

This service collection has code examples posted to the repository.
Operation ID | Description |
| Returns information about the current status of an AWS account. |
| Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access. |
| Deletes an existing AWS account or organization in our system. |
| Patches a existing account in our system for a customer. |
| Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment. |
| Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment. |
| Return information about Azure account registration |
| Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access. |
| Deletes an Azure subscription from the system. |
| Update an Azure service account in our system by with the user-created client_id created with the public key we've provided |
| Update an Azure default subscription_id in our system for given tenant_id |
| Returns JSON object(s) that contain the base64 encoded certificate for a service principal. |
| Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment |
| Retrieve a list of detected behaviors. |
| Retrieve a list of active misconfigurations. |
| For CSPM IOA events, gets list of IOA events. |
| For CSPM IOA users, gets list of IOA users. |
| Given a policy ID, returns detailed policy information. |
| Returns information about current policy settings. |
| Updates a policy setting - can be used to override policy severity or to disable a policy entirely. |
| Returns scan schedule configuration for one or more cloud platforms. |
| Updates scan schedule configuration for one or more cloud platforms. |
WARNING
client_id
and client_secret
are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)
CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Returns information about the current status of an AWS account.
get_aws_account
Method | Route |
 | /cloud-connect-cspm-aws/entities/account/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
group_by | ![]()

![]() | ![]()

![]() | query | string | The field to group by. |
ids | ![]()

![]() | ![]()

![]() | query | string or list of strings | AWS Account ID(s). |
limit | ![]()

![]() | ![]()

![]() | query | integer | Maximum number of results to return. (Default: 100) |
offset | ![]()

![]() | ![]()

![]() | query | integer | Starting record position. |
organization_ids | ![]()

![]() | ![]()

![]() | query | string or list of strings | AWS Organization ID(s). |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
scan_type | ![]()

![]() | ![]()

![]() | query | string | Type of scan to perform, dry or full . |
status | ![]()

![]() | ![]()

![]() | query | string | Account status to filter results by. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
orgs = 'ORG1,ORG2,ORG3' # Can also pass a list here: ['ORG1', 'ORG2', 'ORG3']
response = falcon.get_aws_account(scan_type="string",
organization_ids=orgs,
status="string",
limit=integer,
offset=integer,
group_by="string",
ids=id_list
)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
orgs = 'ORG1,ORG2,ORG3' # Can also pass a list here: ['ORG1', 'ORG2', 'ORG3']
response = falcon.GetCSPMAwsAccount(scan_type="string",
organization_ids=orgs,
status="string",
limit=integer,
offset=integer,
group_by="string",
ids=id_list
)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
orgs = 'ORG1,ORG2,ORG3' # Can also pass a list here: ['ORG1', 'ORG2', 'ORG3']
response = falcon.command("GetCSPMAwsAccount",
scan_type="string",
organization_ids=orgs,
status="string",
limit=integer,
offset=integer,
group_by="string",
ids=id_list
)
print(response)
Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
create_aws_account
Method | Route |
 | /cloud-connect-cspm-aws/entities/account/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
account_id | ![]()

![]() | ![]()

![]() | body | string | AWS Account ID. |
body | ![]()

![]() | ![]()

![]() | body | dictionary | Full body payload in JSON format. |
cloudtrail_region | ![]()

![]() | ![]()

![]() | body | string | AWS Cloudtrail Region. |
organization_id | ![]()

![]() | ![]()

![]() | body | string | AWS Organization ID. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.create_aws_account(account_id="string",
cloudtrail_region="string",
organization_id="string"
)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.CreateCSPMAwsAccount(account_id="string",
cloudtrail_region="string",
organization_id="string"
)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"resources": [
{
"account_id": "string",
"cloudtrail_region": "string",
"organization_id": "string"
}
]
}
response = falcon.command("CreateCSPMAwsAccount", body=BODY)
print(response)
Deletes an existing AWS account or organization in our system.
delete_aws_account
Method | Route |
 | /cloud-connect-cspm-aws/entities/account/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
ids | ![]()

![]() | ![]()

![]() | query | string or list of strings | The AWS account IDs to remove. |
organization_ids | ![]()

![]() | ![]()

