CrowdStrike Falcon CrowdStrike Subreddit

Using the Recon service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation IDDescription
AggregateNotificationsExposedDataRecordsV1
PEP8aggregate_notifications_exposed_data_records
Get notification exposed data record aggregates as specified via JSON in request body.
AggregateNotificationsV1
PEP 8aggregate_notifications
Get notification aggregates as specified via JSON in request body.
PreviewRuleV1
PEP 8preview_rule
Preview rules notification count and distribution. This will return aggregations on: channel, count, site.
GetActionsV1
PEP 8get_actions
Get actions based on their IDs. IDs can be retrieved using the QueryActionsV1 operation.
CreateActionsV1
PEP 8create_actions
Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.
DeleteActionV1
PEP 8delete_action
Delete an action from a monitoring rule based on the action ID.
UpdateActionV1
PEP 8update_action
Update an action for a monitoring rule.
GetFileContentForExportJobsV1
PEP8get_export_job_file_contents
Download the file associated with a job ID.
GetExportJobsV1
PEP8get_export_jobs
Get the status of export jobs based on their IDs. Export jobs can be launched by calling POST /entities/exports/v1. When a job is complete, use the job ID to download the file(s) associated with it using GET entities/export-files/v1.
CreateExportJobsV1
PEP8create_export_jobs
Launch asynchronous export job. Use the job ID to poll the status of the job using GET /entities/exports/v1.
DeleteExportJobsV1
PEP8delete_export_jobs
Delete export jobs (and their associated file(s)) based on their IDs.
GetNotificationsDetailedTranslatedV1
PEP 8get_notifications_detailed_translated
Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request
GetNotificationsDetailedV1
PEP 8get_notifications_detailed
Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.
GetNotificationsExposedDataRecordsV1
PEP8get_notifications_exposed_data_records
Get notifications exposed data records based on their IDs. IDs can be retrieved using the QueryNotificationsExposedDataRecordsV1 operation. The associate notification can be fetched using the notifications operations.
GetNotificationsTranslatedV1
PEP 8get_notifications_translated
Get notifications based on their IDs. IDs can be retrieved using the QueryNotificationsV1 operation. This endpoint will return translated notification content. The only target language available is English.
GetNotificationsV1
PEP 8get_notifications
Get notifications based on their IDs. IDs can be retrieved using the QueryNotificationsV1 operation.
DeleteNotificationsV1
PEP 8delete_notifications
Delete notifications based on IDs. Notifications cannot be recovered after they are deleted.
UpdateNotificationsV1
PEP 8update_notifications
Update notification status or assignee. Accepts bulk requests
GetRulesV1
PEP 8get_rules
Get monitoring rules rules by provided IDs.
CreateRulesV1
PEP 8create_rules
Create monitoring rules.
DeleteRulesV1
PEP 8delete_rules
Delete monitoring rules.
UpdateRulesV1
PEP 8update_rules
Update monitoring rules.
QueryActionsV1
PEP 8query_actions
Query actions based on provided criteria. Use the IDs from this response to get the action entities on GetActionsV1.
QueryNotificationsExposedDataRecordsV1
PEP8query_notifications_exposed_data_records
Query notifications exposed data records based on provided criteria. Use the IDs from this response to get the notification +entities on GetNotificationsExposedDataRecordsV1.
QueryNotificationsV1
PEP 8query_notifications
Query notifications based on provided criteria. Use the IDs from this response to get the notification entities on GetNotificationsV1 or GetNotificationsDetailedV1.
QueryRulesV1
PEP 8query_rules
Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on GetRulesV1.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

AggregateNotificationsExposedDataRecordsV1

Get notification exposed data record aggregates as specified via JSON in request body.

