
Using the Discover service collection


This service collection has code examples posted to the repository.

Table of Contents

| Operation ID | PEP8 method name | Description |
| :---- | :---- | :---- |
| combined_applications | query_combined_applications | Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on applications which match the filter criteria. |
| combined_hosts | query_combined_hosts | Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on assets which match the filter criteria. |
| get_accounts | get_accounts | Get details on accounts by providing one or more IDs. |
| get_applications | get_applications | Get details on applications by providing one or more IDs. |
| get_hosts | get_hosts | Get details on assets by providing one or more IDs. |
| get_iot_hosts | get_iot_hosts | Get details on IoT assets by providing one or more IDs. |
| get_logins | get_logins | Get details on logins by providing one or more IDs. |
| query_accounts | query_accounts | Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
| query_applications | query_applications | Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria. |
| query_hosts | query_hosts | Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
| query_iot_hosts | query_iot_hosts | Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
| query_iot_hostsV2 | query_iot_hosts_v2 | Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
| query_logins | query_logins | Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Note that none of the examples below hard-codes these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

combined_applications

Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on applications which match the filter criteria.

PEP8 method name

query_combined_applications

Endpoint

| Method | Route |
| :---- | :---- |
| GET | /discover/combined/applications/v1 |

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| filter | Supported | Supported | query | string | Filter applications using a FQL query. A list of available filters can be found here. |
| limit | Supported | Supported | query | integer | The number of application IDs to return in this response (Max: 1000, Default: 100). Use with the after parameter to manage pagination of results. |
| after | Supported | Supported | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |
| sort | Supported | Supported | query | string | Sort accounts by their properties. A single sort field is allowed. Common sort options include: username\|asc, last_failed_login_timestamp\|desc |
Available filters

The following properties can be used for filtering and sorting.

id - Unique ID of the application. Each application ID represents a particular instance of an application on a particular asset.

Example:
  • id:'a89xxxxxxxxxxxxxxxxxxxxxxxxx08e_137xxxxxxxxxxxx191'

cid - The application's customer ID. In multi-CID environments:
  • You can filter on both parent and child CIDs.
  • If you're in a parent CID and leave this filter empty, the response includes data about the parent CID and all its child CIDs.
  • If you're in a parent CID and use this filter, the response includes data for only the CIDs you filtered on.
  • If you're in a child CID, this property will only show data for that CID.

Examples:
  • cid:'cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4'
  • cid:!'cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4'
  • cid:'cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4',cid:'dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx5'

name - Name of the application.

Example: name:'Chrome'

vendor - Name of the application vendor.

Examples:
  • vendor:'Microsoft Corporation'
  • vendor:'CrowdStrike'

version - Application version.

Examples:
  • version:'4.8.4320.0'
  • version:'108.0.5359.99'

name_vendor - The app name and vendor name for all application IDs with this application name; this field can be used to group results by application.

Examples:
  • name_vendor:'Chrome-Google'
  • name_vendor:'Tools-VMware'

name_vendor_version - The app name, vendor name, and vendor version for all application IDs with this application name; this field can be used to group results by application version.

Examples:
  • name_vendor_version:'Chrome-Google-108.0.5359.99'
  • name_vendor_version:'Flash Player-Adobe-32.0.0.387'

versioning_scheme - Versioning scheme of the application.

Example: versioning_scheme:'semver'

groups - All application groups the application is assigned to. For more info, see Create application groups.

Example: groups:'ExampleAppGroup'

category - Category the application is in. For more info, see Understanding applications.

Examples:
  • category:'IT/Security Apps'
  • category:'Web Browsers'
  • category:'Back up and Recovery'

architectures - Application architecture.

Examples:
  • architectures:'x86'
  • architectures:!'x64'

installation_paths - File paths on the asset to the application's executable file or folder.

Examples:
  • installation_paths:'C:\Program Files\Internet Explorer\iexplore.exe'
  • installation_paths:'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'

installation_timestamp - Date and time the application was installed, if available.

Example: installation_timestamp:'2023-01-11T00:00:00.000Z'

first_seen_timestamp - Date and time the application was first seen.

Example: first_seen_timestamp:'2022-12-22T12:41:47.417Z'

last_updated_timestamp - Date and time the installation fields of the application instance most recently changed.

Example: last_updated_timestamp:'2022-12-22T12:41:47.417Z'

last_used_user_sid - For Windows and macOS: Security identifier of the account that most recently used the application.

Example: last_used_user_sid:'S-1-x-x-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx1'

last_used_user_name - For Windows and macOS: Username of the account that most recently used the application.

Examples:
  • last_used_user_name:'Administrator'
  • last_used_user_name:'xiany'

last_used_file_name - For Windows and macOS: Most recent file name used for the application.

Examples:
  • last_used_file_name:'setup.exe'
  • last_used_file_name:'putty.exe'

last_used_file_hash - For Windows and macOS: Most recent file hash used for the application.

Example: last_used_file_hash:'0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa'

last_used_timestamp - For Windows and macOS: Date and time the application was most recently used.

Example: last_used_timestamp:'2023-01-10T23:00:00.000Z'

is_normalized - For Windows: Whether the application name is normalized (true or false).

Applications can have different naming variations that result in different records for each variation, for example, Acrobat Reader, Adobe Acrobat Reader, and Acrobat. To avoid this duplication, the most common applications are listed under a single normalized application name, for example, Acrobat.

Example: is_normalized:true

is_suspicious - Whether the application is suspicious based on how often it's been seen in a detection on that asset (true or false).

Examples: is_suspicious:true or is_suspicious:!false

host.id - Unique ID of the asset the application is on.

Example: host.id:'a89xxxxxxxxxxxxxxxxxxxxxxxxx08e_137xxxxxxxxxxxx191'

host.aid - ID of the Falcon sensor installed on the asset the application is on.

Example: host.aid:'14xxxxxxxxxxxxxxxxxxxxxxxxxxxx2f'

host.country - Name of the country where the asset the application is on is located.

Examples: host.country:'United States Of America' or host.country:!'Germany'

host.platform_name - The platform name of the asset the application is on (Windows, Mac, Linux).

Examples: host.platform_name:'Windows' or host.platform_name:!'Linux'

host.os_version - OS version of the asset the application is on.

Examples:
  • host.os_version:'Windows 10'
  • host.os_version:!'Ubuntu 16.04'
  • host.os_version:*'Win*'

host.kernel_version - For Linux and Mac: The major version, minor version, and patch version of the kernel for the asset the application is on.

For Windows: the build number of the asset the application is on.

Examples:
  • host.kernel_version:'7601'
  • host.kernel_version:!'7601'
  • host.kernel_version:*'*01'

host.product_type_desc - The product type of the asset the application is on (Workstation, Domain Controller, Server).

Examples:
  • host.product_type_desc:'Workstation'
  • host.product_type_desc:!'Domain Controller'
  • host.product_type_desc:'Server'

host.tags - Sensor and cloud tags of the asset the application is on.

Examples:
  • host.tags:'FalconTag/Tag1'
  • host.tags:!'FalconTag/Tag1'
  • host.tags:*'Falcon*'

host.groups - Host management groups the asset the application is on is part of.

Examples:
  • host.groups:'Workstations'
  • host.groups:!'QA Computers'
  • host.groups:*'Windows*'

host.agent_version - Version of the Falcon sensor that's installed on the asset the application is on.

Examples:
  • host.agent_version:'6.24.13806.0'
  • host.agent_version:!'6.24.13806.0'
  • host.agent_version:*'6.24.*'

host.system_manufacturer - System manufacturer of the asset the application is on.

Examples:
  • host.system_manufacturer:'VMware, Inc.'
  • host.system_manufacturer:!'VMware, Inc.'
  • host.system_manufacturer:*'*VMware*'

host.ou - Organizational unit of the asset the application is on.

Examples: host.ou:'Endpoints' or host.ou:!'Endpoints'

host.machine_domain - Domain name the asset the application is on is currently joined to.

Examples:
  • host.machine_domain:'domain.example.com'
  • host.machine_domain:!'domain.example.com'
  • host.machine_domain:*'*example.com'

host.site_name - Site name of the domain the asset the application is on is joined to (applies only to Windows hosts).

Examples:
  • host.site_name:'web-120.example.com'
  • host.site_name:!'web-120.example.com'
  • host.site_name:*'web-120.*'

host.external_ip - External IPv4 address of the asset the application is on.

Examples:
  • host.external_ip:'192.0.2.71'
  • host.external_ip:!'192.0.2.71'
  • host.external_ip:'192.0.2.71/24'

host.hostname - Hostname of the asset the application is on.

Examples: host.hostname:'ABC-123-DEF-456' or host.hostname:!'ABC-123-DEF-456'

host.current_network_prefix - Most recent network prefix of the asset the application is on.

Examples: host.network_prefix:'192.0' or host.network_prefix:!'192.0'

host.internet_exposure - Whether the asset the application is on is exposed to the internet (Yes or Unknown).

Examples: host.internet_exposure:'Yes' or host.internet_exposure:!'Unknown'

host.current_mac_address - Most recent MAC address of the asset the application is on.

Examples:
  • host.current_mac_address:'A1-B2-C4-D5-E5-F6'
  • host.current_mac_address:*'A1-B2-C4*'

Usage

Service class example (PEP8 syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_combined_applications(after="string",
                                              limit=integer,
                                              sort="string",
                                              filter="string"
                                              )
print(response)
Service class example (Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.combined_applications(after="string",
                                        limit=integer,
                                        sort="string",
                                        filter="string"
                                        )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_applications",
                          after="string",
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
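The after-token pagination described in the keyword arguments above, worked through as an added example (this is not FalconPy's or CrowdStrike's own code). The client is injected, and a constructed stand-in serves three canned pages so the loop runs offline; with the real SDK you would pass a falconpy.Discover instance. The response key names body.resources and body.meta.pagination.after, and the nested host.hostname field on each record, are assumptions about the SDK's result dictionary.

```python
from typing import Any, Dict, Iterator, List, Optional


def iter_combined_applications(client: Any, fql: str, limit: int = 100) -> Iterator[Dict[str, Any]]:
    """Yield every application record matching `fql`, following `after` tokens.

    The first request carries no `after`; each later request passes the token from
    the previous response; the walk ends when a response carries no token.
    """
    if not 1 <= limit <= 1000:  # the endpoint documents Max: 1000 per response
        raise ValueError("limit must be between 1 and 1000")
    after: Optional[str] = None
    seen_tokens = set()
    while True:
        kwargs: Dict[str, Any] = {"filter": fql, "limit": limit}
        if after:
            kwargs["after"] = after
        response = client.query_combined_applications(**kwargs)
        if response["status_code"] != 200:
            errors = response.get("body", {}).get("errors", [])
            raise RuntimeError(f"combined_applications returned {response['status_code']}: {errors}")
        body = response["body"]
        yield from body.get("resources", [])
        # Assumed location of the continuation token in the SDK's result dictionary.
        after = body.get("meta", {}).get("pagination", {}).get("after")
        if not after:
            return
        if after in seen_tokens:  # never spin forever if the service repeats a token
            raise RuntimeError("pagination token repeated; aborting")
        seen_tokens.add(after)


def suspicious_apps_by_host(client: Any, limit: int = 100) -> Dict[str, int]:
    """Count applications flagged is_suspicious:true per hostname (host.hostname is assumed)."""
    counts: Dict[str, int] = {}
    for app in iter_combined_applications(client, "is_suspicious:true", limit=limit):
        hostname = app.get("host", {}).get("hostname", "<unknown>")
        counts[hostname] = counts.get(hostname, 0) + 1
    return counts


class FakeDiscover:
    """Constructed stand-in for falconpy.Discover: serves canned pages and records each call."""

    def __init__(self, pages: List[List[Dict[str, Any]]]):
        self._pages = pages
        self.calls: List[Dict[str, Any]] = []

    def query_combined_applications(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(dict(kwargs))
        index = int(kwargs.get("after", "page-0").split("-")[1])
        pagination: Dict[str, Any] = {"limit": kwargs["limit"],
                                      "total": sum(len(p) for p in self._pages)}
        if index + 1 < len(self._pages):
            pagination["after"] = f"page-{index + 1}"  # token for the next page
        return {"status_code": 200,
                "body": {"meta": {"pagination": pagination}, "resources": self._pages[index]}}


# Constructed records, not real telemetry; the last page is empty to show the token ending.
SAMPLE_PAGES: List[List[Dict[str, Any]]] = [
    [{"id": "app-1", "name": "putty", "is_suspicious": True, "host": {"hostname": "WS-01"}},
     {"id": "app-2", "name": "Chrome", "is_suspicious": True, "host": {"hostname": "WS-01"}}],
    [{"id": "app-3", "name": "setup.exe", "is_suspicious": True, "host": {"hostname": "SRV-02"}}],
    [],
]


if __name__ == "__main__":
    # With the real SDK: from falconpy import Discover; client = Discover(client_id=..., client_secret=...)
    print(suspicious_apps_by_host(FakeDiscover(SAMPLE_PAGES), limit=2))
```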

combined_hosts

Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns details on assets which match the filter criteria.

PEP8 method name

query_combined_hosts

Endpoint

| Method | Route |
| :---- | :---- |
| GET | /discover/combined/hosts/v1 |

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| filter | Supported | Supported | query | string | Filter assets using a FQL query. A complete list of available filters can be found here. |
| limit | Supported | Supported | query | integer | The number of asset IDs to return in this response (Max: 1000, Default: 100). Use with the after parameter to manage pagination of results. |
| after | Supported | Supported | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |
| sort | Supported | Supported | query | string | Sort assets by their properties. A single sort field is allowed. Common sort options include: hostname\|asc, product_type_desc\|desc |
Available FQL Filters

Available filter fields that support exact match: id, aid, entity_type, country, city, platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, machine_domain, site_name, external_ip, hostname, local_ips_count, network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.interface_alias, network_interfaces.interface_description, network_interfaces.network_prefix, last_discoverer_aid, discoverer_count, discoverer_aids, discoverer_tags, discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, data_providers, data_providers_count, mac_addresses, local_ip_addresses, reduced_functionality_mode, number_of_disk_drives, processor_package_count, physical_core_count, logical_core_count, total_disk_space, disk_sizes.disk_name, disk_sizes.disk_space, cpu_processor_name, total_memory, encryption_status, encrypted_drives, encrypted_drives_count, unencrypted_drives, unencrypted_drives_count, os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, os_security.iommu_protection_status, os_security.secure_boot_enabled_status, os_security.uefi_memory_protection_status, os_security.virtualization_based_security_status, os_security.kernel_dma_protection_status, total_bios_files, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, bios_id, average_processor_usage, average_memory_usage, average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, available_disk_space, available_disk_space_pct, mount_storage_info.mount_path, mount_storage_info.used_space, mount_storage_info.available_space, form_factor, servicenow_id, owned_by, managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, ad_user_account_control, account_enabled, creation_timestamp, email, os_service_pack, location, state, cpu_manufacturer, discovering_by

Available filter fields that support wildcard (*): id, aid, entity_type, country, city, platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, machine_domain, site_name, external_ip, hostname, network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.interface_alias, network_interfaces.interface_description, network_interfaces.network_prefix, last_discoverer_aid, discoverer_aids, discoverer_tags, discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, disk_sizes.disk_name, cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, os_security.iommu_protection_status, os_security.secure_boot_enabled_status, os_security.uefi_memory_protection_status, os_security.virtualization_based_security_status, os_security.kernel_dma_protection_status, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, bios_id, mount_storage_info.mount_path, form_factor, servicenow_id, owned_by, managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, account_enabled, email, os_service_pack, location, state, cpu_manufacturer, discovering_by

Available filter fields that support range comparisons (>, <, >=, <=): first_seen_timestamp, last_seen_timestamp, local_ips_count, discoverer_count, confidence, number_of_disk_drives, processor_package_count, physical_core_count, data_providers_count, logical_core_count, total_disk_space, disk_sizes.disk_space, total_memory, encrypted_drives_count, unencrypted_drives_count, total_bios_files, average_processor_usage, average_memory_usage, average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, available_disk_space, available_disk_space_pct, mount_storage_info.used_space, mount_storage_info.available_space, ad_user_account_control, creation_timestamp

All filter fields and operations support negation (!).

Usage

Service class example (PEP8 syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_combined_hosts(after="string",
                                       limit=integer,
                                       sort="string",
                                       filter="string"
                                       )
print(response)
Service class example (Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.combined_hosts(after="string",
                                 limit=integer,
                                 sort="string",
                                 filter="string"
                                 )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_hosts",
                          after="string",
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

get_accounts

Get details on accounts by providing one or more IDs.

PEP8 method name

get_accounts

Endpoint

| Method | Route |
| :---- | :---- |
| GET | /discover/entities/accounts/v1 |

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| ids | Supported | Supported | query | string or list of strings | One or more account IDs. (Max: 100) Find account IDs with query_accounts. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_accounts(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_accounts", ids=id_list)
print(response)

get_applications

Get details on applications by providing one or more IDs.

PEP8 method name

get_applications

Endpoint

| Method | Route |
| :---- | :---- |
| GET | /discover/entities/applications/v1 |

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| ids | Supported | Supported | query | string or list of strings | One or more application IDs. (Max: 100) Find application IDs with query_applications. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_applications(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_applications", ids=id_list)
print(response)

get_hosts

Get details on assets by providing one or more IDs.

PEP8 method name

get_hosts

Endpoint

| Method | Route |
| :---- | :---- |
| GET | /discover/entities/hosts/v1 |

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| ids | Supported | Supported | query | string or list of strings | One or more asset IDs. (Max: 100) Find asset IDs with query_hosts. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_hosts(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_hosts", ids=id_list)
print(response)

get_iot_hosts

Get details on IoT assets by providing one or more IDs.

PEP8 method name

get_iot_hosts

Endpoint

| Method | Route |
| :---- | :---- |
| GET | /discover/entities/iot-hosts/v1 |

Required Scope

discover-iot:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| ids | Supported | Supported | query | string or list of strings | One or more IoT asset IDs. (Max: 100) Find asset IDs with query_iot_hosts. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_iot_hosts(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_iot_hosts", ids=id_list)
print(response)

get_logins

Get details on logins by providing one or more IDs.

PEP8 method name

get_logins

Endpoint

| Method | Route |
| :---- | :---- |
| GET | /discover/entities/logins/v1 |

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| ids | Supported | Supported | query | string or list of strings | One or more login IDs. (Max: 100) Find login IDs with query_logins. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_logins(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_logins", ids=id_list)
print(response)

query_accounts

Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_accounts

Endpoint

| Method | Route |
| :---- | :---- |
| GET | /discover/queries/accounts/v1 |

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| filter | Supported | Supported | query | string | Filter accounts using a FQL query. A complete list of available filters can be found here. |
| limit | Supported | Supported | query | integer | The number of account IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
| offset | Supported | Supported | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don't provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |
| sort | Supported | Supported | query | string | Sort accounts by their properties. A single sort field is allowed. Common sort options include: username\|asc, last_failed_login_timestamp\|desc |
Available FQL Filters

Common filters include:

  • account_type:'Local'
  • admin_privileges:'Yes'
  • first_seen_timestamp:<'now-7d'
  • last_successful_login_type:'Terminal server'

The following properties are acceptable values for the filter keyword described above.

  • id
  • cid
  • user_sid
  • login_domain
  • account_name
  • username
  • account_type
  • admin_privileges
  • first_seen_timestamp
  • last_successful_login_type
  • last_successful_login_timestamp
  • last_successful_login_hostname
  • last_successful_login_remote_ip
  • last_successful_login_host_country
  • last_successful_login_host_city
  • last_failed_login_type
  • last_failed_login_timestamp
  • last_failed_login_hostname
  • password_last_set_timestamp

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_accounts(offset=integer,
                                 limit=integer,
                                 sort="string",
                                 filter="string"
                                 )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_accounts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
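The offset-based paging of query_accounts, followed by hydrating the IDs through get_accounts in batches that respect its Max: 100 limit, as an added example (not FalconPy's or CrowdStrike's own code). The client is injected and a constructed stand-in with canned account IDs stands in for falconpy.Discover; the result keys body.resources and body.meta.pagination (holding offset and total, with offset read as the value to send on the next request) are assumptions about the SDK's result dictionary.

```python
from typing import Any, Dict, Iterable, List

QUERY_PAGE_MAX = 100    # query_accounts: Max 100 IDs per response
DETAIL_BATCH_MAX = 100  # get_accounts: Max 100 IDs per request


def check_response(response: Dict[str, Any], operation: str) -> Dict[str, Any]:
    """Return the body of a successful SDK result, or raise with the API's error list."""
    if response["status_code"] != 200:
        errors = response.get("body", {}).get("errors", [])
        raise RuntimeError(f"{operation} returned {response['status_code']}: {errors}")
    return response["body"]


def query_all_account_ids(client: Any, fql: str, sort: str = "username|asc") -> List[str]:
    """Walk query_accounts with the offset parameter until every matching ID is collected."""
    ids: List[str] = []
    offset = 0
    while True:
        kwargs: Dict[str, Any] = {"filter": fql, "limit": QUERY_PAGE_MAX, "sort": sort}
        if offset:  # the first request carries no offset
            kwargs["offset"] = offset
        body = check_response(client.query_accounts(**kwargs), "query_accounts")
        page = body.get("resources", [])
        ids.extend(page)
        pagination = body.get("meta", {}).get("pagination", {})
        total = pagination.get("total", len(ids))
        # Assumed: the service reports the next offset in meta.pagination.offset;
        # fall back to what has been consumed so far if it does not.
        offset = pagination.get("offset", offset + len(page))
        if not page or offset >= total:
            return ids


def batches(items: List[str], size: int) -> Iterable[List[str]]:
    """Split a list into consecutive chunks of at most `size` elements."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def fetch_account_details(client: Any, ids: List[str]) -> List[Dict[str, Any]]:
    """Call get_accounts in batches no larger than its documented maximum of 100 IDs."""
    details: List[Dict[str, Any]] = []
    for batch in batches(ids, DETAIL_BATCH_MAX):
        body = check_response(client.get_accounts(ids=batch), "get_accounts")
        details.extend(body.get("resources", []))
    return details


def admin_accounts_report(client: Any) -> List[Dict[str, Any]]:
    """Details of every account with admin privileges (filter taken from the common filters above)."""
    return fetch_account_details(client, query_all_account_ids(client, "admin_privileges:'Yes'"))


class FakeDiscover:
    """Constructed stand-in for falconpy.Discover holding `count` canned account IDs."""

    def __init__(self, count: int):
        self.ids = [f"acct-{n:04d}" for n in range(count)]
        self.query_calls: List[Dict[str, Any]] = []
        self.detail_batches: List[int] = []

    def query_accounts(self, **kwargs: Any) -> Dict[str, Any]:
        self.query_calls.append(dict(kwargs))
        offset, limit = kwargs.get("offset", 0), kwargs["limit"]
        page = self.ids[offset:offset + limit]
        pagination = {"offset": offset + len(page), "limit": limit, "total": len(self.ids)}
        return {"status_code": 200, "body": {"meta": {"pagination": pagination}, "resources": page}}

    def get_accounts(self, ids: List[str]) -> Dict[str, Any]:
        if len(ids) > DETAIL_BATCH_MAX:  # mirror the documented per-request maximum
            return {"status_code": 400, "body": {"errors": [{"message": "too many ids"}]}}
        self.detail_batches.append(len(ids))
        resources = [{"id": i, "admin_privileges": "Yes"} for i in ids]
        return {"status_code": 200, "body": {"resources": resources}}


if __name__ == "__main__":
    # With the real SDK: from falconpy import Discover; client = Discover(client_id=..., client_secret=...)
    print(len(admin_accounts_report(FakeDiscover(250))), "accounts with admin privileges")
```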

query_applications

Search for applications in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria.

PEP8 method name

query_applications

Endpoint

| Method | Route |
| :---- | :---- |
| GET | /discover/queries/applications/v1 |

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| filter | Supported | Supported | query | string | Filter applications using a FQL query. A list of available filters can be found here. |
| limit | Supported | Supported | query | integer | The number of application IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
| offset | Supported | Supported | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don't provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |
| sort | Supported | Supported | query | string | Sort accounts by their properties. A single sort field is allowed. Common sort options include: username\|asc, last_failed_login_timestamp\|desc |
Available filters

The following properties can be used for filtering and sorting.

id - Unique ID of the application. Each application ID represents a particular instance of an application on a particular asset.

Example:
  • id:'a89xxxxxxxxxxxxxxxxxxxxxxxxx08e_137xxxxxxxxxxxx191'

cid - The application's customer ID. In multi-CID environments:
  • You can filter on both parent and child CIDs.
  • If you're in a parent CID and leave this filter empty, the response includes data about the parent CID and all its child CIDs.
  • If you're in a parent CID and use this filter, the response includes data for only the CIDs you filtered on.
  • If you're in a child CID, this property will only show data for that CID.

Examples:
  • cid:'cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4'
  • cid:!'cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4'
  • cid:'cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4',cid:'dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx5'

name - Name of the application.

Example: name:'Chrome'

vendor - Name of the application vendor.

Examples:
  • vendor:'Microsoft Corporation'
  • vendor:'CrowdStrike'

version - Application version.

Examples:
  • version:'4.8.4320.0'
  • version:'108.0.5359.99'

name_vendor - The app name and vendor name for all application IDs with this application name; this field can be used to group results by application.

Examples:
  • name_vendor:'Chrome-Google'
  • name_vendor:'Tools-VMware'

name_vendor_version - The app name, vendor name, and vendor version for all application IDs with this application name; this field can be used to group results by application version.

Examples:
  • name_vendor_version:'Chrome-Google-108.0.5359.99'
  • name_vendor_version:'Flash Player-Adobe-32.0.0.387'

versioning_scheme - Versioning scheme of the application.

Example: versioning_scheme:'semver'

groups - All application groups the application is assigned to. For more info, see Create application groups.

Example: groups:'ExampleAppGroup'

category - Category the application is in. For more info, see Understanding applications.

Examples:
  • category:'IT/Security Apps'
  • category:'Web Browsers'
  • category:'Back up and Recovery'

architectures - Application architecture.

Examples:
  • architectures:'x86'
  • architectures:!'x64'

installation_paths - File paths on the asset to the application's executable file or folder.

Examples:
  • installation_paths:'C:\Program Files\Internet Explorer\iexplore.exe'
  • installation_paths:'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
installation_timestampDate and time the application was installed, if available.

Example: installation_timestamp:'2023-01-11T00:00:00.000Z'
first_seen_timestampDate and time the application was first seen.

Example: first_seen_timestamp:'2022-12-22T12:41:47.417Z'
last_updated_timestampDate and time the installation fields of the application instance most recently changed.

Example: last_updated_timestamp:'2022-12-22T12:41:47.417Z'
last_used_user_sidFor Windows and macOS: Security identifier of the account that most recently used the application.

Example: last_used_user_sid:'S-1-x-x-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx1'
last_used_user_nameFor Windows and macOS: Username of the account that most recently used the application.

Examples:
  • last_used_user_name:'Administrator'
  • last_used_user_name:'xiany'
last_used_file_nameFor Windows and macOS: Most recent file name used for the application.

Examples:
  • last_used_file_name:'setup.exe'
  • last_used_file_name:'putty.exe'
last_used_file_hashFor Windows and macOS: Most recent file hash used for the application.

Example: last_used_file_hash:'0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa'
last_used_timestampFor Windows and macOS: Date and time the application was most recently used.

Example: last_used_timestamp:'2023-01-10T23:00:00.000Z'
is_normalizedFor Windows: Whether the application name is normalized (true or false).

Applications can have different naming variations that result in different records for each variation, for example, Acrobat Reader, Adobe Acrobat Reader, and Acrobat. To avoid this duplication, the most common applications are listed under a single normalized application name, for example, Acrobat.

Example: is_normalized:true
is_suspiciousWhether the application is suspicious based on how often it's been seen in a detection on that asset (true or false).

Examples: is_suspicious:true or is_suspicious:!false
host.idUnique ID of the asset the application is on.

Example: host.id:'a89xxxxxxxxxxxxxxxxxxxxxxxxx08e_137xxxxxxxxxxxx191'
host.aidID of the Falcon sensor installed on the asset the application is on.

Example: host.aid:'14xxxxxxxxxxxxxxxxxxxxxxxxxxxx2f'
host.countryName of the country where the asset the application is on is located.

Examples: host.country:'United States Of America' or host.country:!'Germany'
host.platform_nameThe platform name of the asset the application is on (Windows, Mac, Linux).

Examples: host.platform_name:'Windows' or host.platform_name:!'Linux'
host.os_versionOS version of the asset the application is on.

Examples:
  • host.os_version:'Windows 10'
  • host.os_version:!'Ubuntu 16.04'
  • host.os_version:*'Win*'
host.kernel_versionFor Linux and Mac: The major version, minor version, and patch version of the kernel for the asset the application is on.

For Windows: the build number of the asset the application is on.

Examples:
  • host.kernel_version:'7601'
  • host.kernel_version:!'7601'
  • host.kernel_version:*'*01'
host.product_type_descThe product type of the asset the application is on (Workstation, Domain Controller, Server).

Examples:
  • host.product_type_desc:'Workstation'
  • host.product_type_desc:!'Domain Controller'
  • host.product_type_desc:'Server'
host.tagsSensor and cloud tags of the asset the application is on.

Examples:
  • host.tags:'FalconTag/Tag1'
  • host.tags:!'FalconTag/Tag1'
  • host.tags:*'Falcon*'
host.groupsHost management groups the asset the application is on is part of.

Examples:
  • host.groups:'Workstations'
  • host.groups:!'QA Computers'
  • host.groups:*'Windows*'
host.agent_versionVersion of the Falcon sensor that's installed on the asset the application is on.

Examples:
  • host.agent_version:'6.24.13806.0'
  • host.agent_version:!'6.24.13806.0'
  • host.agent_version:*'6.24.*'
host.system_manufacturerSystem manufacturer of the asset the application is on.

Examples:
  • host.system_manufacturer:'VMware, Inc.'
  • host.system_manufacturer:!'VMware, Inc.'
  • host.system_manufacturer:*'*VMware*'
host.ouOrganizational unit of the asset the application is on.

Examples: host.ou:'Endpoints' or host.ou:!'Endpoints'
host.machine_domainDomain name the asset the application is on is currently joined to.

Examples:
  • host.machine_domain:'domain.example.com'
  • host.machine_domain:!'domain.example.com'
  • host.machine_domain:*'*example.com'
host.site_nameSite name of the domain the asset the asset the application is on is joined to (applies only to Windows hosts).

Examples:
  • host.site_name:'web-120.example.com'
  • host.site_name:!'web-120.examplee.com'
  • host.site_name:*'web-120.*'
host.external_ipExternal IPv4 address of the asset the application is on.

Examples:
  • host.external_ip:'192.0.2.71'
  • host.external_ip:!'192.0.2.71'
  • host.external_ip:'192.0.2.71/24'
host.hostnameHostname of the asset the application is on.

Examples: host.hostname:'ABC-123-DEF-456' or host.hostname:!'ABC-123-DEF-456'
host.current_network_prefixMost recent network prefix of the asset the application is on.

Examples: host.network_prefix:'192.0' or host.network_prefix:!'192.0'
host.internet_exposureWhether the asset the application is on is exposed to the internet (Yes or Unknown).

Examples: host.internet_exposure:'Yes' or host.internet_exposure:!'Unknown'
host.current_mac_addressMost recent MAC address of the asset the application is on.

Examples:
  • host.current_mac_address:'A1-B2-C4-D5-E5-F6'
  • host.current_mac_address:*'A1-B2-C4*'

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_applications(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string"
                                     )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_applications",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_hosts

Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_hosts

Endpoint

GET /discover/queries/hosts/v1

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

  • filter (query, string; Service and Uber class): Filter assets using a FQL query. A complete list of available filters is in the Available FQL Filters table below.
  • limit (query, integer; Service and Uber class): The number of asset IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results.
  • offset (query, string; Service and Uber class): An offset used with the limit parameter to manage pagination of results. On your first request, don't provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
  • parameters (query, dictionary; Service and Uber class): Full query string parameters payload in JSON format.
  • sort (query, string; Service and Uber class): Sort assets by their properties. A single sort field is allowed. Common sort options include hostname|asc and product_type_desc|desc.
Available FQL Filters

The following properties are acceptable values for the filter keyword described above.

  • agent_version
  • aid
  • bios_manufacturer
  • bios_version
  • cid
  • city
  • confidence
  • country
  • current_local_ip
  • discoverer_aids
  • discoverer_count
  • discoverer_platform_names
  • discoverer_product_type_descs
  • discoverer_tags
  • entity_type
  • external_ip
  • first_discoverer_aid
  • first_discoverer_ip
  • first_seen_timestamp
  • groups
  • hostname
  • id
  • kernel_version
  • last_discoverer_aid
  • last_seen_timestamp
  • local_ips_count
  • machine_domain
  • network_interfaces
  • network_interfaces.interface_alias
  • network_interfaces.interface_description
  • network_interfaces.local_ip
  • network_interfaces.mac_address
  • network_interfaces.network_prefix
  • os_version
  • ou
  • platform_name
  • product_type
  • product_type_desc
  • site_name
  • system_manufacturer
  • system_product_name
  • system_serial_number
  • tags

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_hosts(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_hosts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_iot_hosts

Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_iot_hosts

Endpoint

GET /discover/queries/iot-hosts/v1

Required Scope

discover-iot:read

Content-Type

  • Produces: application/json

Keyword Arguments

  • filter (query, string; Service and Uber class): Filter assets using a FQL query. A complete list of available filters is in the Available FQL Filters table below.
  • limit (query, integer; Service and Uber class): The number of IoT asset IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results.
  • offset (query, string; Service and Uber class): An offset used with the limit parameter to manage pagination of results. On your first request, don't provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
  • parameters (query, dictionary; Service and Uber class): Full query string parameters payload in JSON format.
  • sort (query, string; Service and Uber class): Sort IoT assets by their properties. A single sort field is allowed. Common sort options include hostname|asc and product_type_desc|desc.
Available FQL Filters

The following properties are acceptable values for the filter keyword described above.

  • agent_version
  • aid
  • bios_manufacturer
  • bios_version
  • business_criticality
  • cid
  • city
  • claroty_id
  • confidence
  • country
  • current_local_ip
  • data_providers
  • data_providers_count
  • device_class
  • device_family
  • device_type
  • discoverer_count
  • discoverer_product_type_descs
  • discoverer_tags
  • entity_type
  • external_ip
  • first_seen_timestamp
  • groups
  • hostname
  • ics_id
  • id
  • internet_exposure
  • kernel_version
  • last_seen_timestamp
  • local_ip_addresses
  • local_ips_count
  • mac_addresses
  • machine_domain
  • network_id
  • network_interfaces
  • network_interfaces.interface_alias
  • network_interfaces.interface_description
  • network_interfaces.local_ip
  • network_interfaces.mac_address
  • network_interfaces.network_prefix
  • number_of_disk_drives
  • os_is_eol
  • os_version
  • ou
  • physical_core_count
  • platform_name
  • processor_package_count
  • product_type_desc
  • protocols
  • purdue_level
  • reduced_functionality_mode
  • site_name
  • subnet
  • system_manufacturer
  • system_product_name
  • system_serial_number
  • tags
  • virtual_zone
  • vlan

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_iot_hosts(offset=integer,
                                  limit=integer,
                                  sort="string",
                                  filter="string"
                                  )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_iot_hosts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )

print(response)

query_logins

Search for logins in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of login IDs which match the filter criteria.

PEP8 method name

query_logins

Endpoint

GET /discover/queries/logins/v1

Required Scope

discover:read

Content-Type

  • Produces: application/json

Keyword Arguments

  • filter (query, string; Service and Uber class): Filter logins using a FQL query. A complete list of available filters is in the Available FQL Filters table below.
  • limit (query, integer; Service and Uber class): The number of login IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results.
  • offset (query, string; Service and Uber class): An offset used with the limit parameter to manage pagination of results. On your first request, don't provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
  • parameters (query, dictionary; Service and Uber class): Full query string parameters payload in JSON format.
  • sort (query, string; Service and Uber class): Sort logins by their properties. A single sort field is allowed. Common sort options include account_name|asc and login_timestamp|desc.
Available FQL Filters

Common filters include:

  • account_type:'Local'
  • login_type:'Interactive'
  • first_seen_timestamp:<'now-7d'
  • admin_privileges:'No'

The following properties are acceptable values for the filter keyword described above.

  • id
  • cid
  • login_status
  • account_id
  • host_id
  • user_sid
  • aid
  • account_name
  • username
  • hostname
  • account_type
  • login_type
  • login_timestamp
  • login_domain
  • admin_privileges
  • local_ip
  • remote_ip
  • host_country
  • host_city
  • is_suspicious
  • failure_description
  • login_event_count
  • aggregation_time_interval

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_logins(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_logins",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
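
The offset contract spelled out in each query_* operation's keyword arguments above (no offset on the first request, then the offset from the previous response until the results are exhausted), the FQL syntax shown in the query_applications filter examples (exact match, ! negation, comma-separated OR, range comparison) and the common query_logins filters, put together in one added example. This is not FalconPy project code. It assumes FALCON_CLIENT_ID and FALCON_CLIENT_SECRET environment variables, a batch size of 100 IDs per get_* call, that FalconPy responses expose meta.pagination.offset and meta.pagination.total, and that FQL accepts '+' for AND and parentheses around an OR group; the helper names (fql_value, paginate, hydrate, fake_query) and the synthetic IDs in fake_query are the example's own.

```python
# Added example (not FalconPy project code): page through Discover query_* operations,
# build FQL filters from untrusted values, and hydrate the IDs with the matching get_* call.
import os
from typing import Callable, Dict, Iterator, List, Sequence

PAGE_LIMIT = 100    # documented maximum for limit on the Discover query_* operations
DETAIL_BATCH = 100  # assumed maximum IDs per get_* call (not stated on this page)


def fql_value(value) -> str:
    """Render a value as an FQL literal. Strings are single-quoted; one containing a
    quote is rejected so input like "x',cid:'y" cannot close the literal and add clauses."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    text = str(value)
    if "'" in text:
        raise ValueError("FQL string literal may not contain a single quote")
    return f"'{text}'"

def fql_eq(field: str, value, negate: bool = False) -> str:
    """field:'value', or field:!'value' when negated (as in architectures:!'x64')."""
    return f"{field}:{'!' if negate else ''}{fql_value(value)}"

def fql_cmp(field: str, op: str, value) -> str:
    """Range comparison such as first_seen_timestamp:>'now-7d'; the operator is allow-listed."""
    if op not in ("<", "<=", ">", ">="):
        raise ValueError(f"unsupported FQL operator {op!r}")
    return f"{field}:{op}{fql_value(value)}"

def fql_any(field: str, values: Sequence) -> str:
    """OR across values of one field (comma-separated, as in the cid examples); the
    parentheses keep the OR intact when the clause is joined to others with '+'."""
    return "(" + ",".join(fql_eq(field, v) for v in values) + ")"

def fql(*clauses: str) -> str:
    """AND the clauses together with '+'."""
    return "+".join(clauses)

def paginate(query: Callable[..., Dict], **params) -> Iterator[str]:
    """Yield every ID matched by a Discover query_* operation (e.g. falcon.query_logins):
    no offset on the first call, then the offset token from meta.pagination of each reply."""
    params.setdefault("limit", PAGE_LIMIT)
    offset, seen = None, 0
    while True:
        if offset is not None:
            params["offset"] = offset
        resp = query(**params)
        if resp["status_code"] != 200:
            raise RuntimeError(f"Discover query failed: {resp['body'].get('errors')}")
        body = resp["body"]
        ids = body.get("resources") or []
        yield from ids
        seen += len(ids)
        pagination = body.get("meta", {}).get("pagination", {})
        offset, total = pagination.get("offset"), pagination.get("total")
        if not ids or offset in (None, "") or (total is not None and seen >= total):
            return

def hydrate(get: Callable[..., Dict], ids: Sequence[str]) -> List[Dict]:
    """Resolve query_* IDs with the matching get_* operation, DETAIL_BATCH IDs per call."""
    details: List[Dict] = []
    for start in range(0, len(ids), DETAIL_BATCH):
        resp = get(ids=list(ids[start:start + DETAIL_BATCH]))
        if resp["status_code"] != 200:
            raise RuntimeError(f"Discover get failed: {resp['body'].get('errors')}")
        details.extend(resp["body"].get("resources") or [])
    return details

def fake_query(total: int) -> Callable[..., Dict]:
    """Constructed stand-in for a query_* operation over synthetic IDs (test data, not API output)."""
    ids = [f"id-{i:04d}" for i in range(total)]

    def query(**params):
        start = int(params.get("offset") or 0)
        page = ids[start:start + params["limit"]]
        return {"status_code": 200, "headers": {}, "body": {
            "meta": {"pagination": {"offset": str(start + len(page)),
                                    "limit": params["limit"], "total": total}},
            "resources": page, "errors": []}}
    return query

# Interactive logins by privileged accounts first seen in the last 7 days, built from the
# common filters listed for query_logins (admin_privileges:'No' negated, comparison flipped).
NEW_PRIVILEGED_INTERACTIVE_LOGINS = fql(
    fql_eq("login_type", "Interactive"),
    fql_eq("admin_privileges", "No", negate=True),
    fql_cmp("first_seen_timestamp", ">", "now-7d"),
)

if __name__ == "__main__":
    from falconpy import Discover  # real client, only needed for a live run
    # Environment variable names are an assumption; never hardcode credentials.
    falcon = Discover(client_id=os.environ["FALCON_CLIENT_ID"],
                      client_secret=os.environ["FALCON_CLIENT_SECRET"])
    ids = list(paginate(falcon.query_logins, filter=NEW_PRIVILEGED_INTERACTIVE_LOGINS,
                        sort="login_timestamp|desc"))
    for login in hydrate(falcon.get_logins, ids):
        print(login.get("login_timestamp"), login.get("hostname"), login.get("account_name"))
```

paginate takes any bound FalconPy method, so the same loop drives query_applications, query_hosts and query_iot_hosts; pair it with the corresponding get_* operation in hydrate. Because limit is capped at 100, a query matching N IDs costs ceil(N/100) calls, which is why the filter should do as much narrowing as possible server-side. fql_value refuses values containing a single quote instead of trying to escape them, so a hostname or user name pasted from a ticket or a web form cannot terminate the literal and rewrite the rest of the filter (for example widening a cid clause in a multi-CID tenant).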

query_iot_hostsV2

Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_iot_hosts_v2

Endpoint

GET /discover/queries/iot-hosts/v2

Required Scope

discover-iot:read

Content-Type

  • Produces: application/json

Keyword Arguments

  • filter (query, string; Service and Uber class): Filter assets using a FQL query. A complete list of available filters is in the Available FQL Filters table below.
  • limit (query, integer; Service and Uber class): The number of IoT asset IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results.
  • offset (query, string; Service and Uber class): An offset used with the limit parameter to manage pagination of results. On your first request, don't provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
  • parameters (query, dictionary; Service and Uber class): Full query string parameters payload in JSON format.
  • sort (query, string; Service and Uber class): Sort IoT assets by their properties. A single sort field is allowed. Common sort options include hostname|asc and product_type_desc|desc.
Available FQL Filters

The following properties are acceptable values for the filter keyword described above.

  • agent_version
  • aid
  • bios_manufacturer
  • bios_version
  • business_criticality
  • cid
  • city
  • claroty_id
  • confidence
  • country
  • current_local_ip
  • data_providers
  • data_providers_count
  • device_class
  • device_family
  • device_type
  • discoverer_count
  • discoverer_product_type_descs
  • discoverer_tags
  • entity_type
  • external_ip
  • first_seen_timestamp
  • groups
  • hostname
  • ics_id
  • id
  • internet_exposure
  • kernel_version
  • last_seen_timestamp
  • local_ip_addresses
  • local_ips_count
  • mac_addresses
  • machine_domain
  • network_id
  • network_interfaces
  • network_interfaces.interface_alias
  • network_interfaces.interface_description
  • network_interfaces.local_ip
  • network_interfaces.mac_address
  • network_interfaces.network_prefix
  • number_of_disk_drives
  • os_is_eol
  • os_version
  • ou
  • physical_core_count
  • platform_name
  • processor_package_count
  • product_type_desc
  • protocols
  • purdue_level
  • reduced_functionality_mode
  • site_name
  • subnet
  • system_manufacturer
  • system_product_name
  • system_serial_number
  • tags
  • virtual_zone
  • vlan

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_iot_hosts_v2(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string"
                                     )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_iot_hosts_v2",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)