![]() | query | string or list of strings | The AWS organization ID(s) to delete. |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
orgs = 'ORG1,ORG2,ORG3' # Can also pass a list here: ['ORG1', 'ORG2', 'ORG3']
response = falcon.delete_aws_account(organization_ids=orgs, ids=id_list)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
orgs = 'ORG1,ORG2,ORG3' # Can also pass a list here: ['ORG1', 'ORG2', 'ORG3']
response = falcon.DeleteCSPMAwsAccount(organization_ids=orgs, ids=id_list)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
PARAMS = {
"organization-ids": [
"string",
"string"
]
}
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
orgs = 'ORG1,ORG2,ORG3' # Can also pass a list here: ['ORG1', 'ORG2', 'ORG3']
response = falcon.command("DeleteCSPMAwsAccount", organization_ids=orgs, ids=id_list)
print(response)
Patches a existing account in our system for a customer.
update_aws_account
Method | Route |
 | /cloud-connect-cspm-aws/entities/account/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
account_id | ![]()

![]() | ![]()

![]() | body | string | AWS Account ID. |
body | ![]()

![]() | ![]()

![]() | body | dictionary | Full body payload in JSON format. |
cloudtrail_region | ![]()

![]() | ![]()

![]() | body | string | AWS Cloudtrail Region. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_aws_account(account_id="string", cloudtrail_region="string")
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.PatchCSPMAwsAccount(account_id="string", cloudtrail_region="string")
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"resources": [
{
"account_id": "string",
"cloudtrail_region": "string"
}
]
}
response = falcon.command("PatchCSPMAwsAccount", body=BODY)
print(response)
Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
get_aws_console_setup_urls
Method | Route |
 | /cloud-connect-cspm-aws/entities/console-setup-urls/v1 |
- Consumes: application/json
- Produces: application/json
No keywords or arguments are accepted.
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_aws_console_setup_urls()
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetCSPMAwsConsoleSetupURLs()
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("GetCSPMAwsConsoleSetupURLs")
print(response)
Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
get_aws_account_scripts_attachment
Method | Route |
 | /cloud-connect-cspm-aws/entities/user-scripts-download/v1 |
- Produces: application/json
No keywords or arguments are accepted.
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_aws_account_scripts_attachment()
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetCSPMAwsAccountScriptsAttachment()
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("GetCSPMAwsAccountScriptsAttachment")
print(response)
Return information about Azure account registration
get_azure_account
Method | Route |
 | /cloud-connect-azure/entities/account/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
ids | ![]()

![]() | ![]()

![]() | query | string or list of strings | Subscription ID(s). When empty, all accounts are returned. |
limit | ![]()

![]() | ![]()

![]() | query | integer | Maximum number of results to return. (Default: 100) |
offset | ![]()

![]() | ![]()

![]() | query | integer | Starting record position. |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
scan_type | ![]()

![]() | ![]()

![]() | query | string | Type of scan to perform, dry or full . |
status | ![]()

![]() | ![]()

![]() | query | string | Account status to filter results by. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_azure_account(scan_type="string",
status="string",
limit=integer,
offset=integer,
ids=id_list
)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetCSPMAzureAccount(scan_type="string",
status="string",
limit=integer,
offset=integer,
ids=id_list
)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetCSPMAzureAccount",
scan_type="string",
status="string",
limit=integer,
offset=integer,
ids=id_list
)
print(response)
Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
create_azure_account
Method | Route |
 | /cloud-connect-azure/entities/account/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
body | ![]()

![]() | ![]()

![]() | body | dictionary | Full body payload in JSON format. |
subscription_id | ![]()

![]() | ![]()

![]() | body | string | Azure Subscription ID. |
tenant_id | ![]()

![]() | ![]()

![]() | body | string | Azure tenant ID. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.create_azure_account(subscription_id="string", tenant_id="string")
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.CreateCSPMAzureAccount(subscription_id="string", tenant_id="string")
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"resources": [
{
"tenant_id": "string",
"subscription_id": "string"
}
]
}
response = falcon.command("CreateCSPMAzureAccount", body=BODY)
print(response)
Deletes an Azure subscription from the system.
delete_azure_account
Method | Route |
 | /cloud-connect-cspm-azure/entities/account/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
ids | ![]()

![]() | ![]()