PEP8 method name

aggregate_notifications_exposed_data_records

Endpoint

MethodRoute
POST/recon/aggregates/notifications-exposed-data-records/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy.recon import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_notifications_exposed_data_records(date_ranges=date_ranges,
                                                               exclude="string",
                                                               field="string",
                                                               filter="string",
                                                               from=integer,
                                                               include="string",
                                                               interval="string",
                                                               max_doc_count=integer,
                                                               min_doc_count=integer,
                                                               missing="string",
                                                               name="string",
                                                               q="string",
                                                               ranges=ranges,
                                                               size=integer,
                                                               sort="string",
                                                               time_zone="string",
                                                               type="string"
                                                               )

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateNotificationsExposedDataRecordsV1(date_ranges=date_ranges,
                                                             exclude="string",
                                                             field="string",
                                                             filter="string",
                                                             from=integer,
                                                             include="string",
                                                             interval="string",
                                                             max_doc_count=integer,
                                                             min_doc_count=integer,
                                                             missing="string",
                                                             name="string",
                                                             q="string",
                                                             ranges=ranges,
                                                             size=integer,
                                                             sort="string",
                                                             time_zone="string",
                                                             type="string"
                                                             )

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateNotificationsExposedDataRecordsV1", body=BODY)

print(response)

Back to Table of Contents

AggregateNotificationsV1

Get notification aggregates as specified via JSON in request body.

PEP8 method name

aggregate_notifications

Endpoint

MethodRoute
POST/recon/aggregates/notifications/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_notifications(date_ranges=date_ranges,
                                          exclude="string",
                                          field="string",
                                          filter="string",
                                          from=integer,
                                          include="string",
                                          interval="string",
                                          max_doc_count=integer,
                                          min_doc_count=integer,
                                          missing="string",
                                          name="string",
                                          q="string",
                                          ranges=ranges,
                                          size=integer,
                                          sort="string",
                                          time_zone="string",
                                          type="string"
                                          )

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateNotificationsV1(date_ranges=date_ranges,
                                           exclude="string",
                                           field="string",
                                           filter="string",
                                           from=integer,
                                           include="string",
                                           interval="string",
                                           max_doc_count=integer,
                                           min_doc_count=integer,
                                           missing="string",
                                           name="string",
                                           q="string",
                                           ranges=ranges,
                                           size=integer,
                                           sort="string",
                                           time_zone="string",
                                           type="string"
                                           )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateNotificationsV1", body=BODY)

print(response)

Back to Table of Contents

PreviewRuleV1

Preview rules notification count and distribution. This will return aggregations on: channel, count, site.

PEP8 method name

preview_rule

Endpoint

MethodRoute
POST/recon/aggregates/rules-preview/GET/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
filter
Service Class Support

Uber Class Support
bodystringFQL Syntax formatted string used to limit results.
topic
Service Class Support

Uber Class Support
bodystringRestricts results to the topic specified.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.preview_rule(filter="string", topic="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.PreviewRuleV1(filter="string", topic="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
  "filter": "string",
  "topic": "string"
}

response = falcon.command("PreviewRuleV1", body=BODY)

print(response)

Back to Table of Contents

GetActionsV1

Get actions based on their IDs. IDs can be retrieved using the QueryActionsV1 operation.

PEP8 method name

get_actions

Endpoint

MethodRoute
GET/recon/entities/actions/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsAction IDs to retrieve.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_actions(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetActionsV1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetActionsV1", ids=id_list)

print(response)

Back to Table of Contents

CreateActionsV1

Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.

PEP8 method name

create_actions

Endpoint

MethodRoute
POST/recon/entities/actions/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
actions
Service Class Support

Uber Class Support
bodylist of dictionariesList of actions to attach to the monitoring rule. When provided, actions overrides other keywords (excluding body).
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
content_format
Service Class Support

Uber Class Support
bodystringContent format.
frequency
Service Class Support

Uber Class Support
bodystringFrequency of the action.

Only one action can be applied when using this keyword.
recipients
Service Class Support

Uber Class Support
bodylist of stringsList of action recipients.

Only one action can be applied when using this keyword.
rule_id
Service Class Support

Uber Class Support
bodystringRule ID to attach action(s) to.
trigger_matchless
Service Class Support

Uber Class Support
bodybooleanTrigger matchless.
type
Service Class Support

Uber Class Support
bodystringAction type.

