CrowdStrike Falcon Twitter URL

Using the Discover service collection

Uber class support Service class support Documentation Version Page Updated Samples Available

This service collection has code examples posted to the repository.

Table of Contents

Operation IDDescription
get_accounts
PEP8get_accounts
Get details on accounts by providing one or more IDs.
get_applications
PEP8get_applications
Get details on applications by providing one or more IDs.
get_hosts
PEP8get_hosts
Get details on assets by providing one or more IDs.
get_logins
PEP8get_logins
Get details on logins by providing one or more IDs.
query_accounts
PEP8query_accounts
Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_applications
PEP8query_applications
Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria.
query_hosts
PEP8query_hosts
Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_logins
PEP8query_logins
Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

get_accounts

Get details on assets by providing one or more IDs.

PEP8 method name

get_accounts

Endpoint

MethodRoute
GET/discover/entities/accounts/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsOne or more account IDs. (Max: 100)

Find account IDs with query_accounts.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_accounts(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_accounts", ids=id_list)
print(response)

get_applications

Get details on applications by providing one or more IDs.

PEP8 method name

get_applications

Endpoint

MethodRoute
GET/discover/entities/applications/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsOne or more account IDs. (Max: 100)

Find account IDs with query_accounts.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_applications(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_applications", ids=id_list)
print(response)

get_hosts

Get details on assets by providing one or more IDs.

PEP8 method name

get_hosts

Endpoint

MethodRoute
GET/discover/entities/hosts/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsOne or more asset IDs. (Max: 100)

Find asset IDs with query_hosts.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_hosts(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_hosts", ids=id_list)
print(response)

get_logins

Get details on assets by providing one or more IDs.

PEP8 method name

get_logins

Endpoint

MethodRoute
GET/discover/entities/logins/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsOne or more login IDs. (Max: 100)

Find login IDs with query_logins.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_logins(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_logins", ids=id_list)
print(response)

query_accounts

Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_accounts

Endpoint

MethodRoute
GET/discover/queries/accounts/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFilter accounts using a FQL query.

A complete list of available filters can be found here.
limit
Service Class Support

Uber Class Support
queryintegerThe number of account IDs to return in this response (Max: 100, Default: 100).

Use with the offset parameter to manage pagination of results.
offset
Service Class Support

Uber Class Support
querystringAn offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
querystringSort accounts by their properties. A single sort field is allowed. Common sort options include:
  • username|asc
  • last_failed_login_timestamp|desc
Available FQL Filters

Common filters include:

  • account_type:'Local'
  • admin_privileges:'Yes'
  • first_seen_timestamp:<'now-7d'
  • last_successful_login_type:'Terminal server'

The following table lists acceptable values for the filter keyword described above.

idlast_successful_login_timestamp
cidlast_successful_login_hostname
user_sidlast_successful_login_remote_ip
login_domainlast_successful_login_host_country
account_namelast_successful_login_host_city
usernamelast_failed_login_type
account_typelast_failed_login_timestamp
admin_privilegeslast_failed_login_hostname
first_seen_timestamppassword_last_set_timestamp
last_successful_login_type 

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_accounts(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("query_accounts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_applications

Search for applications in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria.

PEP8 method name

query_applications

Endpoint

MethodRoute
GET/discover/queries/applications/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFilter applications using a FQL query.
limit
Service Class Support

Uber Class Support
queryintegerThe number of account IDs to return in this response (Max: 100, Default: 100).

Use with the offset parameter to manage pagination of results.
offset
Service Class Support

Uber Class Support
querystringAn offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
querystringSort accounts by their properties. A single sort field is allowed. Common sort options include:
  • username|asc
  • last_failed_login_timestamp|desc

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_applications(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string"
                                     )
print(response)
Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("query_applications",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_hosts

Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_hosts

Endpoint

MethodRoute
GET/discover/queries/hosts/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFilter assets using a FQL query.

A complete list of available filters can be found here.
limit
Service Class Support

Uber Class Support
queryintegerThe number of asset IDs to return in this response (Max: 100, Default: 100).

Use with the offset parameter to manage pagination of results.
offset
Service Class Support

Uber Class Support
querystringAn offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
querystringSort assets by their properties. A single sort field is allowed. Common sort options include:
  • hostname|asc
  • product_type_desc|desc
Available FQL Filters

The following table lists acceptable values for the filter keyword described above.

agent_versionkernel_version
aidlast_discoverer_aid
bios_manufacturerlast_seen_timestamp
bios_versionlocal_ips_count
cidmachine_domain
citynetwork_interfaces
confidencenetwork_interfaces.interface_alias
countrynetwork_interfaces.interface_description
current_local_ipnetwork_interfaces.local_ip
discoverer_aidsnetwork_interfaces.mac_address
discoverer_countnetwork_interfaces.network_prefix
discoverer_platform_namesos_version
discoverer_product_type_descsou
discoverer_tagsplatform_name
entity_typeproduct_type
external_ipproduct_type_desc
first_discoverer_aidsite_name
first_discoverer_ipsystem_manufacturer
first_seen_timestampsystem_product_name
groupssystem_serial_number
hostnametags
id 

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_hosts(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("query_hosts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_logins

Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_logins

Endpoint

MethodRoute
GET/discover/queries/logins/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFilter logins using a FQL query.

A complete list of available filters can be found here.
limit
Service Class Support

Uber Class Support
queryintegerThe number of login IDs to return in this response (Max: 100, Default: 100).

Use with the offset parameter to manage pagination of results.
offset
Service Class Support

Uber Class Support
querystringAn offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
querystringSort logins by their properties. A single sort field is allowed. Common sort options include:
  • account_name|asc
  • login_timestamp|desc
Available FQL Filters

Common filters include:

  • account_type:'Local'
  • login_type:'Interactive'
  • first_seen_timestamp:<'now-7d'
  • admin_privileges:'No'

The following table lists acceptable values for the filter keyword described above.

idlogin_timestamp
cidlogin_domain
login_statusadmin_privileges
account_idlocal_ip
host_idremote_ip
user_sidhost_country
aidhost_city
account_nameis_suspicious
usernamefailure_description
hostnamelogin_event_count
account_typeaggregation_time_interval
login_type 

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_logins(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("query_logins",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)