- cs_username="BillTheCat",
 enforce=False,
+ local_logging=False,
 is_default_policy=False,
 test_mode=True,
- rule_group_ids="12345,67890"
+ rule_group_ids="12345,67890",
+ policy_id="987123"
 ),
 "create_rule_group": self.set_rule_group_id(),
 "create_rule_group_fail_one": falcon.create_rule_group(rules={"whatever": "bro"}),
From 208fbfa71c65738d010033fbfc262220bce28700 Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Thu, 9 Nov 2023 23:12:26 -0500
Subject: [PATCH 02/16] Cleaner field mapping for path variable handling.
---
 src/falconpy/_util/_uber.py | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/src/falconpy/_util/_uber.py b/src/falconpy/_util/_uber.py
index 6ce666d10..b7e77e0e4 100644
--- a/src/falconpy/_util/_uber.py
+++ b/src/falconpy/_util/_uber.py
@@ -81,19 +81,18 @@ def handle_body_payload_ids(kwa: dict) -> dict:
 def scrub_target(oper: str, scrubbed: str, kwas: dict) -> str:
 """Scrubs the endpoint target by performing any outstanding string replacements."""
 field_mapping = {
- "DeleteImageDetails": "image_id",
- "refreshActiveStreamSession": "partition",
- "querySensorUpdateKernelsDistinct": "distinct_field",
- "ListObjects": "collection_name",
- "SearchObjects": "collection_name",
- "GetObject": "collection_name~object_key",
- "PutObject": "collection_name~object_key",
- "DeleteObject": "collection_name~object_key",
- "GetObjectMetadata": "collection_name~object_key"
+ "DeleteImageDetails": ["image_id"],
+ "refreshActiveStreamSession": ["partition"],
+ "querySensorUpdateKernelsDistinct": ["distinct_field"],
+ "ListObjects": ["collection_name"],
+ "SearchObjects": ["collection_name"],
+ "GetObject": ["collection_name", "object_key"],
+ "PutObject": ["collection_name", "object_key"],
+ "DeleteObject": ["collection_name", "object_key"],
+ "GetObjectMetadata": ["collection_name", "object_key"]
 }
- for field_value, field_name in field_mapping.items():
+ for field_value, field_names in field_mapping.items():
 if oper == field_value: # Only perform replacements on mapped operation IDs.
- field_names = field_name.split("~")
 if len(field_names) == 1:
 scrubbed = handle_field(scrubbed, kwas, field_names[0])
 else:
From d7ce7f01daa7ef9d6a93624a0f568f5cc5d41697 Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Sat, 11 Nov 2023 11:41:40 -0500
Subject: [PATCH 03/16] Remove unsupported actions. Relates to #1059.
---
 src/falconpy/firewall_policies.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/falconpy/firewall_policies.py b/src/falconpy/firewall_policies.py
index 7f11da473..0dfb8a93e 100644
--- a/src/falconpy/firewall_policies.py
+++ b/src/falconpy/firewall_policies.py
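Review bot: The loop over `field_mapping.items()` comparing `oper == field_value` is a linear scan of a dict keyed by exactly the value being compared, and the loop variable `field_value` actually holds the operation ID, not a value. A direct lookup does the same work and reads as what it is: `field_names = field_mapping.get(oper)` / `if field_names:  # Only perform replacements on mapped operation IDs.` / `if len(field_names) == 1:`. The removal of `split("~")` is consistent with the list-valued mapping, so nothing else in the hunk still depends on the string form. scrub_target's else branch continues outside the hunk.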
@@ -131,8 +131,8 @@ def perform_action(self: object, body: dict = None, parameters: dict = None, **k
 """Perform the specified action on the Firewall Policies specified in the request.

 Keyword arguments:
- action_name -- action to perform: 'add-host-group', 'add-rule-group', 'disable', 'enable',
- 'remove-rule-group' or 'remove-host-group'.
+ action_name -- action to perform: 'add-host-group', 'disable', 'enable',
+ or 'remove-host-group'.
 action_parameters -- Action specific parameter options. List of dictionaries.
 {
 "name": "string",
@@ -164,8 +164,8 @@ def perform_action(self: object, body: dict = None, parameters: dict = None, **k
 Swagger URL
 https://assets.falcon.crowdstrike.com/support/api/swagger.html#/firewall-policies/performFirewallPoliciesAction
 """
- _allowed_actions = ['add-host-group', 'disable', 'enable',
- 'remove-host-group', 'add-rule-group', 'remove-rule-group'
+ _allowed_actions = ['add-host-group', 'disable', 'enable', 'remove-host-group',
+ # 'add-rule-group', 'remove-rule-group' # Currently unsupported
 ]
 operation_id = "performFirewallPoliciesAction"
 parameter_payload = args_to_params(parameters, kwargs, Endpoints, operation_id)
From c59c4ee8c9f2d21215a116b6b96d4c16fdf3c25a Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Sat, 11 Nov 2023 14:46:50 -0500
Subject: [PATCH 04/16] Add after property to Meta class. Closes #1069.
---
 src/falconpy/_result/_meta.py | 5 +++++
 src/falconpy/_result/_result.py | 8 ++++++++
 2 files changed, 13 insertions(+)
diff --git a/src/falconpy/_result/_meta.py b/src/falconpy/_result/_meta.py
index 5341657db..ef7dfc9d3 100644
--- a/src/falconpy/_result/_meta.py
+++ b/src/falconpy/_result/_meta.py
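Review bot: The second hunk leaves the two removed actions as commented-out code inside the `_allowed_actions` literal; commented-out code drifts and makes the allowlist harder to read, and the literal reads better as `_allowed_actions = ['add-host-group', 'disable', 'enable', 'remove-host-group']` with the rationale as a comment above it, e.g. `# 'add-rule-group' and 'remove-rule-group' are not supported by performFirewallPoliciesAction (see #1059)`. The docstring hunk already documents the reduced set, so the two stay consistent. How a rejected action_name is reported to the caller is outside both hunks; perform_action continues past them.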
@@ -52,6 +52,11 @@ def query_time(self) -> Optional[float]:
 """Return the the contents of the query_time key."""
 return self.get_property("query_time", None)

+ @property
+ def after(self) -> Optional[Union[int, str, float]]:
+ """Return the the contents of the after key."""
+ return self.pagination.get("after", None)
+
 @property
 def offset(self) -> Optional[Union[int, str, float]]:
 """Return the the contents of the offset key."""
diff --git a/src/falconpy/_result/_result.py b/src/falconpy/_result/_result.py
index 5cbc72bdb..9b3512fb4 100644
--- a/src/falconpy/_result/_result.py
+++ b/src/falconpy/_result/_result.py
@@ -258,6 +258,14 @@ def total(self) -> Optional[Union[int, str, float]]:
 _returned = self.meta.total
 return _returned

+ @property
+ def after(self) -> Optional[Union[int, str, float]]:
+ """Return the record after from the underlying Meta object."""
+ _returned: Optional[Union[int, str, float]] = None
+ if self.meta:
+ _returned = self.meta.after
+ return _returned
+
 @property
 def offset(self) -> Optional[Union[int, str, float]]:
 """Return the record offset from the underlying Meta object."""
From a6d144793e28f68cc21684ed1f11b1348d9e961f Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Wed, 15 Nov 2023 04:16:41 -0500
Subject: [PATCH 05/16] Fix body payload handler. Closes #1074.
---
 src/falconpy/installation_tokens.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/falconpy/installation_tokens.py b/src/falconpy/installation_tokens.py
index b21f0aff7..e59881d47 100644
--- a/src/falconpy/installation_tokens.py
+++ b/src/falconpy/installation_tokens.py
@@ -216,7 +216,7 @@ def tokens_update(self: object, body: dict, parameters: dict = None, **kwargs) -
 """
 if not body:
 body = installation_token_payload(passed_keywords=kwargs)
- if kwargs.get("revoked", None):
+ if kwargs.get("revoked", None) is not None:
 body["revoked"] = kwargs.get("revoked", None)

 return process_service_request(
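Review bot: The new `after` property reads `self.pagination.get("after", None)` while its neighbour `query_time` goes through `self.get_property(...)`; if `pagination` can be `None` for a response without a pagination block (how it is built is not visible here), the property raises AttributeError instead of returning None like its siblings, so either a guard such as `return (self.pagination or {}).get("after", None)` or confirmation that `pagination` always yields a dict is needed. The new docstring also carries the duplicated word: `"""Return the contents of the after key."""`. The Result.after property in the following _result.py hunk mirrors total/offset and raises no separate point.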
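Review bot: The `revoked` override on the changed line deserves a comment saying why it sits outside `installation_token_payload` and why `False` must get through, e.g. `# revoked is a tri-state override: False restores a token, so only None means "not supplied"`. This is the same truthiness-versus-None distinction corrected for the firewall payload in PATCH 01; if `installation_token_payload` itself maps `revoked` (not visible here), that mapping should use the same `is not None` test. tokens_update continues outside the hunk.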
From ae8682c70580d9d8787ed7e7930cd8ad4243c58a Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Wed, 15 Nov 2023 10:46:07 -0500
Subject: [PATCH 06/16] Add malware warning to Malqueryinator docs
---
 samples/malquery/README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/samples/malquery/README.md b/samples/malquery/README.md
index 787d33690..95cf13779 100644
--- a/samples/malquery/README.md
+++ b/samples/malquery/README.md
@@ -9,6 +9,10 @@ The examples in this folder focus on leveraging CrowdStrike's MalQuery API to pe
 Downloads a specified number of examples from MalQuery that match the search term and type you specify. Results will be stored in _zip_ archive format with the password of `infected`.
+> [!WARNING]
+> Samples downloaded from MalQuery have been confirmed as __malware__.
+> __*Handle with extreme caution*__.
+
 ### Running the program
 In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:
 | Service Collection | Scope |
From efc4c23d7a35457b063a20476da47208d4b5a20d Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Fri, 17 Nov 2023 16:49:53 -0500
Subject: [PATCH 07/16] Leverage RAW content when tupling if necessary. Closes #1076.
---
 src/falconpy/_result/_result.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/falconpy/_result/_result.py b/src/falconpy/_result/_result.py
index 9b3512fb4..6fdeac295 100644
--- a/src/falconpy/_result/_result.py
+++ b/src/falconpy/_result/_result.py
@@ -368,6 +368,8 @@ def tupled(self) -> Tuple[int, # \o_
 _content: Optional[Union[Dict[str, Union[dict, list]], bytes]] = None
 if self.resources.binary:
 _content = bytes(self.resources)
+ elif self.raw:
+ _content = self.raw
 else:
 _content = {
 "meta": self.meta.data,
From d2be3536c0418823958258e4ca3cd563ea7c2f4e Mon Sep 17 00:00:00 2001
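Review bot: `elif self.raw:` is a truthiness test, so an empty raw body (empty dict or bytes, depending on what `raw` holds, which the hunk does not show) falls through to the constructed meta/resources dict rather than being returned as-is; if that is intended, a comment such as `# Fall back to the structured form when no raw content was captured` makes it explicit, otherwise `elif self.raw is not None:` is the safer test. The `_content` annotation on the first context line admits only the dict form or bytes; if `raw` can be another type the annotation should be widened to match. tupled's body continues outside the hunk.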
From: Joshua Hiller
Date: Fri, 17 Nov 2023 22:02:20 -0500
Subject: [PATCH 08/16] Add token dispenser sample
---
 samples/README.md | 36 +
 samples/installation_tokens/README.md | 908 ++++++++++++++++
 .../installation_tokens/token_dispenser.py | 999 ++++++++++++++++++
 3 files changed, 1943 insertions(+)
 create mode 100644 samples/installation_tokens/README.md
 create mode 100644 samples/installation_tokens/token_dispenser.py
diff --git a/samples/README.md b/samples/README.md
index b80bcd186..0d4e3c331 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -43,6 +43,7 @@ The following samples are categorized by CrowdStrike Falcon API service collecti
 | [Hosts](#hosts) | [List sensors by hostname](#list-sensors-by-hostname)
[Manage duplicate sensors](#manage-duplicate-sensors)
[CUSSED (Manage stale sensors)](#cussed-manage-stale-sensors)
[Match usernames to hosts](#match-usernames-to-hosts)
[Offset vs. Token](#offset-vs-token)
[Prune Hosts by Hostname or AID](#prune-hosts-by-hostname-or-aid)
[Quarantine a host](#quarantine-a-host)
[Quarantine a host (updated version)](#quarantine-a-host-updated-version) | | [Identity Protection](#identity-protection) | [GraphQL Pagination](#graphql-pagination) | | [Incidents](#incidents) | [CrowdScore QuickChart](#crowdscore-quickchart)
[Incident Triage](#incident-triage) | +| [Installation Tokens](#installation-tokens) | [Token Dispenser](#token-dispenser) | | [Intel](#intel) | [MISP Import](#misp-import)
[Intel Search](#intel-search) | | [IOC](#ioc) | [Create indicators](#create-indicators) | | [MalQuery](#malquery) | [Malqueryinator](#malqueryinator) | 
@@ -643,6 +644,41 @@ This sample demonstrates the following CrowdStrike Incidents API operations: --- +## Installation Tokens +This category is dedicated to demonstrating the functionality provided by the CrowdStrike Installation Tokens API service collection. + +- [Token Dispenser](#token-dispenser) + +### Token Dispenser +Easily manage installation tokens within your tenant or across child tenants with the [Token Dispenser](installation_tokens#token-dispenser). + +[![Installation Tokens](https://img.shields.io/badge/Service%20Class-Token_Dispenser-silver?style=for-the-badge&labelColor=red&logo=)](installation_tokens#token-dispenser) +[![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](installation_tokens#token-dispenser) + +#### Installation Tokens API operations discussed +This sample demonstrates the following CrowdStrike Installation Tokens API operations: + +| Operation | Description | +| :--- | :--- | +| [tokens_create](https://www.falconpy.io/Service-Collections/Installation-Tokens.html#tokens_create) | Creates a token. | +| [tokens_delete](https://www.falconpy.io/Service-Collections/Installation-Tokens.html#tokens_delete) | Deletes a token immediately. To revoke a token, use `token_update` instead. | +| [tokens_read](https://www.falconpy.io/Service-Collections/Installation-Tokens.html#tokens_read) | Get the details of one or more tokens by ID. | +| [tokens_update](https://www.falconpy.io/Service-Collections/Installation-Tokens.html#tokens_update) | Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore. | + +#### Flight Control API operations discussed +This sample demonstrates the following CrowdStrike Flight Control API operations: +| Operation | Description | +| :--- | :--- | +| [queryChildren](https://www.falconpy.io/Service-Collections/MSSP.html#querychildren) | Query for customers linked as children. 
| + +#### Sensor Download API operations discussed +This sample demonstrates the following CrowdStrike Sensor Download API operations: +| Operation | Description | +| :--- | :--- | +| [GetSensorInstallersCCIDByQuery](https://www.falconpy.io/Service-Collections/Sensor-Download.html#getsensorinstallersccidbyquery) | Get CCID to use with sensor installers. | + +--- + ## Intel This category provides samples that demonstrate the CrowdStrike Falcon Intel API service collection. diff --git a/samples/installation_tokens/README.md b/samples/installation_tokens/README.md new file mode 100644 index 000000000..10c7a96e0 --- /dev/null +++ b/samples/installation_tokens/README.md 
@@ -0,0 +1,908 @@ +![CrowdStrike Falcon](https://raw.githubusercontent.com/CrowdStrike/falconpy/main/docs/asset/cs-logo.png) + +[![CrowdStrike Subreddit](https://img.shields.io/badge/-r%2Fcrowdstrike-white?logo=reddit&labelColor=gray&link=https%3A%2F%2Freddit.com%2Fr%2Fcrowdstrike)](https://reddit.com/r/crowdstrike) + +# Installation Tokens examples +The examples in this folder focus on leveraging CrowdStrike's Installation Tokens API to manage sensor installation tokens. +- [Token Dispenser](#token-dispenser) + +## Token Dispenser +This application displays and manages installation tokens within your CrowdStrike tenant. +> [!NOTE] +> This solution supports Flight Control (MSSP) usage for all functionality, allowing administrators to manage multiple tokens across child tenants with a single command. + +- [Requirements](#requirements) +- [Running the program](#running-the-program) +- [Execution syntax](#execution-syntax) +- [Commands](#commands) +- [Source code](#example-source-code) + +### Requirements +- [Python 3.7 or greater](https://www.python.org) +- [CrowdStrike FalconPy v1.3.4 or greater](https://github.com/CrowdStrike/falconpy/releases/tag/v1.3.4) +- [pyfiglet](https://pypi.org/project/pyfiglet/) +- [tabulate](https://pypi.org/project/tabulate/) + +### Running the program +In order to run this demonstration, you will need access to CrowdStrike API keys with the following scope: +| Service Collection | Scope | +| :---- | :---- | +| Installation Tokens | __READ__, __WRITE__ | + +To take advantage of MSSP mode (Flight Control) functionality, you will also need the following scopes: +| Service Collection | Scope | +| :---- | :---- | +| Flight Control | __READ__ | +| Sensor Downloads | __READ__ | + +> [!NOTE] +> All operations within the Installation Tokens service collection maintain low rate limits. This application automatically backs off and retries the request when these limits are exceeded. 
+ +### Execution syntax +This application provides multiple commands, each with unique options. + +```shell +python3 token_dispenser.py [-h] command [options] +``` + +##### Command line help +The menu of commands can be retrieved by providing `-h` on the command line with no other arguments. + +```shell +Installation Token management utility. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | |::.. . | FalconPy v1.3.4 +`-------' `-------' + +_______ _____ _ _ _______ __ _ + | | | |____/ |______ | \ | + | |_____| | \_ |______ | \_| + +______ _____ _______ _____ _______ __ _ _______ _______ ______ +| \ | |______ |_____] |______ | \ | |______ |______ |_____/ +|_____/ __|__ ______| | |______ | \_| ______| |______ | \_ + + .-------. with ________) + |Jackpot| (, / /) , /) + ____________|_______|____________ /___, // _ (/ _/_ + | __ __ ___ _____ __ | ) / (/__(_(_/_/ )_(__ + | / _\ / / /___\/__ \ / _\ | (_/ .-/ + | \ \ / / // // / /\ \\ \ 25| (_/ ) ___ + | _\ \/ /___/ \_// / / \/_\ \ []| __ (__/_____) /) + | \__/\____/\___/ \/ \__/ []| (__) / _____ _/_ __ ___// + |===_______===_______===_______===| || / (_) / (_(__/ (_(_)(/_ + ||*| _____ |*| |*| ___ |*|| || (______) + ||*|| ||*| /\ _ |*| |_ | |*|| || + ||*||*BAR*||*| \_(_)|*| / / |*|| || + ||*||_____||*| (_) |*| /_/ |*|| || + ||*|_______|*|_______|*|_______|*||_// Creation date: 11.15.2023 + | \=___________________________=/ |_/ jshcodes@CrowdStrike + _| \_______________________/ |_ WE STOP BREACHES +(_____________________________________) + +positional arguments: + Token command Command description + list (l) List all tokens [default] + create (c) Create tokens + revoke (x) Revoke tokens + restore (r) Restore tokens + update (u) Update tokens + delete (d) Delete tokens + +optional arguments: + -h, --help show this help message and exit +``` + 
+### Commands +The token dispenser supports 6 primary commands, each accepting optional arguments that alter how the command is performed. +When using [MSSP mode](#flight-control-mssp-mode-arguments) operations performed cross all tenants. +> Example: Calling the `list` command while also enabling MSSP mode with the `-m` command line argument will show tokens for the parent and all children. + +- [List](#list-tokens) - List all tokens within the environment. +- [Create](#create-tokens) - Create one or multiple tokens with a specified expiration and label. +- [Revoke](#revoke-tokens) - Revoke one or multiple tokens by label or ID. +- [Restore](#restore-tokens) - Restore one or multiple tokens by label or ID. +- [Update](#update-tokens) - Update the label or expiration for one or multiple tokens by label or ID. +- [Delete](#delete-tokens) - Delete one or multiple tokens by label or ID. + +#### Authentication, display and saving results to a file +All commands accept universal arguments that may be mixed with command-specific arguments. +These arguments control configuration elements that are shared across all available commands such as: +- Authentication +- Flight Control (MSSP mode) +- Display options (such as filtering, sorting and formatting) +- Outputting displayed results to CSV or JSON format + +##### Universal arguments +The following options are available as command line arguments regardless of command performed. +Universal arguments may be provided in any order. + +###### General, display and output arguments +These arguments allow users to control debug and result display settings. +Results can also be exported to a file in JSON or CSV format using these options. + +| Argument | Long Argument | Description | Category | +| :-- | :-- | :-- | :-- | + | `-h` | `--help` | Show help for the specified command and exit. | General | + | `-d` | `--debug` | Enable debug. 
| General | + | `-f` FILTER | `--filter` FILTER | Filter results by searching token labels (stemmed search). | Display | + | `-o` ORDER_BY | `--order-by` ORDER_BY | Sort key to use for tabular displays. | Display | + | `-r` | `--reverse` | Reverses the sort order. | Display | + | `-t` TABLE_FORMAT | `--table-format` TABLE_FORMAT | Format to use for tabular output. | Display | + | `-v` | `--show-version` | Show FalconPy version in output. | Display | + | | `--output-file` OUTPUT_FILE | Output token list results to a CSV or JSON file. | Output | + | | `--output-format` OUTPUT_FORMAT | Set output file format.

Allowed options:
  • csv
  • json
| Output | + +###### Authentication arguments +> [!NOTE] +> The following arguments are not required when you are using [environment authentication](https://www.falconpy.io/Usage/Authenticating-to-the-API.html#environment-authentication). + +| Argument | Long Argument | Description | Category | +| :-- | :-- | :-- | :-- | +| `-k` CLIENT_ID | `--client_id` CLIENT_ID | Falcon API client ID. | Authentication | +| `-s` CLIENT_SECRET | `--client_secret` CLIENT_SECRET | Falcon API client secret. | Authentication + +###### Flight Control (MSSP mode) arguments +> [!NOTE] +> The following arguments are not required when you are not using Flight Control. + +| Argument | Long Argument | Description | Category | +| :-- | :-- | :-- | :-- | +| `-c` CHILD | `--child` CHILD | CID of the child tenant to target. | MSSP | +| `-m` | `--mssp` | Flight Control (MSSP) mode.
Commands executed are performed within every tenant unless the parent is explicitly skipped. | MSSP | +| | `--skip-parent`| Do not execute commands within the parent tenant. | MSSP | +| | `--show-tenant` | Display tenant CID values as part of execution. | MSSP | + +##### Examples +The following examples demonstrate different universal argument variations. + +###### Enable debugging +Passing the `-d` (`--debug`) argument will enable API debugging for every operation performed. + +```shell +python3 token_dispenser.py -d +``` + +###### Filter display results by label +The `-f` (`--filter`) option will only display results that include the word "Example" in any position within the label. + +```shell +python3 token_dispenser.py -f Example +``` + +###### Sort display results +You can sort results by any column in the display results using the `-o` (`order-by`) argument. +Using the `-r` (`--reverse`) argument will reverse the sort. + +```shell +python3 token_dispenser.py -o status -r +``` + +###### Change the display table format +You can change the format of the display table to any of the following options using the `-t` (`table-format`) argument. 
+ +```shell +python3 token_dispenser.py -t fancy_grid +``` + +###### *Available table format options* +| | | | | | | +| :-- | :-- | :-- | :-- | :-- | :-- | +| `plain` | `simple` | `github` | `grid` | `simple_grid` | `rounded_grid` | +| `heavy_grid` | `mixed_grid` | `double_grid` | `fancy_grid` | `outline` | `simple_outline` | +| `rounded_outline` | `heavy_outline` | `mixed_outline` | `double_outline` | `fancy_outline` | `pipe` | +| `orgtbl` | `asciidoc` | `jira` | `presto` | `pretty` | `psql` | +| `rst` | `mediawiki` | `moinmoin` | `youtrack` | `html` | `unsafehtml` | +| `latex` | `latex_raw` | `latex_booktabs` | `latex_longtable` | `textile` | `tsv` | + + +###### Authenticating to a single tenant +If you are not using [Environment Authentication](https://www.falconpy.io/Usage/Authenticating-to-the-API.html#environment-authentication), you will need to provide authentication detail on the command line using the `-k` (`--client-id`) and `-s` (`--client-secret`) arguments. + +```shell +python3 token_dispenser.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET +``` + +###### Authenticating to a parent tenant and enabling MSSP mode +MSSP mode will perform commands against all child tenants and the parent (if not explicitly skipped using the `--skip-parent` argument). +This includes API calls used to create display results. + +```shell +python3 token_dispenser.py -k $PARENT_CLIENT_ID -s $PARENT_CLIENT_SECRET -m +``` + +###### Authenticating as a parent to a single child +You can also directly authenticate (as a parent) to the child tenant using the `-c` (`--child`) argument. +This argument does not require MSSP mode and may be provided with or without the `-m` argument. + +```shell +python3 token_dispenser.py -k $PARENT_CLIENT_ID -s $PARENT_CLIENT_SECRET -c $CHILD_TENANT_CID +``` + +###### Displaying the tenant ID +You can display the tenant ID for the parent and child tenants before the operation is performed with the `--show-tenant` argument. 
+ +```shell +python3 token_dispenser.py --show-tenant +``` + +--- + +#### List tokens +The list command is the default command, and is executed when no command is specified. +After the execution of any other command, the list command is executed to display the results generated. + +There are no list command-specific arguments. All universal arguments are accepted. + +##### Command line help (list) +Command-line help for this command is available when the command is called along with the `-h` argument. + +```shell +usage: token_dispenser.py list [-h] [-d] [-f FILTER] [-o ORDER_BY] [-r] [-t TABLE_FORMAT] [-v] [--output-file OUTPUT_FILE] [--output-format {csv,json}] [-k CLIENT_ID] [-s CLIENT_SECRET] [-c CHILD] [-m] [--skip-parent] + [--show-tenant] + + _ _ _ +| | (_) | | +| | _ ___| |_ +| | | / __| __| +| |____| \__ \ |_ +|______|_|___/\__| + + + +optional arguments: + -h, --help show this help message and exit + -d, --debug Enable debug. + -f FILTER, --filter FILTER + Filter results by searching token labels (stemmed search). + -o ORDER_BY, --order-by ORDER_BY + Sort key to use for tabular displays. + -r, --reverse Reverses the sort order. + -t TABLE_FORMAT, --table-format TABLE_FORMAT + Format to use for tabular output. + -v, --show-version Show FalconPy version in output. + --output-file OUTPUT_FILE + Output token list results to a CSV or JSON file. + --output-format {csv,json} + Set output file format. + +authentication arguments (not required if using environment authentication): + -k CLIENT_ID, --client_id CLIENT_ID + Falcon API client ID + -s CLIENT_SECRET, --client_secret CLIENT_SECRET + Falcon API client secret + +mssp arguments: + -c CHILD, --child CHILD + CID of the child tenant to target. + -m, --mssp Flight Control (MSSP) mode. + --skip-parent Do not take action within the parent tenant. + --show-tenant Display tenant CID values. +``` + +--- + +#### Create tokens +Create tokens within your tenant, or across parent and child tenants simultaneously. 
Supports the creation of multiple tokens with specified expiration dates. +Expiration may be set by number of days or by specifying a specific date in UTC format. + +##### Create command arguments +There are two create command-specific required arguments (`token-label` and `expiration`). There are also two optional arguments `count` and `force`. +All [universal arguments](#universal-arguments) are supported and can be mixed with create command arguments in any order or combination. + +| Argument | Long Argument | Description | Category | +| :-- | :-- | :-- | :-- | +| | `--force` | Perform the operation without asking for confirmation. | General | +| `-l` TOKEN_LABEL | `--token-label` TOKEN_LABEL | Label for the token. | Create | +| `-e` EXPIRATION | `--expiration` EXPIRATION | Token expiration.
(number of days or a specific date in `YYYY-mm-ddTHH:MM:SSZ` format). | Create | +| `-n` COUNT | `--count` COUNT | Number of tokens to create. | Create | + +##### Examples +The following examples demonstrate different create command variations. + +###### Create a single token in a standard tenant +This example will create a token labeled "ExampleToken" with an expiration of 5 days from now. + +```shell +python3 token_dispenser.py create -l ExampleToken -e 5 +``` + +##### Flight Control examples +> [!IMPORTANT] +> You must provide either the MSSP mode (`-m`) or the child (`-c`) argument in order to execute operations within child tenants. + +###### Create a single token across the parent and child tenants +This example will create a token labeled "ExampleToken" with an expiration 10 days from now in the parent and every child tenant. + +```shell +python3 token_dispenser.py create -l ExampleToken -e 10 -m +``` + +###### Create multiple tokens in all child tenants but do not create one in the parent +This example will create three tokens with a specific expiration date, labeled "ExampleToken1", "ExampleToken2", and "ExampleToken3" within child tenants. +The parent tenant will remain unchanged as the `skip-parent` argument has been provided. + +```shell +python3 token_dispenser.py create -l ExampleToken -e 2025-01-01T00:00:01Z -n 3 -m --skip-parent +``` + +> [!NOTE] +> To skip the confirmation dialog presented when performing multi-tenant operations, provide the `--force` argument. This argument has no impact on operations where a confirmation dialog is not normally presented. + +##### Command line help (create) +Command-line help for this command is available when the command is called along with the `-h` argument. 
+ +```shell +usage: token_dispenser.py create [-h] -l TOKEN_LABEL -e EXPIRATION [-n COUNT] [--force] [-d] [-f FILTER] [-o ORDER_BY] [-r] [-t TABLE_FORMAT] [-v] [--output-file OUTPUT_FILE] [--output-format {csv,json}] [-k CLIENT_ID] + [-s CLIENT_SECRET] [-c CHILD] [-m] [--skip-parent] [--show-tenant] + + _____ _ + / ____| | | +| | _ __ ___ __ _| |_ ___ +| | | '__/ _ \/ _` | __/ _ \ +| |____| | | __/ (_| | || __/ + \_____|_| \___|\__,_|\__\___| + + + +optional arguments: + -h, --help show this help message and exit + -n COUNT, --count COUNT + Number of tokens to create + --force Perform the operation without asking for confirmation. + -d, --debug Enable debug. + -f FILTER, --filter FILTER + Filter results by searching token labels (stemmed search). + -o ORDER_BY, --order-by ORDER_BY + Sort key to use for tabular displays. + -r, --reverse Reverses the sort order. + -t TABLE_FORMAT, --table-format TABLE_FORMAT + Format to use for tabular output. + -v, --show-version Show FalconPy version in output. + --output-file OUTPUT_FILE + Output token list results to a CSV or JSON file. + --output-format {csv,json} + Set output file format. + +required arguments: + -l TOKEN_LABEL, --token-label TOKEN_LABEL + Label for the token. + -e EXPIRATION, --expiration EXPIRATION + Token expiration (number of days or YYYY-mm-ddTHH:MM:SSZ). + +authentication arguments (not required if using environment authentication): + -k CLIENT_ID, --client_id CLIENT_ID + Falcon API client ID + -s CLIENT_SECRET, --client_secret CLIENT_SECRET + Falcon API client secret + +mssp arguments: + -c CHILD, --child CHILD + CID of the child tenant to target. + -m, --mssp Flight Control (MSSP) mode. + --skip-parent Do not take action within the parent tenant. + --show-tenant Display tenant CID values. +``` + +--- + +#### Revoke tokens +Revoke tokens within your tenant, or across parent and child tenants simultaneously. Supports the revocation of multiple tokens. 
+ +##### Revoke command arguments +There are two revoke command-specific required arguments (`token-id` and `token-label`). These arguments are mutually exclusive. There is one optional argument `force`. +All [universal arguments](#universal-arguments) are supported and can be mixed with create command arguments in any order or combination. + +| Argument | Long Argument | Description | Category | +| :-- | :-- | :-- | :-- | +| | `--force` | Perform the operation without asking for confirmation. | General | +| `-i` TOKEN_ID | `--token-id` TOKEN_ID | ID of the token to revoke. | Revoke | +| `-l` TOKEN_LABEL | `--token-label` TOKEN_LABEL | Label of the token to revoke (starts with match). | Revoke | + +##### Examples +The following examples demonstrate different revoke command variations. + +###### Revoke tokens in a standard tenant +This example will revoke any token with a label starting with "ExampleToken". + +```shell +python3 token_dispenser.py revoke -l ExampleToken +``` + +You can also revoke specific tokens by ID. + +```shell +python3 token_dispenser.py delete -i $TOKEN_ID +``` + +##### Flight Control examples +> [!IMPORTANT] +> You must provide the MSSP mode (`-m`) argument in order to access child tenants. If you wish processing to only occur within child tenants, you must provide the `--skip-parent` argument. + +###### Revoke a single token in a child tenant +This example will revoke a single token within a child tenant. + +```shell +python3 token_dispenser.py revoke -i $TOKEN_ID -c $CHILD_TENANT_CID +``` + +You can also accomplish this leveraging MSSP mode. All child tenants will be searched for a token that matches the ID. + +```shell +python3 token_dispenser.py revoke -i $TOKEN_ID -m +``` + +###### Revoke tokens in a child tenant that have a label starting with a specific string +This example will revoke tokens labeled "ExampleToken" (or any variation starting with this string) within child tenants. 
+ +```shell +python3 token_dispenser.py revoke -l ExampleToken -c $CHILD_TENANT_CID +``` + +You can also accomplish this leveraging MSSP mode. All child tenants will be searched for labels that match the specified string. + +```shell +python3 token_dispenser.py revoke -l ExampleToken -m +``` + +> [!NOTE] +> To skip the confirmation dialog presented when performing multi-tenant operations, provide the `--force` argument. This argument has no impact on operations where a confirmation dialog is not normally presented. + +##### Command line help (revoke) +Command-line help for this command is available when the command is called along with the `-h` argument. + +```shell +usage: token_dispenser.py revoke [-h] (-i TOKEN_ID | -l TOKEN_LABEL) [--force] [-d] [-f FILTER] [-o ORDER_BY] [-r] [-t TABLE_FORMAT] [-v] [--output-file OUTPUT_FILE] [--output-format {csv,json}] [-k CLIENT_ID] + [-s CLIENT_SECRET] [-c CHILD] [-m] [--skip-parent] [--show-tenant] + + _____ _ +| __ \ | | +| |__) |_____ _____ | | _____ +| _ // _ \ \ / / _ \| |/ / _ \ +| | \ \ __/\ V / (_) | < __/ +|_| \_\___| \_/ \___/|_|\_\___| + + + +optional arguments: + -h, --help show this help message and exit + --force Perform the operation without asking for confirmation. + -d, --debug Enable debug. + -f FILTER, --filter FILTER + Filter results by searching token labels (stemmed search). + -o ORDER_BY, --order-by ORDER_BY + Sort key to use for tabular displays. + -r, --reverse Reverses the sort order. + -t TABLE_FORMAT, --table-format TABLE_FORMAT + Format to use for tabular output. + -v, --show-version Show FalconPy version in output. + --output-file OUTPUT_FILE + Output token list results to a CSV or JSON file. + --output-format {csv,json} + Set output file format. + +required arguments (mutually exclusive): + -i TOKEN_ID, --token-id TOKEN_ID + ID of the token to revoke. + -l TOKEN_LABEL, --token-label TOKEN_LABEL + Label of the token to revoke (starts with match). 
+ +authentication arguments (not required if using environment authentication): + -k CLIENT_ID, --client_id CLIENT_ID + Falcon API client ID + -s CLIENT_SECRET, --client_secret CLIENT_SECRET + Falcon API client secret + +mssp arguments: + -c CHILD, --child CHILD + CID of the child tenant to target. + -m, --mssp Flight Control (MSSP) mode. + --skip-parent Do not take action within the parent tenant. + --show-tenant Display tenant CID values. +``` + +--- + +#### Restore tokens +Restore tokens within your tenant, or across parent and child tenants simultaneously. Supports the restoration of multiple tokens. + +##### Restore command arguments +There are two restore command-specific required arguments (`token-id` and `token-label`). These arguments are mutually exclusive. There is one optional argument `force`. +All [universal arguments](#universal-arguments) are supported and can be mixed with create command arguments in any order or combination. + +| Argument | Long Argument | Description | Category | +| :-- | :-- | :-- | :-- | +| | `--force` | Perform the operation without asking for confirmation. | General | +| `-i` TOKEN_ID | `--token-id` TOKEN_ID | ID of the token to restore. | Restore | +| `-l` TOKEN_LABEL | `--token-label` TOKEN_LABEL | Label of the token to restore (starts with match). | Restore | + +##### Examples +The following examples demonstrate different restore command variations. + +###### Restore tokens in a standard tenant +This example will restore any token with a label starting with "ExampleToken". + +```shell +python3 token_dispenser.py restore -l ExampleToken +``` + +You can also restore specific tokens by ID. + +```shell +python3 token_dispenser.py restore -i $TOKEN_ID +``` + +##### Flight Control examples +> [!IMPORTANT] +> You must provide the MSSP mode (`-m`) argument in order to access child tenants. If you wish processing to only occur within child tenants, you must provide the `--skip-parent` argument. 
+ +###### Restore a single token in a child tenant +This example will restore a single token within a child tenant. + +```shell +python3 token_dispenser.py restore -i $TOKEN_ID -c $CHILD_TENANT_CID +``` + +You can also accomplish this leveraging MSSP mode. All child tenants will be searched for a token that matches the ID. + +```shell +python3 token_dispenser.py restore -i $TOKEN_ID -m +``` + +###### Restore tokens in a child tenant that have a label starting with a specific string +This example will restore tokens labeled "ExampleToken" (or any variation starting with this string) within child tenants. + +```shell +python3 token_dispenser.py restore -l ExampleToken -c $CHILD_TENANT_CID +``` + +You can also accomplish this leveraging MSSP mode. All child tenants will be searched for labels that match the specified string. + +```shell +python3 token_dispenser.py restore -l ExampleToken -m +``` + +> [!NOTE] +> To skip the confirmation dialog presented when performing multi-tenant operations, provide the `--force` argument. This argument has no impact on operations where a confirmation dialog is not normally presented. + +##### Command line help (restore) +Command-line help for this command is available when the command is called along with the `-h` argument. + +```shell +usage: token_dispenser.py restore [-h] (-i TOKEN_ID | -l TOKEN_LABEL) [--force] [-d] [-f FILTER] [-o ORDER_BY] [-r] [-t TABLE_FORMAT] [-v] [--output-file OUTPUT_FILE] [--output-format {csv,json}] [-k CLIENT_ID] + [-s CLIENT_SECRET] [-c CHILD] [-m] [--skip-parent] [--show-tenant] + + _____ _ +| __ \ | | +| |__) |___ ___| |_ ___ _ __ ___ +| _ // _ \/ __| __/ _ \| '__/ _ \ +| | \ \ __/\__ \ || (_) | | | __/ +|_| \_\___||___/\__\___/|_| \___| + + + +optional arguments: + -h, --help show this help message and exit + --force Perform the operation without asking for confirmation. + -d, --debug Enable debug. + -f FILTER, --filter FILTER + Filter results by searching token labels (stemmed search). 
+ -o ORDER_BY, --order-by ORDER_BY + Sort key to use for tabular displays. + -r, --reverse Reverses the sort order. + -t TABLE_FORMAT, --table-format TABLE_FORMAT + Format to use for tabular output. + -v, --show-version Show FalconPy version in output. + --output-file OUTPUT_FILE + Output token list results to a CSV or JSON file. + --output-format {csv,json} + Set output file format. + +required arguments (mutually exclusive): + -i TOKEN_ID, --token-id TOKEN_ID + ID of the token to restore. + -l TOKEN_LABEL, --token-label TOKEN_LABEL + Label of the token to restore (starts with match). + +authentication arguments (not required if using environment authentication): + -k CLIENT_ID, --client_id CLIENT_ID + Falcon API client ID + -s CLIENT_SECRET, --client_secret CLIENT_SECRET + Falcon API client secret + +mssp arguments: + -c CHILD, --child CHILD + CID of the child tenant to target. + -m, --mssp Flight Control (MSSP) mode. + --skip-parent Do not take action within the parent tenant. + --show-tenant Display tenant CID values. +``` + +--- + +#### Update tokens +Update tokens within your tenant, or across parent and child tenants simultaneously. Supports the restoration of multiple tokens. + +##### Update command arguments +There are two sets of update command-specific required arguments. The first set includes `token-id` and `token-label` which are mutually exclusive to each other. +The second set of required arguments includes `add-days`, `expiration` and `new_token_label`. These three are mutually exclusive to each other. There is one optional argument `force`. +All [universal arguments](#universal-arguments) are supported and can be mixed with create command arguments in any order or combination. + +| Argument | Long Argument | Description | Category | +| :-- | :-- | :-- | :-- | +| | `--force` | Perform the operation without asking for confirmation. | General | +| `-i` TOKEN_ID | `--token-id` TOKEN_ID | ID of the token to update. 
| Update | +| `-l` TOKEN_LABEL | `--token-label` TOKEN_LABEL | Label of the token to update (starts with match). | Update | +| `-a` ADD_DAYS | `--add-days` ADD_DAYS | Add specified number of days to token expiration. | +| `-e` EXPIRATION | `--expiration` EXPIRATION | Token expiration (`YYYY-mm-ddTHH:MM:SSZ` format). | Update | +| `-n` NEW_TOKEN_LABEL | `--new-label` NEW_TOKEN_LABEL | New label for the token. | Update | + +##### Examples +The following examples demonstrate different update command variations. + +###### Update tokens in a standard tenant to extend the expiration +This example will update all tokens with a label starting with "ExampleToken" and add 5 days to the expiration. + +```shell +python3 token_dispenser.py update -l ExampleToken -a 5 +``` + +You can also update specific tokens by ID. + +```shell +python3 token_dispenser.py update -i $TOKEN_ID -a 5 +``` + +###### Update tokens in a standard tenant to a specific expiration +This example will update all tokens with a label starting with "ExampleToken" to have the specified expiration date. + +```shell +python3 token_dispenser.py update -l ExampleToken -e 2025-01-01T12:01:01Z +``` + +You can also perform this update on a specific token by providing the ID. + +```shell +python3 token_dispenser.py update -i $TOKEN_ID -e 2025-01-01T12:01:01Z +``` + +###### Change the label of tokens within a standard tenant +This example will change the label for any token with a label starting with "ExampleToken" to be "NewExampleToken". If multiple tokens are renamed within a tenant, a number will be appended at the end of each. + +```shell +python3 token_dispenser.py update -l ExampleToken -n NewExampleToken +``` + +You can also update a token label by providing the specific token ID. + +```shell +python3 token_dispenser.py delete -i $TOKEN_ID -n NewExampleToken +``` + +##### Flight Control examples +> [!IMPORTANT] +> You must provide the MSSP mode (`-m`) argument in order to access child tenants. 
If you wish processing to only occur within child tenants, you must provide the `--skip-parent` argument. + +###### Update a single token to extend the expiration +This example will update a single token within a parent or child tenant to add 5 days to the expiration. + +```shell +python3 token_dispenser.py update -i $TOKEN_ID -c $CHILD_TENANT_CID -a 5 +``` + +You can also accomplish this leveraging MSSP mode. All child tenants will be searched for the token with the matching ID. + +```shell +python3 token_dispenser.py update -i $TOKEN_ID -m -a 5 +``` + +###### Update tokens that have a label starting with a specific string to a specific expiration +This example will update tokens labeled "ExampleToken" (or any variation starting with this string) within the parent and child tenants to have the specified expiration date. + +```shell +python3 token_dispenser.py update -l ExampleToken -c $CHILD_TENANT_CID -e 2025-01-01T12:01:01Z +``` + +You can also accomplish this leveraging MSSP mode. All child tenants will be searched for labels that match the specified string. + +```shell +python3 token_dispenser.py update -l ExampleToken -m -e 2025-01-01T12:01:01Z +``` + +###### Changing the label of a token +This example will change the label for the token "ExampleToken" to be "NewExampleToken" within the tenant it is found. + +```shell +python3 token_dispenser.py update -i $TOKEN_ID -m -n NewExampleToken +``` + +This example will change the label for any token matching "ExampleToken" to be "NewExampleToken" within the tenant it is found. If multiple tokens are updated within a tenant, a number will be appended to the end of each. + +```shell +python3 token_dispenser.py update -l ExampleToken -m -n NewExampleToken +``` + +> [!NOTE] +> To skip the confirmation dialog presented when performing multi-tenant operations, provide the `--force` argument. This argument has no impact on operations where a confirmation dialog is not normally presented. 
+ +##### Command line help (update) +Command-line help for this command is available when the command is called along with the `-h` argument. + +```shell +usage: token_dispenser.py update [-h] (-i TOKEN_ID | -l TOKEN_LABEL) (-a ADD_DAYS | -e EXPIRATION | -n NEW_TOKEN_LABEL) [--force] [-d] [-f FILTER] [-o ORDER_BY] [-r] [-t TABLE_FORMAT] [-v] [--output-file OUTPUT_FILE] + [--output-format {csv,json}] [-k CLIENT_ID] [-s CLIENT_SECRET] [-c CHILD] [-m] [--skip-parent] [--show-tenant] + + _ _ _ _ +| | | | | | | | +| | | |_ __ __| | __ _| |_ ___ +| | | | '_ \ / _` |/ _` | __/ _ \ +| |__| | |_) | (_| | (_| | || __/ + \____/| .__/ \__,_|\__,_|\__\___| + | | + |_| + +optional arguments: + -h, --help show this help message and exit + --force Perform the operation without asking for confirmation. + -d, --debug Enable debug. + -f FILTER, --filter FILTER + Filter results by searching token labels (stemmed search). + -o ORDER_BY, --order-by ORDER_BY + Sort key to use for tabular displays. + -r, --reverse Reverses the sort order. + -t TABLE_FORMAT, --table-format TABLE_FORMAT + Format to use for tabular output. + -v, --show-version Show FalconPy version in output. + --output-file OUTPUT_FILE + Output token list results to a CSV or JSON file. + --output-format {csv,json} + Set output file format. + +required arguments: + -i TOKEN_ID, --token-id TOKEN_ID + ID of the token to update. + -l TOKEN_LABEL, --token-label TOKEN_LABEL + Label of the token to update (starts with match). + -a ADD_DAYS, --add-days ADD_DAYS + Add specified number of days to token expiration. + -e EXPIRATION, --expiration EXPIRATION + Token expiration (YYYY-mm-ddTHH:MM:SSZ). + -n NEW_TOKEN_LABEL, --new-label NEW_TOKEN_LABEL + New label for the token. 
+ +authentication arguments (not required if using environment authentication): + -k CLIENT_ID, --client_id CLIENT_ID + Falcon API client ID + -s CLIENT_SECRET, --client_secret CLIENT_SECRET + Falcon API client secret + +mssp arguments: + -c CHILD, --child CHILD + CID of the child tenant to target. + -m, --mssp Flight Control (MSSP) mode. + --skip-parent Do not take action within the parent tenant. + --show-tenant Display tenant CID values. +``` + +#### Delete tokens +Delete tokens within your tenant, or across parent and child tenants simultaneously. Supports the restoration of multiple tokens. + +##### Delete command arguments +There are two delete command-specific required arguments (`token-id` and `token-label`). These arguments are mutually exclusive. There is one optional argument `force`. +All [universal arguments](#universal-arguments) are supported and can be mixed with create command arguments in any order or combination. + +| Argument | Long Argument | Description | Category | +| :-- | :-- | :-- | :-- | +| | `--force` | Perform the operation without asking for confirmation. | General | +| `-i` TOKEN_ID | `--token-id` TOKEN_ID | ID of the token to delete. | Delete | +| `-l` TOKEN_LABEL | `--token-label` TOKEN_LABEL | Label of the token to delete (starts with match). | Delete | + +##### Examples +The following examples demonstrate different delete command variations. + +###### Delete tokens in a standard tenant +This example will delete any token with a label starting with "ExampleToken". + +```shell +python3 token_dispenser.py delete -l ExampleToken +``` + +You can also delete specific tokens by ID. + +```shell +python3 token_dispenser.py delete -i $TOKEN_ID +``` + +##### Flight Control examples +> [!IMPORTANT] +> You must provide the MSSP mode (`-m`) argument in order to access child tenants. If you wish processing to only occur within child tenants, you must provide the `--skip-parent` argument. 
+ +###### Delete a single token in a child tenant +This example will delete a single token within a child tenant. + +```shell +python3 token_dispenser.py delete -i $TOKEN_ID -c $CHILD_TENANT_CID +``` + +You can also accomplish this leveraging MSSP mode. All child tenants will be searched for a token that matches the ID. + +```shell +python3 token_dispenser.py delete -i $TOKEN_ID -m +``` + +###### Delete tokens in a child tenant that have a label starting with a specific string +This example will delete tokens labeled "ExampleToken" (or any variation starting with this string) within child tenants. + +```shell +python3 token_dispenser.py delete -l ExampleToken -c $CHILD_TENANT_CID +``` + +You can also accomplish this leveraging MSSP mode. All child tenants will be searched for labels that match the specified string. + +```shell +python3 token_dispenser.py delete -l ExampleToken -m +``` + +> [!NOTE] +> To skip the confirmation dialog presented when performing multi-tenant operations, provide the `--force` argument. This argument has no impact on operations where a confirmation dialog is not normally presented. + +##### Command line help (delete) +Command-line help for this command is available when the command is called along with the `-h` argument. + +```shell +usage: token_dispenser.py delete [-h] (-i TOKEN_ID | -l TOKEN_LABEL) [--force] [-d] [-f FILTER] [-o ORDER_BY] [-r] [-t TABLE_FORMAT] [-v] [--output-file OUTPUT_FILE] [--output-format {csv,json}] [-k CLIENT_ID] + [-s CLIENT_SECRET] [-c CHILD] [-m] [--skip-parent] [--show-tenant] + + _____ _ _ +| __ \ | | | | +| | | | ___| | ___| |_ ___ +| | | |/ _ \ |/ _ \ __/ _ \ +| |__| | __/ | __/ || __/ +|_____/ \___|_|\___|\__\___| + + + +optional arguments: + -h, --help show this help message and exit + --force Perform the operation without asking for confirmation. + -d, --debug Enable debug. + -f FILTER, --filter FILTER + Filter results by searching token labels (stemmed search). 
+ -o ORDER_BY, --order-by ORDER_BY + Sort key to use for tabular displays. + -r, --reverse Reverses the sort order. + -t TABLE_FORMAT, --table-format TABLE_FORMAT + Format to use for tabular output. + -v, --show-version Show FalconPy version in output. + --output-file OUTPUT_FILE + Output token list results to a CSV or JSON file. + --output-format {csv,json} + Set output file format. + +required arguments (mutually exclusive): + -i TOKEN_ID, --token-id TOKEN_ID + ID of the token to remove. + -l TOKEN_LABEL, --token-label TOKEN_LABEL + Label of the token to remove (starts with match). + +authentication arguments (not required if using environment authentication): + -k CLIENT_ID, --client_id CLIENT_ID + Falcon API client ID + -s CLIENT_SECRET, --client_secret CLIENT_SECRET + Falcon API client secret + +mssp arguments: + -c CHILD, --child CHILD + CID of the child tenant to target. + -m, --mssp Flight Control (MSSP) mode. + --skip-parent Do not take action within the parent tenant. + --show-tenant Display tenant CID values. +``` + +### Example source code +The source code for this example can be found [here](token_dispenser.py). \ No newline at end of file diff --git a/samples/installation_tokens/token_dispenser.py b/samples/installation_tokens/token_dispenser.py new file mode 100644 index 000000000..f9c42220f --- /dev/null +++ b/samples/installation_tokens/token_dispenser.py 
@@ -0,0 +1,999 @@ +r"""Installation Token management utility. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | |::.. . | FalconPy v1.3.4 +`-------' `-------' + +_______ _____ _ _ _______ __ _ + | | | |____/ |______ | \ | + | |_____| | \_ |______ | \_| + +______ _____ _______ _____ _______ __ _ _______ _______ ______ +| \ | |______ |_____] |______ | \ | |______ |______ |_____/ +|_____/ __|__ ______| | |______ | \_| ______| |______ | \_ + + .-------. with ________) + |Jackpot| (, / /) , /) + ____________|_______|____________ /___, // _ (/ _/_ + | __ __ ___ _____ __ | ) / (/__(_(_/_/ )_(__ + | / _\ / / /___\/__ \ / _\ | (_/ .-/ + | \ \ / / // // / /\ \\ \ 25| (_/ ) ___ + | _\ \/ /___/ \_// / / \/_\ \ []| __ (__/_____) /) + | \__/\____/\___/ \/ \__/ []| (__) / _____ _/_ __ ___// + |===_______===_______===_______===| || / (_) / (_(__/ (_(_)(/_ + ||*| _____ |*| |*| ___ |*|| || (______) + ||*|| ||*| /\ _ |*| |_ | |*|| || + ||*||*BAR*||*| \_(_)|*| / / |*|| || + ||*||_____||*| (_) |*| /_/ |*|| || + ||*|_______|*|_______|*|_______|*||_// Creation date: 11.15.2023 + | \=___________________________=/ |_/ jshcodes@CrowdStrike + _| \_______________________/ |_ WE STOP BREACHES +(_____________________________________) +""" +# _____ _______ _____ _____ ______ _______ _______ +# | | | | |_____] | | |_____/ | |______ +# __|__ | | | | |_____| | \_ | ______| +# +import sys +from argparse import ArgumentParser, Namespace, RawTextHelpFormatter, _SubParsersAction +from copy import deepcopy +from csv import writer +from datetime import datetime, timedelta +from json import dump +from logging import basicConfig, DEBUG +from os import getenv +from secrets import randbelow +from time import sleep +from typing import Tuple, Callable, List, Dict +try: + from pyfiglet import figlet_format +except ImportError as 
no_figlet: + raise SystemExit("The pyfiglet library is required to use this program.") from no_figlet +try: + from tabulate import tabulate +except ImportError as no_tabulate: + raise SystemExit("The tabulate library is required to use this program.") from no_tabulate +try: + from falconpy import ( + APIError, + InstallationTokens, + SensorDownload, + FlightControl, + Result, + version + ) +except ImportError as no_falconpy: + raise SystemExit("The CrowdStrike FalconPy library (version 1.3.4 or greater) is required " + "to use this program." + ) from no_falconpy + + +# _____ _____ _______ _____ _____ __ _ _______ +# | | |_____] | | | | | \ | |_____| | +# |_____| | | __|__ |_____| | \_| | | |_____ +# _______ ______ ______ _ _ _______ _______ __ _ _______ _______ +# |_____| |_____/ | ____ | | | | | |______ | \ | | |______ +# | | | \_ |_____| |_____| | | | |______ | \_| | ______| +# +def add_opt_arguments(sbp: ArgumentParser) -> ArgumentParser: + """Add shared optional arguments to the provided command line argument subparser.""" + sbp.add_argument("-d", "--debug", help="Enable debug.", default=False, action="store_true") + sbp.add_argument("-f", "--filter", + help="Filter results by searching token labels (stemmed search)." 
+ ) + sbp.add_argument("-o", "--order-by", + help="Sort key to use for tabular displays.", + dest="order_by", + default="label" + ) + sbp.add_argument("-r", "--reverse", + help="Reverses the sort order.", + default=False, + action="store_true" + ) + sbp.add_argument("-t", "--table-format", + dest="table_format", + help="Format to use for tabular output.", + default="simple" + ) + sbp.add_argument("-v", "--show-version", + dest="show_version", + help="Show FalconPy version in output.", + default=False, + action="store_true" + ) + sbp.add_argument("--output-file", + dest="output_file", + help="Output token list results to a CSV or JSON file.", + default=None + ) + sbp.add_argument("--output-format", + dest="output_format", + help="Set output file format.", + default="csv", + choices=["csv", "json"] + ) + auth = sbp.add_argument_group("authentication arguments " + "(not required if using environment authentication)") + auth.add_argument("-k", "--client_id", + help="Falcon API client ID", + default=getenv("FALCON_CLIENT_ID") + ) + auth.add_argument("-s", "--client_secret", + help="Falcon API client secret", + default=getenv("FALCON_CLIENT_SECRET") + ) + mssp = sbp.add_argument_group("mssp arguments") + mssp.add_argument("-c", "--child", + dest="child", + help="CID of the child tenant to target.", + default=None + ) + mssp.add_argument("-m", "--mssp", + dest="mssp", + help="Flight Control (MSSP) mode.", + default=False, + action="store_true" + ) + mssp.add_argument("--skip-parent", + dest="skip_parent", + help="Do not take action within the parent tenant.", + action="store_true", + default=False + ) + mssp.add_argument("--show-tenant", + dest="show_tenant", + help="Display tenant CID values.", + action="store_true", + default=False + ) + return sbp + + +def add_force_argument(sbp: ArgumentParser) -> ArgumentParser: + """Add shared optional arguments to the provided command line argument subparser.""" + sbp.add_argument("--force", + help="Perform the operation without 
asking for confirmation.", + action="store_true", + default=False + ) + return sbp + + +def extra_args(subp: ArgumentParser) -> ArgumentParser: + """Add in optional arguments along with the force argument.""" + subp = add_force_argument(subp) + subp = add_opt_arguments(subp) + return subp + + +# | _____ _______ _______ +# | | |______ | +# |_____ __|__ ______| | +# _______ ______ ______ _ _ _______ _______ __ _ _______ _______ +# |_____| |_____/ | ____ | | | | | |______ | \ | | |______ +# | | | \_ |_____| |_____| | | | |______ | \_| | ______| +# +def handle_list_arguments(sub: _SubParsersAction, head: str) -> ArgumentParser: + """Handle list command arguments.""" + do_list: ArgumentParser = sub.add_parser("list", + help="List all tokens [default]", + aliases=["l"], + description=figlet_format("List", font=head), + formatter_class=RawTextHelpFormatter + ) + do_list = add_opt_arguments(do_list) + return do_list + + +def show_tenant_list(arg_list: Namespace, cids_to_show: list): + """Show CIDs for all tenants searched.""" + if arg_list.mssp and arg_list.show_tenant: + parent = False + for kid in cids_to_show: + if not parent: + print(f"Tenant: {kid}") + parent = True + else: + print(f"Child tenant: {kid}") + + +# | _____ _______ _______ +# | | |______ | +# |_____ __|__ ______| | +# +def show_all_tokens(sdk: InstallationTokens, cmdline: str, filter_str: str = None): + """Display every token in the tenant (or across all tenants).""" + hold_creds = sdk.auth_object.creds + this_cid, cid_list = get_cid_ids(sdk, cmdline) + show_tenant_list(cmdline, cid_list) + token_details = [] + ptokens = [] + for cid in cid_list: + if cid != this_cid: + hold_creds["member_cid"] = cid + api = sdk + if cmdline.mssp and (len(cid_list) > 1 and ptokens): + api = InstallationTokens(creds=hold_creds, pythonic=True, debug=cmdline.debug) + token_details = get_all_tokens(api, cmdline, filter_str, cid, token_details) + if cid == this_cid and not ptokens: + ptokens = deepcopy(token_details) + 
display_tokens(token_details, cmdline, ptokens) + + +# _______ ______ _______ _______ _______ _______ +# | |_____/ |______ |_____| | |______ +# |_____ | \_ |______ | | | |______ +# _______ ______ ______ _ _ _______ _______ __ _ _______ _______ +# |_____| |_____/ | ____ | | | | | |______ | \ | | |______ +# | | | \_ |_____| |_____| | | | |______ | \_| | ______| +# +def handle_create_arguments(sub: _SubParsersAction, head: str) -> ArgumentParser: + """Handle create command arguments.""" + do_create: ArgumentParser = sub.add_parser("create", + help="Create tokens", + aliases=["c"], + description=figlet_format("Create", font=head), + formatter_class=RawTextHelpFormatter + ) + create_req = do_create.add_argument_group("required arguments") + create_req.add_argument("-l", "--token-label", + dest="token_label", + help="Label for the token.", + required=True + ) + create_req.add_argument("-e", "--expiration", + help="Token expiration (number of days or YYYY-mm-ddTHH:MM:SSZ).", + required=True + ) + do_create.add_argument("-n", "--count", help="Number of tokens to create.", type=int, default=1) + do_create = extra_args(do_create) + return do_create + + +# _______ ______ _______ _______ _______ _______ +# | |_____/ |______ |_____| | |______ +# |_____ | \_ |______ | | | |______ +# +def create_token(sdk: InstallationTokens, cmdline: Namespace): + """Create a token with the specified expiration and label.""" + hold_creds = sdk.auth_object.creds + this_cid, cids = get_cid_ids(sdk, cmdline) + token_expiration = cmdline.expiration + cids_to_process = [ + c for c in cids if (cmdline.skip_parent and not c == this_cid) or not cmdline.skip_parent + ] + for cid in cids_to_process: + if cid != this_cid: + hold_creds["member_cid"] = cid + api = sdk + if cmdline.mssp and len(cids) > 1: + api = InstallationTokens(creds=hold_creds, pythonic=True, debug=cmdline.debug) + try: + if int(cmdline.expiration) > 0: + token_expiration = ( + datetime.now() + timedelta(days=int(cmdline.expiration)) + 
).strftime("%Y-%m-%dT%H:%M:%SZ") + else: + raise SystemExit("Token expiration days must be an integer greater than zero.") + except ValueError: + pass + + for num in range(1, cmdline.count+1): + label = f"{cmdline.token_label}{num if cmdline.count > 1 else ''}" + create_result = sdk_operation(api.tokens_create, + LONG_WAIT, + cmdline.debug, + label=label, + expires_timestamp=token_expiration + ) + if create_result.errors: + for error in create_result.errors: + print(f"NONFATAL {error['code']} ERROR: {error['message']}") + + +# ______ _______ _ _ _____ _ _ _______ +# |_____/ |______ \ / | | |____/ |______ +# | \_ |______ \/ |_____| | \_ |______ +# _______ ______ ______ _ _ _______ _______ __ _ _______ _______ +# |_____| |_____/ | ____ | | | | | |______ | \ | | |______ +# | | | \_ |_____| |_____| | | | |______ | \_| | ______| +# +def handle_revoke_arguments(sub: _SubParsersAction, head: str) -> ArgumentParser: + """Handle revoke command arguments.""" + do_revoke: ArgumentParser = sub.add_parser("revoke", + help="Revoke tokens", + aliases=["x"], + description=figlet_format("Revoke", font=head), + formatter_class=RawTextHelpFormatter + ) + revoke_req = do_revoke.add_argument_group("required arguments (mutually exclusive)") + revoke_grp = revoke_req.add_mutually_exclusive_group(required=True) + revoke_grp.add_argument("-i", "--token-id", dest="token_id", help="ID of the token to revoke.") + revoke_grp.add_argument("-l", "--token-label", + dest="token_label", + help="Label of the token to revoke (starts with match)." 
+ ) + do_revoke = extra_args(do_revoke) + return do_revoke + + +# ______ _______ _______ _______ _____ ______ _______ +# |_____/ |______ |______ | | | |_____/ |______ +# | \_ |______ ______| | |_____| | \_ |______ +# _______ ______ ______ _ _ _______ _______ __ _ _______ _______ +# |_____| |_____/ | ____ | | | | | |______ | \ | | |______ +# | | | \_ |_____| |_____| | | | |______ | \_| | ______| +# +def handle_restore_arguments(sub: _SubParsersAction, head: str) -> ArgumentParser: + """Handle restore command arguments.""" + do_restore: ArgumentParser = sub.add_parser("restore", + help="Restore tokens", + aliases=["r"], + description=figlet_format("Restore", font=head), + formatter_class=RawTextHelpFormatter + ) + restore_req = do_restore.add_argument_group("required arguments (mutually exclusive)") + restore_grp = restore_req.add_mutually_exclusive_group(required=True) + restore_grp.add_argument("-i", "--token-id", + dest="token_id", + help="ID of the token to restore." + ) + restore_grp.add_argument("-l", "--token-label", + dest="token_label", + help="Label of the token to restore (starts with match)." 
+ ) + do_restore = extra_args(do_restore) + return do_restore + + +# ______ _______ _ _ _____ _ _ _______ _______ __ _ ______ +# |_____/ |______ \ / | | |____/ |______ |_____| | \ | | \ +# | \_ |______ \/ |_____| | \_ |______ | | | \_| |_____/ +# ______ _______ _______ _______ _____ ______ _______ +# |_____/ |______ |______ | | | |_____/ |______ +# | \_ |______ ______| | |_____| | \_ |______ +# +def token_revocation(sdk: InstallationTokens, cmdline: Namespace, revoking: bool = False): + """Revoke a token by ID or name.""" + hold_creds = sdk.auth_object.creds + this_cid, cids = get_cid_ids(sdk, cmdline) + cids_to_process = [ + c for c in cids if (cmdline.skip_parent and not c == this_cid) or not cmdline.skip_parent + ] + for cid in cids_to_process: + if cid != this_cid: + hold_creds["member_cid"] = cid + api = sdk + if cmdline.mssp and len(cids) > 1: + api = InstallationTokens(creds=hold_creds, pythonic=True, debug=cmdline.debug) + + if cmdline.token_id: + revoke_result = sdk_operation(api.tokens_update, + SHORT_WAIT, + cmdline.debug, + ids=cmdline.token_id, + revoked=revoking + ) + if revoke_result.errors: + for error in revoke_result.errors: + print(f"NONFATAL {error['code']} ERROR: {error['message']} ({error['id']})") + if cmdline.token_label: + token_lookup = sdk_operation(api.tokens_query, + LONG_WAIT, + cmdline.debug, + filter=f"label:*'{cmdline.token_label}*'" + ) + if token_lookup.status_code == 200 and len(token_lookup.data): + for returned_token_id in token_lookup.data: + sdk_operation(api.tokens_update, + LONG_WAIT, + cmdline.debug, + ids=returned_token_id, + revoked=revoking + ) + else: + print(f"NONFATAL 404 ERROR: Not Found ({cmdline.token_label})") + + +# _ _ _____ ______ _______ _______ _______ +# | | |_____] | \ |_____| | |______ +# |_____| | |_____/ | | | |______ +# _______ ______ ______ _ _ _______ _______ __ _ _______ _______ +# |_____| |_____/ | ____ | | | | | |______ | \ | | |______ +# | | | \_ |_____| |_____| | | | |______ | \_| | ______| +# 
+def handle_update_arguments(sub: _SubParsersAction, head: str) -> ArgumentParser: + """Handle update command arguments.""" + do_update: ArgumentParser = sub.add_parser("update", + help="Update tokens", + aliases=["u"], + description=figlet_format("Update", font=head), + formatter_class=RawTextHelpFormatter + ) + update_req = do_update.add_argument_group("required arguments") + update_grp1 = update_req.add_mutually_exclusive_group(required=True) + update_grp1.add_argument("-i", "--token-id", + dest="token_id", + help="ID of the token to update." + ) + update_grp1.add_argument("-l", "--token-label", + dest="token_label", + help="Label of the token to update (starts with match)." + ) + update_grp2 = update_req.add_mutually_exclusive_group(required=True) + update_grp2.add_argument("-a", "--add-days", + help="Add specified number of days to token expiration." + ) + update_grp2.add_argument("-e", "--expiration", help="Token expiration (YYYY-mm-ddTHH:MM:SSZ).") + update_grp2.add_argument("-n", "--new-label", + dest="new_token_label", + help="New label for the token." 
+ ) + do_update = extra_args(do_update) + return do_update + + +# _ _ _____ ______ _______ _______ _______ ______ __ __ _____ ______ +# | | |_____] | \ |_____| | |______ |_____] \_/ | | \ +# |_____| | |_____/ | | | |______ |_____] | __|__ |_____/ +# +def update_token_by_id(sdk: InstallationTokens, cmdline: Namespace): + """Update a token by ID.""" + hold_creds = sdk.auth_object.creds + this_cid, cids = get_cid_ids(sdk, cmdline) + cids_to_process = [ + c for c in cids if (cmdline.skip_parent and not c == this_cid) or not cmdline.skip_parent + ] + for cid in cids_to_process: + if cid != this_cid: + hold_creds["member_cid"] = cid + api = sdk + if cmdline.mssp and len(cids) > 1: + api = InstallationTokens(creds=hold_creds, pythonic=True, debug=cmdline.debug) + updates = {} + if cmdline.new_token_label: + updates["label"] = cmdline.new_token_label + if cmdline.expiration: + updates["expires_timestamp"] = cmdline.expiration + if cmdline.add_days: + exp = sdk_operation(api.tokens_read, + LONG_WAIT, + cmdline.debug, + ids=cmdline.token_id + ) + if exp.status_code == 200 and len(exp.data): + new_exp = datetime.strptime(exp.data[0]["expires_timestamp"], "%Y-%m-%dT%H:%M:%SZ") + updates["expires_timestamp"] = ( + new_exp + timedelta(days=int(cmdline.add_days)) + ).strftime("%Y-%m-%dT%H:%M:%SZ") + if updates: + updates["ids"] = cmdline.token_id + update_result = sdk_operation(api.tokens_update, SHORT_WAIT, cmdline.debug, **updates) + if update_result.errors: + for error in update_result.errors: + print(f"NONFATAL {error['code']} ERROR: {error['message']} ({error['id']})") + + +# _ _ _____ ______ _______ _______ _______ +# | | |_____] | \ |_____| | |______ +# |_____| | |_____/ | | | |______ +# ______ __ __ _______ ______ _______ +# |_____] \_/ | |_____| |_____] |______ | +# |_____] | |_____ | | |_____] |______ |_____ +# +def update_token_by_label(sdk: InstallationTokens, cmdline: Namespace): + """Update a token by label.""" + hold_creds = sdk.auth_object.creds + this_cid, cids = 
get_cid_ids(sdk, cmdline) + cids_to_process = [ + c for c in cids if (cmdline.skip_parent and not c == this_cid) or not cmdline.skip_parent + ] + for cid in cids_to_process: + if cid != this_cid: + hold_creds["member_cid"] = cid + api = sdk + if cmdline.mssp and len(cids) > 1: + api = InstallationTokens(creds=hold_creds, pythonic=True, debug=cmdline.debug) + updates = {} + if cmdline.new_token_label: + updates["label"] = cmdline.new_token_label + if cmdline.expiration: + updates["expires_timestamp"] = cmdline.expiration + token_lookup = sdk_operation(api.tokens_query, + LONG_WAIT, + cmdline.debug, + filter=f"label:*'{cmdline.token_label}*'" + ) + if token_lookup.status_code == 200 and len(token_lookup.data): + loop = 1 + for returned_token_id in token_lookup.data: + if cmdline.add_days: + exp = sdk_operation(api.tokens_read, + LONG_WAIT, + cmdline.debug, + ids=returned_token_id + ) + if exp.status_code == 200 and len(exp.data): + new_exp = datetime.strptime(exp.data[0]["expires_timestamp"], + "%Y-%m-%dT%H:%M:%SZ" + ) + updates["expires_timestamp"] = ( + new_exp + timedelta(days=int(cmdline.add_days)) + ).strftime("%Y-%m-%dT%H:%M:%SZ") + if cmdline.new_token_label and len(token_lookup.data) > 1: + updates["label"] = f"{cmdline.new_token_label}{loop}" + if updates: + updates["ids"] = returned_token_id + sdk_operation(api.tokens_update, LONG_WAIT, cmdline.debug, **updates) + loop += 1 + else: + print(f"NONFATAL 404 ERROR: Not Found ({cmdline.token_label})") + + +# ______ _______ _______ _______ _______ +# | \ |______ | |______ | |______ +# |_____/ |______ |_____ |______ | |______ +# _______ ______ ______ _ _ _______ _______ __ _ _______ _______ +# |_____| |_____/ | ____ | | | | | |______ | \ | | |______ +# | | | \_ |_____| |_____| | | | |______ | \_| | ______| +# +def handle_delete_arguments(sub: _SubParsersAction, head: str) -> ArgumentParser: + """Handle delete command arguments.""" + do_delete: ArgumentParser = sub.add_parser("delete", + help="Delete tokens", + 
aliases=["d"], + description=figlet_format("Delete", font=head), + formatter_class=RawTextHelpFormatter + ) + delete_req = do_delete.add_argument_group("required arguments (mutually exclusive)") + delete_grp = delete_req.add_mutually_exclusive_group(required=True) + delete_grp.add_argument("-i", "--token-id", dest="token_id", help="ID of the token to remove.") + delete_grp.add_argument("-l", "--token-label", + dest="token_label", + help="Label of the token to remove (starts with match)." + ) + do_delete = extra_args(do_delete) + return do_delete + + +# ______ _______ _______ _______ _______ +# | \ |______ | |______ | |______ +# |_____/ |______ |_____ |______ | |______ +# +def delete_token(sdk: InstallationTokens, cmdline: Namespace): + """Delete a token by ID or name.""" + hold_creds = sdk.auth_object.creds + this_cid, cids = get_cid_ids(sdk, cmdline) + cids_to_process = [ + c for c in cids if (cmdline.skip_parent and not c == this_cid) or not cmdline.skip_parent + ] + for cid in cids_to_process: + if cid != this_cid: + hold_creds["member_cid"] = cid + api = sdk + if cmdline.mssp and len(cids) > 1: + api = InstallationTokens(creds=hold_creds, pythonic=True, debug=cmdline.debug) + if cmdline.token_id: + delete_result = sdk_operation(api.tokens_delete, + SHORT_WAIT, + cmdline.debug, + ids=cmdline.token_id + ) + if delete_result.errors: + for error in delete_result.errors: + print(f"NONFATAL {error['code']} ERROR: {error['message']} ({error['id']})") + if cmdline.token_label: + token_lookup = sdk_operation(api.tokens_query, + LONG_WAIT, + cmdline.debug, + filter=f"label:*'{cmdline.token_label}*'" + ) + if token_lookup.status_code == 200 and len(token_lookup.data): + for returned_token_id in token_lookup.data: + sdk_operation(api.tokens_delete, + LONG_WAIT, + cmdline.debug, + ids=returned_token_id + ) + else: + print(f"NONFATAL 404 ERROR: Not Found ({cmdline.token_label})") + + +# _____ _______ ______ _______ _______ +# |_____] |_____| |_____/ |______ |______ +# | | | 
| \_ ______| |______ +# _______ _____ _______ _______ _______ __ _ ______ _____ __ _ _______ +# | | | | | | | | | |_____| | \ | | \ | | | \ | |______ +# |_____ |_____| | | | | | | | | | \_| |_____/ |_____ __|__ | \_| |______ +# _______ ______ ______ _ _ _______ _______ __ _ _______ _______ +# |_____| |_____/ | ____ | | | | | |______ | \ | | |______ +# | | | \_ |_____| |_____| | | | |______ | \_| | ______| +# +def consume_arguments() -> Tuple[Namespace, ArgumentParser]: + """Retrieve any provided command line arguments.""" + subcommands = [ + "create", "c", "list", "l", "delete", "d", "revoke", "x", "restore", "r", "update", "u" + ] + parser = ArgumentParser(description=__doc__, formatter_class=RawTextHelpFormatter) + header_font = "big" + subparsers = parser.add_subparsers(help="Command description", + dest="subcommand", + required=False, + metavar="Token command" + ) + handle_list_arguments(subparsers, header_font) # List + handle_create_arguments(subparsers, header_font) # Create + handle_revoke_arguments(subparsers, header_font) # Revoke + handle_restore_arguments(subparsers, header_font) # Restore + handle_update_arguments(subparsers, header_font) # Update + handle_delete_arguments(subparsers, header_font) # Delete + # Force "list" as the default subcommand without breaking the help processor + if len(sys.argv) == 1: + sys.argv.append("list") + if sys.argv[1].lower() not in subcommands and "-h" not in sys.argv: + sys.argv.insert(1, "list") + else: + if sys.argv[1].lower() not in subcommands: + sys.argv = [sys.argv[0], "-h"] + return parser.parse_args(), parser + + +# ______ _______ _______ _______ _____ _______ _____ _______ +# |_____/ |_____| | |______ | | | | | | | +# | \_ | | | |______ |_____ __|__ | | | __|__ | +# _ _ _______ __ _ ______ _______ ______ +# |_____| |_____| | \ | | \ | |______ |_____/ +# | | | | | \_| |_____/ |_____ |______ | \_ +# +def rate_delay(wait_time: int): + """Wait for the specified amount of time while informing the user.""" + for 
wait in range(wait_time, 0, -1): + print(f" Rate limit exceeded, sleeping for {wait} seconds. ", end="\r") + sleep(1) + print(" " * 80, end="\r") + + +def sdk_operation(operation: Callable, delay_time: int, debugging: bool, **kwargs) -> Result: + """Perform an operation against the CrowdStrike API, gracefully handling rate limit errors.""" + rate_limited = True + while rate_limited: + try: + operation_result: Result = operation(**kwargs) + rate_limited = False + except APIError as rate_limit_met: + if rate_limit_met.code == 429: + rate_delay(delay_time) + elif debugging: + raise rate_limit_met + else: + failure = FAIL if randbelow(3000) % 2 == 0 else FAIL2 + raise SystemExit( + failure.format(rate_limit_met.code, rate_limit_met.message) + ) from rate_limit_met + return operation_result + + +# _ _ _______ _____ _______ ______ _______ +# |_____| |______ | |_____] |______ |_____/ |______ +# | | |______ |_____ | |______ | \_ ______| +# +def reorganize_token_dictionary(tenant: str, record: dict) -> Dict[str, str]: + """Reorganize a token record dictionary to include the CID column.""" + cid_key = {"cid": tenant} + cid_list = list(cid_key.items()) + token_keys = list(record.keys()) + token_values = list(record.values()) + token_keys.insert(token_keys.index("id")+1, cid_list[0][0]) + token_values.insert(token_keys.index("id")+1, cid_list[0][1]) + return { + token_keys[i]: token_values[i] + for i in range(0, len(token_keys)) + } + + +def get_all_tokens(api_sdk: InstallationTokens, + cmd_args: Namespace, + filt: str, + cur_cid: str, + returning: List[Dict[str, str]] + ) -> List[Dict[str, str]]: + """Retrieve all tokens across all tenants.""" + offset = None + running = True + while running: + token_lookup = sdk_operation(api_sdk.tokens_query, + LONG_WAIT, + cmd_args.debug, + limit=1000, + offset=offset, + filter=f"label:*'*{filt}*'" if filt else None + ) + if not token_lookup.data: + running = False + batches = [token_lookup.data[i:i+100] for i in range(0, 
len(token_lookup.data), 100)] + for batch in batches: + token_detail = sdk_operation(api_sdk.tokens_read, LONG_WAIT, cmd_args.debug, ids=batch) + found = token_detail.data + if cmd_args.mssp: + found = [] + for token_det in token_detail.data: + new_dict = reorganize_token_dictionary(cur_cid, token_det) + found.append(new_dict) + returning.extend(found) + + offset = len(returning) + if token_lookup.total <= len(returning): + running = False + return returning + + +def confirm(msg: str): + """Request confirmation from the user and return a boolean of the response.""" + return input(msg) in ["y", "yes", "Y", "YES"] + + +def get_this_cid(auth: InstallationTokens, debug_mode: bool = False): + """Retrieve the CID for the current tenant.""" + my_id = "Not available" + running = True + while running: + try: + my_id = sdk_operation( + SensorDownload(auth_object=auth).get_sensor_installer_ccid, + SHORT_WAIT, + debug_mode + ).data[0][:-3].lower() + running = False + except APIError as no_sensor_dl: + if no_sensor_dl.code != 429: + print("NONFATAL 403 ERROR: This API client is not scoped for Sensor Downloads.") + running = False + else: + rate_delay(SHORT_WAIT) + return my_id + + +def check_mssp_scope(auth: InstallationTokens): + """Confirm if this API client has access to Flight Control.""" + valid = False + running = True + while running: + try: + valid = bool(FlightControl(auth_object=auth).query_children(limit=1).status_code == 200) + running = False + except APIError as rate_limit_met: + if rate_limit_met.code != 429: + running = False + raise rate_limit_met + rate_delay(SHORT_WAIT) + return valid + + +def get_cid_ids(interface: InstallationTokens, arguments: Namespace) -> Tuple[str, List[str]]: + """Return all CIDs associated with the API client (if MSSP mode is enabled).""" + this_cid = "NonMSSP" + cid_list = [this_cid] + if arguments.mssp: + this_cid = get_this_cid(interface, arguments.debug) + cid_list = [this_cid] + try: + mssp = FlightControl(auth_object=interface) 
+ cid_list.extend(mssp.query_children().data) + except APIError: + pass + return this_cid, cid_list + + +def write_output_results(cmdline_args: Namespace, tresults: list): + """Write the displayed token results to the requested file.""" + if cmdline_args.output_file: + if cmdline_args.output_format.lower() == "csv": + with open(cmdline_args.output_file, "w", newline="", encoding="utf-8") as csv_file: + csv_writer = writer(csv_file) + if tresults: + csv_writer.writerow(tresults[0].keys()) + for token_row in tresults: + csv_writer.writerow(token_row.values()) + print(f"CSV results output to {cmdline_args.output_file}.") + elif cmdline_args.output_format.lower() == "json": + with open(cmdline_args.output_file, "w", encoding="utf-8") as json_file: + dump(tresults, json_file, indent=4) + print(f"JSON results output to {cmdline_args.output_file}.") + + +def display_tokens(token_results: list, cmd_args: Namespace, parent_tokens: list): + """Display the retrieved tokens in a tabular format.""" + new_token_results = token_results + if cmd_args.mssp: + new_token_results = [] + for tok in token_results: + matched = False + for ptok in parent_tokens: + if ptok["cid"] == tok["cid"]: + if tok["id"] == ptok["id"] and tok["value"] == ptok["value"]: + matched = True + elif ptok["cid"] != tok["cid"]: + matched = True + if matched: + new_token_results.append(tok) + + token_results = sorted(new_token_results, + key=lambda x: x[cmd_args.order_by], + reverse=cmd_args.reverse + ) + vers = "" + if cmd_args.show_version: + vers = f" (FalconPy v{version(agent_string=False)})" + if token_results: + tabular_display = tabulate(tabular_data=[t.values() for t in token_results], + headers=token_results[0].keys(), + tablefmt=cmd_args.table_format + ) + print(tabular_display) + print(f"{len(token_results)} total tokens found{vers}") + write_output_results(cmd_args, token_results) + else: + print(NOT_FOUND.format(vers.replace("(", "").replace(")", ""))) + + +def cross_tenant_action(action: Callable, 
msg: str, **kwargs): + """Check and warn if this action impacts multiple CIDs.""" + proceed = True + if not kwargs.get("cmdline").force: + if kwargs.get("cmdline").mssp and check_mssp_scope(kwargs.get("sdk")): + parent_to = "the parent and " + if kwargs.get("cmdline").skip_parent: + parent_to = "" + proceed = confirm(WARNING.format(msg, parent_to)) + if proceed: + action(**kwargs) + else: + print("Operation cancelled.") + sys.exit(0) + + +# _______ _____ __ _ _______ _______ _______ __ _ _______ _______ +# | | | | \ | |______ | |_____| | \ | | |______ +# |_____ |_____| | \_| ______| | | | | \_| | ______| +# +LONG_WAIT = 10 +SHORT_WAIT = 5 +FAIL = r""" + , , + (\____/) FATAL {} {} + (_oo_) / + (O) + __||__ \) + []/______\[] / + / \______/ \/ + / /__\ +(\ /____\ +""" +FAIL2 = r""" + _ + [ ] FATAL {} {} + ( ) / + |>| + __/===\__ + //| o=o |\\ +<] | o=o | [> + \=====/ + / / | \ \ + <_________> +""" +NOT_FOUND = r""" + __ No tokens found! + _(\ |@@| / +(__/\__ \--/ __ + \___|----| | __ + \ CS /\ )_ / _\ + /\__/\ \__O (__ + (--/\--) \__/ + _)( )(_ + `---''---` {} +""" +WARNING = r""" + __,_, + [_|_/ ⚠️ Warning ⚠️ + // This action will {} multiple tokens + _// __ / across {}child tenants. +(_|) |@@| + \ \__ \--/ __ + \o__|----| | __ + \ CS /\ )_ / _\ + /\__/\ \__O (__ + (--/\--) \__/ + _)( )(_ + `---''---` + +Are you sure you wish to proceed? 
(y/n) => """ +# _______ _______ _____ __ _ ______ _____ _ _ _______ _____ __ _ _______ +# | | | |_____| | | \ | |_____/ | | | | | | | \ | |______ +# | | | | | __|__ | \_| | \_ |_____| |_____| | __|__ | \_| |______ +# +if __name__ == "__main__": + begin = datetime.now().timestamp() # Start the timer + if sys.version_info <= (3, 7): # Make sure we're running the minimum version of Python + raise SystemExit("This application only supports Python 3.7 or greater.") + if not version(compare="1.3.4"): # Check for 1.3.4 or greater + raise SystemExit("In order to use this sample application, the CrowdStrike FalconPy " + "library (version 1.3.4 or greater) must be installed." + ) + parsed, handler = consume_arguments() # Retrieve command line arguments and the parser + # There are no credentials in the environment or command line, show help and quit + if not parsed.client_id or not parsed.client_secret: + handler.print_help() + raise SystemExit( + "\nYou must provide API credentials via the environment variables\n" + "FALCON_CLIENT_ID and FALCON_CLIENT_SECRET or you must provide\n" + "these values using the '-k' and '-s' command line arguments." 
+ ) + if parsed.debug: # Enable debug logging to the console if requested + basicConfig(level=DEBUG) + # Construct an instance of the InstallationTokens Service Class + tokens = InstallationTokens(client_id=parsed.client_id, + client_secret=parsed.client_secret, + debug=parsed.debug, + pythonic=True, + member_cid=parsed.child + ) + default_action_args = [tokens, parsed] # We display all tokens regardless of command executed + tcommand = parsed.subcommand.lower() # Selected token command + if tcommand in ["create", "c"]: # Create + cross_tenant_action(create_token, "create", sdk=tokens, cmdline=parsed) + elif tcommand in ["delete", "d"]: # Delete + if parsed.token_label: + cross_tenant_action(delete_token, "delete", sdk=tokens, cmdline=parsed) + else: + delete_token(tokens, parsed) + elif tcommand in ["revoke", "x", "restore", "r"]: # Revoke and Restore + if parsed.token_label: + cross_tenant_action(token_revocation, + "restore" if tcommand in ["restore", "r"] else "revoke", + sdk=tokens, + cmdline=parsed, + revoking=tcommand in ["revoke", "x"] + ) + else: + token_revocation(tokens, parsed, tcommand in ["revoke", "x"]) + elif tcommand in ["update", "u"]: # Update + if parsed.token_id: + update_token_by_id(tokens, parsed) + elif parsed.token_label: + cross_tenant_action(update_token_by_label, "update", sdk=tokens, cmdline=parsed) + if parsed.filter: # List / all commands + # Add any provided command line filters to the arguments for the default action + default_action_args.append(parsed.filter) + show_all_tokens(*default_action_args) # After all processing, display the list of tokens + + +# █ █ +# █ ██ +# ██ _ _ _ _______ _______ _______ _____ _____ ▓█ +# ▒▒███ | | | |______ |______ | | | |_____] ██▓▒▓ +# ▒░▒▓████ |__|__| |______ ______| | |_____| | █████▒▒▒▓ +# █▒▒▓████▒▓███ ▓██▓▓████▒░▒ +# ▒░▒████▒░░▒▒▓▓█▓▓ ████▒▒▒░░▓███▓▒░▒ +# ▓░▒▒███▓░░▒▒▒▓██▓▒█▓█▓▓ ▒▓█▓▓▒███▒▒▒▒░▒████▒░▒ +# ▒░▒▓███▓░░▒▒▒███▒░░░▓███▓█▓ █▓█▓███▒░░░▓██▓▒▒▒░▒████▒░▒ +# 
▒░▒▓███▓░░▒▒▒███▒░░░▓███░░▒▓▓█▓ ▓██▒▒░▒███▒░░░▓██▓▒▒▒░▒████▒░▒ +# ▓░▒▒███▓░░▒▒▒▒██▓░░░░░░░░▒▒▒█████▓ ▓█████░▒░░░░░░░░░███▒▒▒▒░▒████▒░▒ +# ▒░▒████▒░░▒▒▒▓███▒░▒▒▒▒░░████▒▒▒▓██ █▓▓▒▒▓███▒░▒▒▒▒░░▓███▒▒▒▒░░▓███▓▒░▒ +# █▒▒▒████▒░▒▒▒▒▒████████████▓▒▒▒▒▒▒███ █▓▒░▒▒▒▒▒████████████▓▒▒▒▒░░▓████▒▒▒ +# ▒░▒▓████▒░░▒▒▒▒▒▓███████▒▒▒▒▒▒░░▓███ ████▒░▒▒▒▒▒▒▓███████▒▒▒▒▒▒░░▓████▒▒░▒ +# ▒░▒▓████▓▒░░▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒░░▒█▓███▓█ █▓████▓▒░▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒░░▒█▓███▒▒▒▓ +# ▒░▒▒██████▒░░░▒▒▒▒▒▒▒▒▒░░▒▒█▓███▓▒▒▓█ █▒▒▒██████▒░░▒▒▒▒▒▒▒▒▒▒░░▒▒█▓███▓▒▒▒▒ +# ▓▒▒▒▒███████▒▒▒▒▒▒▒▒▒▒▓███████▒▒▒▒ ▒▒▒▒███████▒▒▒▒▒░▒▒▒▒▓███████▒▒░▒ +# ▒▒▒▒▒▓█████████▓█████████▒▒▒▒▒ ▓▒▒▒▒▓█████████▓█████████▒▒▒░▒ +# ▓▒▒▒▒▒▒████████████▓▒▒▒▒▒▓ █▒▒▒▒▒▒████████████▓▒▒▒▒░▒ +# ▓▒░▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ █▓▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒░▓ +# ▓▒▓▓▓▓▒▓█ █▒░▓▓▓▒▓█ +# +# ______ ______ _______ _______ _______ _ _ _______ _______ +# |_____] |_____/ |______ |_____| | |_____| |______ |______ +# |_____] | \_ |______ | | |_____ | | |______ ______| From 71102d94eb38f758ba99d4883d39f6ecdeb11f51 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Fri, 17 Nov 2023 22:22:39 -0500 Subject: [PATCH 09/16] Bump version -> 1.3.4 --- src/falconpy/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/falconpy/_version.py b/src/falconpy/_version.py index 6542247cd..aa90211c5 100644 --- a/src/falconpy/_version.py +++ b/src/falconpy/_version.py @@ -35,7 +35,7 @@ For more information, please refer to """ -_VERSION = '1.3.3' +_VERSION = '1.3.4' _MAINTAINER = 'Joshua Hiller' _AUTHOR = 'CrowdStrike' _AUTHOR_EMAIL = 'falconpy@crowdstrike.com' From c89bb547497044871d51830612b8544afeb1952d Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Fri, 17 Nov 2023 23:55:39 -0500 Subject: [PATCH 10/16] Add context manager support --- src/falconpy/_auth_object/_uber_interface.py | 9 +++++++++ src/falconpy/_service_class/_service_class.py | 9 +++++++++ 2 files changed, 18 insertions(+) 
diff --git a/src/falconpy/_auth_object/_uber_interface.py b/src/falconpy/_auth_object/_uber_interface.py index 7ffcbd520..b23e61b11 100644 --- a/src/falconpy/_auth_object/_uber_interface.py +++ b/src/falconpy/_auth_object/_uber_interface.py @@ -150,6 +150,15 @@ def logout(self) -> bool: return bool(result["status_code"] == 200) + def __enter__(self): + """Allow for entry as a context manager.""" + return self + + def __exit__(self, *args): + """Discard our token when we exit the context.""" + self.logout() + return args + # Legacy property getters maintained for backwards functionality. def authenticated(self) -> bool: """Return the current authentication status.""" diff --git a/src/falconpy/_service_class/_service_class.py b/src/falconpy/_service_class/_service_class.py index a11a4df5b..6d98def7c 100644 --- a/src/falconpy/_service_class/_service_class.py +++ b/src/falconpy/_service_class/_service_class.py @@ -230,6 +230,15 @@ def override(self, exp=expand_result )) + def __enter__(self): + """Allow for entry as a context manager.""" + return self + + def __exit__(self, *args): + """Discard our token when we exit the context.""" + self.logout() + return args + # ___ ____ ____ ___ ____ ____ ___ _ ____ ____ # |__] |__/ | | |__] |___ |__/ | | |___ [__ # | | \ |__| | |___ | \ | | |___ ___] From aab58514c0a332bd32397478aaff723653f403e1 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Fri, 17 Nov 2023 22:36:00 -0500 Subject: [PATCH 11/16] Update CHANGELOG.md --- CHANGELOG.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 35ebf3bdf..d006fd396 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
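Review bot: `__exit__` in the `_uber_interface.py` hunk ends with `return args`, and a truthy return from `__exit__` tells the interpreter to suppress the in-flight exception; `args` is always the 3-tuple `(exc_type, exc_value, traceback)`, which is truthy even when every element is `None`, so any exception raised inside a `with UberClass(...) as falcon:` block (a failed request, an auth error, a programming bug) is silently swallowed and the caller sees normal completion. That is a silent-failure path in a security SDK and the opposite of what the docstring promises. Change the last line to `return False` and make the contract explicit in the docstring, e.g. `"""Revoke our bearer token when we exit the context; exceptions from the block are never suppressed."""`. Separately, `self.logout()` returns a bool (visible just above in the hunk as `return bool(result["status_code"] == 200)`) that is discarded here, so a failed revocation leaves a live token with no signal to the caller; at minimum the result should be logged, though where this class logs is outside the hunk so I am only flagging it.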
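Review bot: The `_service_class.py` hunk repeats the same defect as the Uber Class one: `return args` from `__exit__` returns a non-empty tuple, which is truthy and therefore suppresses every exception raised inside the `with` block, so the fix should be applied here too, `return False`, with the docstring stating that exceptions are propagated. Because `ServiceClass.logout()` is not in the hunk I cannot see what it revokes, but if a Service Class was built around a shared `auth_object` (the Token Authentication sample in this same patch series describes one token used across several Service Classes), leaving one `with` block would presumably revoke the token for every class sharing it; that should be confirmed and, if true, spelled out in the CHANGELOG note and the `__exit__` docstring, e.g. `# NOTE: revokes the token for every class sharing this auth_object`. The enclosing class body continues outside the hunk.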
@@ -1,3 +1,37 @@ +# Version 1.3.4 +## Added features and functionality ++ Added: Use a Service Class or the Uber Class as a context manager. + > Leveraging this functionality will automatically revoke your bearer token on context manager exit. + ```python + from falconpy import Hosts + with Hosts(pythonic=True) as hosts: + for device in hosts.query_devices().data: + print(device) + ``` + - `_auth_object/_uber_interface.py` + - `_service_class/_service_class.py` + +## Issues resolved ++ Fixed: _update_policy_container_ operation payload handler is missing the `policy_id`` key. Closes #1068. + - `_payload/_firewall.py` + > Expanded unit testing to complete code coverage. + - `tests/test_firewall_management.py` ++ Fixed: `after` property is missing from the __Meta__ object. Closes #1069. + - `_result/_meta.py` + - `_result/_result.py` ++ Fixed: Payload handler for _tokens_update_ operation is not properly passing the `revoked` key. Closes #1074. + - `installation_tokens.py` ++ Fixed: API operations generating leveraging the raw attribute are not properly displaying results when leveraging result object expansion. Closes #1076. + - `_result/_result.py` + +# Other ++ Changed: Updated field mapping for Uber Class path variables to a cleaner solution. + - `_util/_uber.py` ++ Removed: The unsupported actions `add-rule-group` and `remove-rule-group` are removed from the _performFirewallPoliciesAction_ operation. Relates to #1059. + - `firewall_policies.py` + +--- + # Version 1.3.3 ## Added features and functionality + Added: Deprecation warnings for deprecated classes and operations. Closes #1055. From 0b89af6b1bcaf14a1de1ca472d52df6ce11466da Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Sun, 19 Nov 2023 02:07:54 -0500 Subject: [PATCH 12/16] Reformat Sample Library README --- samples/README.md | 1531 +++++++++++++++++++++++++++------------------ 1 file changed, 908 insertions(+), 623 deletions(-) 
diff --git a/samples/README.md b/samples/README.md index 0d4e3c331..0a3e8a7d5 100644 --- a/samples/README.md +++ b/samples/README.md @@ -24,42 +24,87 @@ In order to expedite sample delivery, examples will follow one of three standard > Please note: These are not the only methods for providing these values. # Samples by API service collection -The following samples are categorized by CrowdStrike Falcon API service collection. Some samples have specific FalconPy version requirements, check documentation maintained within the source or the sample `README.md` for more details. +The following samples are categorized by CrowdStrike product, and further categorized by Falcon API service collection. Some samples have specific FalconPy version requirements, check documentation maintained within the source or the sample `README.md` for more details. ![Total samples](https://img.shields.io/endpoint?url=https%3A%2F%2Ffalconpy.io%2F_samples.json&style=for-the-badge) -| Service Collection | Samples | -| :--- | :--- | -| [Authentication](#authentication) | [AES Authentication](#aes-authentication)
[AES File Crypt](#aes-file-crypt)
[Token Authentication](#token-authentication) | -| [Custom IOA](#custom-ioa) | [Custom IOA Cloner](#custom-ioa-cloner) | -| [Detects](#detects) | [Detects Advisor](#detects-advisor) | -| [Event Streams](#event-streams) | [Send detections to AWS Security Hub](#send-detections-to-aws-security-hub) | -| [Falcon Discover](#falcon-discover) | [List discovered hosts](#list-discovered-hosts)
[Spyglass](#spyglass) | -| [Falcon Discover for Cloud and Containers](#falcon-discover-for-cloud-and-containers-aws-accounts) | [Manage Discover accounts (AWS)](#manage-discover-accounts) | -| [Falcon Horizon](#falcon-horizon) | [Get CSPM policies](#get-cspm-policies) | -| [Falcon Flight Control](#falcon-flight-control) | [Find child CID](#find-child-cid)
[Get Child Prevention Policies](#get-child-prevention-policies)
[Host Group Duplicator](#host-group-duplicator)
[Execute a command on hosts across multiple children](#execute-a-command-on-hosts-across-multiple-children) | -| [Falcon Intelligence](#falcon-intelligence) | [Manage sandbox uploads](#manage-sandbox-uploads)
[Falcon Intelligence sandbox scan](#falcon-intelligence-sandbox-scan)
[Get all artifacts](#get-all-artifacts)
[Quick Scan a target](#quick-scan-a-target)
[Quick Scan quota check](#quick-scan-quota-check)
[S3 Bucket Protection](#s3-bucket-protection) | -| [Firewall Management](#firewall-management) | [Export Firewall events to a file](#export-firewall-events-to-a-file) | -| [Hosts](#hosts) | [List sensors by hostname](#list-sensors-by-hostname)
[Manage duplicate sensors](#manage-duplicate-sensors)
[CUSSED (Manage stale sensors)](#cussed-manage-stale-sensors)
[Match usernames to hosts](#match-usernames-to-hosts)
[Offset vs. Token](#offset-vs-token)
[Prune Hosts by Hostname or AID](#prune-hosts-by-hostname-or-aid)
[Quarantine a host](#quarantine-a-host)
[Quarantine a host (updated version)](#quarantine-a-host-updated-version) | -| [Identity Protection](#identity-protection) | [GraphQL Pagination](#graphql-pagination) | -| [Incidents](#incidents) | [CrowdScore QuickChart](#crowdscore-quickchart)
[Incident Triage](#incident-triage) | -| [Installation Tokens](#installation-tokens) | [Token Dispenser](#token-dispenser) | -| [Intel](#intel) | [MISP Import](#misp-import)
[Intel Search](#intel-search) | -| [IOC](#ioc) | [Create indicators](#create-indicators) | -| [MalQuery](#malquery) | [Malqueryinator](#malqueryinator) | -| [Prevention Policy](#prevention-policy) | [Prevention Policy Hawk](#prevention-policy-hawk) | -| [Quarantine](#quarantine) | [Get Quarantined Files](#get-quarantined-files) -| [Real Time Response](#real-time-response) | [Bulk execute a command](#bulk-execute-a-command)
[Bulk execute a command (queued)](#bulk-execute-a-command-queued)
[Get host uptime](#get-host-uptime)
[Get RTR result](#get-rtr-result)
[Dump memory for a running process](#dump-memory-for-a-running-process)
[My Little RTR](#my-little-rtr)
[ProxyTool](#proxytool) | -| [Recon](#recon) | [Create monitoring rules for an email list](#create-monitoring-rules-for-an-email-list) | -| [Report Executions](#report-executions) | [Retrieve all report results](#retrieve-all-report-results) | -| [Sensor Download](#sensor-download) | [Download the CrowdStrike sensor](#download-the-crowdstrike-sensor) | -| [Sensor Update Policies](#sensor-update-policies) | [Policy Wonk](#policy-wonk) | -| [Spotlight](#spotlight) | [Find vulnerable hosts by CVE ID](#find-vulnerable-hosts-by-cve-id)
[CISA DHS Known Exploited Vulnerabilities](#cisa-dhs-known-exploited-vulnerabilities)
[Spotlight Quick Report](#spotlight-quick-report) | -| [User Management](#user-management) | [Bulk user administration](#bulk-user-administration)
[Get user grants](#get-user-grants) | - - -##### Class type legend -Provided examples are further categorized by the type of class used to interact with the CrowdStrike API. + +
+

Table of Contents

+ + + +### [General](#general-apis) +| Topic | Samples | +| :-- | :-- | +| [Authentication](#authentication) | AES Authentication
AES File Crypt
Token Authentication | + + + +### [Deployment and Management](#deployment-and-management-apis) + +| Topic | Samples | +| :-- | :-- | +| [Hosts](#hosts-samples)
[Host Groups](#hosts-samples)
| List sensors by hostname
Manage duplicate sensors
CUSSED (Manage stale sensors)
Match usernames to hosts
Offset vs. Token
Prune Hosts by Hostname or AID
Quarantine a host
Quarantine a host (updated version) | +| [Report Executions](#report-executions-samples) | Retrieve all report results | +| [Sensor Download](#sensor-download-samples) | Download the CrowdStrike sensor | +| [Sensor Update Policies](#sensor-update-policies-samples) | Policy Wonk | +| [Installation Tokens](#installation-tokens-samples) | Token Dispenser | +| [Quarantine](#quarantine-samples) | Get Quarantined Files | +| [User Management](#user-management-samples) | Bulk user administration
Get user grants | +| [Event Streams](#event-streams-samples) | Send detections to AWS Security Hub | +| [Flight Control (MSSP)](#flight-control-samples) | Find child CID
Get Child Prevention Policies
Host Group Duplicator
Execute a command on hosts across multiple children | + + + +### [Endpoint Security](#endpoint-security-apis) + +| Topic | Samples | +| :-- | :-- | +| [Custom IOA](#custom-ioa-samples) | Custom IOA Cloner | +| [Detects](#detects-samples) | Detects Advisor | +| [IOC](#ioc-samples) | Create indicators | +| [Prevention Policies](#prevention-policies-samples) | Prevention Policy Hawk | +| [Incidents](#incidents-samples) | CrowdScore QuickChart
Incident Triage | +| [Real Time Response](#real-time-response-samples) | Bulk execute a command
Bulk execute a command (queued)
Get host uptime
Get RTR result
Dump memory for a running process
My Little RTR
ProxyTool | +| [Firewall Management](#firewall-management-samples) | Export Firewall events to a file | + + + +### [Cloud Security](#cloud-security-apis) +| Topic | Samples | +| :-- | :-- | +| [Cloud Workload Protection](#cloud-workload-protection-samples) | Manage Discover accounts (AWS) | +| [CSPM Registration](#horizon-samples) | Get CSPM policies | + + + +### [Identity Protection](#identity-protection-apis) +| Topic | Samples | +| :-- | :-- | +| [Identity Protection](#identity-protection-samples) | GraphQL Pagination | + + + +### [Exposure Management](#exposure-management-apis) +| Topic | Samples | +| :-- | :-- | +| [Asset Management (Discover)](#asset-management-samples) | List discovered hosts
Spyglass | +| [Vulnerability Management (Spotlight)](#vulnerability-management-samples) | Find vulnerable hosts by CVE ID
CISA DHS Known Exploited Vulnerabilities
Spotlight Quick Report | + + + +### [Threat Intelligence](#threat-intelligence-apis) +| Topic | Samples | +| :-- | :-- | +| [Falcon Intelligence (includes MalQuery)](#falcon-intelligence-samples) | Intel Search
MISP Import
Malqueryinator | +| [Falcon Intelligence Sandbox (includes QuickScan)](#falcon-intelligence-sandbox-samples) | Manage sandbox uploads
Falcon Intelligence sandbox scan
Get all artifacts
Quick Scan a target
Quick Scan quota check
S3 Bucket Protection | +| [Falcon Intelligence Recon](#recon-samples) | Create monitoring rules for an email list | + +
+ +#### Class type legend +Provided examples are additionally labeled by the type of class used to interact with the CrowdStrike API and if the solution supports MSSP usage scenarios. | Indicator | Detail | | :--- | :--- | @@ -68,15 +113,22 @@ Provided examples are further categorized by the type of class used to interact | [![MSSP Usage supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](https://falconpy.io/Usage/Authenticating-to-the-API.html#mssp-examples-hosts) | These samples support MSSP usage scenarios. -## Authentication -This group of samples discuss different variations of authentication to CrowdStrike's OAuth2 API. + + + +
+

General

+ +
+

Authentication

(click to expand)
+This group of samples discuss different variations of authentication to CrowdStrike's OAuth2 API.
-### AES Authentication +#### AES Authentication The AES authentication example demonstrates the technical aspects of implementing a cryptographic solution for storing and retrieving credentials from the file system. Upon successful decryption, a simple API connectivity test is performed. [![AES Authentication](https://img.shields.io/badge/Service%20Class-AES_Authentication-silver?style=for-the-badge&labelColor=red&logo=)](authentication#aes-authentication) -#### API operations discussed +##### API operations discussed This sample leverages the Hosts API to perform a connectivity test. | Operation | Description | 
@@ -85,541 +137,625 @@ This sample leverages the Hosts API to perform a connectivity test. --- -### AES File Crypt +#### AES File Crypt The AES file crypt example builds on the code developed for the [AES Authentication](#aes-authentication) example to encrypt arbitrary files. [![AES File Crypt](https://img.shields.io/badge/Just_Because-AES_File_Crypt-silver?style=for-the-badge&labelColor=teal&logo=)](authentication#aes-file-crypt) -#### API operations discussed +##### API operations discussed This sample does not communicate with the CrowdStrike API. --- -### Token Authentication +#### Token Authentication This sample demonstrates [Token Authentication](https://www.falconpy.io/Usage/Authenticating-to-the-API.html#legacy-authentication) (also known as Legacy Authentication) and how it can be leveraged to interact with multiple Service Classes. [![Token Authentication](https://img.shields.io/badge/Service%20Class-Token_Authentication-silver?style=for-the-badge&labelColor=red&logo=)](authentication#token-authentication) -#### API operations discussed +##### API operations discussed This sample interacts with seven different Service Classes to authenticate and perform a connectivity test using multiple Service Classes. | Service Class | Operation | Description | | :--- | :--- | :--- | | CloudConnectAWS | [QueryAWSAccounts](https://www.falconpy.io/Service-Collections/Cloud-Connect-AWS.html#queryawsaccounts) | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria. | | Detects | [QueryDetects](https://www.falconpy.io/Service-Collections/Detects.html#querydetects) | Search for detection IDs that match a given query. | -| Hosts | [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll) (using the `query_devices` alias). 
| Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). | +| Hosts | [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll) (using the `query_devices` alias) | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). | | Incidents | [QueryIncidents](https://www.falconpy.io/Service-Collections/Incidents.html#queryincidents) | Search for incidents by providing a FQL filter, sorting, and paging details. | | Intel | [QueryIntelActorEntities](https://www.falconpy.io/Service-Collections/Intel.html#queryintelactorentities) | Get info about actors that match provided FQL filters. | | IOC | [indicator_combined_v1](https://www.falconpy.io/Service-Collections/IOC.html#indicator_combined_v1) | Get combined for indicators. | | OAuth2 | [token](https://www.falconpy.io/Service-Collections/OAuth2.html#oauth2accesstoken) | Generate an OAuth2 access token. | +
---- - -## Custom IOA -This category demonstrates using CrowdStrike's Custom IOA service collection. +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#general-toc) -### Custom IOA Cloner -The [Custom IOA Cloner](custom_ioa#custom-ioa-cloner) demonstrates displaying, deleting and cloning Custom IOA rule groups. +--- -[![Custom IOA](https://img.shields.io/badge/Service%20Class-Custom_IOA_Cloner-silver?style=for-the-badge&labelColor=red&logo=)](custom_ioa#custom-ioa-cloner) +
-#### Custom IOA API operations discussed -This sample demonstrates the following CrowdStrike Custom IOA API operations: + -| Operation | Description | -| :--- | :--- | -| [create_rule](https://www.falconpy.io/Service-Collections/Custom-IOA.html#create_rule) | Create a rule within a rule group. Returns the rule. | -| [create_rule_groupMixin0](https://www.falconpy.io/Service-Collections/Custom-IOA.html#create_rule_groupmixin0) | Create a rule group for a platform with a name and an optional description. Returns the rule group. | -| [delete_rule_groupsMixin0](https://www.falconpy.io/Service-Collections/Custom-IOA.html#delete_rule_groupsmixin0) | Delete rule groups by ID. | -| [query_rule_groups_full](https://www.falconpy.io/Service-Collections/Custom-IOA.html#query_rule_groups_full) | Find all rule groups matching the query with optional filter. | + +
+

Deployment and Management

---- + +
+

Hosts

(click to expand)
+The samples collected in this section demonstrate leveraging CrowdStrike's Hosts and Host Group API service collections to secure your endpoints. +
-## Detects -The CrowdStrike Detects API service collection is the sole focus of this category. +- [List sensors by hostname](#list-sensors-by-hostname) +- [CUSSED (Stale sensor detector)](#cussed-manage-stale-sensors) +- [Match usernames to hosts](#match-usernames-to-hosts) +- [Offset vs. Token](#offset-vs-token) +- [Quarantine a host](#quarantine-a-host) +- [Quarantine a host (updated)](#quarantine-a-host-updated-version) -### Detects Advisor -[Detects Advisor](detects#detects-advisor) is an example application for triaging inbound detections in your CrowdStrike Falcon tenant. +#### List sensors by hostname +This [example](hosts#list-sensors-by-hostname) will demonstrate how to retrieve a list of sensors by hostname. -[![Detects](https://img.shields.io/badge/Service%20Class-Detects%20Advisor-silver?style=for-the-badge&labelColor=red&logo=)](detects#detects-advisor) +[![Hosts](https://img.shields.io/badge/Service%20Class-List%20Sensors%20By%20Hostname-silver?style=for-the-badge&labelColor=red&logo=)](hosts#list-sensors-by-hostname) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](hosts#list-sensors-by-hostname) -#### Detects API operations discussed -This sample demonstrates the following CrowdStrike Detects API operations: +##### Hosts API operations discussed +This sample demonstrates the following CrowdStrike Hosts API operations: | Operation | Description | | :--- | :--- | -| [GetDetectSummaries](https://falconpy.io/Service-Collections/Detects.html#getdetectsummaries) | View information about detections. | -| [QueryDetects](https://falconpy.io/Service-Collections/Detects.html#querydetects) | Search for detection IDs that match a given query. | -| [UpdateDetectsByIdsV2](https://falconpy.io/Service-Collections/Detects.html#updatedetectsbyidsv2) | Modify the state, assignee, and visibility of detections. 
| +| [GetDeviceDetails](https://falconpy.io/Service-Collections/Hosts.html#getdevicedetails) | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) operation, the Falcon console or the Streaming API. | +| [QueryDevicesByFilter](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria. | --- -## Event Streams -This category is focused on the CrowdStrike Event Streams API service collection. - -### Send detections to AWS Security Hub -This [example](https://github.com/CrowdStrike/Cloud-AWS/tree/main/Security-Hub) demonstrates publishing AWS Security Hub findings from CrowdStrike Falcon Event Streams API. +#### Manage duplicate sensors +Identify and optionally remove duplicate sensors using this [example](https://github.com/CrowdStrike/falconpy/tree/main/samples/hosts#list-duplicate-sensors). 
-[![Event Streams](https://img.shields.io/badge/Uber%20Class-Send%20Detections%20to%20AWS%20Security%20Hub-silver?style=for-the-badge&labelColor=maroon&logo=)](https://github.com/CrowdStrike/Cloud-AWS/tree/main/Security-Hub) +[![Hosts](https://img.shields.io/badge/Service%20Class-Find%20Duplicate%20Sensors-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/hosts#list-duplicate-sensors) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](https://github.com/CrowdStrike/falconpy/tree/main/samples/hosts#list-duplicate-sensors) -#### Event Streams API operations discussed -This sample demonstrates the following CrowdStrike Event Streams API operations: +##### Hosts API operations discussed +This sample demonstrates the following CrowdStrike Hosts API operations: | Operation | Description | | :--- | :--- | -| [listAvailableStreamsOAuth2](https://falconpy.io/Service-Collections/Event-Streams.html#listavailablestreamsoauth2) | Discover all event streams in your environment. | -| [refreshActiveStreamSession](https://falconpy.io/Service-Collections/Event-Streams.html#refreshactivestreamsession) | Refresh an active event stream. Use the URL shown in a [listAvailableStreamsOAuth2](https://falconpy.io/Service-Collections/Event-Streams.html#listavailablestreamsoauth2) response. | +| [GetDeviceDetails](https://falconpy.io/Service-Collections/Hosts.html#getdevicedetails) | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) operation, the Falcon console or the Streaming API. | +| [PerformActionV2](https://falconpy.io/Service-Collections/Hosts.html#performactionv2) | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. 
| +| [QueryDevicesByFilterScroll](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll) | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). | --- -## Falcon Discover -The samples in this section focus on the CrowdStrike Falcon Discover API service collection. - -### List discovered hosts - -In this [example](discover/list_discovered_hosts.py), we demonstrate listing up to the first 100 hosts identified by Falcon Discover. +#### CUSSED (Manage stale sensors) +Identify and optionally remove stale sensors using this [example](hosts#list-stale-sensors). -[![Falcon Discover](https://img.shields.io/badge/Service%20Class-List%20Discovered%20Hosts-silver?style=for-the-badge&labelColor=red&logo=)](discover/list_discovered_hosts.py) +[![Hosts](https://img.shields.io/badge/Service%20Class-Find%20Stale%20Sensors-silver?style=for-the-badge&labelColor=red&logo=)](hosts#list-stale-sensors) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](hosts#list-stale-sensors) -#### Discover API operations discussed -This sample demonstrates the following CrowdStrike Discover API operations: +##### Hosts API operations discussed +This sample demonstrates the following CrowdStrike Hosts API operations: | Operation | Description | | :--- | :--- | -| [get_hosts](https://falconpy.io/Service-Collections/Discover.html#get_hosts) | Get details on assets by providing one or more IDs. | -| [query_hosts](https://falconpy.io/Service-Collections/Discover.html#query_hosts) | Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. 
| +| [GetDeviceDetails](https://falconpy.io/Service-Collections/Hosts.html#getdevicedetails) | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) operation, the Falcon console or the Streaming API. | +| [PerformActionV2](https://falconpy.io/Service-Collections/Hosts.html#performactionv2) | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. | +| [QueryDevicesByFilterScroll](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll) | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). | --- -### Spyglass - -In this [example](discover/spyglass.py), we demonstrate running a full Falcon Discover audit report (accounts, applications, hosts and logins). +#### Match usernames to hosts +Submitted by `@micgoetz`, the [Match Username to Host](hosts#match-usernames-to-hosts) sample demonstrates mapping usernames to hosts with Falcon Grouping tags. 
-[![Falcon Discover](https://img.shields.io/badge/Service%20Class-Spyglass-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/discover#spyglass) +[![Hosts](https://img.shields.io/badge/Service%20Class-Match_Username_to_Host-silver?style=for-the-badge&labelColor=red&logo=)](hosts#match-usernames-to-hosts) -#### Discover API operations discussed -This sample demonstrates the following CrowdStrike Discover API operations: +##### Hosts API operations discussed +This sample demonstrates the following CrowdStrike Hosts API operations: | Operation | Description | | :--- | :--- | -| [get_accounts](https://falconpy.io/Service-Collections/Discover.html#get_accounts) | Get details on accounts by providing one or more IDs. | -| [get_applications](https://falconpy.io/Service-Collections/Discover.html#get_applications) | Get details on applications by providing one or more IDs. | -| [get_hosts](https://falconpy.io/Service-Collections/Discover.html#get_hosts) | Get details on assets by providing one or more IDs. | -| [get_logins](https://falconpy.io/Service-Collections/Discover.html#get_logins) | Get details on logins by providing one or more IDs. | -| [query_accounts](https://falconpy.io/Service-Collections/Discover.html#query_accounts) | Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of account IDs which match the filter criteria. | -| [query_applications](https://falconpy.io/Service-Collections/Discover.html#query_applications) | Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria. | -| [query_hosts](https://falconpy.io/Service-Collections/Discover.html#query_hosts) | Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. 
Returns a set of asset IDs which match the filter criteria. | -| [query_logins](https://falconpy.io/Service-Collections/Discover.html#query_logins) | Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of login IDs which match the filter criteria. | +| [GetDeviceDetails](https://falconpy.io/Service-Collections/Hosts.html#getdevicedetails) | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) operation, the Falcon console or the Streaming API. | +| [QueryDevicesByFilter](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria. | +| [QueryDeviceLoginHistory](https://www.falconpy.io/Service-Collections/Hosts.html#querydeviceloginhistory) | Retrieve details about recent login sessions for a set of devices. | +| [UpdateDeviceTags](https://www.falconpy.io/Service-Collections/Hosts.html#updatedevicetags) | Append or remove one or more Falcon Grouping Tags on one or more hosts. | --- -## Falcon Discover for Cloud and Containers (AWS Accounts) -This section discusses Falcon Discover for Cloud and Containers, and the two API service collections, Cloud Connect AWS and D4C Registration. - -### Manage Discover accounts -This example demonstrates using FalconPy to register and remove accounts managed by CrowdStrike Falcon Discover for Cloud (AWS). Both [Service Class](discover_aws/manage_discover_accounts_service.py) and [Uber Class](discover_aws/manage_discover_accounts_uber.py) examples are provided. +#### Offset vs. 
Token +This [demonstration](hosts#comparing-querydevicesbyfilter-and-querydevicesbyfilterscroll-offset-vs-token) discusses the [pagination](https://falconpy.io/Usage/Response-Handling.html#paginating-json-responses) differences when using [`QueryDevicesByFilter`](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) versus [`QueryDevicesByFilterScroll`](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll). -[![Falcon Discover for Cloud (AWS)](https://img.shields.io/badge/Service%20Class-Manage%20Discover%20Accounts-silver?style=for-the-badge&labelColor=red&logo=)](discover_aws/manage_discover_accounts_service.py) -[![Falcon Discover for Cloud (AWS)](https://img.shields.io/badge/Uber%20Class-Manage%20Discover%20Accounts-silver?style=for-the-badge&labelColor=maroon&logo=)](discover_aws/manage_discover_accounts_uber.py) +[![Hosts](https://img.shields.io/badge/Service%20Class-Offset%20vs.%20Token-silver?style=for-the-badge&labelColor=red&logo=)](hosts#comparing-querydevicesbyfilter-and-querydevicesbyfilterscroll-offset-vs-token) -#### Cloud Connect AWS API operations discussed -These samples demonstrate the following CrowdStrike Cloud Connect AWS (Discover for Cloud and Containers) API operations: +##### Hosts API operations discussed +This sample demonstrates the following CrowdStrike Hosts API operations: | Operation | Description | | :--- | :--- | -| [DeleteAWSAccounts](https://falconpy.io/Service-Collections/Cloud-Connect-AWS.html#deleteawsaccounts) | Delete a set of AWS Accounts by specifying their IDs. | -| [ProvisionAWSAccounts](https://falconpy.io/Service-Collections/Cloud-Connect-AWS.html#provisionawsaccounts) | Provision AWS Accounts by specifying details about the accounts to provision. | -| [QueryAWSAccounts](https://falconpy.io/Service-Collections/Cloud-Connect-AWS.html#queryawsaccounts) | Search for provisioned AWS Accounts by providing a FQL filter and paging details. 
Returns a set of AWS accounts which match the filter criteria. | -| [UpdateAWSAccounts](https://falconpy.io/Service-Collections/Cloud-Connect-AWS.html#updateawsaccounts) | Update AWS Accounts by specifying the ID of the account and details to update. | -| [VerifyAWSAccountAccess](https://falconpy.io/Service-Collections/Cloud-Connect-AWS.html#verifyawsaccountaccess) | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria. | +| [QueryDevicesByFilter](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria. | +| [QueryDevicesByFilterScroll](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll) | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). | --- -## Falcon Horizon -These samples focus on CrowdStrike Falcon Horizon and the available API operations within the CSPM Registration service collection. - -### Get CSPM policies -Submitted by `@mccbryan3`, this [example](cspm_registration/get_cspm_policies.py) uses FalconPy to report or export as CSV, all or selective Falcon Horizon CSPM Policies. +#### Prune Hosts by Hostname or AID +This sample demonstrates [removing and restoring hosts by hostname or AID](hosts/prune_hosts.py). 
-[![Falcon Horizon](https://img.shields.io/badge/Service%20Class-Report%20Horizon%20Policies-silver?style=for-the-badge&labelColor=red&logo=)](cspm_registration/get_cspm_policies.py) +[![Hosts](https://img.shields.io/badge/Service%20Class-Hosts_Pruner-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/hosts#prune-hosts-by-hostname-or-aid) -#### CSPM Registration API operations discussed -This sample demonstrates the following CrowdStrike CSPM Registration (Horizon) API operations: +##### Hosts API operations discussed +This sample demonstrates the following CrowdStrike Hosts API operations: | Operation | Description | | :--- | :--- | -| [GetCSPMPolicySettings](https://falconpy.io/Service-Collections/CSPM-Registration.html#getcspmpolicysettings) | Returns information about current policy settings. | +| [PerformActionV2](https://falconpy.io/Service-Collections/Hosts.html#performactionv2) | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. | +| [GetDeviceDetails](https://falconpy.io/Service-Collections/Hosts.html#getdevicedetails) | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) operation, the Falcon console or the Streaming API. | +| [QueryDevicesByFilterScroll](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll) | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). | --- -## Falcon Flight Control -The samples in this category demonstrate functionality for MSSP scenarios using the Falcon Flight Control API service collection. 
- -### Find child CID -This [example](flight_control/find_child_cid.py) demonstrates retrieving a child CID using the CrowdStrike Falcon Flight Control API. +#### Quarantine a host +Developed by one of our maintainers `@soggysec`, this example demonstrates how to [quarantine target hosts](rtr/quarantine_hosts.py). -[![Falcon Flight Control](https://img.shields.io/badge/Service%20Class-Find%20Child%20CID-silver?style=for-the-badge&labelColor=red&logo=)](flight_control/find_child_cid.py) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](flight_control/find_child_cid.py) +[![Hosts](https://img.shields.io/badge/Service%20Class-Quarantine%20Target%20Host-silver?style=for-the-badge&labelColor=red&logo=)](rtr/quarantine_hosts.py) -#### Flight Control API operations discussed -This sample demonstrates the following CrowdStrike Flight Control API operations: +##### Hosts API operations discussed +This sample demonstrates the following CrowdStrike Hosts API operations: | Operation | Description | | :--- | :--- | -| [QueryChildren](https://falconpy.io/Service-Collections/MSSP.html#querychildren) | Query for customers linked as children. | +| [PerformActionV2](https://falconpy.io/Service-Collections/Hosts.html#performactionv2) | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. | +| [QueryDevicesByFilter](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria. | --- -### Get Child Prevention Policies -This [example](flight_control/get_child_prevention_policies.py) uses the Flight Control and Prevention Policies Host Group APIs to demonstrate retrieving prevention policies for some or all child tenants. 
+#### Quarantine a host (updated version) +This is the same solution, but [updated](hosts/quarantine_hosts_new.py) to demonstrate [Direct Authentication](https://www.falconpy.io/Usage/Authenticating-to-the-API.html#direct-authentication), [Body Payload Abstraction](https://www.falconpy.io/Usage/Payload-Handling.html#body-payload-abstraction) and [Parameter Abstraction](https://www.falconpy.io/Usage/Payload-Handling.html#parameter-abstraction). -[![Falcon Flight Control](https://img.shields.io/badge/Service%20Class-Get_Child_Prevention_Policies-silver?style=for-the-badge&labelColor=red&logo=)](flight_control/get_child_prevention_policies.py) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](flight_control/get_child_prevention_policies.py) +[![Hosts](https://img.shields.io/badge/Service%20Class-Quarantine%20Target%20Host%20(Updated)-silver?style=for-the-badge&labelColor=red&logo=)](hosts/quarantine_hosts_new.py) -#### Flight Control and Prevention Policies API operations discussed -This sample demonstrates the following CrowdStrike Flight Control and Prevention Policies API operations: +##### Hosts API operations discussed +This sample demonstrates the following CrowdStrike Hosts API operations: | Operation | Description | | :--- | :--- | -| [QueryChildren](https://falconpy.io/Service-Collections/MSSP.html#querychildren) | Query for customers linked as children. | -| [queryCombinedPreventionPolicies](https://www.falconpy.io/Service-Collections/Prevention-Policy.html#querycombinedpreventionpolicies) | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria. | - ---- +| [PerformActionV2](https://falconpy.io/Service-Collections/Hosts.html#performactionv2) | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. 
| +| [QueryDevicesByFilter](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria. | -### Host Group Duplicator -This [example](flight_control/host_group_duplicator.py) uses the Flight Control and Host Group APIs to demonstrate duplicating a Host Group from a Parent to all Children. +
-[![Falcon Flight Control](https://img.shields.io/badge/Service%20Class-Host_Group_Duplicator-silver?style=for-the-badge&labelColor=red&logo=)](flight_control/host_group_duplicator.py) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](flight_control/host_group_duplicator.py) +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#deployment-and-management-toc) -#### Flight Control and Host Group API operations discussed -This sample demonstrates the following CrowdStrike Flight Control and Host Group API operations: +--- -| Operation | Description | -| :--- | :--- | -| [QueryChildren](https://falconpy.io/Service-Collections/MSSP.html#querychildren) | Query for customers linked as children. | -| [createHostGroups](https://www.falconpy.io/Service-Collections/Host-Group.html#createhostgroups) | Create Host Groups by specifying details about the group to create. | -| [queryCombinedHostGroups](https://www.falconpy.io/Service-Collections/Host-Group.html#querycombinedhostgroups) | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria. | + +
+

Report Executions

(click to expand)
+These samples focus on CrowdStrike's Falcon Report Executions API service collection. +
---- +- [Retrieve all report results](#retrieve-all-report-results) -### Execute a command on hosts across multiple children -Execute a single RTR command across multiple hosts within multiple child tenants. This demonstration leverages operations from the Hosts, Flight Control, Real Time Response and Real Time Response APIs. +#### Retrieve all report results +This sample will accept a schedule report ID and download all results for every successful execution of the report. -[![Falcon Flight Control](https://img.shields.io/badge/Service%20Class-Execute_Command_Across_Child_Hosts-silver?style=for-the-badge&labelColor=red&logo=)](flight_control/multicid.py) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](flight_control/multicid.py) +[![Report Executions](https://img.shields.io/badge/Service%20Class-Retrieve_all_report_results-silver?style=for-the-badge&labelColor=red&logo=)](report_executions/get_report_results.py) -#### Flight Control, Hosts, and Real Time Response API operations discussed -This sample demonstrates the following CrowdStrike Flight Control, Hosts and Real Time Response API operations: +##### Report Executions API operations discussed +This sample demonstrates the following CrowdStrike Report Executions API operations: | Operation | Description | | :--- | :--- | -| [QueryChildren](https://falconpy.io/Service-Collections/MSSP.html#querychildren) | Query for customers linked as children. | -| [BatchInitSessions](https://www.falconpy.io/Service-Collections/Real-Time-Response.html#batchinitsessions) | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. | -| [RTR_DeleteSession](https://www.falconpy.io/Service-Collections/Real-Time-Response.html#rtr_deletesession) | Delete a RTR session. 
| -| [BatchAdminCmd](https://www.falconpy.io/Service-Collections/Real-Time-Response-Admin.html#batchadmincmd) | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. | -| [RTR_CheckAdminCommandStatus](https://www.falconpy.io/Service-Collections/Real-Time-Response-Admin.html#rtr_checkadmincommandstatus) | Get status of an executed RTR administrator command on a single host. | -| [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria.| +| [report_executions_download_get](https://www.falconpy.io/Service-Collections/Report-Executions.html#report_executions_download_get) | Get report entity download. | +| [report_executions_get](https://www.falconpy.io/Service-Collections/Report-Executions.html#report_executions_get) | Retrieve report details for the provided report IDs. | +| [report_executions_query](https://www.falconpy.io/Service-Collections/Report-Executions.html#report_executions_query) | Find all report execution IDs matching the query with filter. | ---- +
-## Falcon Intelligence -This category is dedicated to Falcon Intelligence, and discusses the Falcon Intelligence Sandbox, Quick Scan, and Sample Uploads API service collections. +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#deployment-and-management-toc) -- [Manage sandbox uploads](#manage-sandbox-uploads) -- [Falcon Intelligence Sandbox scan](#falcon-intelligence-sandbox-scan) -- [Get all artifacts](#get-all-artifacts) -- [Quick Scan a target](#quick-scan-a-target) -- [S3 Bucket Protection](#s3-bucket-protection) +--- -### Manage sandbox uploads -These samples use the CrowdStrike Sample Uploads API to upload, retrieve and delete files from Falcon Intelligence Sandbox. An example for using the [Service Class](sample_uploads/sample_uploads_service.py) and the [Uber Class](sample_uploads/sample_uploads_uber.py) is provided. + +
+

Sensor Download

(click to expand)
+The samples in this section focus on CrowdStrike Sensor Download API service collection. +
-[![Sample Uploads](https://img.shields.io/badge/Service%20Class-Handle%20Sandbox%20Files-silver?style=for-the-badge&labelColor=red&logo=)](sample_uploads/sample_uploads_service.py) -[![Sample Uploads](https://img.shields.io/badge/Uber%20Class-Handle%20Sandbox%20Files-silver?style=for-the-badge&labelColor=maroon&logo=)](sample_uploads/sample_uploads_uber.py) +#### Download the CrowdStrike sensor +Use the Uber Class to [list or download versions of the CrowdStrike sensor](sensor_download/download_sensor.py). -#### Sample Uploads API operations discussed -These samples demonstrate the following CrowdStrike Sample Uploads API operations: +[![Sensor Download](https://img.shields.io/badge/Uber%20Class-List%20or%20Download%20Falcon%20Sensor-silver?style=for-the-badge&labelColor=maroon&logo=)](sensor_download/download_sensor.py) + +##### Sensor Download API operations discussed +This sample demonstrates the following CrowdStrike Sensor Download API operations: | Operation | Description | | :--- | :--- | -| [GetSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#getsamplev3) | Retrieves the file associated with the given ID (SHA256). | -| [UploadSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#uploadsamplev3) | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. | -| [DeleteSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#deletesamplev3) | Removes a sample, including file, meta and submissions from the collection. | +| [DownloadSensorInstallerById](https://falconpy.io/Service-Collections/Sensor-Download.html#downloadsensorinstallerbyid) | Get sensor installer details by providing a query. | +| [GetCombinedSensorInstallersByQuery](https://falconpy.io/Service-Collections/Sensor-Download.html#getcombinedsensorinstallersbyquery) | Download sensor installer by SHA256 ID. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#deployment-and-management-toc) --- -### Falcon Intelligence Sandbox scan + +
+

Sensor Update Policies

(click to expand)
+This section has samples that focus on the CrowdStrike Sensor Update Policies API service collection. +
-Analyze a single file for malware using the Falcon Intelligence Sandbox API with these [examples](falconx_sandbox/single_scan). A sample using the [Service Class](https://github.com/CrowdStrike/falconpy/blob/samples/samples/falconx_sandbox/single_scan/falconx_scan_example.py) and one using the [Uber Class](https://github.com/CrowdStrike/falconpy/blob/samples/samples/falconx_sandbox/single_scan/falconx_scan_example_uber.py) is provided. +#### Policy Wonk +Manage your sensor update policies with our [Policy Wonk](sensor_update_policies#manage-sensor-update-policies-with-policy-wonk) sample. -[![Falcon Intelligence Sandbox](https://img.shields.io/badge/Service%20Class-Analyze%20a%20Single%20file-silver?style=for-the-badge&labelColor=red&logo=)](falconx_sandbox/single_scan) -[![Falcon Intelligence Sandbox](https://img.shields.io/badge/Uber%20Class-Analyze%20a%20Single%20File-silver?style=for-the-badge&labelColor=maroon&logo=)](falconx_sandbox/single_scan) +[![Sensor Update Policies](https://img.shields.io/badge/Service%20Class-Policy%20Wonk-silver?style=for-the-badge&labelColor=red&logo=)](sensor_update_policies#manage-sensor-update-policies-with-policy-wonk) -#### Falcon Intelligence Sandbox API operations discussed -These samples demonstrates the following CrowdStrike Falcon Intelligence Sandbox API operations: +##### Sensor Update Policies API operations discussed +This sample demonstrates the following CrowdStrike Sensor Update Policies API operations: | Operation | Description | | :--- | :--- | -| [DeleteSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#deletesamplev3) | Removes a sample, including file, meta and submissions from the collection. | -| [GetReports](https://falconpy.io/Service-Collections/Falconx-Sandbox.html#getreports) | Get a full sandbox report. | -| [GetSubmissions](https://falconpy.io/Service-Collections/Falconx-Sandbox.html#getsubmissions) | Check the status of a sandbox analysis. 
Time required for analysis varies but is usually less than 15 minutes. | -| [UploadSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#uploadsamplev3) | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. | -| [Submit](https://falconpy.io/Service-Collections/Falconx-Sandbox.html#submit) | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. | +| [createSensorUpdatePoliciesV2](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#createsensorupdatepoliciesv2) | Create Sensor Update Policies by specifying details about the policy to create. | +| [deleteSensorUpdatePolicies](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#deletesensorupdatepolicies) | Delete a set of Sensor Update Policies by specifying their IDs. | +| [performSensorUpdatePoliciesAction](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#performsensorupdatepoliciesaction) | Perform the specified action on the Sensor Update Policies specified in the request. | +| [queryCombinedSensorUpdateBuilds](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#querycombinedsensorupdatebuilds) | Retrieve available builds for use with Sensor Update Policies. | +| [queryCombinedSensorUpdateKernels](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#querycombinedsensorupdatekernels) | Retrieve kernel compatibility info for Sensor Update Builds. | +| [queryCombinedSensorUpdatePolicyMembers](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#querycombinedsensorupdatepolicymembers) | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria. 
| +| [queryCombinedSensorUpdatePoliciesV2](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#querycombinedsensorupdatepoliciesv2) | Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria. | +| [revealUninstallToken](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#revealuninstalltoken) | Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value `MAINTENANCE` as the value for `device_id`. | +| [setSensorUpdatePoliciesPrecedence](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#setsensorupdatepoliciesprecedence) | Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence. | +| [updateSensorUpdatePoliciesV2](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#updatesensorupdatepolicies) | Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection. | + +
+[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#deployment-and-management-toc) --- -### Get all artifacts + +
+

Installation Tokens

(click to expand)
+This category is dedicated to demonstrating the functionality provided by the CrowdStrike Installation Tokens API service collection. +
-This [example](falconx_sandbox/get_all_artifacts.py) demonstrates retrieving all artifacts for all reports (in all supported formats). +#### Token Dispenser +Easily manage installation tokens within your tenant or across child tenants with the [Token Dispenser](installation_tokens#token-dispenser). -[![Falcon Intelligence Sandbox](https://img.shields.io/badge/Service%20Class-Get%20All%20Artifacts-silver?style=for-the-badge&labelColor=red&logo=)](falconx_sandbox/get_all_artifacts.py) +[![Installation Tokens](https://img.shields.io/badge/Service%20Class-Token_Dispenser-silver?style=for-the-badge&labelColor=red&logo=)](installation_tokens#token-dispenser) +[![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](installation_tokens#token-dispenser) -#### Falcon Intelligence Sandbox API operations discussed -This sample demonstrates the following CrowdStrike Falcon Intelligence Sandbox API operations: +##### Installation Tokens API operations discussed +This sample demonstrates the following CrowdStrike Installation Tokens API operations: | Operation | Description | | :--- | :--- | -| [GetArtifacts](https://falconpy.io/Service-Collections/Falconx-Sandbox.html#getartifacts) | Download IOC packs, PCAP files, and other analysis artifacts. | -| [GetReports](https://falconpy.io/Service-Collections/Falconx-Sandbox.html#getreports) | Get a full sandbox report. | -| [QueryReports](https://falconpy.io/Service-Collections/Falconx-Sandbox.html#queryreports) | Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria. | - ---- - -### Quick Scan a target - -This [demonstration](quick_scan/scan_target.py) leverages the Falcon Quick Scan and Sample Uploads APIs to scan the contents of a target folder. (Either on the local filesystem or a bucket in S3.) 
- -[![Quick Scan / Sample Uploads](https://img.shields.io/badge/Service%20Class-Scan%20a%20target-silver?style=for-the-badge&labelColor=red&logo=)](quick_scan/scan_target.py) +| [tokens_create](https://www.falconpy.io/Service-Collections/Installation-Tokens.html#tokens_create) | Creates a token. | +| [tokens_delete](https://www.falconpy.io/Service-Collections/Installation-Tokens.html#tokens_delete) | Deletes a token immediately. To revoke a token, use `token_update` instead. | +| [tokens_read](https://www.falconpy.io/Service-Collections/Installation-Tokens.html#tokens_read) | Get the details of one or more tokens by ID. | +| [tokens_update](https://www.falconpy.io/Service-Collections/Installation-Tokens.html#tokens_update) | Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore. | -#### Quick Scan and Sample Uploads API operations discussed -This sample demonstrates the following CrowdStrike Quick Scan and Sample Uploads API operations: +##### Flight Control API operations discussed +This sample demonstrates the following CrowdStrike Flight Control API operations: +| Operation | Description | +| :--- | :--- | +| [queryChildren](https://www.falconpy.io/Service-Collections/MSSP.html#querychildren) | Query for customers linked as children. | +##### Sensor Download API operations discussed +This sample demonstrates the following CrowdStrike Sensor Download API operations: | Operation | Description | | :--- | :--- | -| [DeleteSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#deletesamplev3) | Removes a sample, including file, meta and submissions from the collection. | -| [GetScans](https://falconpy.io/Service-Collections/Quick-Scan.html#getscans) | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. 
| -| [ScanSamples](https://falconpy.io/Service-Collections/Quick-Scan.html#scansamples) | Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. | -| [UploadSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#uploadsamplev3) | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. | +| [GetSensorInstallersCCIDByQuery](https://www.falconpy.io/Service-Collections/Sensor-Download.html#getsensorinstallersccidbyquery) | Get CCID to use with sensor installers. | ---- +
-### Quick Scan quota check +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#deployment-and-management-toc) -This [demonstration](quick_scan/quota_check.py) will report your current scan quota. +--- -[![Quick Scan](https://img.shields.io/badge/Service%20Class-Quota_Check-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/quick_scan#quota-check) + +
+

Quarantine

(click to expand)
+This category provides samples that demonstrate the CrowdStrike Falcon Quarantine API service collection. +
-#### Quick Scan API operations discussed -This sample demonstrates the following CrowdStrike Quick Scan API operations: +#### Get Quarantined Files +Contributed by @tsullivan06, this sample leverages the Quarantine and Sample Upload APIs to retrieve all quarantined files within your environment and then stores them to a subfolder. +Files can be downloaded raw, or archived with a password (`infected`). + +[![Quarantine](https://img.shields.io/badge/Uber%20Class-Get_Quarantined_Files-silver?style=for-the-badge&labelColor=maroon&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/quarantine#get-quarantined-files) + + +##### Quarantine and Sample Uploads API operations discussed +This sample demonstrates the following CrowdStrike Quarantine and Sample Uploads API operations: | Operation | Description | | :--- | :--- | -| [GetScans](https://falconpy.io/Service-Collections/Quick-Scan.html#getscans) | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. | +| [GetQuarantineFiles](https://www.falconpy.io/Service-Collections/Quarantine.html#getquarantinefiles) | Get quarantine file metadata for specified ids. | +| [QueryQuarantineFiles](https://www.falconpy.io/Service-Collections/Quarantine.html#queryquarantinefiles) | Get quarantine file ids that match the provided filter criteria. | +| [GetSampleV3](https://www.falconpy.io/Service-Collections/Sample-Uploads.html#getsamplev3) | Retrieves the file associated with the given ID (SHA256). | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#deployment-and-management-toc) --- -### S3 Bucket Protection + +
+

User Management

(click to expand)
+This sample category is focused on examples that leverage CrowdStrike's User Management API service collection. +
-Building on the previous example, this [solution](https://github.com/CrowdStrike/Cloud-AWS/tree/main/s3-bucket-protection) demonstrates a complete integration with AWS Lambda, AWS S3 and AWS Security Hub that scans files as they are uploaded to the bucket. Files that are found to be malicious are removed from the bucket and a finding is published to AWS Security Hub. +- [Bulk user administration](#bulk-user-administration) +- [Get user grants](#get-user-grants) -[![Quick Scan / Sample Uploads](https://img.shields.io/badge/Service%20Class-S3%20Bucket%20Protection-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/Cloud-AWS/tree/main/s3-bucket-protection) +#### Bulk user administration +This [sample](user_management#bulk-import-update-and-remove-users) demonstrates adding, updating and removing users in bulk using the User Management Service Class. -#### Quick Scan and Sample Uploads API operations discussed -This sample demonstrates the following CrowdStrike Quick Scan and Sample Uploads API operations: +[![User Management](https://img.shields.io/badge/Service%20Class-Bulk%20Edit%20Users-silver?style=for-the-badge&labelColor=red&logo=)](user_management#bulk-import-update-and-remove-users) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](user_management#bulk-import-update-and-remove-users) + +##### User Management API operations discussed +This sample demonstrates the following CrowdStrike User Management API operations: | Operation | Description | | :--- | :--- | -| [DeleteSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#deletesamplev3) | Removes a sample, including file, meta and submissions from the collection. | -| [GetScans](https://falconpy.io/Service-Collections/Quick-Scan.html#getscans) | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. 
| -| [ScanSamples](https://falconpy.io/Service-Collections/Quick-Scan.html#scansamples) | Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. | -| [UploadSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#uploadsamplev3) | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. | +| [CreateUser](https://falconpy.io/Service-Collections/User-Management.html#createuser) | Create a new user. After creating a user, assign one or more roles with [GrantUserRoleIds](https://falconpy.io/Service-Collections/User-Management.html#grantuserroleids). | +| [DeleteUser](https://falconpy.io/Service-Collections/User-Management.html#deleteuser) | Delete a user permanently. | +| [GetAvailableRoleIds](https://falconpy.io/Service-Collections/User-Management.html#getavailableroleids) | Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to [GetRoles](https://falconpy.io/Service-Collections/User-Management.html#getroles). | +| [GetUserRoleIds](https://falconpy.io/Service-Collections/User-Management.html#getuserroleids) | Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to [GetRoles](https://falconpy.io/Service-Collections/User-Management.html#getroles). | +| [GrantUserRoleIds](https://falconpy.io/Service-Collections/User-Management.html#grantuserroleids) | Assign one or more roles to a user. | +| [RetrieveUser](https://falconpy.io/Service-Collections/User-Management.html#retrieveuser) | Get info about a user. | +| [RetrieveUserUUID](https://falconpy.io/Service-Collections/User-Management.html#retrieveuseruuid) | Get a user's ID by providing a username (usually an email address). 
| +| [RetrieveUserUUIDsByCID](https://falconpy.io/Service-Collections/User-Management.html#retrieveuseruuidsbycid) | List user IDs for all users in your customer account. For more information on each user, provide the user ID to [RetrieveUser](https://falconpy.io/Service-Collections/User-Management.html#retrieveuser). | +| [RevokeUserRoleIds](https://falconpy.io/Service-Collections/User-Management.html#revokeuserroleids) | Revoke one or more roles from a user. | --- -## Firewall Management -The CrowdStrike Falcon Firewall Management and Firewall Policies APIs are the focus of this section. - -### Export Firewall events to a file -Developed by `@wozboz`, this [example](firewall_management/get_firewall_events.py) demonstrates exporting Firewall events using the Firewall Management Service Class. This sample also provides an example of _tokenized pagination_ leveraging the `after` return parameter found in the `meta` branch. More details regarding this style of pagination can be found [here](https://falconpy.io/Usage/Response-Handling.html#paginating-json-responses). +#### Get user grants +This [sample](user_management#get-user-grants) demonstrates retrieving a list of all user grants asynchronously using the User Management Service Class. 
-[![Firewall Management](https://img.shields.io/badge/Service%20Class-Export_Firewall_Events-silver?style=for-the-badge&labelColor=red&logo=)](firewall_management/get_firewall_events.py) +[![User Management](https://img.shields.io/badge/Service%20Class-Get_User_Grants-silver?style=for-the-badge&labelColor=red&logo=)](user_management#get-user-grants) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](user_management#get-user-grants) -#### Firewall Management operations discussed -This sample demonstrates the following CrowdStrike Firewall Management API operations: +##### User Management API operations discussed +This sample demonstrates the following CrowdStrike User Management API operations: | Operation | Description | | :--- | :--- | -| [get_events](https://falconpy.io/Service-Collections/Firewall-Management.html#get_events) | Get events entities by ID and optionally version. | -| [query_events](https://falconpy.io/Service-Collections/Firewall-Management.html#query_events) | Find all event IDs matching the query with filter. | +| [queryUserV1](https://falconpy.io/Service-Collections/User-Management.html#queryuserv1) | List user IDs for all users in your customer account. | +| [combinedUserRolesV1](https://falconpy.io/Service-Collections/User-Management.html#combineduserrolesv1) | Get User Grant(s). This operation lists both direct as well as flight control grants between a user and a customer. | +| [retrieveUsersGETV1](https://falconpy.io/Service-Collections/User-Management.html#retrieveusersgetv1) | Get information about users including their name, UID, and CID by providing user UUIDs. | ---- +
-## Hosts -The samples collected in this section demonstrate leveraging CrowdStrike's Hosts and Host Group API service collections to secure your endpoints. +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#deployment-and-management-toc) -- [List sensors by hostname](#list-sensors-by-hostname) -- [CUSSED (Stale sensor detector)](#cussed-manage-stale-sensors) -- [Match usernames to hosts](#match-usernames-to-hosts) -- [Offset vs. Token](#offset-vs-token) -- [Quarantine a host](#quarantine-a-host) -- [Quarantine a host (updated)](#quarantine-a-host-updated-version) +--- -### List sensors by hostname -This [example](hosts#list-sensors-by-hostname) will demonstrate how to retrieve a list of sensors by hostname. + +
+

Event Streams

(click to expand)
+This category is focused on the CrowdStrike Event Streams API service collection. +
-[![Hosts](https://img.shields.io/badge/Service%20Class-List%20Sensors%20By%20Hostname-silver?style=for-the-badge&labelColor=red&logo=)](hosts#list-sensors-by-hostname) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](hosts#list-sensors-by-hostname) +#### Send detections to AWS Security Hub +This [example](https://github.com/CrowdStrike/Cloud-AWS/tree/main/Security-Hub) demonstrates publishing AWS Security Hub findings from CrowdStrike Falcon Event Streams API. -#### Hosts API operations discussed -This sample demonstrates the following CrowdStrike Hosts API operations: +[![Event Streams](https://img.shields.io/badge/Uber%20Class-Send%20Detections%20to%20AWS%20Security%20Hub-silver?style=for-the-badge&labelColor=maroon&logo=)](https://github.com/CrowdStrike/Cloud-AWS/tree/main/Security-Hub) + +##### Event Streams API operations discussed +This sample demonstrates the following CrowdStrike Event Streams API operations: | Operation | Description | | :--- | :--- | -| [GetDeviceDetails](https://falconpy.io/Service-Collections/Hosts.html#getdevicedetails) | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) operation, the Falcon console or the Streaming API. | -| [QueryDevicesByFilter](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria. | +| [listAvailableStreamsOAuth2](https://falconpy.io/Service-Collections/Event-Streams.html#listavailablestreamsoauth2) | Discover all event streams in your environment. | +| [refreshActiveStreamSession](https://falconpy.io/Service-Collections/Event-Streams.html#refreshactivestreamsession) | Refresh an active event stream. 
Use the URL shown in a [listAvailableStreamsOAuth2](https://falconpy.io/Service-Collections/Event-Streams.html#listavailablestreamsoauth2) response. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#deployment-and-management-toc) --- -### Manage duplicate sensors -Identify and optionally remove duplicate sensors using this [example](https://github.com/CrowdStrike/falconpy/tree/main/samples/hosts#list-duplicate-sensors). + +
+

Flight Control

(click to expand)
+The samples in this category demonstrate functionality for MSSP scenarios using the Falcon Flight Control API service collection. +
-[![Hosts](https://img.shields.io/badge/Service%20Class-Find%20Duplicate%20Sensors-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/hosts#list-duplicate-sensors) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](https://github.com/CrowdStrike/falconpy/tree/main/samples/hosts#list-duplicate-sensors) +#### Find child CID +This [example](flight_control/find_child_cid.py) demonstrates retrieving a child CID using the CrowdStrike Falcon Flight Control API. -#### Hosts API operations discussed -This sample demonstrates the following CrowdStrike Hosts API operations: +[![Falcon Flight Control](https://img.shields.io/badge/Service%20Class-Find%20Child%20CID-silver?style=for-the-badge&labelColor=red&logo=)](flight_control/find_child_cid.py) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](flight_control/find_child_cid.py) + +##### Flight Control API operations discussed +This sample demonstrates the following CrowdStrike Flight Control API operations: | Operation | Description | | :--- | :--- | -| [GetDeviceDetails](https://falconpy.io/Service-Collections/Hosts.html#getdevicedetails) | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) operation, the Falcon console or the Streaming API. | -| [PerformActionV2](https://falconpy.io/Service-Collections/Hosts.html#performactionv2) | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. 
| -| [QueryDevicesByFilterScroll](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll) | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). | +| [QueryChildren](https://falconpy.io/Service-Collections/MSSP.html#querychildren) | Query for customers linked as children. | --- -### CUSSED (Manage stale sensors) -Identify and optionally remove stale sensors using this [example](hosts#list-stale-sensors). +#### Get Child Prevention Policies +This [example](flight_control/get_child_prevention_policies.py) uses the Flight Control and Prevention Policies Host Group APIs to demonstrate retrieving prevention policies for some or all child tenants. -[![Hosts](https://img.shields.io/badge/Service%20Class-Find%20Stale%20Sensors-silver?style=for-the-badge&labelColor=red&logo=)](hosts#list-stale-sensors) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](hosts#list-stale-sensors) +[![Falcon Flight Control](https://img.shields.io/badge/Service%20Class-Get_Child_Prevention_Policies-silver?style=for-the-badge&labelColor=red&logo=)](flight_control/get_child_prevention_policies.py) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](flight_control/get_child_prevention_policies.py) -#### Hosts API operations discussed -This sample demonstrates the following CrowdStrike Hosts API operations: +##### Flight Control and Prevention Policies API operations discussed +This sample demonstrates the following CrowdStrike Flight Control and Prevention Policies API operations: | Operation | Description | | :--- | :--- | -| [GetDeviceDetails](https://falconpy.io/Service-Collections/Hosts.html#getdevicedetails) | Get details on one or more hosts by providing agent IDs (AID). 
You can get a host's agent IDs (AIDs) from the [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) operation, the Falcon console or the Streaming API. | -| [PerformActionV2](https://falconpy.io/Service-Collections/Hosts.html#performactionv2) | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. | -| [QueryDevicesByFilterScroll](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll) | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). | +| [QueryChildren](https://falconpy.io/Service-Collections/MSSP.html#querychildren) | Query for customers linked as children. | +| [queryCombinedPreventionPolicies](https://www.falconpy.io/Service-Collections/Prevention-Policy.html#querycombinedpreventionpolicies) | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria. | --- -### Match usernames to hosts -Submitted by `@micgoetz`, the [Match Username to Host](hosts#match-usernames-to-hosts) sample demonstrates mapping usernames to hosts with Falcon Grouping tags. +#### Host Group Duplicator +This [example](flight_control/host_group_duplicator.py) uses the Flight Control and Host Group APIs to demonstrate duplicating a Host Group from a Parent to all Children. 
-[![Hosts](https://img.shields.io/badge/Service%20Class-Match_Username_to_Host-silver?style=for-the-badge&labelColor=red&logo=)](hosts#match-usernames-to-hosts) +[![Falcon Flight Control](https://img.shields.io/badge/Service%20Class-Host_Group_Duplicator-silver?style=for-the-badge&labelColor=red&logo=)](flight_control/host_group_duplicator.py) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](flight_control/host_group_duplicator.py) -#### Hosts API operations discussed -This sample demonstrates the following CrowdStrike Hosts API operations: +##### Flight Control and Host Group API operations discussed +This sample demonstrates the following CrowdStrike Flight Control and Host Group API operations: | Operation | Description | | :--- | :--- | -| [GetDeviceDetails](https://falconpy.io/Service-Collections/Hosts.html#getdevicedetails) | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) operation, the Falcon console or the Streaming API. | -| [QueryDevicesByFilter](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria. | -| [QueryDeviceLoginHistory](https://www.falconpy.io/Service-Collections/Hosts.html#querydeviceloginhistory) | Retrieve details about recent login sessions for a set of devices. | -| [UpdateDeviceTags](https://www.falconpy.io/Service-Collections/Hosts.html#updatedevicetags) | Append or remove one or more Falcon Grouping Tags on one or more hosts. | +| [QueryChildren](https://falconpy.io/Service-Collections/MSSP.html#querychildren) | Query for customers linked as children. 
| +| [createHostGroups](https://www.falconpy.io/Service-Collections/Host-Group.html#createhostgroups) | Create Host Groups by specifying details about the group to create. | +| [queryCombinedHostGroups](https://www.falconpy.io/Service-Collections/Host-Group.html#querycombinedhostgroups) | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria. | --- -### Offset vs. Token -This [demonstration](hosts#comparing-querydevicesbyfilter-and-querydevicesbyfilterscroll-offset-vs-token) discusses the [pagination](https://falconpy.io/Usage/Response-Handling.html#paginating-json-responses) differences when using [`QueryDevicesByFilter`](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) versus [`QueryDevicesByFilterScroll`](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll). +#### Execute a command on hosts across multiple children +Execute a single RTR command across multiple hosts within multiple child tenants. This demonstration leverages operations from the Hosts, Flight Control, Real Time Response and Real Time Response APIs. 
-[![Hosts](https://img.shields.io/badge/Service%20Class-Offset%20vs.%20Token-silver?style=for-the-badge&labelColor=red&logo=)](hosts#comparing-querydevicesbyfilter-and-querydevicesbyfilterscroll-offset-vs-token) +[![Falcon Flight Control](https://img.shields.io/badge/Service%20Class-Execute_Command_Across_Child_Hosts-silver?style=for-the-badge&labelColor=red&logo=)](flight_control/multicid.py) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](flight_control/multicid.py) -#### Hosts API operations discussed -This sample demonstrates the following CrowdStrike Hosts API operations: +##### Flight Control, Hosts, and Real Time Response API operations discussed +This sample demonstrates the following CrowdStrike Flight Control, Hosts and Real Time Response API operations: | Operation | Description | | :--- | :--- | -| [QueryDevicesByFilter](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria. | -| [QueryDevicesByFilterScroll](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll) | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). | +| [QueryChildren](https://falconpy.io/Service-Collections/MSSP.html#querychildren) | Query for customers linked as children. | +| [BatchInitSessions](https://www.falconpy.io/Service-Collections/Real-Time-Response.html#batchinitsessions) | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. | +| [RTR_DeleteSession](https://www.falconpy.io/Service-Collections/Real-Time-Response.html#rtr_deletesession) | Delete a RTR session. 
| +| [BatchAdminCmd](https://www.falconpy.io/Service-Collections/Real-Time-Response-Admin.html#batchadmincmd) | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. | +| [RTR_CheckAdminCommandStatus](https://www.falconpy.io/Service-Collections/Real-Time-Response-Admin.html#rtr_checkadmincommandstatus) | Get status of an executed RTR administrator command on a single host. | +| [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria.| + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#deployment-and-management-toc) --- -### Prune Hosts by Hostname or AID -This sample demonstrates [removing and restoring hosts by hostname or AID](hosts/prune_hosts.py). +
-[![Hosts](https://img.shields.io/badge/Service%20Class-Hosts_Pruner-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/hosts#prune-hosts-by-hostname-or-aid) -#### Hosts API operations discussed -This sample demonstrates the following CrowdStrike Hosts API operations: + + + +
+

Endpoint Security

+ +
+

Custom IOA

(click to expand)
+These samples demonstrate using CrowdStrike's Custom IOA service collection. +
+ +#### Custom IOA Cloner +The [Custom IOA Cloner](custom_ioa#custom-ioa-cloner) demonstrates displaying, deleting and cloning Custom IOA rule groups. + +[![Custom IOA](https://img.shields.io/badge/Service%20Class-Custom_IOA_Cloner-silver?style=for-the-badge&labelColor=red&logo=)](custom_ioa#custom-ioa-cloner) + +##### Custom IOA API operations discussed +This sample demonstrates the following CrowdStrike Custom IOA API operations: | Operation | Description | | :--- | :--- | -| [PerformActionV2](https://falconpy.io/Service-Collections/Hosts.html#performactionv2) | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. | -| [GetDeviceDetails](https://falconpy.io/Service-Collections/Hosts.html#getdevicedetails) | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the [QueryDevicesByFilter](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) operation, the Falcon console or the Streaming API. | -| [QueryDevicesByFilterScroll](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll) | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). | +| [create_rule](https://www.falconpy.io/Service-Collections/Custom-IOA.html#create_rule) | Create a rule within a rule group. Returns the rule. | +| [create_rule_groupMixin0](https://www.falconpy.io/Service-Collections/Custom-IOA.html#create_rule_groupmixin0) | Create a rule group for a platform with a name and an optional description. Returns the rule group. | +| [delete_rule_groupsMixin0](https://www.falconpy.io/Service-Collections/Custom-IOA.html#delete_rule_groupsmixin0) | Delete rule groups by ID. 
| +| [query_rule_groups_full](https://www.falconpy.io/Service-Collections/Custom-IOA.html#query_rule_groups_full) | Find all rule groups matching the query with optional filter. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#endpoint-security-toc) --- -### Quarantine a host -Developed by one of our maintainers `@soggysec`, this example demonstrates how to [quarantine target hosts](rtr/quarantine_hosts.py). + +
+

Detects

(click to expand)
+The CrowdStrike Detects API service collection is the sole focus of these samples. +
-[![Hosts](https://img.shields.io/badge/Service%20Class-Quarantine%20Target%20Host-silver?style=for-the-badge&labelColor=red&logo=)](rtr/quarantine_hosts.py) +#### Detects Advisor +[Detects Advisor](detects#detects-advisor) is an example application for triaging inbound detections in your CrowdStrike Falcon tenant. -#### Hosts API operations discussed -This sample demonstrates the following CrowdStrike Hosts API operations: +[![Detects](https://img.shields.io/badge/Service%20Class-Detects%20Advisor-silver?style=for-the-badge&labelColor=red&logo=)](detects#detects-advisor) + +##### Detects API operations discussed +This sample demonstrates the following CrowdStrike Detects API operations: | Operation | Description | | :--- | :--- | -| [PerformActionV2](https://falconpy.io/Service-Collections/Hosts.html#performactionv2) | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. | -| [QueryDevicesByFilter](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria. | +| [GetDetectSummaries](https://falconpy.io/Service-Collections/Detects.html#getdetectsummaries) | View information about detections. | +| [QueryDetects](https://falconpy.io/Service-Collections/Detects.html#querydetects) | Search for detection IDs that match a given query. | +| [UpdateDetectsByIdsV2](https://falconpy.io/Service-Collections/Detects.html#updatedetectsbyidsv2) | Modify the state, assignee, and visibility of detections. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#endpoint-security-toc) --- -### Quarantine a host (updated version) -This is the same solution, but [updated](hosts/quarantine_hosts_new.py) to demonstrate [Direct Authentication](https://www.falconpy.io/Usage/Authenticating-to-the-API.html#direct-authentication), [Body Payload Abstraction](https://www.falconpy.io/Usage/Payload-Handling.html#body-payload-abstraction) and [Parameter Abstraction](https://www.falconpy.io/Usage/Payload-Handling.html#parameter-abstraction). + +
+

IOC

(click to expand)
+The samples in this section focus on the CrowdStrike IOC API service collection. +
-[![Hosts](https://img.shields.io/badge/Service%20Class-Quarantine%20Target%20Host%20(Updated)-silver?style=for-the-badge&labelColor=red&logo=)](hosts/quarantine_hosts_new.py) +#### Create indicators +Use this example to [create an Indicator of Compromise](ioc/create_ioc.py) (IOC). This example demonstrates the same operation using both the Service Class and the Uber Class. The Uber Class solution does not make use of [Body Payload Abstraction](https://falconpy.io/Usage/Payload-Handling.html#body-payload-abstraction). -#### Hosts API operations discussed -This sample demonstrates the following CrowdStrike Hosts API operations: +[![IOC](https://img.shields.io/badge/Service%20Class-Create%20An%20IOC-silver?style=for-the-badge&labelColor=red&logo=)](ioc/create_ioc.py) +[![IOC](https://img.shields.io/badge/Uber%20Class-Create%20An%20IOC-silver?style=for-the-badge&labelColor=maroon&logo=)](ioc/create_ioc.py) + +##### IOC API operations discussed +This sample demonstrates the following CrowdStrike IOC API operations: | Operation | Description | | :--- | :--- | -| [PerformActionV2](https://falconpy.io/Service-Collections/Hosts.html#performactionv2) | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. | -| [QueryDevicesByFilter](https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria. | +| [indicator_create_v1](https://falconpy.io/Service-Collections/IOC.html#indicator_create_v1) | Create indicators. | ---- +
-## Identity Protection -This category is dedicated to demonstrating the functionality provided by the CrowdStrike Identity Protection API service collection. +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#endpoint-security-toc) -- [GraphQL Pagination](#graphql-pagination) +--- -### GraphQL Pagination -This sample demonstrates pagination using GraphQL within the Identity Protection service collection. + +
+

Prevention Policy

(click to expand)
+The samples in this section demonstrate using CrowdStrike's Prevention Policy API service collection. +
-[![Identity Protection](https://img.shields.io/badge/Service%20Class-GraphQL_Pagination-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/identity#graphql-pagination) +#### Prevention Policy Hawk +Manage your CrowdStrike prevention policy settings using the [Prevention Policy Hawk](prevention_policy#manage-prevention-policies-with-prevention-policy-hawk) sample. -#### Identity Protection API operations discussed -This sample demonstrates the following CrowdStrike Identity Protection API operations: +[![Prevention Policy](https://img.shields.io/badge/Service%20Class-Prevention_Policy_Hawk-silver?style=for-the-badge&labelColor=red&logo=)](prevention_policy#manage-prevention-policies-with-prevention-policy-hawk) + +##### Prevention Policy API operations discussed +This sample demonstrates the following CrowdStrike Prevention Policy API operations: | Operation | Description | | :--- | :--- | -| [api_preempt_proxy_post_graphql](https://www.falconpy.io/Service-Collections/Identity-Protection.html#api_preempt_proxy_post_graphql) | Identity Protection GraphQL API. Allows for retrieving entities, timeline activities, identity-based incidents and security assessment. Allows for performing actions on entities and identity-based incidents. | +| [deletePreventionPolicies](https://falconpy.io/Service-Collections/Prevention-Policy.html#deletepreventionpolicies) | Delete a set of Prevention Policies by specifying their IDs. | +| [performPreventionPoliciesAction](https://falconpy.io/Service-Collections/Prevention-Policy.html#performpreventionpoliciesaction) | Perform the specified action on the Prevention Policies specified in the request. | +| [queryCombinedPreventionPolicies](https://falconpy.io/Service-Collections/Prevention-Policy.html#querycombinedpreventionpolicies) | Search for Prevention Policies in your environment by providing a FQL filter and paging details. 
Returns a set of Prevention Policies which match the filter criteria. | +| [getPreventionPolicies](https://falconpy.io/Service-Collections/Prevention-Policy.html#getpreventionpolicies) | Retrieve a set of Prevention Policies by specifying their IDs. | +| [queryPreventionPolicies](https://falconpy.io/Service-Collections/Prevention-Policy.html#querypreventionpolicies) | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria. | +| [updatePreventionPolicies](https://falconpy.io/Service-Collections/Prevention-Policy.html#updatepreventionpolicies) | Update Prevention Policies by specifying the ID of the policy and details to update. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#endpoint-security-toc) --- -## Incidents + +
+

Incidents

(click to expand)
This category is dedicated to demonstrating the functionality provided by the CrowdStrike Incidents API service collection. +
- [CrowdScore QuickChart](#crowdscore-quickchart) - [Incidents Triage](#incident-triage) -### CrowdScore QuickChart +#### CrowdScore QuickChart Quickly chart your past 24 hours of CrowdScore results with the [CrowdScore QuickChart](incidents#chart-your-crowdscore-for-the-past-day) sample. [![Incidents](https://img.shields.io/badge/Service%20Class-CrowdScore_QuickChart-silver?style=for-the-badge&labelColor=red&logo=)](incidents#chart-your-crowdscore-for-the-past-day) -#### Incidents API operations discussed +##### Incidents API operations discussed This sample demonstrates the following CrowdStrike Incidents API operations: | Operation | Description | @@ -628,12 +764,12 @@ This sample demonstrates the following CrowdStrike Incidents API operations: --- -### Incident Triage +#### Incident Triage This example demonstrates triaging Incidents. You can assign / unassign responders, add / remove tags, and change name, description and status of an incident using the [Incident Triage](incidents#incident-triage) utility. [![Incidents](https://img.shields.io/badge/Service%20Class-Incident_Triage-silver?style=for-the-badge&labelColor=red&logo=)](incidents#incident-triage) -#### Incidents API operations discussed +##### Incidents API operations discussed This sample demonstrates the following CrowdStrike Incidents API operations: | Operation | Description | @@ -642,237 +778,67 @@ This sample demonstrates the following CrowdStrike Incidents API operations: | [GetIncidents](https://falconpy.io/Service-Collections/Incidents.html#getincidents) | Get details on incidents by providing incident IDs. | | [QueryIncidents](https://falconpy.io/Service-Collections/Incidents.html#queryincidents) | Search for incidents by providing a FQL filter, sorting, and paging details. | ---- +
-## Installation Tokens -This category is dedicated to demonstrating the functionality provided by the CrowdStrike Installation Tokens API service collection. +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#endpoint-security-toc) -- [Token Dispenser](#token-dispenser) +--- -### Token Dispenser -Easily manage installation tokens within your tenant or across child tenants with the [Token Dispenser](installation_tokens#token-dispenser). + +
+

Real Time Response

(click to expand)
+These samples focus on CrowdStrike's Real Time Response and Real Time Response Admin API service collections. +
-[![Installation Tokens](https://img.shields.io/badge/Service%20Class-Token_Dispenser-silver?style=for-the-badge&labelColor=red&logo=)](installation_tokens#token-dispenser) -[![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](installation_tokens#token-dispenser) +- [Bulk execute a command](#bulk-execute-a-command) +- [Bulk execute a command (queued)](#bulk-execute-a-command-queued) +- [Get RTR result](#get-rtr-result) +- [Dump memory for a running process](#dump-memory-for-a-running-process) +- [My Little RTR](#my-little-rtr) +- [ProxyTool](#proxytool) -#### Installation Tokens API operations discussed -This sample demonstrates the following CrowdStrike Installation Tokens API operations: +#### Bulk execute a command +Using this [demonstration](rtr#bulk-execute-a-command-on-matched-hosts), you can execute a command on multiple hosts that have a hostname matching a search string you provide. -| Operation | Description | -| :--- | :--- | -| [tokens_create](https://www.falconpy.io/Service-Collections/Installation-Tokens.html#tokens_create) | Creates a token. | -| [tokens_delete](https://www.falconpy.io/Service-Collections/Installation-Tokens.html#tokens_delete) | Deletes a token immediately. To revoke a token, use `token_update` instead. | -| [tokens_read](https://www.falconpy.io/Service-Collections/Installation-Tokens.html#tokens_read) | Get the details of one or more tokens by ID. | -| [tokens_update](https://www.falconpy.io/Service-Collections/Installation-Tokens.html#tokens_update) | Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore. 
| +[![Real Time Response](https://img.shields.io/badge/Service%20Class-Bulk%20execute%20a%20command-silver?style=for-the-badge&labelColor=red&logo=)](rtr#bulk-execute-a-command-on-matched-hosts) -#### Flight Control API operations discussed -This sample demonstrates the following CrowdStrike Flight Control API operations: -| Operation | Description | -| :--- | :--- | -| [queryChildren](https://www.falconpy.io/Service-Collections/MSSP.html#querychildren) | Query for customers linked as children. | +##### Real Time Response API operations discussed +This sample demonstrates the following CrowdStrike Real Time Response and Real Time Response Admin API operations: -#### Sensor Download API operations discussed -This sample demonstrates the following CrowdStrike Sensor Download API operations: | Operation | Description | | :--- | :--- | -| [GetSensorInstallersCCIDByQuery](https://www.falconpy.io/Service-Collections/Sensor-Download.html#getsensorinstallersccidbyquery) | Get CCID to use with sensor installers. | +| [BatchAdminCmd](https://falconpy.io/Service-Collections/Real-Time-Response-Admin.html#batchadmincmd) | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. | +| [BatchInitSessions](https://falconpy.io/Service-Collections/Real-Time-Response.html#batchinitsessions) | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. | +| [RTR_DeleteSession](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_deletesession) | Delete a session. | --- -## Intel -This category provides samples that demonstrate the CrowdStrike Falcon Intel API service collection. +#### Bulk execute a command (queued) -### Get MITRE ATT&CK Reports -Retrieve some or all available adversary MITRE ATT&CK reports. 
+Building on the previous demonstration, this [sample](rtr/queued_execute.py) also executes a command on multiple hosts that have a hostname matching a search string, with the addition of queuing the commands for later processing should the host be offline. -[![Intel](https://img.shields.io/badge/Service%20Class-Get_MITRE_ATT&CK_Reports-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/intel#get-mitre-attck-reports) +[![Real Time Response](https://img.shields.io/badge/Service%20Class-Bulk%20execute%20a%20command_with_queuing-silver?style=for-the-badge&labelColor=red&logo=)](rtr/queued_execute.py) -#### Intel API operations discussed -This sample demonstrates the following CrowdStrike Intel API operations: +##### Real Time Response API operations discussed +This sample demonstrates the following CrowdStrike Real Time Response and Real Time Response Admin API operations: | Operation | Description | | :--- | :--- | -| [GetIntelActorEntities](https://falconpy.io/Service-Collections/Intel.html#getintelactorentities) | Retrieve specific actors using their actor IDs. | -| [GetMitreReport](https://www.falconpy.io/Service-Collections/Intel.html#getmitrereport) | Export Mitre ATT&CK information for a given actor. | -| [QueryMitreAttacks](https://www.falconpy.io/Service-Collections/Intel.html#querymitreattacks) | Gets MITRE tactics and techniques for the given actor. | +| [BatchAdminCmd](https://falconpy.io/Service-Collections/Real-Time-Response-Admin.html#batchadmincmd) | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. | +| [BatchInitSessions](https://falconpy.io/Service-Collections/Real-Time-Response.html#batchinitsessions) | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. 
| +| [RTR_CheckAdminCommandStatus](https://falconpy.io/Service-Collections/Real-Time-Response-Admin.html#rtr_checkadmincommandstatus) | Get status of an executed RTR administrator command on a single host. | +| [RTR_DeleteSession](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_deletesession) | Delete a session. | +| [RTR_ListQueuedSessions](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_listqueuedsessions) | Get queued session metadata by session ID. | +--- -### Intel Search -Quickly search CrowdStrike Falcon Intelligence data for string matches. -Displays lists of matches and extended details for individual records when only one result is returned. -When a value for output prefix (`-o`) is provided, results will also be written to individual files in CSV format. +#### Get host uptime +Use the `runscript` command to retrieve host uptime. -[![Intel](https://img.shields.io/badge/Service%20Class-Intel_Search-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/intel#intel-search) +[![Real Time Response](https://img.shields.io/badge/Service%20Class-Get_Host_Uptime-silver?style=for-the-badge&labelColor=red&logo=)](rtr/get_host_uptime.py) -#### Intel API operations discussed -This sample demonstrates the following CrowdStrike Intel API operations: - -| Operation | Description | -| :--- | :--- | -| [QueryIntelActorEntites](https://www.falconpy.io/Service-Collections/Intel.html#queryintelactorentities) | Get info about actors that match provided FQL filters. | -| [QueryIntelIndicatorEntities](https://www.falconpy.io/Service-Collections/Intel.html#queryintelindicatorentities) | Get info about indicators that match provided FQL filters. | -| [QueryIntelReportEntities](https://www.falconpy.io/Service-Collections/Intel.html#queryintelreportentities) | Get info about reports that match provided FQL filters. 
| -| [GetIntelActorEntities](https://falconpy.io/Service-Collections/Intel.html#getintelactorentities) | Retrieve specific actors using their actor IDs. | -| [GetIntelIndicatorEntities](https://www.falconpy.io/Service-Collections/Intel.html#getintelindicatorentities) | Retrieve specific indicators using their indicator IDs. | -| [GetIntelReportEntities](https://www.falconpy.io/Service-Collections/Intel.html#queryintelreportentities) | Retrieve specific reports using their report IDs. | - ---- - -### MISP Import -This [utility](https://github.com/CrowdStrike/MISP-tools#manual-import) will import CrowdStrike Intel Threat indicators (Actors, Indicators and Reports) into your instance of [MISP](https://github.com/MISP/MISP). - -[![Intel](https://img.shields.io/badge/Service%20Class-MISP_Import-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/MISP-tools#manual-import) - -#### Intel API operations discussed -This sample demonstrates the following CrowdStrike Intel API operations: - -| Operation | Description | -| :--- | :--- | -| [GetIntelActorEntities](https://falconpy.io/Service-Collections/Intel.html#getintelactorentities) | Retrieve specific actors using their actor IDs. | -| [GetIntelIndicatorEntities](https://falconpy.io/Service-Collections/Intel.html#getintelindicatorentities) | Retrieve specific indicators using their indicator IDs. | -| [GetIntelReportEntities](https://falconpy.io/Service-Collections/Intel.html#getintelreportentities) | Retrieve specific reports using their report IDs. | -| [QueryIntelActorEntities](https://falconpy.io/Service-Collections/Intel.html#queryintelactorentities) | Get info about actors that match provided FQL filters. | -| [QueryIntelIndicatorEntities](https://falconpy.io/Service-Collections/Intel.html#queryintelindicatorentities) | Get info about indicators that match provided FQL filters. 
| -| [QueryIntelReportEntities](https://falconpy.io/Service-Collections/Intel.html#queryintelreportentities) | Get info about reports that match provided FQL filters. | - ---- - -## IOC -The samples in this section focus on the CrowdStrike IOC API service collection. - -### Create indicators -Use this example to [create an Indicator of Compromise](ioc/create_ioc.py) (IOC). This example demonstrates the same operation using both the Service Class and the Uber Class. The Uber Class solution does not make use of [Body Payload Abstraction](https://falconpy.io/Usage/Payload-Handling.html#body-payload-abstraction). - -[![IOC](https://img.shields.io/badge/Service%20Class-Create%20An%20IOC-silver?style=for-the-badge&labelColor=red&logo=)](ioc/create_ioc.py) -[![IOC](https://img.shields.io/badge/Uber%20Class-Create%20An%20IOC-silver?style=for-the-badge&labelColor=maroon&logo=)](ioc/create_ioc.py) - -#### IOC API operations discussed -This sample demonstrates the following CrowdStrike IOC API operations: - -| Operation | Description | -| :--- | :--- | -| [indicator_create_v1](https://falconpy.io/Service-Collections/IOC.html#indicator_create_v1) | Create indicators. | - ---- - -## MalQuery -This section is dedicated to the CrowdStrike MalQuery API service collection. - -### Malqueryinator -Coded by our [**Purveyor of Lint**](https://xkcd.com/1513/) `@jlangdev`, [Malqueryinator](malquery#search-and-download-samples-from-malquery) demonstrates how to use the CrowdStrike MalQuery API to search and download malware samples. - -[![MalQuery](https://img.shields.io/badge/Uber%20Class-Download%20Malware%20Samples%20with%20Malqueryinator-silver?style=for-the-badge&labelColor=maroon&logo=)](malquery#search-and-download-samples-from-malquery) - -> This sample has been used in other integrations! You can check out the related integration [here](https://github.com/CrowdStrike/Cloud-AWS/blob/main/s3-bucket-protection/demo/instance.tf#L45). 
- -#### MalQuery API operations discussed -This sample demonstrates the following CrowdStrike MalQuery API operations: - -| Operation | Description | -| :--- | :--- | -| [GetMalQueryEntitiesSamplesFetchV1](https://falconpy.io/Service-Collections/MalQuery.html#getmalqueryentitiessamplesfetchv1) | Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing. | -| [GetMalQueryRequestV1](https://falconpy.io/Service-Collections/MalQuery.html#getmalqueryrequestv1) | Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time. | -| [PostMalQueryEntitiesSamplesMultidownloadV1](https://falconpy.io/Service-Collections/MalQuery.html#postmalqueryentitiessamplesmultidownloadv1) | Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip. | -| [PostMalQueryFuzzySearchV1](https://falconpy.io/Service-Collections/MalQuery.html#postmalqueryfuzzysearchv1) | Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. | - ---- - -## Prevention Policy -The samples in this section demonstrate using CrowdStrike's Prevention Policy API service collection. - -### Prevention Policy Hawk -Manage your CrowdStrike prevention policy settings using the [Prevention Policy Hawk](prevention_policy#manage-prevention-policies-with-prevention-policy-hawk) sample. 
- -[![Prevention Policy](https://img.shields.io/badge/Service%20Class-Prevention_Policy_Hawk-silver?style=for-the-badge&labelColor=red&logo=)](prevention_policy#manage-prevention-policies-with-prevention-policy-hawk) - -#### Prevention Policy API operations discussed -This sample demonstrates the following CrowdStrike Prevention Policy API operations: - -| Operation | Description | -| :--- | :--- | -| [deletePreventionPolicies](https://falconpy.io/Service-Collections/Prevention-Policy.html#deletepreventionpolicies) | Delete a set of Prevention Policies by specifying their IDs. | -| [performPreventionPoliciesAction](https://falconpy.io/Service-Collections/Prevention-Policy.html#performpreventionpoliciesaction) | Perform the specified action on the Prevention Policies specified in the request. | -| [queryCombinedPreventionPolicies](https://falconpy.io/Service-Collections/Prevention-Policy.html#querycombinedpreventionpolicies) | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria. | -| [getPreventionPolicies](https://falconpy.io/Service-Collections/Prevention-Policy.html#getpreventionpolicies) | Retrieve a set of Prevention Policies by specifying their IDs. | -| [queryPreventionPolicies](https://falconpy.io/Service-Collections/Prevention-Policy.html#querypreventionpolicies) | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria. | -| [updatePreventionPolicies](https://falconpy.io/Service-Collections/Prevention-Policy.html#updatepreventionpolicies) | Update Prevention Policies by specifying the ID of the policy and details to update. | - ---- - -## Quarantine -This category provides samples that demonstrate the CrowdStrike Falcon Quarantine API service collection. 
- -### Get Quarantined Files -Contributed by @tsullivan06, this sample leverages the Quarantine and Sample Upload APIs to retrieve all quarantined files within your environment and then stores them to a subfolder. -Files can be downloaded raw, or archived with a password (`infected`). - -[![Quarantine](https://img.shields.io/badge/Uber%20Class-Get_Quarantined_Files-silver?style=for-the-badge&labelColor=maroon&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/quarantine#get-quarantined-files) - - -#### Quarantine and Sample Uploads API operations discussed -This sample demonstrates the following CrowdStrike Quarantine and Sample Uploads API operations: - -| Operation | Description | -| :--- | :--- | -| [GetQuarantineFiles](https://www.falconpy.io/Service-Collections/Quarantine.html#getquarantinefiles) | Get quarantine file metadata for specified ids. | -| [QueryQuarantineFiles](https://www.falconpy.io/Service-Collections/Quarantine.html#queryquarantinefiles) | Get quarantine file ids that match the provided filter criteria. | -| [GetSampleV3](https://www.falconpy.io/Service-Collections/Sample-Uploads.html#getsamplev3) | Retrieves the file associated with the given ID (SHA256). | - ---- - - -## Real Time Response -These samples focus on CrowdStrike's Real Time Response and Real Time Response Admin API service collections. - -- [Bulk execute a command](#bulk-execute-a-command) -- [Bulk execute a command (queued)](#bulk-execute-a-command-queued) -- [Get RTR result](#get-rtr-result) -- [Dump memory for a running process](#dump-memory-for-a-running-process) -- [My Little RTR](#my-little-rtr) -- [ProxyTool](#proxytool) - -### Bulk execute a command -Using this [demonstration](rtr#bulk-execute-a-command-on-matched-hosts), you can execute a command on multiple hosts that have a hostname matching a search string you provide. 
- -[![Real Time Response](https://img.shields.io/badge/Service%20Class-Bulk%20execute%20a%20command-silver?style=for-the-badge&labelColor=red&logo=)](rtr#bulk-execute-a-command-on-matched-hosts) - -#### Real Time Response API operations discussed -This sample demonstrates the following CrowdStrike Real Time Response and Real Time Response Admin API operations: - -| Operation | Description | -| :--- | :--- | -| [BatchAdminCmd](https://falconpy.io/Service-Collections/Real-Time-Response-Admin.html#batchadmincmd) | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. | -| [BatchInitSessions](https://falconpy.io/Service-Collections/Real-Time-Response.html#batchinitsessions) | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. | -| [RTR_DeleteSession](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_deletesession) | Delete a session. | - ---- - -### Bulk execute a command (queued) - -Building on the previous demonstration, this [sample](rtr/queued_execute.py) also executes a command on multiple hosts that have a hostname matching a search string, with the addition of queuing the commands for later processing should the host be offline. - -[![Real Time Response](https://img.shields.io/badge/Service%20Class-Bulk%20execute%20a%20command_with_queuing-silver?style=for-the-badge&labelColor=red&logo=)](rtr/queued_execute.py) - -#### Real Time Response API operations discussed -This sample demonstrates the following CrowdStrike Real Time Response and Real Time Response Admin API operations: - -| Operation | Description | -| :--- | :--- | -| [BatchAdminCmd](https://falconpy.io/Service-Collections/Real-Time-Response-Admin.html#batchadmincmd) | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. 
| -| [BatchInitSessions](https://falconpy.io/Service-Collections/Real-Time-Response.html#batchinitsessions) | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. | -| [RTR_CheckAdminCommandStatus](https://falconpy.io/Service-Collections/Real-Time-Response-Admin.html#rtr_checkadmincommandstatus) | Get status of an executed RTR administrator command on a single host. | -| [RTR_DeleteSession](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_deletesession) | Delete a session. | -| [RTR_ListQueuedSessions](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_listqueuedsessions) | Get queued session metadata by session ID. | - ---- - -### Get host uptime -Use the `runscript` command to retrieve host uptime. - -[![Real Time Response](https://img.shields.io/badge/Service%20Class-Get_Host_Uptime-silver?style=for-the-badge&labelColor=red&logo=)](rtr/get_host_uptime.py) - -#### Real Time Response, Real Time Response Admin and Hosts API operations discussed -This sample demonstrates the following CrowdStrike Hosts, Real Time Response and Real Time Response Admin API operations: +##### Real Time Response, Real Time Response Admin and Hosts API operations discussed +This sample demonstrates the following CrowdStrike Hosts, Real Time Response and Real Time Response Admin API operations: | Operation | Description | | :--- | :--- | 
@@ -885,12 +851,12 @@ This sample demonstrates the following CrowdStrike Hosts, Real Time Response and --- -### Get RTR result +#### Get RTR result Retrieve the results for previously executed RTR commands. [![Real Time Response](https://img.shields.io/badge/Service%20Class-Get_RTR_Result-silver?style=for-the-badge&labelColor=red&logo=)](rtr/get_rtr_result.py) -#### Real Time Response API operations discussed +##### Real Time Response API operations discussed This sample demonstrates the following CrowdStrike Real Time Response Admin API operations: | Operation | Description | @@ -899,12 +865,12 @@ This sample demonstrates the following CrowdStrike Real Time Response Admin API --- -### Dump memory for a running process +#### Dump memory for a running process This [example](rtr/pid-dump) demonstrates using the CrowdStrike Real Time Response API to dump the memory contents of a specific process on the target host using the PID. [![Real Time Response](https://img.shields.io/badge/Service%20Class-Dump%20memory%20for%20a%20running%20process-silver?style=for-the-badge&labelColor=red&logo=)](rtr/pid-dump) -#### Real Time Response API operations discussed +##### Real Time Response API operations discussed This sample demonstrates the following CrowdStrike Real Time Response and Real Time Response Admin API operations: | Operation | Description | 
@@ -923,13 +889,13 @@ This sample demonstrates the following CrowdStrike Real Time Response and Real T --- -### My Little RTR +#### My Little RTR This [demonstration](rtr/pony) leverages the [ASCII-Pony](https://gitlab.com/mattia.basaglia/ASCII-Pony) open source project to retrieve basic system information from a target host (and draw My Little Ponies). [![Real Time Response](https://img.shields.io/badge/Service%20Class-My%20Little%20RTR-silver?style=for-the-badge&labelColor=red&logo=)](rtr/pony) -#### Real Time Response API operations discussed +##### Real Time Response API operations discussed This sample demonstrates the following CrowdStrike Real Time Response and Real Time Response Admin API operations: | Operation | Description | 
@@ -944,33 +910,33 @@ This sample demonstrates the following CrowdStrike Real Time Response and Real T --- -### ProxyTool +#### ProxyTool This [demonstration](proxytool) leverages the Hosts, Host Groups, Sensor Download, and Real-Time Response API to fetch CID or Host Group hosts, and uses the batch command and offline queuing of Real-Time Response API to centrally and conveniently issue Falcon sensor proxy configuration changes. [![Real Time Response](https://img.shields.io/badge/Service%20Class-ProxyTool-silver?style=for-the-badge&labelColor=red&logo=)](proxytool) -#### Hosts API operations discussed +##### Hosts API operations discussed This sample demonstrates the following CrowdStrike Hosts API operations: | Operation | Description | | :--- | :--- | | [QueryDevicesByFilterScroll](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll) | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). | -#### Host Group API operations discussed +##### Host Group API operations discussed This sample demonstrates the following CrowdStrike Host Group API operations: | Operation | Description | | :--- | :--- | | [queryGroupMembers](https://www.falconpy.io/Service-Collections/Host-Group.html#querygroupmembers) | Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria. | -#### Sensor Download API operations discussed +##### Sensor Download API operations discussed This sample demonstrates the following CrowdStrike Sensor Download API operations: | Operation | Description | | :--- | :--- | | [GetSensorInstallersCCIDByQuery](https://falconpy.io/Service-Collections/Sensor-Download.html#getsensorinstallersccidbyquery) | Get CCID to use with sensor installers. 
| -#### Real Time Response API operations discussed +##### Real Time Response API operations discussed This sample demonstrates the following CrowdStrike Real Time Response API operations: | Operation | Description | @@ -978,105 +944,209 @@ This sample demonstrates the following CrowdStrike Real Time Response API operat | [BatchInitSessions](https://falconpy.io/Service-Collections/Real-Time-Response.html#batchinitsessions) | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. | | [BatchActiveResponderCmd](https://falconpy.io/Service-Collections/Real-Time-Response-Admin.html#batchactiverespondercmd) | Batch executes a RTR active-responder command across the hosts mapped to the given batch ID. | +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#endpoint-security-toc) + --- -## Recon -These samples focus on CrowdStrike's Falcon Intelligence Recon API service collection. + +
+

Firewall Management

(click to expand)
+The CrowdStrike Falcon Firewall Management and Firewall Policies APIs are the focus of this section. +
-- [Create monitoring rules for an email list](#create-monitoring-rules-for-an-email-list) +#### Export Firewall events to a file +Developed by `@wozboz`, this [example](firewall_management/get_firewall_events.py) demonstrates exporting Firewall events using the Firewall Management Service Class. This sample also provides an example of _tokenized pagination_ leveraging the `after` return parameter found in the `meta` branch. More details regarding this style of pagination can be found [here](https://falconpy.io/Usage/Response-Handling.html#paginating-json-responses). -### Create monitoring rules for an email list -Provided by `@wozboz`, this example demonstrates creating Falcon Intelligence Recon monitoring rules for a list of email addresses provided in CSV format. +[![Firewall Management](https://img.shields.io/badge/Service%20Class-Export_Firewall_Events-silver?style=for-the-badge&labelColor=red&logo=)](firewall_management/get_firewall_events.py) -[![Recon](https://img.shields.io/badge/Service%20Class-Create_Monitoring_Rules_For_a_List-silver?style=for-the-badge&labelColor=red&logo=)](recon/email_monitoring_recon.py) +##### Firewall Management operations discussed +This sample demonstrates the following CrowdStrike Firewall Management API operations: -#### Recon API operations discussed -This sample demonstrates the following CrowdStrike Recon API operations: +| Operation | Description | +| :--- | :--- | +| [get_events](https://falconpy.io/Service-Collections/Firewall-Management.html#get_events) | Get events entities by ID and optionally version. | +| [query_events](https://falconpy.io/Service-Collections/Firewall-Management.html#query_events) | Find all event IDs matching the query with filter. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#endpoint-security-toc) + +--- + +
+ + + + +
+

Cloud Security

+ + +
+

Cloud Workload Protection

(click to expand)
+This section discusses Falcon Discover for Cloud and Containers, and the two API service collections, Cloud Connect AWS and D4C Registration. +
+ +#### Manage Discover accounts +This example demonstrates using FalconPy to register and remove accounts managed by CrowdStrike Falcon Discover for Cloud (AWS). Both [Service Class](discover_aws/manage_discover_accounts_service.py) and [Uber Class](discover_aws/manage_discover_accounts_uber.py) examples are provided. + +[![Falcon Discover for Cloud (AWS)](https://img.shields.io/badge/Service%20Class-Manage%20Discover%20Accounts-silver?style=for-the-badge&labelColor=red&logo=)](discover_aws/manage_discover_accounts_service.py) +[![Falcon Discover for Cloud (AWS)](https://img.shields.io/badge/Uber%20Class-Manage%20Discover%20Accounts-silver?style=for-the-badge&labelColor=maroon&logo=)](discover_aws/manage_discover_accounts_uber.py) + +##### Cloud Connect AWS API operations discussed +These samples demonstrate the following CrowdStrike Cloud Connect AWS (Discover for Cloud and Containers) API operations: | Operation | Description | | :--- | :--- | -| [CreateRulesV1](https://www.falconpy.io/Service-Collections/Recon.html#createrulesv1) | Create monitoring rules. | +| [DeleteAWSAccounts](https://falconpy.io/Service-Collections/Cloud-Connect-AWS.html#deleteawsaccounts) | Delete a set of AWS Accounts by specifying their IDs. | +| [ProvisionAWSAccounts](https://falconpy.io/Service-Collections/Cloud-Connect-AWS.html#provisionawsaccounts) | Provision AWS Accounts by specifying details about the accounts to provision. | +| [QueryAWSAccounts](https://falconpy.io/Service-Collections/Cloud-Connect-AWS.html#queryawsaccounts) | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria. | +| [UpdateAWSAccounts](https://falconpy.io/Service-Collections/Cloud-Connect-AWS.html#updateawsaccounts) | Update AWS Accounts by specifying the ID of the account and details to update. 
| +| [VerifyAWSAccountAccess](https://falconpy.io/Service-Collections/Cloud-Connect-AWS.html#verifyawsaccountaccess) | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#cloud-security-toc) --- -## Report Executions -These samples focus on CrowdStrike's Falcon Report Executions API service collection. + +
+

Horizon

(click to expand)
+These samples focus on CrowdStrike Falcon Horizon and the available API operations within the CSPM Registration service collection. +
-- [Retrieve all report results](#retrieve-all-report-results) +#### Get CSPM policies +Submitted by `@mccbryan3`, this [example](cspm_registration/get_cspm_policies.py) uses FalconPy to report or export as CSV, all or selective Falcon Horizon CSPM Policies. -### Retrieve all report results -This sample will accept a schedule report ID and download all results for every successful execution of the report. +[![Falcon Horizon](https://img.shields.io/badge/Service%20Class-Report%20Horizon%20Policies-silver?style=for-the-badge&labelColor=red&logo=)](cspm_registration/get_cspm_policies.py) -[![Report Executions](https://img.shields.io/badge/Service%20Class-Retrieve_all_report_results-silver?style=for-the-badge&labelColor=red&logo=)](report_executions/get_report_results.py) +##### CSPM Registration API operations discussed +This sample demonstrates the following CrowdStrike CSPM Registration (Horizon) API operations: -#### Report Executions API operations discussed -This sample demonstrates the following CrowdStrike Report Executions API operations: +| Operation | Description | +| :--- | :--- | +| [GetCSPMPolicySettings](https://falconpy.io/Service-Collections/CSPM-Registration.html#getcspmpolicysettings) | Returns information about current policy settings. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#cloud-security-toc) + +--- + +
+ + + + +
+

Identity Protection

+ + +
+

Identity Protection

(click to expand)
+This category is dedicated to demonstrating the functionality provided by the CrowdStrike Identity Protection API service collection. +
+ +#### GraphQL Pagination +This sample demonstrates pagination using GraphQL within the Identity Protection service collection. + +[![Identity Protection](https://img.shields.io/badge/Service%20Class-GraphQL_Pagination-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/identity#graphql-pagination) + +##### Identity Protection API operations discussed +This sample demonstrates the following CrowdStrike Identity Protection API operations: | Operation | Description | | :--- | :--- | -| [report_executions_download_get](https://www.falconpy.io/Service-Collections/Report-Executions.html#report_executions_download_get) | Get report entity download. | -| [report_executions_get](https://www.falconpy.io/Service-Collections/Report-Executions.html#report_executions_get) | Retrieve report details for the provided report IDs. | -| [report_executions_query](https://www.falconpy.io/Service-Collections/Report-Executions.html#report_executions_query) | Find all report execution IDs matching the query with filter. | +| [api_preempt_proxy_post_graphql](https://www.falconpy.io/Service-Collections/Identity-Protection.html#api_preempt_proxy_post_graphql) | Identity Protection GraphQL API. Allows for retrieving entities, timeline activities, identity-based incidents and security assessment. Allows for performing actions on entities and identity-based incidents. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#identity-protection-toc) --- -## Sensor Download -The samples in this section focus on CrowdStrike Sensor Download API service collection. +
-### Download the CrowdStrike sensor -Use the Uber Class to [list or download versions of the CrowdStrike sensor](sensor_download/download_sensor.py). -[![Sensor Download](https://img.shields.io/badge/Uber%20Class-List%20or%20Download%20Falcon%20Sensor-silver?style=for-the-badge&labelColor=maroon&logo=)](sensor_download/download_sensor.py) + -#### Sensor Download API operations discussed -This sample demonstrates the following CrowdStrike Sensor Download API operations: + +
+

Exposure Management

+ + +
+

Asset Management

(click to expand)
+The samples in this section focus on the CrowdStrike Falcon Discover API service collection. +
+ +- [List discovered hosts](#list-discovered-hosts) +- [Spyglass](#spyglass) + +#### List discovered hosts + +In this [example](discover/list_discovered_hosts.py), we demonstrate listing up to the first 100 hosts identified by Falcon Discover. + +[![Falcon Discover](https://img.shields.io/badge/Service%20Class-List%20Discovered%20Hosts-silver?style=for-the-badge&labelColor=red&logo=)](discover/list_discovered_hosts.py) + +##### Discover API operations discussed +This sample demonstrates the following CrowdStrike Discover API operations: | Operation | Description | | :--- | :--- | -| [DownloadSensorInstallerById](https://falconpy.io/Service-Collections/Sensor-Download.html#downloadsensorinstallerbyid) | Get sensor installer details by providing a query. | -| [GetCombinedSensorInstallersByQuery](https://falconpy.io/Service-Collections/Sensor-Download.html#getcombinedsensorinstallersbyquery) | Download sensor installer by SHA256 ID. | +| [get_hosts](https://falconpy.io/Service-Collections/Discover.html#get_hosts) | Get details on assets by providing one or more IDs. | +| [query_hosts](https://falconpy.io/Service-Collections/Discover.html#query_hosts) | Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. | --- -## Sensor Update Policies -This section has samples that focus on the CrowdStrike Sensor Update Policies API service collection. +#### Spyglass -### Policy Wonk -Manage your sensor update policies with our [Policy Wonk](sensor_update_policies#manage-sensor-update-policies-with-policy-wonk) sample. +In this [example](discover/spyglass.py), we demonstrate running a full Falcon Discover audit report (accounts, applications, hosts and logins). 
-[![Sensor Update Policies](https://img.shields.io/badge/Service%20Class-Policy%20Wonk-silver?style=for-the-badge&labelColor=red&logo=)](sensor_update_policies#manage-sensor-update-policies-with-policy-wonk) +[![Falcon Discover](https://img.shields.io/badge/Service%20Class-Spyglass-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/discover#spyglass) -#### Sensor Update Policies API operations discussed -This sample demonstrates the following CrowdStrike Sensor Update Policies API operations: +##### Discover API operations discussed +This sample demonstrates the following CrowdStrike Discover API operations: | Operation | Description | | :--- | :--- | -| [createSensorUpdatePoliciesV2](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#createsensorupdatepoliciesv2) | Create Sensor Update Policies by specifying details about the policy to create. | -| [deleteSensorUpdatePolicies](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#deletesensorupdatepolicies) | Delete a set of Sensor Update Policies by specifying their IDs. | -| [performSensorUpdatePoliciesAction](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#performsensorupdatepoliciesaction) | Perform the specified action on the Sensor Update Policies specified in the request. | -| [queryCombinedSensorUpdateBuilds](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#querycombinedsensorupdatebuilds) | Retrieve available builds for use with Sensor Update Policies. | -| [queryCombinedSensorUpdateKernels](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#querycombinedsensorupdatekernels) | Retrieve kernel compatibility info for Sensor Update Builds. 
| -| [queryCombinedSensorUpdatePolicyMembers](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#querycombinedsensorupdatepolicymembers) | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria. | -| [queryCombinedSensorUpdatePoliciesV2](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#querycombinedsensorupdatepoliciesv2) | Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria. | -| [revealUninstallToken](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#revealuninstalltoken) | Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value `MAINTENANCE` as the value for `device_id`. | -| [setSensorUpdatePoliciesPrecedence](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#setsensorupdatepoliciesprecedence) | Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence. | -| [updateSensorUpdatePoliciesV2](https://falconpy.io/Service-Collections/Sensor-Update-Policy.html#updatesensorupdatepolicies) | Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection. | +| [get_accounts](https://falconpy.io/Service-Collections/Discover.html#get_accounts) | Get details on accounts by providing one or more IDs. | +| [get_applications](https://falconpy.io/Service-Collections/Discover.html#get_applications) | Get details on applications by providing one or more IDs. 
| +| [get_hosts](https://falconpy.io/Service-Collections/Discover.html#get_hosts) | Get details on assets by providing one or more IDs. | +| [get_logins](https://falconpy.io/Service-Collections/Discover.html#get_logins) | Get details on logins by providing one or more IDs. | +| [query_accounts](https://falconpy.io/Service-Collections/Discover.html#query_accounts) | Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of account IDs which match the filter criteria. | +| [query_applications](https://falconpy.io/Service-Collections/Discover.html#query_applications) | Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria. | +| [query_hosts](https://falconpy.io/Service-Collections/Discover.html#query_hosts) | Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. | +| [query_logins](https://falconpy.io/Service-Collections/Discover.html#query_logins) | Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of login IDs which match the filter criteria. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#exposure-management-toc) + --- -## Spotlight + + + +
+

Vulnerability Management

(click to expand)
These samples discuss leveraging the CrowdStrike Spotlight Evaluation Logic and Spotlight Vulnerabilities API service collections. +
- [Find vulnerable hosts by CVE ID](#find-vulnerable-hosts-by-cve-id) - [CISA DHS Known Exploited Vulnerabilities](#cisa-dhs-known-exploited-vulnerabilities) - [Spotlight Quick Report](#spotlight-quick-report) -### Find vulnerable hosts by CVE ID +#### Find vulnerable hosts by CVE ID In this [example](spotlight#identify-hosts-with-vulnerabilities-by-cve) we demonstrate searching Falcon Spotlight for vulnerable hosts based upon CVE ID. [![Spotlight Vulnerabilities](https://img.shields.io/badge/Service%20Class-Identify%20Vulnerable%20Hosts%20by%20CVE-silver?style=for-the-badge&labelColor=red&logo=)](spotlight#identify-hosts-with-vulnerabilities-by-cve) -#### Spotlight Vulnerabilities API operations discussed +##### Spotlight Vulnerabilities API operations discussed This sample demonstrates the following CrowdStrike Spotlight Vulnerability API operations: | Operation | Description | 
@@ -1087,12 +1157,12 @@ This sample demonstrates the following CrowdStrike Spotlight Vulnerability API o --- -### CISA DHS Known Exploited Vulnerabilities +#### CISA DHS Known Exploited Vulnerabilities Developed and submitted by `@ciberesponce`, this [solution](spotlight/CISA_known_exploited_vulns) provides simple CSV formatted output, sorting by DHS CISA's Due Date field, to allow for prioritization of mitigation actions across hosts. This is particularly useful for Departments and agencies (D/a) who are subject to CISA's due dates. [![Spotlight Vulnerabilities](https://img.shields.io/badge/Service%20Class-CISA%20Known%20Exploited%20Vulnerabilities-silver?style=for-the-badge&labelColor=red&logo=)](spotlight/CISA_known_exploited_vulns) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](spotlight/CISA_known_exploited_vulns) -#### Spotlight Vulnerabilities API operations discussed +##### Spotlight Vulnerabilities API operations discussed This sample demonstrates the following CrowdStrike Spotlight Vulnerability API operations: | Operation | Description | @@ -1101,12 +1171,12 @@ This sample demonstrates the following CrowdStrike Spotlight Vulnerability API o --- -### Spotlight Quick Report +#### Spotlight Quick Report In this [example](spotlight#spotlight-quick-report) we demonstrate generating a report of CVE matches within a Falcon tenant using the Spotlight and Hosts service collections. [![Spotlight Vulnerabilities](https://img.shields.io/badge/Service%20Class-Spotlight_Quick_report-silver?style=for-the-badge&labelColor=red&logo=)](spotlight#spotlight-quick-report) -#### Spotlight Vulnerabilities / Hosts API operations discussed +##### Spotlight Vulnerabilities / Hosts API operations discussed This sample demonstrates the following CrowdStrike Spotlight Vulnerability API and Hosts API operations: | Operation | Description | 
@@ -1115,52 +1185,267 @@ This sample demonstrates the following CrowdStrike Spotlight Vulnerability API a | [GetDeviceDetails](https://www.falconpy.io/Service-Collections/Hosts.html#getdevicedetails) | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilterScroll operation, the Falcon console or the Streaming API. | | [QueryDevicesByFilterScroll](https://www.falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll) | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). | -## User Management -This sample category is focused on examples that leverage CrowdStrike's User Management API service collection. +
-### Bulk user administration -This [sample](user_management#bulk-import-update-and-remove-users) demonstrates adding, updating and removing users in bulk using the User Management Service Class. +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#exposure-management-toc) -[![User Management](https://img.shields.io/badge/Service%20Class-Bulk%20Edit%20Users-silver?style=for-the-badge&labelColor=red&logo=)](user_management#bulk-import-update-and-remove-users) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](user_management#bulk-import-update-and-remove-users) +--- -#### User Management API operations discussed -This sample demonstrates the following CrowdStrike User Management API operations: +
+ + + + + + +
+

Threat Intelligence

+ +
+

Falcon Intelligence

(click to expand)
+This category is dedicated to Falcon Intelligence, and discusses the Falcon Intelligence and MalQuery API service collections. +
+ +- [Get MITRE ATT&CK Reports](#get-mitre-attck-reports) +- [Intel Search](#intel-search) +- [MISP Import](#misp-import) +- [Malqueryinator](#malqueryinator) + +#### Get MITRE ATT&CK Reports +Retrieve some or all available adversary MITRE ATT&CK reports. + +[![Intel](https://img.shields.io/badge/Service%20Class-Get_MITRE_ATT&CK_Reports-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/intel#get-mitre-attck-reports) + +##### Intel API operations discussed +This sample demonstrates the following CrowdStrike Intel API operations: | Operation | Description | | :--- | :--- | -| [CreateUser](https://falconpy.io/Service-Collections/User-Management.html#createuser) | Create a new user. After creating a user, assign one or more roles with [GrantUserRoleIds](https://falconpy.io/Service-Collections/User-Management.html#grantuserroleids). | -| [DeleteUser](https://falconpy.io/Service-Collections/User-Management.html#deleteuser) | Delete a user permanently. | -| [GetAvailableRoleIds](https://falconpy.io/Service-Collections/User-Management.html#getavailableroleids) | Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to [GetRoles](https://falconpy.io/Service-Collections/User-Management.html#getroles). | -| [GetUserRoleIds](https://falconpy.io/Service-Collections/User-Management.html#getuserroleids) | Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to [GetRoles](https://falconpy.io/Service-Collections/User-Management.html#getroles). | -| [GrantUserRoleIds](https://falconpy.io/Service-Collections/User-Management.html#grantuserroleids) | Assign one or more roles to a user. | -| [RetrieveUser](https://falconpy.io/Service-Collections/User-Management.html#retrieveuser) | Get info about a user. 
| -| [RetrieveUserUUID](https://falconpy.io/Service-Collections/User-Management.html#retrieveuseruuid) | Get a user's ID by providing a username (usually an email address). | -| [RetrieveUserUUIDsByCID](https://falconpy.io/Service-Collections/User-Management.html#retrieveuseruuidsbycid) | List user IDs for all users in your customer account. For more information on each user, provide the user ID to [RetrieveUser](https://falconpy.io/Service-Collections/User-Management.html#retrieveuser). | -| [RevokeUserRoleIds](https://falconpy.io/Service-Collections/User-Management.html#revokeuserroleids) | Revoke one or more roles from a user. | +| [GetIntelActorEntities](https://falconpy.io/Service-Collections/Intel.html#getintelactorentities) | Retrieve specific actors using their actor IDs. | +| [GetMitreReport](https://www.falconpy.io/Service-Collections/Intel.html#getmitrereport) | Export Mitre ATT&CK information for a given actor. | +| [QueryMitreAttacks](https://www.falconpy.io/Service-Collections/Intel.html#querymitreattacks) | Gets MITRE tactics and techniques for the given actor. | + + +#### Intel Search +Quickly search CrowdStrike Falcon Intelligence data for string matches. +Displays lists of matches and extended details for individual records when only one result is returned. +When a value for output prefix (`-o`) is provided, results will also be written to individual files in CSV format. + +[![Intel](https://img.shields.io/badge/Service%20Class-Intel_Search-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/intel#intel-search) + +##### Intel API operations discussed +This sample demonstrates the following CrowdStrike Intel API operations: + +| Operation | Description | +| :--- | :--- | +| [QueryIntelActorEntites](https://www.falconpy.io/Service-Collections/Intel.html#queryintelactorentities) | Get info about actors that match provided FQL filters. 
| +| [QueryIntelIndicatorEntities](https://www.falconpy.io/Service-Collections/Intel.html#queryintelindicatorentities) | Get info about indicators that match provided FQL filters. | +| [QueryIntelReportEntities](https://www.falconpy.io/Service-Collections/Intel.html#queryintelreportentities) | Get info about reports that match provided FQL filters. | +| [GetIntelActorEntities](https://falconpy.io/Service-Collections/Intel.html#getintelactorentities) | Retrieve specific actors using their actor IDs. | +| [GetIntelIndicatorEntities](https://www.falconpy.io/Service-Collections/Intel.html#getintelindicatorentities) | Retrieve specific indicators using their indicator IDs. | +| [GetIntelReportEntities](https://www.falconpy.io/Service-Collections/Intel.html#queryintelreportentities) | Retrieve specific reports using their report IDs. | --- -### Get user grants -This [sample](user_management#get-user-grants) demonstrates retrieving a list of all user grants asynchronously using the User Management Service Class. +#### MISP Import +This [utility](https://github.com/CrowdStrike/MISP-tools#manual-import) will import CrowdStrike Intel Threat indicators (Actors, Indicators and Reports) into your instance of [MISP](https://github.com/MISP/MISP). 
-[![User Management](https://img.shields.io/badge/Service%20Class-Get_User_Grants-silver?style=for-the-badge&labelColor=red&logo=)](user_management#get-user-grants) [![MSSP Use supported](https://img.shields.io/badge/-Supports%20MSSP-darkblue?logo=&style=for-the-badge)](user_management#get-user-grants) +[![Intel](https://img.shields.io/badge/Service%20Class-MISP_Import-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/MISP-tools#manual-import) -#### User Management API operations discussed -This sample demonstrates the following CrowdStrike User Management API operations: +##### Intel API operations discussed +This sample demonstrates the following CrowdStrike Intel API operations: | Operation | Description | | :--- | :--- | -| [queryUserV1](https://falconpy.io/Service-Collections/User-Management.html#queryuserv1) | List user IDs for all users in your customer account. | -| [combinedUserRolesV1](https://falconpy.io/Service-Collections/User-Management.html#combineduserrolesv1) | Get User Grant(s). This operation lists both direct as well as flight control grants between a user and a customer. | -| [retrieveUsersGETV1](https://falconpy.io/Service-Collections/User-Management.html#retrieveusersgetv1) | Get information about users including their name, UID, and CID by providing user UUIDs. | +| [GetIntelActorEntities](https://falconpy.io/Service-Collections/Intel.html#getintelactorentities) | Retrieve specific actors using their actor IDs. | +| [GetIntelIndicatorEntities](https://falconpy.io/Service-Collections/Intel.html#getintelindicatorentities) | Retrieve specific indicators using their indicator IDs. | +| [GetIntelReportEntities](https://falconpy.io/Service-Collections/Intel.html#getintelreportentities) | Retrieve specific reports using their report IDs. | +| [QueryIntelActorEntities](https://falconpy.io/Service-Collections/Intel.html#queryintelactorentities) | Get info about actors that match provided FQL filters. 
| +| [QueryIntelIndicatorEntities](https://falconpy.io/Service-Collections/Intel.html#queryintelindicatorentities) | Get info about indicators that match provided FQL filters. | +| [QueryIntelReportEntities](https://falconpy.io/Service-Collections/Intel.html#queryintelreportentities) | Get info about reports that match provided FQL filters. | + +--- + +#### Malqueryinator +Coded by our [**Purveyor of Lint**](https://xkcd.com/1513/) `@jlangdev`, [Malqueryinator](malquery#search-and-download-samples-from-malquery) demonstrates how to use the CrowdStrike MalQuery API to search and download malware samples. + +[![MalQuery](https://img.shields.io/badge/Uber%20Class-Download%20Malware%20Samples%20with%20Malqueryinator-silver?style=for-the-badge&labelColor=maroon&logo=)](malquery#search-and-download-samples-from-malquery) + +> This sample has been used in other integrations! You can check out the related integration [here](https://github.com/CrowdStrike/Cloud-AWS/blob/main/s3-bucket-protection/demo/instance.tf#L45). + +##### MalQuery API operations discussed +This sample demonstrates the following CrowdStrike MalQuery API operations: + +| Operation | Description | +| :--- | :--- | +| [GetMalQueryEntitiesSamplesFetchV1](https://falconpy.io/Service-Collections/MalQuery.html#getmalqueryentitiessamplesfetchv1) | Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing. | +| [GetMalQueryRequestV1](https://falconpy.io/Service-Collections/MalQuery.html#getmalqueryrequestv1) | Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time. | +| [PostMalQueryEntitiesSamplesMultidownloadV1](https://falconpy.io/Service-Collections/MalQuery.html#postmalqueryentitiessamplesmultidownloadv1) | Schedule samples for download. 
Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip. | +| [PostMalQueryFuzzySearchV1](https://falconpy.io/Service-Collections/MalQuery.html#postmalqueryfuzzysearchv1) | Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#threat-intelligence-toc) + +--- + + + +
+

Falcon Intelligence Sandbox

(click to expand)
+These samples focus on CrowdStrike's Falcon Intelligence Sandbox API service collections. +
+ +- [Manage sandbox uploads](#manage-sandbox-uploads) +- [Falcon Intelligence Sandbox scan](#falcon-intelligence-sandbox-scan) +- [Get all artifacts](#get-all-artifacts) +- [Quick Scan a target](#quick-scan-a-target) +- [S3 Bucket Protection](#s3-bucket-protection) + +#### Manage sandbox uploads +These samples use the CrowdStrike Sample Uploads API to upload, retrieve and delete files from Falcon Intelligence Sandbox. An example for using the [Service Class](sample_uploads/sample_uploads_service.py) and the [Uber Class](sample_uploads/sample_uploads_uber.py) is provided. + +[![Sample Uploads](https://img.shields.io/badge/Service%20Class-Handle%20Sandbox%20Files-silver?style=for-the-badge&labelColor=red&logo=)](sample_uploads/sample_uploads_service.py) +[![Sample Uploads](https://img.shields.io/badge/Uber%20Class-Handle%20Sandbox%20Files-silver?style=for-the-badge&labelColor=maroon&logo=)](sample_uploads/sample_uploads_uber.py) + +##### Sample Uploads API operations discussed +These samples demonstrate the following CrowdStrike Sample Uploads API operations: + +| Operation | Description | +| :--- | :--- | +| [GetSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#getsamplev3) | Retrieves the file associated with the given ID (SHA256). | +| [UploadSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#uploadsamplev3) | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. | +| [DeleteSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#deletesamplev3) | Removes a sample, including file, meta and submissions from the collection. | + +--- + +#### Falcon Intelligence Sandbox scan + +Analyze a single file for malware using the Falcon Intelligence Sandbox API with these [examples](falconx_sandbox/single_scan). 
A sample using the [Service Class](https://github.com/CrowdStrike/falconpy/blob/samples/samples/falconx_sandbox/single_scan/falconx_scan_example.py) and one using the [Uber Class](https://github.com/CrowdStrike/falconpy/blob/samples/samples/falconx_sandbox/single_scan/falconx_scan_example_uber.py) is provided. + +[![Falcon Intelligence Sandbox](https://img.shields.io/badge/Service%20Class-Analyze%20a%20Single%20file-silver?style=for-the-badge&labelColor=red&logo=)](falconx_sandbox/single_scan) +[![Falcon Intelligence Sandbox](https://img.shields.io/badge/Uber%20Class-Analyze%20a%20Single%20File-silver?style=for-the-badge&labelColor=maroon&logo=)](falconx_sandbox/single_scan) + +##### Falcon Intelligence Sandbox API operations discussed +These samples demonstrates the following CrowdStrike Falcon Intelligence Sandbox API operations: + +| Operation | Description | +| :--- | :--- | +| [DeleteSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#deletesamplev3) | Removes a sample, including file, meta and submissions from the collection. | +| [GetReports](https://falconpy.io/Service-Collections/Falconx-Sandbox.html#getreports) | Get a full sandbox report. | +| [GetSubmissions](https://falconpy.io/Service-Collections/Falconx-Sandbox.html#getsubmissions) | Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. | +| [UploadSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#uploadsamplev3) | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. | +| [Submit](https://falconpy.io/Service-Collections/Falconx-Sandbox.html#submit) | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. | + + +--- + +#### Get all artifacts + +This [example](falconx_sandbox/get_all_artifacts.py) demonstrates retrieving all artifacts for all reports (in all supported formats). 
+ +[![Falcon Intelligence Sandbox](https://img.shields.io/badge/Service%20Class-Get%20All%20Artifacts-silver?style=for-the-badge&labelColor=red&logo=)](falconx_sandbox/get_all_artifacts.py) + +##### Falcon Intelligence Sandbox API operations discussed +This sample demonstrates the following CrowdStrike Falcon Intelligence Sandbox API operations: + +| Operation | Description | +| :--- | :--- | +| [GetArtifacts](https://falconpy.io/Service-Collections/Falconx-Sandbox.html#getartifacts) | Download IOC packs, PCAP files, and other analysis artifacts. | +| [GetReports](https://falconpy.io/Service-Collections/Falconx-Sandbox.html#getreports) | Get a full sandbox report. | +| [QueryReports](https://falconpy.io/Service-Collections/Falconx-Sandbox.html#queryreports) | Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria. | + +--- + +#### Quick Scan a target + +This [demonstration](quick_scan/scan_target.py) leverages the Falcon Quick Scan and Sample Uploads APIs to scan the contents of a target folder. (Either on the local filesystem or a bucket in S3.) + +[![Quick Scan / Sample Uploads](https://img.shields.io/badge/Service%20Class-Scan%20a%20target-silver?style=for-the-badge&labelColor=red&logo=)](quick_scan/scan_target.py) + +##### Quick Scan and Sample Uploads API operations discussed +This sample demonstrates the following CrowdStrike Quick Scan and Sample Uploads API operations: + +| Operation | Description | +| :--- | :--- | +| [DeleteSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#deletesamplev3) | Removes a sample, including file, meta and submissions from the collection. | +| [GetScans](https://falconpy.io/Service-Collections/Quick-Scan.html#getscans) | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. 
| +| [ScanSamples](https://falconpy.io/Service-Collections/Quick-Scan.html#scansamples) | Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. | +| [UploadSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#uploadsamplev3) | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. | --- +#### Quick Scan quota check + +This [demonstration](quick_scan/quota_check.py) will report your current scan quota. + +[![Quick Scan](https://img.shields.io/badge/Service%20Class-Quota_Check-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/falconpy/tree/main/samples/quick_scan#quota-check) + +##### Quick Scan API operations discussed +This sample demonstrates the following CrowdStrike Quick Scan API operations: + +| Operation | Description | +| :--- | :--- | +| [GetScans](https://falconpy.io/Service-Collections/Quick-Scan.html#getscans) | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. | + +--- + +#### S3 Bucket Protection + +Building on the previous example, this [solution](https://github.com/CrowdStrike/Cloud-AWS/tree/main/s3-bucket-protection) demonstrates a complete integration with AWS Lambda, AWS S3 and AWS Security Hub that scans files as they are uploaded to the bucket. Files that are found to be malicious are removed from the bucket and a finding is published to AWS Security Hub. 
+ +[![Quick Scan / Sample Uploads](https://img.shields.io/badge/Service%20Class-S3%20Bucket%20Protection-silver?style=for-the-badge&labelColor=red&logo=)](https://github.com/CrowdStrike/Cloud-AWS/tree/main/s3-bucket-protection) + +##### Quick Scan and Sample Uploads API operations discussed +This sample demonstrates the following CrowdStrike Quick Scan and Sample Uploads API operations: + +| Operation | Description | +| :--- | :--- | +| [DeleteSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#deletesamplev3) | Removes a sample, including file, meta and submissions from the collection. | +| [GetScans](https://falconpy.io/Service-Collections/Quick-Scan.html#getscans) | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. | +| [ScanSamples](https://falconpy.io/Service-Collections/Quick-Scan.html#scansamples) | Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. | +| [UploadSampleV3](https://falconpy.io/Service-Collections/Sample-Uploads.html#uploadsamplev3) | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#threat-intelligence-toc) + +--- + + +
+

Falcon Intelligence Recon

(click to expand)
+These samples focus on CrowdStrike's Falcon Intelligence Recon API service collection. +
+ +#### Create monitoring rules for an email list +Provided by `@wozboz`, this example demonstrates creating Falcon Intelligence Recon monitoring rules for a list of email addresses provided in CSV format. + +[![Recon](https://img.shields.io/badge/Service%20Class-Create_Monitoring_Rules_For_a_List-silver?style=for-the-badge&labelColor=red&logo=)](recon/email_monitoring_recon.py) + +##### Recon API operations discussed +This sample demonstrates the following CrowdStrike Recon API operations: + +| Operation | Description | +| :--- | :--- | +| [CreateRulesV1](https://www.falconpy.io/Service-Collections/Recon.html#createrulesv1) | Create monitoring rules. | + +
+ +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#threat-intelligence-toc) + +--- + +
+ + ## Suggestions Do you have a suggestion for an example you'd like to see? Are one of the examples not working as expected? Let us know by posting a message to our [discussion board](https://github.com/CrowdStrike/falconpy/discussions). Have an example you've developed yourself that you'd like to share? **_Excellent!_** Please review our [contributing guidelines](/CONTRIBUTING.md) and then submit a pull request. +[Back to top](#falconpy-sample-library) | [How to authenticate](#authentication-for-these-examples) | [Table of Contents](#toc) + ---


From 1e0d2025391a883840708fef97ab73ae4181c4f5 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Mon, 20 Nov 2023 02:23:15 -0500 Subject: [PATCH 13/16] Add app_id to CreateSavedSearchesIngestV1 --- CHANGELOG.md | 6 +++++- src/falconpy/foundry_logscale.py | 14 +++++++++----- tests/test_foundry_logscale.py | 2 +- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d006fd396..964ea1f48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,9 +10,13 @@ ``` - `_auth_object/_uber_interface.py` - `_service_class/_service_class.py` ++ Added: `app_id` keyword added to _CreateSavedSearchesIngestV1_ operation. + - `foundry_logscale.py` + > Unit testing expanded to complete code coverage. + - `tests/test_foundry_logscale.py` ## Issues resolved -+ Fixed: _update_policy_container_ operation payload handler is missing the `policy_id`` key. Closes #1068. ++ Fixed: _update_policy_container_ operation payload handler is missing the `policy_id` key. Closes #1068. - `_payload/_firewall.py` > Expanded unit testing to complete code coverage. - `tests/test_firewall_management.py` diff --git a/src/falconpy/foundry_logscale.py b/src/falconpy/foundry_logscale.py index 8e7ff3bb7..60c3d1c79 100644 --- a/src/falconpy/foundry_logscale.py +++ b/src/falconpy/foundry_logscale.py @@ -36,7 +36,7 @@ For more information, please refer to """ from typing import Dict, Union -from ._util import force_default, process_service_request +from ._util import force_default, process_service_request, handle_single_argument from ._payload import foundry_execute_search_payload, foundry_dynamic_search_payload from ._service_class import ServiceClass from ._endpoint._foundry_logscale import _foundry_logscale_endpoints as Endpoints 
@@ -282,13 +282,15 @@ def execute(self: object,
 params=parameters
 )
 
- def populate(self: object) -> Dict[str, Union[int, dict]]:
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def populate(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
 """Populate a saved search.
 
 Keyword arguments:
- This method does not accept keyword arguments.
+ app_id -- Application ID. String.
 
- This method does not accept arguments.
+ Arguments: When not specified, the first argument to this method is assumed to be 'app_id'.
+ All others are ignored.
 
 Returns: dict object containing API response.
 
@@ -300,7 +302,9 @@ def populate(self: object) -> Dict[str, Union[int, dict]]:
 return process_service_request(
 calling_object=self,
 endpoints=Endpoints,
- operation_id="CreateSavedSearchesIngestV1"
+ operation_id="CreateSavedSearchesIngestV1",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "app_id")
 )
 
 @force_default(defaults=["parameters"], default_types=["dict"])
diff --git a/tests/test_foundry_logscale.py b/tests/test_foundry_logscale.py
index 3d6e12d04..97972ca59 100644
--- a/tests/test_foundry_logscale.py
+++ b/tests/test_foundry_logscale.py
@@ -29,7 +29,7 @@ def run_all_tests(self):
 "CreateSavedSearchesDynamicExecuteV1" : falcon.execute_dynamic(end="10", start="1"),
 "GetSavedSearchesExecuteV1" : falcon.get_search_results(job_id="12345"),
 "CreateSavedSearchesExecuteV1" : falcon.execute(search_parameters={"something": "somethingElse"}, end="10", start="1"),
- "CreateSavedSearchesIngestV1" : falcon.populate(),
+ "CreateSavedSearchesIngestV1" : falcon.populate(app_id="pommegranate"),
 "GetSavedSearchesJobResultsDownloadV1" : falcon.download_results(job_id="12345", result_format="json"),
 }
 for key in tests:
From 2f2d2a6e55a18d05ca6aea159144a4192a0c963f Mon Sep 17 00:00:00 2001
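Review bot: The rewritten docstring of `populate` lists only `app_id` under `Keyword arguments:`, yet the new `@force_default(defaults=["parameters"], default_types=["dict"])` decorator and the `parameters: dict = None` parameter mean a caller can also pass a full query-parameter dictionary, and that keyword is left undocumented. Add a line directly under `app_id`, such as `parameters -- Full parameters payload dictionary. Not required if using other keywords.`, phrased the way the sibling methods in this module presumably document the same keyword. The method body is split between this hunk and the `@@ -300` hunk, so the docstring's remaining sections are outside view.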
From: Joshua Hiller Date: Mon, 20 Nov 2023 08:54:43 -0500 Subject: [PATCH 14/16] Fix per operation pythonic override. Closes #1078. --- CHANGELOG.md | 2 ++ src/falconpy/_util/_functions.py | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 964ea1f48..7dde1119f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,8 @@
 - `installation_tokens.py`
 + Fixed: API operations generating leveraging the raw attribute are not properly displaying results when leveraging result object expansion. Closes #1076.
 - `_result/_result.py`
++ Fixed: Per-operation pythonic override is not working as expected. Closes #1078.
+ - `_util/_functions.py`
 
 # Other
 + Changed: Updated field mapping for Uber Class path variables to a cleaner solution.
diff --git a/src/falconpy/_util/_functions.py b/src/falconpy/_util/_functions.py
index 43016515e..012276482 100644
--- a/src/falconpy/_util/_functions.py
+++ b/src/falconpy/_util/_functions.py
@@ -667,6 +667,9 @@ def process_service_request(calling_object, # pylint: disable=R0914 # (19/15)
 calling_object.pythonic
 )
 expand_result = passed_keywords.get("expand_result", False) if passed_keywords else kwargs.get("expand_result", False)
+ do_pythonic = calling_object.pythonic
+ if passed_keywords.get("pythonic", None) is not None:
+ do_pythonic = passed_keywords.get("pythonic")
 new_keywords = {
 "caller": calling_object,
 "method": target_endpoint[1],
@@ -681,7 +684,7 @@ def process_service_request(calling_object, # pylint: disable=R0914 # (19/15)
 "body_required": kwargs.get("body_required", None),
 "expand_result": expand_result,
 "container": container,
- "pythonic": calling_object.pythonic,
+ "pythonic": do_pythonic,
 "perform": True
 }
 
From 2f09cf9099b2ec57560162d111042b3d21ec2de6 Mon Sep 17 00:00:00 2001
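Review bot: The new `passed_keywords.get("pythonic", None)` check in the `@@ -667` hunk is not guarded against `passed_keywords` being empty or `None`, whereas the `expand_result` line immediately above it is (`... if passed_keywords else kwargs.get(...)`), so a call that reaches this point without keywords would raise `AttributeError` on the `.get`. Guard it the same way: `if passed_keywords and passed_keywords.get("pythonic", None) is not None:`. The `expand_result` line also falls back to `kwargs`; if a per-operation `pythonic` override can arrive through `kwargs` as well, `do_pythonic` should consult it too, and if it deliberately cannot, a one-line comment saying the override is keyword-only would prevent the next reader from "fixing" the asymmetry. `process_service_request` starts and ends outside these hunks, and the `@@ -681` hunk only consumes `do_pythonic`.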
From: Joshua Hiller Date: Mon, 20 Nov 2023 09:00:33 -0500 Subject: [PATCH 15/16] Expand unit testing to complete code coverage --- tests/test_service_class.py | 12 +++++++++++- tests/test_spotlight_vulnerabilities.py | 15 ++++++++++----- tests/test_uber.py | 8 ++++++++ 3 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/tests/test_service_class.py b/tests/test_service_class.py
index 23c691c0b..7e884bcb9 100644
--- a/tests/test_service_class.py
+++ b/tests/test_service_class.py
@@ -114,13 +114,22 @@ def test_log_setup(self):
 @not_supported
 def test_property_debug_record_count(self):
 global _CLEAN
- _CLEAN = Hosts(creds=config.creds, user_agent="clean/1.0", timeout=120, proxy={})
+ _CLEAN = Hosts(creds=config.creds, user_agent="clean/1.0", timeout=120, proxy={}, base_url=config.base_url)
 if _CLEAN.token_status == 429:
 global _RATE_LIMITED
 _RATE_LIMITED = True
 assert bool(_CLEAN.debug_record_count)
 
+ @rate_limited
+ @not_supported
+ def test_service_class_context_manager(self):
+ _success = False
+ with _CLEAN as sdk:
+ if sdk.query_devices()["status_code"] == 200:
+ _success = True
+ assert _success
+
 @rate_limited
 @not_supported
 def test_property_refreshable(self):
@@ -193,6 +202,7 @@ def test_disable_ssl_verify_dynamic(self):
 _CLEAN.ssl_verify = False
 assert bool(not _CLEAN.ssl_verify)
 
+ @rate_limited
 @not_supported
 def test_property_base_service_class_proxy(self):
diff --git a/tests/test_spotlight_vulnerabilities.py b/tests/test_spotlight_vulnerabilities.py
index 426ae15b2..fd29a3189 100644
--- a/tests/test_spotlight_vulnerabilities.py
+++ b/tests/test_spotlight_vulnerabilities.py
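Review bot: `test_service_class_context_manager` reads the module global `_CLEAN`, which within this hunk is only assigned inside `test_property_debug_record_count`, so the new test is order-dependent and will fail when selected on its own (for example with `-k`) unless `_CLEAN` is also initialised at module level outside this view. Either build the instance inside the test or state the dependency above it with a comment such as `# relies on _CLEAN created by test_property_debug_record_count; not runnable in isolation`. It is also worth confirming what the context manager's `__exit__` does with the bearer token, which this hunk does not show: if it revokes the token, every later test that reuses `_CLEAN` (e.g. `test_property_refreshable`) silently re-authenticates, and that side effect should be noted next to the `with _CLEAN as sdk:` line.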
@@ -20,11 +20,13 @@ class TestSpotlight:
 
 
 def spotlight_queryVulnerabilities(self):
- if falcon.queryVulnerabilities(
- parameters={"limit": 1,
- "filter": "created_timestamp:>'2021-01-01T00:00:01Z'"
- }
- )["status_code"] in AllowedResponses:
+ result = falcon.queryVulnerabilities(parameters={"limit": 1,
+ "filter": "created_timestamp:>'2021-01-01T00:00:01Z'"
+ },
+ pythonic=True
+ )
+ if result.status_code in AllowedResponses:
+ _ = result.after
 return True
 else:
 return False
@@ -69,6 +71,9 @@ def spotlight_GenerateErrors(self):
 errorChecks = False
 return errorChecks
 
+ @pytest.mark.skipif(config.base_url == "https://api.laggar.gcw.crowdstrike.com",
+ reason="Unit testing unavailable on US-GOV-1"
+ )
 def test_queryVulnerabilities(self):
 assert self.spotlight_queryVulnerabilities() is True
 
diff --git a/tests/test_uber.py b/tests/test_uber.py
index d6d9f4055..c905bca31 100644
--- a/tests/test_uber.py
+++ b/tests/test_uber.py
@@ -45,6 +45,13 @@ class TestUber:
 
 
 
+ def test_uber_context_manager(self):
+ _success = False
+ with falcon as sdk:
+ if sdk.command("QueryDevicesByFilterScroll")["status_code"] == 200:
+ _success = True
+ assert _success
+
 def uberCCAWS_GetAWSSettings(self):
 returned = False
 authenticated = falcon.authenticated()
@@ -388,3 +395,4 @@ def test_pythonic_failure(self):
 except APIError:
 _success = True
 assert _success
+
From 4a3bca77c2daa4e757647e30892697fe8433cda6 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Mon, 20 Nov 2023 09:43:51 -0500 Subject: [PATCH 16/16] Update wordlist.txt --- .github/wordlist.txt | 279 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 278 insertions(+), 1 deletion(-)
diff --git a/.github/wordlist.txt b/.github/wordlist.txt
index 59095ff01..d468009b8 100644
--- a/.github/wordlist.txt
+++ b/.github/wordlist.txt
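Review bot: `_ = result.after` in the `@@ -20` hunk of `test_spotlight_vulnerabilities.py` touches the `after` property purely for coverage and asserts nothing, which reads like a leftover; a short comment such as `# touch .after so the pythonic result's pagination accessor is covered`, or an assertion on its type, would make the intent explicit. In the `@@ -69` hunk the `skipif` condition compares `config.base_url` against a hard-coded URL literal; if the test configuration already identifies the region, comparing against that (or a single module-level constant) keeps the US-GOV-1 endpoint in one place rather than duplicated per test.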
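Review bot: `test_uber_context_manager` in the `@@ -45` hunk of `test_uber.py` enters the shared module-level `falcon` object as a context manager while later tests in the class keep using that same object; if the SDK's `__exit__` revokes the bearer token (not visible here), those tests either re-authenticate or fail depending on what they assert, so the test should either use a throwaway instance or document the side effect with a comment such as `# leaving the context manager may invalidate falcon's token; later tests re-auth`. The `@@ -388` hunk only adds a trailing blank line at end of file, which style checkers commonly flag.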
@@ -900,4 +900,281 @@ CreateSavedSearchesExecuteV CreateSavedSearchesIngestV GetSavedSearchesJobResultsDownloadV clobberer -UUIDs \ No newline at end of file +UUIDs +AAAAGYktHRAAAAAAAAPlDu +AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQflDAsTByz +AAABhWlDQ +AENyZWF +AUhU +AuOe +BBIm +BJQ +BllzBbyJJBgDclVkO +COjZBi +Cmm +Cnate +CuffOubQVUXL +CzCcGPyWywAAAABJRU +EOFwAAAYBJREFUKM +ErkJggg +FlwWeGTHTqTniCLFYaGGlhVnR +HZIEAKiMj +HztO +ILMXTTGYVfaut +IgniKOqplO +Iw +JQOLiIU +Jh +KGgoAAAANSUhEUgAAABIAAAAOCAYAAAAi +KfPKlFdkGAMY +KhRTdx +Kukd +LCi +LWiOxljG +MZ +MgcHJvZmlsZQAAKJF +MyheKA +NK +Nsgmm +ODPYtXBxVlXB +OEvgJC +PhmzKrsTnL +QApADvu +QL +QQIPgNXetNfrgFTn +QV +QeJEQg +RBCBLjq +RXm +Tjy +TpaIVBzuIOGSoDmJBVEQ +TzwPsZjSkL +UYCNGp +VNRUuHy +XFIJ +XHnrWX +XRD +YHAdwB +YizdKNq +Yu +ZWQgd +aCBHSU +aP +aRuc +akhQXR +bbXapMy +bqURczGRXxNAruhAEMI +bzFWStVWKNO +cA +cAAAAGXRFWHRDb +cj +createrulesv +dBEPwBcXNzUnSREu +dNo +dYl +dg +eSyiBfOe +eWvnxMS +fIpdCrg +fcR +ftlJAD +hHg +hfHCGB +hmVnGrCQl +hq +iELI +iVBORw +ifPB +img +jrtASSwgEVIEKGggg +jvXkColZhmtY +kPFY +kT +kjrCirxOfEIyYVSPzIdcXjN +ktSur +ky +lOFcL +lR +labelColor +lkjFIlVEYht +mDzLkrxafSxySFKjSWX +mX +oCMAvnZgCcsF +oTmjKzz +pHAfaXxznYxAI +pehjAiaVfkN +pnCFP +png +quN +qyB +qzmLAQGReIYZpk +rUIRKoRaoVUHk +rXrcAAgs +sFkYYUyUnIRcemhCtCU +sNwTl +sTAHazSG +tSr +tZW +uOniJhivesLx +vN +vO +wOzbOx +wcAgMFSh +wcsyjDA +wefwe +wzx +xr +yBjDtfWORJZlNtFyo +zeffHa +zn +zuAH +zzkXJbeUljIldFTstsmSHM +pyfiglet +csv +ExampleToken +NewExampleToken +deletesamplev +getartifacts +getreports +getsamplev +getscans +getsubmissions +queryreports +scansamples +uploadsamplev +attck +getintelactorentities +getintelindicatorentities +getintelreportentities +getmalqueryentitiessamplesfetchv +getmalqueryrequestv +getmitrereport +malqueryinator +misp +mitre +postmalqueryentitiessamplesmultidownloadv +postmalqueryfuzzysearchv +queryintelactorentities +queryintelindicatorentities +queryintelreportentities +querymitreattacks +tf +xkcd +cisa 
+combinedqueryvulnerabilities +darkblue +dhs +getdevicedetails +getremediationsv +getvulnerabilities +querydevicesbyfilterscroll +queryvulnerabilities +getcspmpolicysettings +deleteawsaccounts +provisionawsaccounts +queryawsaccounts +updateawsaccounts +verifyawsaccountaccess +basaglia +batchactiverespondercmd +batchadmincmd +batchinitsessions +checkadmincommandstatus +createput +createscripts +deleteput +deletescripts +deletesession +executeadmincommand +getdevicedetails +getextractedfilecontents +getsensorinstallersccidbyquery +gitlab +initsession +listput +listqueuedsessions +listscripts +mattia +proxytool +querydevicesbyfilterscroll +querygroupmembers +rtr +runscript +crowdscore +getincidents +performincidentaction +queryincidents +quickchart +deletepreventionpolicies +getpreventionpolicies +performpreventionpoliciesaction +querycombinedpreventionpolicies +querypreventionpolicies +updatepreventionpolicies +getdetectsummaries +querydetects +updatedetectsbyidsv +cloner +groupmixin +groupsmixin +batchadmincmd +batchinitsessions +checkadmincommandstatus +createhostgroups +darkblue +deletesession +multicid +querychildren +querycombinedhostgroups +querycombinedpreventionpolicies +querydevicesbyfilter +rtr +listavailablestreamsoauth +refreshactivestreamsession +combineduserrolesv +createuser +darkblue +deleteuser +getavailableroleids +getuserroleids +grantuserroleids +queryuserv +retrieveuser +retrieveusersgetv +retrieveuseruuid +retrieveuseruuidsbycid +revokeuserroleids +getquarantinefiles +getsamplev +queryquarantinefiles +darkblue +getsensorinstallersccidbyquery +querychildren +createsensorupdatepoliciesv +deletesensorupdatepolicies +performsensorupdatepoliciesaction +querycombinedsensorupdatebuilds +querycombinedsensorupdatekernels +querycombinedsensorupdatepoliciesv +querycombinedsensorupdatepolicymembers +revealuninstalltoken +setsensorupdatepoliciesprecedence +updatesensorupdatepolicies +downloadsensorinstallerbyid +getcombinedsensorinstallersbyquery 
+getdevicedetails +micgoetz +performactionv +querydeviceloginhistory +querydevicesbyfilter +querydevicesbyfilterscroll +rtr +updatedevicetags +accesstoken +aes +queryawsaccounts +querydetects +querydevicesbyfilterscroll +queryincidents +queryintelactorentities +apis \ No newline at end of file