Only one action can be applied when using this keyword.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

recips = ["RECIP1", "RECIP2", "RECIP3"]

response = falcon.create_actions(frequency="string",
                                 recipients=recips,
                                 rule_id="string",
                                 content_format="string",
                                 trigger_matchless=boolean,
                                 type="string"
                                 )

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

recips = ["RECIP1", "RECIP2", "RECIP3"]

response = falcon.CreateActionsV1(frequency="string",
                                 recipients=recips,
                                 rule_id="string",
                                 content_format="string",
                                 trigger_matchless=boolean,
                                 type="string"
                                 )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

recips = ["RECIP1", "RECIP2", "RECIP3"]

BODY = {
  "actions": [
    {
      "content_format": "string",
      "frequency": "string",
      "recipients": recips,
      "trigger_matchless": boolean,
      "type": "string"
    }
  ],
  "rule_id": "string"
}

response = falcon.command("CreateActionsV1", body=BODY)

print(response)

Back to Table of Contents

DeleteActionV1

Delete an action from a monitoring rule based on the action ID.

PEP8 method name

delete_action

Endpoint

MethodRoute
DELETE/recon/entities/actions/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
id
Service Class Support

Uber Class Support
querystringAction ID to delete.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.delete_action(id="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.DeleteActionV1(id="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DeleteActionV1", id="string")

print(response)

Back to Table of Contents

UpdateActionV1

Update an action for a monitoring rule.

PEP8 method name

update_action

Endpoint

MethodRoute
PATCH/recon/entities/actions/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
content_format
Service Class Support

Uber Class Support
bodystringContent format.
frequency
Service Class Support

Uber Class Support
bodystringFrequency of the action.
recipients
Service Class Support

Uber Class Support
bodylist of stringsList of action recipients.
id
Service Class Support

Uber Class Support
bodystringAction ID to update.
status
Service Class Support

Uber Class Support
bodystringAction status.
trigger_matchless
Service Class Support

Uber Class Support
bodybooleanTrigger matchless.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

recips = ["RECIP1", "RECIP2", "RECIP3"]

response = falcon.update_action(frequency="string",
                                content_format="string",
                                recipients=recips,
                                id="string",
                                status="string",
                                trigger_matchless=boolean
                                )

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

recips = ["RECIP1", "RECIP2", "RECIP3"]

response = falcon.UpdateActionV1(frequency="string",
                                 content_format="string",
                                 recipients=recips,
                                 id="string",
                                 status="string",
                                 trigger_matchless=boolean
                                 )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

recips = ["RECIP1", "RECIP2", "RECIP3"]

BODY = {
    "content_format": "string",
    "frequency": "string",
    "id": "string",
    "recipients": recips,
    "status": "string",
    "trigger_matchless": boolean
}

response = falcon.command("UpdateActionV1", body=BODY)

print(response)

Back to Table of Contents

GetFileContentForExportJobsV1

Download the file associated with a job ID.

PEP8 method name

get_export_job_file_contents

Endpoint

MethodRoute
GET/recon/entities/export-files/v1

Content-Type

  • Produces: application/octet-stream

Keyword Arguments

NameServiceUberTypeData typeDescription
id
Service Class Support

Uber Class Support
querystringExport job ID.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.recon import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.ext"

response = falcon.get_export_job_file_contents(id="string")
open(save_file, 'wb').write(response)
Service class example (Operation ID syntax)
from falconpy import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.ext"

response = falcon.GetFileContentForExportJobsV1(id="string")
open(save_file, 'wb').write(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

save_file = "some_file.ext"

response = falcon.command("GetFileContentForExportJobsV1", id="string")
open(save_file, 'wb').write(response)

Back to Table of Contents

GetExportJobsV1

Get the status of export jobs based on their IDs. Export jobs can be launched by calling CreateExportJobsV1. When a job is complete, use the job ID to download the file(s) associated with it using GetFileContentForExportJobsV1.

PEP8 method name

get_export_jobs

Endpoint

MethodRoute
GET/recon/entities/exports/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsExport job IDs to retrieve.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.recon import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_export_jobs(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetExportJobsV1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetExportJobsV1", ids=id_list)

print(response)

Back to Table of Contents

CreateExportJobsV1

Launch asynchronous export job. Use the job ID to poll the status of the job using GetExportJobsV1.

PEP8 method name

create_export_jobs

Endpoint

MethodRoute
POST/recon/entities/exports/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
entity
Service Class Support

Uber Class Support
bodystringEntity to report on.
export_type
Service Class Support

Uber Class Support
bodystringType of export.
filter
Service Class Support

Uber Class Support
bodystringFQL filter used to limit report results.
human_readable
Service Class Support

Uber Class Support
bodybooleanFlag indicating if this report should be returned in human readable format.
sort
Service Class Support

Uber Class Support
bodystringSort the report results using a FQL formatted string.