![]() | query | string or list of strings | Azure subscription IDs to remove. |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_azure_account(ids=id_list)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.DeleteCSPMAzureAccount(ids=id_list)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("DeleteCSPMAzureAccount", ids=id_list)
print(response)
Update an Azure service account in our system by with the user-created client_id created with the public key we've provided
update_azure_account_client_id
Method | Route |
 | /cloud-connect-azure/entities/client-id/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
body | ![]()

![]() | ![]()

![]() | body | string | This field is not used. Ignore. |
id | ![]()

![]() | ![]()

![]() | query | string or list of strings | The Azure Client ID to use for the Service Principal associated with the Azure account. |
tenant_id | ![]()

![]() | ![]()

![]() | query | string or list of strings | The Azure tenant ID to update the Client ID for. Required if multiple tenants are registered. |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_azure_account_client_id(id="string", tenant_id="string")
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.UpdateCSPMAzureAccountClientID(id="string", tenant_id="string")
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("UpdateCSPMAzureAccountClientID", id="string", tenant_id="string")
print(response)
Update an Azure default subscription_id in our system for given tenant_id
update_azure_tenant_default_subscription_id
Method | Route |
 | /cloud-connect-cspm-azure/entities/default-subscription-id/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
body | ![]()

![]() | ![]()

![]() | body | string | This field is not used. Ignore. |
subscription_id | ![]()

![]() | ![]()

![]() | query | string or list of strings | The Azure subscription ID to use as a default for all subscriptions within the tenant. |
tenant_id | ![]()

![]() | ![]()

![]() | query | string or list of strings | The Azure tenant ID to update the Client ID for. Required if multiple tenants are registered. |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_azure_tenant_default_subscription_id(tenant_id="string",
subscription_id="string"
)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.UpdateCSPMAzureTenantDefaultSubscriptionID(tenant_id="string",
subscription_id="string"
)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("UpdateCSPMAzureTenantDefaultSubscriptionID",
tenant_id="string",
subscription_id="string"
)
print(response)
Returns JSON object(s) that contain the base64 encoded certificate for a service principal.
azure_download_certificate
Method | Route |
 | /cloud-connect-cspm-azure/entities/download-certificate/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
refresh | ![]()

![]() | ![]()

![]() | query | boolean | Force a refresh of the certificate. Defaults to False . |
tenant_id | ![]()

![]() | ![]()

![]() | query | string or list of strings | The Azure Client ID to generate script for. Defaults to the most recently registered tenant. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.azure_download_certificate(refresh=boolean, tenant_id="string")
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.AzureDownloadCertificate(refresh=boolean, tenant_id="string")
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("AzureDownloadCertificate", refresh=boolean, tenant_id="string")
print(response)
Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
get_azure_user_scripts_attachment
Method | Route |
 | /cloud-connect-azure/entities/user-scripts-download/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
tenant_id | ![]()

![]() | ![]()

![]() | query | string or list of strings | The Azure tenant ID. |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_azure_user_scripts_attachment(tenant_id="string")
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetCSPMAzureUserScriptsAttachment(tenant_id="string")
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("GetCSPMAzureUserScriptsAttachment", tenant_id="string")
print(response)
Retrieve list of detected behaviors.
get_behavior_detections
Method | Route |
 | /detects/entities/ioa/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
account_id | ![]()

![]() | ![]()

![]() | query | string | Cloud account ID (e.g.: AWS AccountID, Azure SubscriptionID). |
aws_account_id | ![]()

![]() | ![]()

![]() | query | string | AWS Account ID. |
azure_subscription_id | ![]()

![]() | ![]()

![]() | query | string | Azure Subscription ID. |
azure_tenant_id | ![]()

![]() | ![]()

![]() | query | string | Azure Tenant ID. |
cloud_provider | ![]()

![]() | ![]()

![]() | query | string | Cloud Provider (azure, aws, gcp). |
date_time_since | ![]()

![]() | ![]()

![]() | query | string | Filter to retrieve all events after specified date. RFC3339 format. Example: 2006-01-01T12:00:01Z07:00 . |
limit | ![]()

![]() | ![]()

![]() | query | integer | Maximum number of results to return. (Max: 500) |
next_token | ![]()

![]() | ![]()

![]() | query | string | String to get next page of results, associated with the previous execution. Must include all filters from previous execution. |
service | ![]()

![]() | ![]()

![]() | query | string | Filter by Cloud Service. A list of available services can be found here. |
severity | ![]()

