Using the Discover service collection
This service collection has code examples posted to the repository.
Table of Contents
| Operation ID | Description | ||||
|---|---|---|---|---|---|
| Get details on accounts by providing one or more IDs. | ||||
| Get details on applications by providing one or more IDs. | ||||
| Get details on assets by providing one or more IDs. | ||||
| Get details on logins by providing one or more IDs. | ||||
| Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. | ||||
| Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria. | ||||
| Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. | ||||
| Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. | ||||
Passing credentials
WARNING
client_idandclient_secretare keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
get_accounts
Get details on assets by providing one or more IDs.
PEP8 method name
get_accounts
Endpoint
| Method | Route |
|---|---|
 | /discover/entities/accounts/v1 |
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |  | | query | string or list of strings | One or more account IDs. (Max: 100) Find account IDs with query_accounts. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_accounts(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_accounts", ids=id_list)
print(response)
get_applications
Get details on applications by providing one or more IDs.
PEP8 method name
get_applications
Endpoint
| Method | Route |
|---|---|
| /discover/entities/applications/v1 |
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | One or more account IDs. (Max: 100) Find account IDs with query_accounts. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_applications(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_applications", ids=id_list)
print(response)
get_hosts
Get details on assets by providing one or more IDs.
PEP8 method name
get_hosts
Endpoint
| Method | Route |
|---|---|
| /discover/entities/hosts/v1 |
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | One or more asset IDs. (Max: 100) Find asset IDs with query_hosts. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_hosts(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_hosts", ids=id_list)
print(response)
get_logins
Get details on assets by providing one or more IDs.
PEP8 method name
get_logins
Endpoint
| Method | Route |
|---|---|
| /discover/entities/logins/v1 |
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | One or more login IDs. (Max: 100) Find login IDs with query_logins. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_logins(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_logins", ids=id_list)
print(response)
query_accounts
Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
PEP8 method name
query_accounts
Endpoint
| Method | Route |
|---|---|
| /discover/queries/accounts/v1 |
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | Filter accounts using a FQL query. A complete list of available filters can be found here. |
| limit | | | query | integer | The number of account IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
| offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort accounts by their properties. A single sort field is allowed. Common sort options include:
|
Available FQL Filters
Common filters include:
account_type:'Local'admin_privileges:'Yes'first_seen_timestamp:<'now-7d'last_successful_login_type:'Terminal server'
The following table lists acceptable values for the filter keyword described above.
| id | last_successful_login_timestamp |
| cid | last_successful_login_hostname |
| user_sid | last_successful_login_remote_ip |
| login_domain | last_successful_login_host_country |
| account_name | last_successful_login_host_city |
| username | last_failed_login_type |
| account_type | last_failed_login_timestamp |
| admin_privileges | last_failed_login_hostname |
| first_seen_timestamp | password_last_set_timestamp |
| last_successful_login_type |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_accounts(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
Uber class example
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_accounts",
offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
query_applications
Search for applications in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria.
PEP8 method name
query_applications
Endpoint
| Method | Route |
|---|---|
| /discover/queries/applications/v1 |
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | Filter applications using a FQL query. |
| limit | | | query | integer | The number of account IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
| offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort accounts by their properties. A single sort field is allowed. Common sort options include:
|
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_applications(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
Uber class example
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_applications",
offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
query_hosts
Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
PEP8 method name
query_hosts
Endpoint
| Method | Route |
|---|---|
| /discover/queries/hosts/v1 |
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | Filter assets using a FQL query. A complete list of available filters can be found here. |
| limit | | | query | integer | The number of asset IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
| offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort assets by their properties. A single sort field is allowed. Common sort options include:
|
Available FQL Filters
The following table lists acceptable values for the filter keyword described above.
| agent_version | kernel_version |
| aid | last_discoverer_aid |
| bios_manufacturer | last_seen_timestamp |
| bios_version | local_ips_count |
| cid | machine_domain |
| city | network_interfaces |
| confidence | network_interfaces.interface_alias |
| country | network_interfaces.interface_description |
| current_local_ip | network_interfaces.local_ip |
| discoverer_aids | network_interfaces.mac_address |
| discoverer_count | network_interfaces.network_prefix |
| discoverer_platform_names | os_version |
| discoverer_product_type_descs | ou |
| discoverer_tags | platform_name |
| entity_type | product_type |
| external_ip | product_type_desc |
| first_discoverer_aid | site_name |
| first_discoverer_ip | system_manufacturer |
| first_seen_timestamp | system_product_name |
| groups | system_serial_number |
| hostname | tags |
| id |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_hosts(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
Uber class example
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_hosts",
offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
query_logins
Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
PEP8 method name
query_logins
Endpoint
| Method | Route |
|---|---|
| /discover/queries/logins/v1 |
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | Filter logins using a FQL query. A complete list of available filters can be found here. |
| limit | | | query | integer | The number of login IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
| offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort logins by their properties. A single sort field is allowed. Common sort options include:
|
Available FQL Filters
Common filters include:
account_type:'Local'login_type:'Interactive'first_seen_timestamp:<'now-7d'admin_privileges:'No'
The following table lists acceptable values for the filter keyword described above.
| id | login_timestamp |
| cid | login_domain |
| login_status | admin_privileges |
| account_id | local_ip |
| host_id | remote_ip |
| user_sid | host_country |
| aid | host_city |
| account_name | is_suspicious |
| username | failure_description |
| hostname | login_event_count |
| account_type | aggregation_time_interval |
| login_type |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_logins(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
Uber class example
from falconpy import APIHarness
# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_logins",
offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)