Usage

Service class example (PEP8 syntax)
from falconpy.recon import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.create_export_jobs(entity="string",
                                     export_type="string",
                                     filter="string",
                                     human_readable=boolean,
                                     sort="string"
                                     )

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.CreateExportJobsV1(entity="string",
                                     export_type="string",
                                     filter="string",
                                     human_readable=boolean,
                                     sort="string"
                                     )

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "entity": "string",
    "export_type": "string",
    "filter": "string",
    "human_readable": boolean,
    "sort": "string"
}

response = falcon.command("CreateExportJobsV1", body=BODY)

print(response)

Back to Table of Contents

DeleteExportJobsV1

Delete export jobs (and their associated file(s)) based on their IDs.

PEP8 method name

delete_export_jobs

Endpoint

MethodRoute
DELETE/recon/entities/exports/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsExport job IDs to delete.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.recon import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_export_jobs(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteExportJobsV1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteExportJobsV1", ids=id_list)

print(response)

Back to Table of Contents

GetNotificationsDetailedTranslatedV1

Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match. This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request

PEP8 method name

get_notifications_detailed_translated

Endpoint

MethodRoute
GET/recon/entities/notifications-detailed-translated/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsNotification IDs to retrieve.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_notifications_detailed_translated(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetNotificationsDetailedTranslatedV1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetNotificationsDetailedTranslatedV1", ids=id_list)

print(response)

Back to Table of Contents

GetNotificationsDetailedV1

Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.

PEP8 method name

get_notifications_detailed

Endpoint

MethodRoute
GET/recon/entities/notifications-detailed/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsNotification IDs to retrieve.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_notifications_detailed(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetNotificationsDetailedV1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetNotificationsDetailedV1", ids=id_list)

print(response)

Back to Table of Contents

GetNotificationsExposedDataRecordsV1

Get notifications exposed data records based on their IDs. IDs can be retrieved using the QueryNotificationsExposedDataRecordsV1 operation. The associated notification can be fetched using the notifications operations.

PEP8 method name

get_notifications_exposed_data_records

Endpoint

MethodRoute
GET/recon/entities/notifications-exposed-data-records/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsNotifications exposed record IDs to retrieve.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.recon import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_notifications_exposed_data_records(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetNotificationsExposedDataRecordsV1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetNotificationsExposedDataRecordsV1", ids=id_list)

print(response)

Back to Table of Contents

GetNotificationsTranslatedV1

Get notifications based on their IDs. IDs can be retrieved using the QueryNotificationsV1 operation. This endpoint will return translated notification content. The only target language available is English.

PEP8 method name

get_notifications_translated

Endpoint

MethodRoute
GET/recon/entities/notifications-translated/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsNotification IDs to retrieve.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_notifications_translated(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetNotificationsTranslatedV1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetNotificationsTranslatedV1", ids=id_list)

print(response)

Back to Table of Contents

GetNotificationsV1

Get notifications based on their IDs. IDs can be retrieved using the QueryNotificationsV1 operation.

PEP8 method name

get_notifications

Endpoint

MethodRoute
GET/recon/entities/notifications/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsNotification IDs to retrieve.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_notifications(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetNotificationsV1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetNotificationsV1", ids=id_list)

print(response)

Back to Table of Contents

DeleteNotificationsV1

Delete notifications based on IDs. Notifications cannot be recovered after they are deleted.

PEP8 method name

delete_notifications

Endpoint

MethodRoute
DELETE/recon/entities/notifications/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsNotification IDs to delete.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_notifications(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteNotificationsV1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteNotificationsV1", ids=id_list)

print(response)

Back to Table of Contents

UpdateNotificationsV1

Update notification status or assignee. Accepts bulk requests.