![]() | ![]()

![]() | query | string | Filter by severity. Example: High , Medium or Informational . |
state | ![]()

![]() | ![]()

![]() | query | string | Filter by state. Example: open or closed . |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
| |
ACM | Identity |
ACR | KMS |
Any | KeyVault |
App Engine | Kinesis |
BigQuery | Kubernetes |
Cloud Load Balancing | Lambda |
Cloud Logging | LoadBalancer |
Cloud SQL | Monitor |
Cloud Storage | NLB/ALB |
CloudFormation | NetworkSecurityGroup |
CloudTrail | PostgreSQL |
CloudWatch Logs | RDS |
Cloudfront | Redshift |
Compute Engine | S3 |
Config | SES |
Disk | SNS |
DynamoDB | SQLDatabase |
EBS | SQLServer |
EC2 | SQS |
ECR | SSM |
EFS | Serverless Application Repository |
EKS | StorageAccount |
ELB | Subscriptions |
EMR | VPC |
Elasticache | VirtualMachine |
GuardDuty | VirtualNetwork |
IAM | |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_behavior_detections(account_id="string",
aws_account_id="string",
azure_subscription_id="string",
azure_tenant_id="string",
cloud_provider="string",
date_time_since="string",
limit=integer,
next_token="string",
service="string",
severity="string",
state="string"
)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetBehaviorDetections(account_id="string",
aws_account_id="string",
azure_subscription_id="string",
azure_tenant_id="string",
cloud_provider="string",
date_time_since="string",
limit=integer,
next_token="string",
service="string",
severity="string",
state="string"
)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("GetBehaviorDetections",
account_id="string",
aws_account_id="string",
azure_subscription_id="string",
azure_tenant_id="string",
cloud_provider="string",
date_time_since="string",
limit=integer,
next_token="string",
service="string",
severity="string",
state="string"
)
print(response)
Retrieve list of detected behaviors.
get_configuration_detections
Method | Route |
 | /detects/entities/iom/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
account_id | ![]()

![]() | ![]()

![]() | query | string | Cloud account ID (e.g.: AWS AccountID, Azure SubscriptionID). |
aws_account_id | ![]()

![]() | ![]()

![]() | query | string | AWS Account ID. |
azure_subscription_id | ![]()

![]() | ![]()

![]() | query | string | Azure Subscription ID. |
azure_tenant_id | ![]()

![]() | ![]()

![]() | query | string | Azure Tenant ID. |
cloud_provider | ![]()

![]() | ![]()

![]() | query | string | Cloud Provider (azure, aws, gcp). |
limit | ![]()

![]() | ![]()

![]() | query | integer | Maximum number of results to return. (Max: 500) |
next_token | ![]()

![]() | ![]()

![]() | query | string | String to get next page of results, associated with the previous execution. Must include all filters from previous execution. |
region | ![]()

![]() | ![]()

![]() | query | string | Cloud Provider Region. Example: us-east-1 . |
service | ![]()

![]() | ![]()

![]() | query | string | Filter by Cloud Service. A list of available services can be found here. |
severity | ![]()

![]() | ![]()

![]() | query | string | Filter by severity. Example: High , Medium or Informational . |
status | ![]()

![]() | ![]()

![]() | query | string | Filter by status. Example: new , reoccurring or all . |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
| |
ACM | Identity |
ACR | KMS |
Any | KeyVault |
App Engine | Kinesis |
BigQuery | Kubernetes |
Cloud Load Balancing | Lambda |
Cloud Logging | LoadBalancer |
Cloud SQL | Monitor |
Cloud Storage | NLB/ALB |
CloudFormation | NetworkSecurityGroup |
CloudTrail | PostgreSQL |
CloudWatch Logs | RDS |
Cloudfront | Redshift |
Compute Engine | S3 |
Config | SES |
Disk | SNS |
DynamoDB | SQLDatabase |
EBS | SQLServer |
EC2 | SQS |
ECR | SSM |
EFS | Serverless Application Repository |
EKS | StorageAccount |
ELB | Subscriptions |
EMR | VPC |
Elasticache | VirtualMachine |
GuardDuty | VirtualNetwork |
IAM | |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_configuration_detections(account_id="string",
aws_account_id="string",
azure_subscription_id="string",
azure_tenant_id="string",
cloud_provider="string",
limit=integer,
next_token="string",
region="string,
service="string",
severity="string",
status="string"
)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetConfigurationDetections(account_id="string",
aws_account_id="string",
azure_subscription_id="string",
azure_tenant_id="string",
cloud_provider="string",
limit=integer,
next_token="string",
region="string",
service="string",
severity="string",
status="string"
)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("GetConfigurationDetections",
account_id="string",
aws_account_id="string",
azure_subscription_id="string",
azure_tenant_id="string",
cloud_provider="string",
limit=integer,
next_token="string",
region="string",
service="string",
severity="string",
status="string"
)
print(response)
For CSPM IOA events, gets list of IOA events.
get_ioa_events
Method | Route |
 | /ioa/entities/events/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
account_id | ![]()

