Using the Exposure Management service collection

Table of Contents

| Operation ID | PEP8 method name | Description |
| --- | --- | --- |
| aggregate_external_assets | aggregate_assets | Returns external assets aggregates. |
| blob_download_external_assets | download_assets | Download the entire contents of the blob. The relative link to this endpoint is returned in the GET /entities/external-assets/v1 request. |
| blob_preview_external_assets | preview_assets | Download a preview of the blob. The relative link to this endpoint is returned in the GET /entities/external-assets/v1 request. |
| get_external_assets | get_assets | Get details on external assets by providing one or more IDs. |
| delete_external_assets | delete_assets | Delete multiple external assets. |
| patch_external_assets | update_assets | Update the details of external assets. |
| query_external_assets | query_assets | Get a list of external asset IDs that match the provided filter conditions. Use these IDs with the /entities/external-assets/v1 endpoints. |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Note that none of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

aggregate_external_assets

Returns external assets aggregates.

PEP8 method name

aggregate_assets

Endpoint

| Method | Route |
| --- | --- |
| POST | /fem/aggregates/external-assets/v1 |

Required Scope

assets:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Yes | Yes | body | dictionary | Full body payload as a dictionary. Not required when using other keywords. |
| date_ranges | Yes | No | body | list of dictionaries | Applies to date_range aggregations. Example: [{"from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z"}, {"from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z"}] |
| exclude | Yes | No | body | string | Elements to exclude. |
| field | Yes | No | body | string | The field on which to compute the aggregation. |
| filter | Yes | No | body | string | FQL syntax formatted string to use to filter the results. |
| from | Yes | No | body | integer | Starting position. |
| include | Yes | No | body | string | Elements to include. |
| interval | Yes | No | body | string | Time interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute. |
| max_doc_count | Yes | No | body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | Yes | No | body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | Yes | No | body | string | The value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | Yes | No | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | Yes | No | body | string | Full text search across all metadata fields. |
| ranges | Yes | No | body | list of dictionaries | Applies to range aggregations. Range values will depend on field. For example, if max_severity is used, ranges might look like: [{"From": 0, "To": 70}, {"From": 70, "To": 100}] |
| size | Yes | No | body | integer | The max number of term buckets to be returned. |
| sub_aggregates | Yes | No | body | list of dictionaries | A nested aggregation, such as: [{"name": "max_first_behavior", "type": "max", "field": "first_behavior"}]. There is a maximum of 3 nested aggregations per request. |
| sort | Yes | No | body | string | FQL syntax string to sort bucket results. Options are listed below the table. |
| time_zone | Yes | No | body | string | Time zone for bucket results. |
| type | Yes | No | body | string | Type of aggregation. Valid values are listed below the table. |

Options for sort:
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format. Example: _count|desc

Valid values for type:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_range = {
    "from": "string",
    "to": "string"
}

search_range = {
    "From": integer,
    "To": integer
}

# "from" is a reserved word in Python and cannot be written as a keyword
# argument, so it is passed through dictionary unpacking.
response = falcon.aggregate_assets(date_ranges=[date_range],
                                   exclude="string",
                                   field="string",
                                   filter="string",
                                   include="string",
                                   interval="string",
                                   max_doc_count=integer,
                                   min_doc_count=integer,
                                   missing="string",
                                   name="string",
                                   q="string",
                                   ranges=[search_range],
                                   size=integer,
                                   sort="string",
                                   time_zone="string",
                                   type="string",
                                   **{"from": integer}
                                   )
print(response)

Service class example (Operation ID syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_range = {
    "from": "string",
    "to": "string"
}

search_range = {
    "From": integer,
    "To": integer
}

# "from" is a reserved word in Python and cannot be written as a keyword
# argument, so it is passed through dictionary unpacking.
response = falcon.aggregate_external_assets(date_ranges=[date_range],
                                            exclude="string",
                                            field="string",
                                            filter="string",
                                            include="string",
                                            interval="string",
                                            max_doc_count=integer,
                                            min_doc_count=integer,
                                            missing="string",
                                            name="string",
                                            q="string",
                                            ranges=[search_range],
                                            size=integer,
                                            sort="string",
                                            time_zone="string",
                                            type="string",
                                            **{"from": integer}
                                            )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = [{
    "date_ranges": [
        {
            "from": "string",
            "to": "string"
        }
    ],
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": [
        {
            "From": integer,
            "To": integer
        }
    ],
    "size": integer,
    "sort": "string",
    "sub_aggregates": [],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_external_assets", body=body_payload)
print(response)
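
The constraints stated in the keyword table (an interval for date_histogram, date_ranges for date_range, ranges for range, at most 3 nested aggregations) can be checked before the request is sent. This is an added example, not FalconPy code: build_aggregate and AggregateError are hypothetical names, timestamps are checked against the form used in the page's example only, and the nesting limit is read conservatively as a total count across all levels.

```python
from datetime import datetime

# Values copied from the keyword table above.
VALID_TYPES = {"date_histogram", "date_range", "terms", "range", "cardinality",
               "max", "min", "avg", "sum", "percentiles"}
VALID_INTERVALS = {"year", "month", "week", "day", "hour", "minute"}
MAX_NESTED = 3  # assumption: counted over every nesting level
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # ISO 8601 form used in the page's example


class AggregateError(ValueError):
    """An aggregation body breaks a documented constraint."""


def _count_nested(aggregate):
    """Count sub-aggregations at every level below this aggregation."""
    subs = aggregate.get("sub_aggregates") or []
    return len(subs) + sum(_count_nested(sub) for sub in subs)


def _check_date_ranges(date_ranges):
    if not date_ranges:
        raise AggregateError("date_range needs at least one date_ranges entry")
    for entry in date_ranges:
        try:
            start = datetime.strptime(entry["from"], TS_FORMAT)
            end = datetime.strptime(entry["to"], TS_FORMAT)
        except (KeyError, TypeError, ValueError) as exc:
            raise AggregateError(f"bad date range {entry!r}") from exc
        if start >= end:
            raise AggregateError(f"'from' is not before 'to' in {entry!r}")


def _check_ranges(ranges):
    if not ranges:
        raise AggregateError("range needs at least one ranges entry")
    for entry in ranges:
        bounds = (entry.get("From"), entry.get("To"))
        numeric = all(isinstance(v, (int, float)) and not isinstance(v, bool)
                      for v in bounds)
        if not numeric or bounds[0] >= bounds[1]:
            raise AggregateError(f"bad numeric range {entry!r}")


def build_aggregate(name, agg_type, field, **options):
    """Return a validated aggregation dictionary or raise AggregateError."""
    if agg_type not in VALID_TYPES:
        raise AggregateError(f"unknown aggregation type {agg_type!r}")
    if agg_type == "date_histogram" and options.get("interval") not in VALID_INTERVALS:
        raise AggregateError("date_histogram requires a valid interval")
    if agg_type == "date_range":
        _check_date_ranges(options.get("date_ranges"))
    if agg_type == "range":
        _check_ranges(options.get("ranges"))
    aggregate = {"name": name, "type": agg_type, "field": field, **options}
    if _count_nested(aggregate) > MAX_NESTED:
        raise AggregateError(f"more than {MAX_NESTED} nested aggregations")
    return aggregate


if __name__ == "__main__":
    # Constructed sample: assets bucketed by type, newest sighting per bucket.
    newest = build_aggregate("newest_seen", "max", "last_seen")
    body = [build_aggregate("by_type", "terms", "asset_type", size=10,
                            sort="_count|desc", sub_aggregates=[newest])]
    print(body)  # pass as body=body to aggregate_assets
```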


blob_download_external_assets

Download the entire contents of the blob. The relative link to this endpoint is returned in the get_external_assets request.

PEP8 method name

download_assets

Endpoint

| Method | Route |
| --- | --- |
| GET | /fem/entities/blobs-download/v1 |

Required Scope

assets:read

Content-Type

  • Produces: application/octet-stream

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| assetId | Yes | Yes | query | string | The Asset ID |
| hash | Yes | Yes | query | string | The File Hash |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload as a dictionary. Not required when using other keywords. |

Usage

Service class example (PEP8 syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

with open("some_file.ext", "wb") as save_file:
    save_file.write(falcon.download_assets(assetId="string", hash="string"))

Service class example (Operation ID syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

with open("some_file.ext", "wb") as save_file:
    save_file.write(falcon.blob_download_external_assets(assetId="string", hash="string"))

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("some_file.ext", "wb") as save_file:
    save_file.write(falcon.command("blob_download_external_assets",
                                   assetId="string",
                                   hash="string"
                                   ))


blob_preview_external_assets

Download a preview of the blob. The relative link to this endpoint is returned in the get_external_assets request.

PEP8 method name

preview_assets

Endpoint

| Method | Route |
| --- | --- |
| GET | /fem/entities/blobs-preview/v1 |

Required Scope

assets:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| assetId | Yes | Yes | query | string | The Asset ID |
| hash | Yes | Yes | query | string | The File Hash |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload as a dictionary. Not required when using other keywords. |

Usage

Service class example (PEP8 syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.preview_assets(assetId="string", hash="string")
print(response)

Service class example (Operation ID syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.blob_preview_external_assets(assetId="string", hash="string")
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("blob_preview_external_assets",
                          assetId="string",
                          hash="string"
                          )
print(response)


get_external_assets

Get details on external assets by providing one or more IDs.

PEP8 method name

get_assets

Endpoint

| Method | Route |
| --- | --- |
| GET | /fem/entities/external-assets/v1 |

Required Scope

assets:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Yes | Yes | query | string or list of strings | One or more asset IDs (max: 100). Find asset IDs with query_external_assets. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload as a dictionary. Not required when using other keywords. |

Usage

Service class example (PEP8 syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_assets(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_external_assets(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_external_assets", ids=id_list)
print(response)


delete_external_assets

Delete multiple external assets.

PEP8 method name

delete_assets

Endpoint

| Method | Route |
| --- | --- |
| DELETE | /fem/entities/external-assets/v1 |

Required Scope

assets:write

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Yes | Yes | body | dictionaries | Full body payload in JSON format. |
| description | Yes | No | body | string | Delete description. |
| ids | Yes | Yes | query | string or list of strings | One or more asset IDs (max: 100). Find asset IDs with query_external_assets. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload as a dictionary. Not required when using other keywords. |

Usage

Service class example (PEP8 syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_assets(ids=id_list, description="string")
print(response)

Service class example (Operation ID syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_external_assets(ids=id_list, description="string")
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

body_payload = {
    "description": "string"
}

response = falcon.command("delete_external_assets", ids=id_list, body=body_payload)
print(response)


patch_external_assets

Update the details of external assets.

PEP8 method name

update_assets

Endpoint

| Method | Route |
| --- | --- |
| PATCH | /fem/entities/external-assets/v1 |

Required Scope

assets:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| action | Yes | Yes | body | string | The asset triage action. |
| assigned_to | Yes | Yes | body | string | The user assigned to triage the asset. |
| body | Yes | Yes | body | dictionary | Full body payload as a dictionary. Not required when using other keywords. |
| cid | Yes | Yes | body | string | Asset customer ID. |
| criticality | Yes | Yes | body | string | The criticality level manually assigned to this asset. |
| criticality_description | Yes | Yes | body | string | The criticality description manually assigned to this asset. |
| description | Yes | Yes | body | string | The asset triage description. |
| id | Yes | Yes | body | string | The unique ID of the asset. |
| status | Yes | Yes | body | string | The asset triage status. |

Usage

Service class example (PEP8 syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.update_assets(action="string",
                                assigned_to="string",
                                cid="string",
                                criticality="string",
                                criticality_description="string",
                                description="string",
                                id="string",
                                status="string"
                                )
print(response)

Service class example (Operation ID syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.patch_external_assets(action="string",
                                        assigned_to="string",
                                        cid="string",
                                        criticality="string",
                                        criticality_description="string",
                                        description="string",
                                        id="string",
                                        status="string"
                                        )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "assets": [
        {
            "cid": "string",
            "criticality": "string",
            "criticality_description": "string",
            "id": "string",
            "triage": {
                "action": "string",
                "assigned_to": "string",
                "description": "string",
                "status": "string"
            }
        }
    ]
}

response = falcon.command("patch_external_assets", body=body_payload)
print(response)


query_external_assets

Get a list of external asset IDs that match the provided filter conditions. Use these IDs with the GET and PATCH endpoints.

PEP8 method name

query_assets

Endpoint

| Method | Route |
| --- | --- |
| GET | /fem/queries/external-assets/v1 |

Required Scope

assets:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | Yes | Yes | query | string | Filter assets using an FQL query. Common filter options include asset_type:'ip' and last_seen_timestamp:>'now-7d'. All filter fields and operations support negation (!). |
| limit | Yes | Yes | query | integer | Number of IDs to return. |
| offset | Yes | Yes | query | string | Starting index of result set from which to return IDs. |
| sort | Yes | Yes | query | string | Order by fields. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload as a dictionary. Not required when using other keywords. |

Available filters (Exact Match)

| asset_id | asset_type |
| confidence | connectivity_status |
| criticality | criticality_description |
| criticality_timestamp | criticality_username |
| data_providers | discovered_by |
| dns_domain.fqdn | dns_domain.isps |
| dns_domain.parent_domain | dns_domain.resolved_ips |
| dns_domain.services.applications.category | dns_domain.services.applications.cpe |
| dns_domain.services.applications.name | dns_domain.services.applications.vendor |
| dns_domain.services.applications.version | dns_domain.services.cloud_provider |
| dns_domain.services.cpes | dns_domain.services.hosting_provider |
| dns_domain.services.last_seen | dns_domain.services.platform_name |
| dns_domain.services.port | dns_domain.services.protocol |
| dns_domain.services.protocol_port | dns_domain.services.status |
| dns_domain.services.status_code | dns_domain.services.transport |
| dns_domain.type | first_seen |
| id | internet_exposure |
| ip.asn | ip.cloud_vm.description |
| ip.cloud_vm.instance_id | ip.cloud_vm.lifecycle |
| ip.cloud_vm.mac_address | ip.cloud_vm.owner_id |
| ip.cloud_vm.platform | ip.cloud_vm.private_ip |
| ip.cloud_vm.public_ip | ip.cloud_vm.region |
| ip.cloud_vm.security_groups | ip.cloud_vm.source |
| ip.cloud_vm.status | ip.fqdns |
| ip.ip_address | ip.isp |
| ip.location.area_code | ip.location.city |
| ip.location.country_code | ip.location.country_name |
| ip.location.postal_code | ip.location.region_code |
| ip.location.region_name | ip.location.timezone |
| ip.ptr | ip.aid |
| ip.services.applications.category | ip.services.applications.cpe |
| ip.services.applications.name | ip.services.applications.vendor |
| ip.services.applications.version | ip.services.cloud_provider |
| ip.services.cpes | ip.services.first_seen |
| ip.services.last_seen | ip.services.platform_name |
| ip.services.port | ip.services.protocol |
| ip.services.protocol_port | ip.services.status |
| ip.services.status_code | ip.services.transport |
| last_seen | manual |
| perimeter | subsidiaries.id |
| subsidiaries.name | triage.action |
| triage.assigned_to | triage.status |
| triage.updated_by | triage.updated_timestamp |

Available filter fields that support wildcard (*)

| asset_id | asset_type |
| confidence | connectivity_status |
| criticality | criticality_username |
| data_providers | discovered_by |
| dns_domain.fqdn | dns_domain.isps |
| dns_domain.parent_domain | dns_domain.resolved_ips |
| dns_domain.services.applications.category | dns_domain.services.applications.cpe |
| dns_domain.services.applications.name | dns_domain.services.applications.vendor |
| dns_domain.services.applications.version | dns_domain.services.cloud_provider |
| dns_domain.services.cpes | dns_domain.services.hosting_provider |
| dns_domain.services.id | dns_domain.services.platform_name |
| dns_domain.services.port | dns_domain.services.protocol |
| dns_domain.services.protocol_port | dns_domain.services.status |
| dns_domain.services.status_code | dns_domain.services.transport |
| dns_domain.type | id |
| internet_exposure | ip.asn |
| ip.cloud_vm.instance_id | ip.cloud_vm.lifecycle |
| ip.cloud_vm.mac_address | ip.cloud_vm.owner_id |
| ip.cloud_vm.platform | ip.cloud_vm.private_ip |
| ip.cloud_vm.public_ip | ip.cloud_vm.region |
| ip.cloud_vm.security_groups | ip.cloud_vm.source |
| ip.cloud_vm.status | ip.fqdns |
| ip.ip_address | ip.isp |
| ip.location.area_code | ip.location.city |
| ip.location.country_code | ip.location.country_name |
| ip.location.postal_code | ip.location.region_code |
| ip.location.region_name | ip.location.timezone |
| ip.ptr | ip.aid |
| ip.services.applications.category | ip.services.applications.cpe |
| ip.services.applications.name | ip.services.applications.vendor |
| ip.services.applications.version | ip.services.cloud_provider |
| ip.services.cpes | ip.services.platform_name |
| ip.services.port | ip.services.protocol |
| ip.services.protocol_port | ip.services.status |
| ip.services.status_code | ip.services.transport |
| manual | perimeter |
| subsidiaries.id | subsidiaries.name |
| triage.action | triage.assigned_to |
| triage.status | triage.updated_by |

Available filter fields that support lists ([v1, v2])

| asset_id | asset_type |
| confidence | connectivity_status |
| criticality | criticality_username |
| data_providers | discovered_by |
| dns_domain.fqdn | dns_domain.isps |
| dns_domain.parent_domain | dns_domain.services.applications.category |
| dns_domain.services.applications.cpe | dns_domain.services.applications.name |
| dns_domain.services.applications.vendor | dns_domain.services.applications.version |
| dns_domain.services.cloud_provider | dns_domain.services.cpes |
| dns_domain.services.id | dns_domain.services.platform_name |
| dns_domain.services.port | dns_domain.services.protocol |
| dns_domain.services.protocol_port | dns_domain.services.status |
| dns_domain.services.status_code | dns_domain.services.transport |
| dns_domain.type | id |
| internet_exposure | ip.asn |
| ip.cloud_vm.instance_id | ip.cloud_vm.lifecycle |
| ip.cloud_vm.mac_address | ip.cloud_vm.owner_id |
| ip.cloud_vm.platform | ip.cloud_vm.region |
| ip.cloud_vm.security_groups | ip.cloud_vm.source |
| ip.cloud_vm.status | ip.fqdns |
| ip.isp | ip.location.area_code |
| ip.location.city | ip.location.country_code |
| ip.location.country_name | ip.location.postal_code |
| ip.location.region_code | ip.location.region_name |
| ip.location.timezone | ip.ptr |
| ip.aid | ip.services.applications.category |
| ip.services.applications.cpe | ip.services.applications.name |
| ip.services.applications.vendor | ip.services.applications.version |
| ip.services.cloud_provider | ip.services.cpes |
| ip.services.platform_name | ip.services.port |
| ip.services.protocol | ip.services.protocol_port |
| ip.services.status | ip.services.status_code |
| ip.services.transport | manual |
| perimeter | subsidiaries.id |
| subsidiaries.name | triage.action |
| triage.assigned_to | triage.status |
| triage.updated_by | |

Available filter fields that support range comparisons (>, <, >=, <=)

| criticality_timestamp | dns_domain.resolved_ips |
| dns_domain.services.first_seen | dns_domain.services.last_seen |
| dns_domain.services.port | dns_domain.services.status_code |
| first_seen | ip.cloud_vm.private_ip |
| ip.cloud_vm.public_ip | ip.ip_address |
| ip.services.first_seen | ip.services.last_seen |
| ip.services.port | ip.services.status_code |
| last_seen | triage.updated_timestamp |

Usage

Service class example (PEP8 syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_assets(offset="string",
                               limit=integer,
                               sort="string",
                               filter="string"
                               )
print(response)

Service class example (Operation ID syntax)

from falconpy import ExposureManagement

falcon = ExposureManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_external_assets(offset="string",
                                        limit=integer,
                                        sort="string",
                                        filter="string"
                                        )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_external_assets",
                          offset="string",
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
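
The credential warning, the query_assets paging keywords and the 100-ID limit of get_assets fit together as follows. This is an added example, not FalconPy's own code: the environment variable names FALCON_CLIENT_ID and FALCON_CLIENT_SECRET, the helper names, and the reading of offset as a numeric start index sent as a string are assumptions, and the code expects FalconPy's response dictionary with status_code and body.resources.

```python
import os

MAX_IDS_PER_GET = 100  # "max: 100" in the get_external_assets keyword table


def credentials_from_env(environ=os.environ):
    """Read API credentials from the environment instead of source code."""
    try:
        return {"client_id": environ["FALCON_CLIENT_ID"],          # assumed name
                "client_secret": environ["FALCON_CLIENT_SECRET"]}  # assumed name
    except KeyError as missing:
        raise RuntimeError(f"{missing.args[0]} is not set") from None


def _resources(response, operation):
    """Return body.resources, failing loudly on anything but HTTP 200."""
    if response.get("status_code") != 200:
        errors = response.get("body", {}).get("errors")
        raise RuntimeError(f"{operation} failed: {response.get('status_code')} {errors}")
    return response["body"].get("resources") or []


def query_all_ids(client, fql, page_size=100):
    """Page through query_assets until a short page is returned."""
    ids, seen, offset = [], set(), 0
    while True:
        response = client.query_assets(filter=fql, limit=page_size,
                                       offset=str(offset))
        page = _resources(response, "query_assets")
        fresh = [asset_id for asset_id in page if asset_id not in seen]
        ids.extend(fresh)
        seen.update(fresh)
        # Stop on a short page, or when a page repeats IDs already collected
        # (which would mean the offset was not honoured).
        if len(page) < page_size or not fresh:
            return ids
        offset += len(page)


def fetch_assets(client, ids):
    """Fetch asset details in batches that respect the 100-ID limit."""
    assets = []
    for start in range(0, len(ids), MAX_IDS_PER_GET):
        batch = ids[start:start + MAX_IDS_PER_GET]
        assets.extend(_resources(client.get_assets(ids=batch), "get_assets"))
    return assets


if __name__ == "__main__":
    from falconpy import ExposureManagement

    falcon = ExposureManagement(**credentials_from_env())
    exposed = fetch_assets(falcon, query_all_ids(falcon, "asset_type:'ip'"))
    print(f"{len(exposed)} external IP assets")
```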