PEP8 method name

update_notifications

Endpoint

MethodRoute
PATCH/recon/entities/notifications/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
assigned_to_uuid
Service Class Support

Uber Class Support
bodystringUUID of the assigned user.
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
id
Service Class Support

Uber Class Support
bodystringNotification ID.
status
Service Class Support

Uber Class Support
bodystringNotification status.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.update_notifications(assigned_to_uuid="string",
                                       id="string",
                                       status="string"
                                       )

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.UpdateNotificationsV1(assigned_to_uuid="string",
                                        id="string",
                                        status="string"
                                        )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = [
  {
    "assigned_to_uuid": "string",
    "id": "string",
    "status": "string"
  }
]

response = falcon.command("UpdateNotificationsV1", body=BODY)

print(response)

Back to Table of Contents

GetRulesV1

Get monitoring rules rules by provided IDs.

PEP8 method name

get_rules

Endpoint

MethodRoute
GET/recon/entities/rules/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsRule IDs to retrieve.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetRulesV1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetRulesV1", ids=id_list)

print(response)

Back to Table of Contents

CreateRulesV1

Create monitoring rules.

PEP8 method name

create_rules

Endpoint

MethodRoute
POST/recon/entities/rules/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
breach_monitoring_enabled
Service Class Support

Uber Class Support
bodybooleanFlag indicating if breach monitoring should be enabled.
filter
Service Class Support

Uber Class Support
bodystringRule filter.
name
Service Class Support

Uber Class Support
bodystringRule name.
permissions
Service Class Support

Uber Class Support
bodystringPermissions. private or public.
priority
Service Class Support

Uber Class Support
bodystringPriority. high, medium, low
substring_matching_enabled
Service Class Support

Uber Class Support
bodybooleanFlag indicating if substring matching should be enabled.
topic
Service Class Support

Uber Class Support
bodystringRule topic.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.create_rules(breach_monitoring_enabled=boolean,
                               filter="string",
                               name="string",
                               permissions="string",
                               priority="string",
                               substring_matching_enabled=boolean,
                               topic="string"
                               )

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.CreateRulesV1(breach_monitoring_enabled=boolean,
                                filter="string",
                                name="string",
                                permissions="string",
                                priority="string",
                                substring_matching_enabled=boolean,
                                topic="string"
                                )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = [
    {
        "breach_monitoring_enabled": boolean,
        "filter": "string",
        "name": "string",
        "permissions": "string",
        "priority": "string",
        "substring_matching_enabled": boolean,
        "topic": "string"
    }
]

response = falcon.command("CreateRulesV1", body=BODY)

print(response)

Back to Table of Contents

DeleteRulesV1

Delete monitoring rules.

PEP8 method name

delete_rules

Endpoint

MethodRoute
DELETE/recon/entities/rules/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsRule IDs to delete.
notificationsDeletionRequested
Service Class Support

Uber Class Support
querybooleanFlag indicating if a delete notification should be generated by this rule.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rules(ids=id_list, notificationsDeletionRequested=boolean)

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteRulesV1(ids=id_list, notificationsDeletionRequested=boolean)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteRulesV1", ids=id_list, notificationsDeletionRequested=boolean)

print(response)

Back to Table of Contents

UpdateRulesV1

Update monitoring rules.

PEP8 method name

update_rules

Endpoint

MethodRoute
PATCH/recon/entities/rules/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
breach_monitoring_enabled
Service Class Support

Uber Class Support
bodybooleanFlag indicating if breach monitoring should be enabled.
filter
Service Class Support

Uber Class Support
bodystringRule filter.
name
Service Class Support

Uber Class Support
bodystringRule name.
permissions
Service Class Support

Uber Class Support
bodystringPermissions. private or public.
priority
Service Class Support

Uber Class Support
bodystringPriority. high, medium, low
id
Service Class Support

Uber Class Support
bodystringRule ID to update.
substring_matching_enabled
Service Class Support

Uber Class Support
bodybooleanFlag indicating if substring matching should be enabled.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.update_rules(breach_monitoring_enabled=boolean,
                               filter="string",
                               id="string",
                               name="string",
                               permissions="string",
                               priority="string",
                               substring_matching_enabled=boolean
                               )

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

BODY = {
    "Body Payload": "See body description above"
}

response = falcon.UpdateRulesV1(breach_monitoring_enabled=boolean,
                                filter="string",
                                id="string",
                                name="string",
                                permissions="string",
                                priority="string",
                                substring_matching_enabled=boolean
                                )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = [
  {
    "breach_monitoring_enabled": boolean,
    "filter": "string",
    "id": "string",
    "name": "string",
    "permissions": "string",
    "priority": "string",
    "substring_matching_enableD": boolean
  }
]

response = falcon.command("UpdateRulesV1", body=BODY)

print(response)

Back to Table of Contents

QueryActionsV1

Query actions based on provided criteria. Use the IDs from this response to get the action entities on GetActionsV1.