![]() | ![]()

![]() | query | string | Cloud account ID (e.g.: AWS AccountID, Azure SubscriptionID). |
aws_account_id | ![]()

![]() | ![]()

![]() | query | string | AWS Account ID. |
azure_subscription_id | ![]()

![]() | ![]()

![]() | query | string | Azure Subscription ID. |
azure_tenant_id | ![]()

![]() | ![]()

![]() | query | string | Azure Tenant ID. |
cloud_provider | ![]()

![]() | ![]()

![]() | query | string | Cloud Provider (azure, aws, gcp). |
limit | ![]()

![]() | ![]()

![]() | query | integer | Maximum number of results to return. (Max: 500) |
offset | ![]()

![]() | ![]()

![]() | query | integer | Starting record position. |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
policy_id | ![]()

![]() | ![]()

![]() | query | string | IOA Policy ID. |
state | ![]()

![]() | ![]()

![]() | query | string | Filter by account state. |
user_ids | ![]()

![]() | ![]()

![]() | query | string or list of strings | User ID(s). |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_ioa_events(policy_id="string",
cloud_provider="string",
account_id="string",
aws_account_id="string",
azure_subscription_id="string",
azure_tenant_id="string",
user_ids=id_list,
state="string",
offset=integer,
limit=integer
)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIOAEvents(policy_id="string",
cloud_provider="string",
account_id="string",
aws_account_id="string",
azure_subscription_id="string",
azure_tenant_id="string",
user_ids=id_list,
state="string",
offset=integer,
limit=integer
)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIOAEvents",
policy_id="string",
cloud_provider="string",
account_id="string",
aws_account_id="string",
azure_subscription_id="string",
azure_tenant_id="string",
user_ids=id_list,
state="string",
offset=integer,
limit=integer
)
print(response)
For CSPM IOA users, gets list of IOA users.
get_ioa_users
Method | Route |
 | /ioa/entities/users/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
account_id | ![]()

![]() | ![]()

![]() | query | string | Cloud account ID (e.g.: AWS AccountID, Azure SubscriptionID). |
aws_account_id | ![]()

![]() | ![]()

![]() | query | string | AWS Account ID. |
azure_subscription_id | ![]()

![]() | ![]()

![]() | query | string | Azure Subscription ID. |
azure_tenant_id | ![]()

![]() | ![]()

![]() | query | string | Azure Tenant ID. |
cloud_provider | ![]()

![]() | ![]()

![]() | query | string | Cloud Provider (azure, aws, gcp). |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
policy_id | ![]()

![]() | ![]()

![]() | query | string | IOA Policy ID. |
state | ![]()

![]() | ![]()

![]() | query | string | Filter by account state. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_ioa_users(policy_id="string",
state="string",
cloud_provider="string",
account_id="string",
aws_account_id="string",
azure_subscription_id="string",
azure_tenant_id="string"
)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetIOAUsers(policy_id="string",
state="string",
cloud_provider="string",
account_id="string",
aws_account_id="string",
azure_subscription_id="string",
azure_tenant_id="string"
)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("GetIOAUsers",
policy_id="string",
state="string",
cloud_provider="string",
account_id="string",
aws_account_id="string",
azure_subscription_id="string",
azure_tenant_id="string"
)
print(response)
Given a policy ID, returns detailed policy information.
get_policy
Method | Route |
 | /settings/entities/policy-details/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
ids | ![]()

![]() | ![]()

![]() | query | string or list of strings | Policy IDs to retrieve. |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_policy(ids=id_list)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetCSPMPolicy(ids=id_list)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetCSPMPolicy", ids=id_list)
print(response)
Returns information about current policy settings.
get_policy_settings
Method | Route |
 | /settings/entities/policy/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
cloud_platform | ![]()

![]() | ![]()

![]() | query | string | Cloud Provider (azure, aws, gcp). |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
policy_id | ![]()

![]() | ![]()

![]() | query | string | IOA Policy ID. |
service | ![]()

![]() | ![]()

![]() | query | string | Filter by Service type. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_policy_settings(service="string",
policy_id="string",
cloud_platform="string"
)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetCSPMPolicySettings(service="string",
policy_id="string",
cloud_platform="string"
)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("GetCSPMPolicySettings",
service="string",
policy_id="string",
cloud_platform="string"
)
print(response)
Updates a policy setting - can be used to override policy severity or to disable a policy entirely.
update_policy_settings
Method | Route |
 | /settings/entities/policy/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
account_id | ![]()

![]() | ![]()

![]() | body | string | Cloud Account ID to impact. |
body | ![]()

![]() | ![]()

![]() | body | dictionary | Full body payload in JSON format. |
enabled | ![]()

![]() | ![]()

![]() | body | boolean | Flag indicating if this policy is enabled. |
policy_id | ![]()

![]() | ![]()

![]() | body | integer | Policy ID to be updated. |
regions | ![]()

![]() | ![]()

![]() | body | string or list of strings | List of regions where this policy is enforced. |
severity | ![]()

![]() | ![]()

![]() | body | string | Policy severity value. |
tag_excluded | ![]()

![]() | ![]()

![]() | body | boolean | Tag exclusion flag. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
region_list = 'REG1,REG2,REG3' # Can also pass a list here: ['REG1', 'REG2', 'REG3']
response = falcon.update_policy_settings(account_id="string",
enabled=boolean,
policy_id=integer,
regions=region_list
severity="string",
tag_excluded=boolean
)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
region_list = 'REG1,REG2,REG3' # Can also pass a list here: ['REG1', 'REG2', 'REG3']
response = falcon.UpdateCSPMPolicySettings(account_id="string",
enabled=boolean,
policy_id=integer,
regions=region_list
severity="string",
tag_excluded=boolean
)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"resources": [
{
"account_id": "string",
"enabled": boolean,
"policy_id": integer,
"regions": [
"string"
],
"severity": "string",
"tag_excluded": boolean
}
]
}
response = falcon.command("UpdateCSPMPolicySettings", body=BODY)
print(response)
Returns scan schedule configuration for one or more cloud platforms.
get_scan_schedule
Method | Route |
 | /settings/scan-schedule/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
cloud_platform | ![]()

![]() | ![]()

![]() | query | string or list of strings | The Cloud Platform. (Azure , AWS , GCP ) |
parameters | ![]()

![]() | ![]()

![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
clouds = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_scan_schedule(cloud_platform=clouds)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
clouds = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetCSPMScanSchedule(cloud_platform=clouds)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
clouds = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetCSPMScanSchedule", cloud_platform=clouds)
print(response)
Updates scan schedule configuration for one or more cloud platforms.
update_scan_schedule
Method | Route |
 | /settings/scan-schedule/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
body | ![]()

![]() | ![]()

![]() | body | dictionary | Full body payload in JSON format. |
cloud_platform | ![]()

![]() | ![]()

![]() | body | string | Cloud platform (Azure, AWS, GCP). |
next_scan_timestamp | ![]()

![]() | ![]()

![]() | body | string | UTC formatted string. |
scan_schedule | ![]()

![]() | ![]()

![]() | body | string | Scan schedule type. |
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_scan_schedule(cloud_platform="string",
next_scan_timestampt="string",
scan_schedule="string"
)
print(response)
from falconpy import CSPMRegistration
# Do not hardcode API credentials!
falcon = CSPMRegistration(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.UpdateCSPMScanSchedule(cloud_platform="string",
next_scan_timestampt="string",
scan_schedule="string"
)
print(response)
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"resources": [
{
"cloud_platform": "string",
"next_scan_timestamp": "2021-10-25T05:22:27.365Z",
"scan_schedule": "string"
}
]
}
response = falcon.command("UpdateCSPMScanSchedule", body=BODY)
print(response)