PEP8 method name

query_actions

Endpoint

MethodRoute
GET/recon/queries/actions/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFQL query expression that should be used to limit the results.
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return.
offset
Service Class Support

Uber Class Support
querystringStarting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_actions(offset="string",
                                limit=integer,
                                sort="string",
                                filter="string",
                                q="string"
                                )

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryActionsV1(offset="string",
                                 limit=integer,
                                 sort="string",
                                 filter="string",
                                 q="string"
                                 )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryActionsV1",
                          offset="string",
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

QueryNotificationsExposedDataRecordsV1

Query notifications exposed data records based on provided criteria. Use the IDs from this response to get the notification +entities on GetNotificationsExposedDataRecordsV1.

PEP8 method name

query_notifications_exposed_data_records

Endpoint

MethodRoute
GET/recon/queries/notifications-exposed-data-records/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFQL query expression that should be used to limit the results. Available filters:
  • id
  • cid
  • user_uuid
  • created_date
  • exposure_date
  • rule.id
  • rule.name
  • rule.topic
  • notification_id
  • source_category
  • site
  • site_id
  • author
  • author_id
  • user_id
  • user_name
  • impacted_url
  • impacted_domain
  • impacted_ip
  • email
  • email_domain
  • hash_type
  • display_name
  • full_name
  • user_ip
  • phone_number
  • company
  • job_position
  • file.name
  • file.complete_data_set
  • file.download_urls
  • location.postal_code
  • location.city
  • location.state
  • location.federal_district
  • location.federal_admin_region
  • location.country_code
  • social.twitter_id
  • social.facebook_id
  • social.vk_id
  • social.vk_token
  • social.aim_id
  • social.icq_id
  • social.msn_id
  • social.instagram_id
  • social.skype_id
  • financial.credit_card
  • financial.bank_account
  • financial.crypto_currency_addresses
  • login_id
  • _all
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return.
offset
Service Class Support

Uber Class Support
querystringStarting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by. Either created_date or updated_date. (Example: `updated_date
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.recon import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_notifications_exposed_data_records(offset=integer,
                                                           limit=integer,
                                                           sort="string",
                                                           filter="string",
                                                           q="string"
                                                           )

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryNotificationsExposedDataRecordsV1(offset=integer,
                                                         limit=integer,
                                                         sort="string",
                                                         filter="string",
                                                         q="string"
                                                         )

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryNotificationsExposedDataRecordsV1",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

QueryNotificationsV1

Query notifications based on provided criteria. Use the IDs from this response to get the notification entities on GetNotificationsV1 or GetNotificationsDetailedV1.

PEP8 method name

query_notifications

Endpoint

MethodRoute
GET/recon/queries/notifications/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFQL query expression that should be used to limit the results.
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return.
offset
Service Class Support

Uber Class Support
querystringStarting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_notifications(offset=integer,
                                      limit=integer,
                                      sort="string",
                                      filter="string",
                                      q="string"
                                      )

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryNotificationsV1(offset=integer,
                                       limit=integer,
                                       sort="string",
                                       filter="string",
                                       q="string"
                                       )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryNotificationsV1",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

QueryRulesV1

Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on GetRulesV1.

PEP8 method name

query_rules

Endpoint

MethodRoute
GET/recon/queries/rules/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFQL query expression that should be used to limit the results.
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return.
offset
Service Class Support

Uber Class Support
querystringStarting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_rules(offset="string",
                              limit=integer,
                              sort="string",
                              filter="string",
                              q="string"
                              )

print(response)
Service class example (Operation ID syntax)
from falconpy import Recon

# Do not hardcode API credentials!
falcon = Recon(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryRulesV1(offset="string",
                               limit=integer,
                               sort="string",
                               filter="string",
                               q="string"
                               )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryRulesV1",
                          offset="string",
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents