Using the Discover service collection
This service collection has code examples posted to the repository.
Table of Contents
| Operation ID | Description | ||||
|---|---|---|---|---|---|
| Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on applications which match the filter criteria. | ||||
| Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on assets which match the filter criteria. | ||||
| Get details on accounts by providing one or more IDs. | ||||
| Get details on applications by providing one or more IDs. | ||||
| Get details on assets by providing one or more IDs. | ||||
| Get details on IoT assets by providing one or more IDs. | ||||
| Get details on logins by providing one or more IDs. | ||||
| Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. | ||||
| Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria. | ||||
| Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. | ||||
| Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. | ||||
| Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. | ||||
| Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. | ||||
Passing credentials
WARNING
client_idandclient_secretare keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
combined_applications
Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on applications which match the filter criteria.
PEP8 method name
query_combined_applications
Endpoint
| Method | Route |
|---|---|
 | /discover/combined/applications/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| facet |  | | query | string | Select various details blocks to be returned for each application entity. Supported values:
|
| filter | | | query | string | Filter applications using a FQL query. A list of available filters can be found here. |
| limit | | | query | integer | The number of account IDs to return in this response (Max: 1000, Default: 100). Use with the after parameter to manage pagination of results. |
| after | | | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort accounts by their properties. A single sort field is allowed. Common sort options include:
|
Available filters
The following properties can be using for filtering and sorting.
| Name | Description |
|---|---|
id | Unique ID of the application. Each application ID represents a particular instance of an application on a particular asset. Example:
|
cid | The application's customer ID. In multi-CID environments:
|
name | Name of the application. Example: name:'Chrome' |
vendor | Name of the application vendor. Examples:
|
version | Application version. Examples:
|
name_vendor | The app name and vendor name for all application IDs with this application name, this field can be used to group results by application. . Examples:
|
name_vendor_version | The app name, vendor name, and vendor version for all application IDs with this application name, this field can be used to group results by application version. Examples:
|
versioning_scheme | Versioning scheme of the application. Example: versioning_scheme:'semver' |
groups | All application groups the application is assigned to. For more info, see Create application groups. Example: groups:'ExampleAppGroup' |
category | Category the application is in. For more info, see Understanding applications. Examples:
|
architectures | Application architecture. Examples:
|
installation_paths | File paths of the application or executable file to the folder on the asset. Examples:
|
installation_timestamp | Date and time the application was installed, if available. Example: installation_timestamp:'2023-01-11T00:00:00.000Z' |
first_seen_timestamp | Date and time the application was first seen. Example: first_seen_timestamp:'2022-12-22T12:41:47.417Z' |
last_updated_timestamp | Date and time the installation fields of the application instance most recently changed. Example: last_updated_timestamp:'2022-12-22T12:41:47.417Z' |
last_used_user_sid | For Windows and macOS: Security identifier of the account that most recently used the application. Example: last_used_user_sid:'S-1-x-x-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx1' |
last_used_user_name | For Windows and macOS: Username of the account that most recently used the application. Examples:
|
last_used_file_name | For Windows and macOS: Most recent file name used for the application. Examples:
|
last_used_file_hash | For Windows and macOS: Most recent file hash used for the application. Example: last_used_file_hash:'0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa' |
last_used_timestamp | For Windows and macOS: Date and time the application was most recently used. Example: last_used_timestamp:'2023-01-10T23:00:00.000Z' |
is_normalized | For Windows: Whether the application name is normalized (true or false). Applications can have different naming variations that result in different records for each variation, for example, Acrobat Reader, Adobe Acrobat Reader, and Acrobat. To avoid this duplication, the most common applications are listed under a single normalized application name, for example, Acrobat. Example: is_normalized:true |
is_suspicious | Whether the application is suspicious based on how often it's been seen in a detection on that asset (true or false). Examples: is_suspicious:true or is_suspicious:!false |
host.id | Unique ID of the asset the application is on. Example: host.id:'a89xxxxxxxxxxxxxxxxxxxxxxxxx08e_137xxxxxxxxxxxx191' |
host.aid | ID of the Falcon sensor installed on the asset the application is on. Example: host.aid:'14xxxxxxxxxxxxxxxxxxxxxxxxxxxx2f' |
host.country | Name of the country where the asset the application is on is located. Examples: host.country:'United States Of America' or host.country:!'Germany' |
host.platform_name | The platform name of the asset the application is on (Windows, Mac, Linux). Examples: host.platform_name:'Windows' or host.platform_name:!'Linux' |
host.os_version | OS version of the asset the application is on. Examples:
|
host.kernel_version | For Linux and Mac: The major version, minor version, and patch version of the kernel for the asset the application is on. For Windows: the build number of the asset the application is on. Examples:
|
host.product_type_desc | The product type of the asset the application is on (Workstation, Domain Controller, Server). Examples:
|
host.tags | Sensor and cloud tags of the asset the application is on. Examples:
|
host.groups | Host management groups the asset the application is on is part of. Examples:
|
host.agent_version | Version of the Falcon sensor that's installed on the asset the application is on. Examples:
|
host.system_manufacturer | System manufacturer of the asset the application is on. Examples:
|
host.ou | Organizational unit of the asset the application is on. Examples: host.ou:'Endpoints' or host.ou:!'Endpoints' |
host.machine_domain | Domain name the asset the application is on is currently joined to. Examples:
|
host.site_name | Site name of the domain the asset the asset the application is on is joined to (applies only to Windows hosts). Examples:
|
host.external_ip | External IPv4 address of the asset the application is on. Examples:
|
host.hostname | Hostname of the asset the application is on. Examples: host.hostname:'ABC-123-DEF-456' or host.hostname:!'ABC-123-DEF-456' |
host.current_network_prefix | Most recent network prefix of the asset the application is on. Examples: host.network_prefix:'192.0' or host.network_prefix:!'192.0' |
host.internet_exposure | Whether the asset the application is on is exposed to the internet (Yes or Unknown). Examples: host.internet_exposure:'Yes' or host.internet_exposure:!'Unknown' |
host.current_mac_address | Most recent MAC address of the asset the application is on. Examples:
|
Usage
Service class example (PEP8 syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_combined_applications(after="string",
limit=integer,
sort="string",
filter="string",
facet="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.combined_applications(after="string",
limit=integer,
sort="string",
filter="string",
facet="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("combined_applications",
after="string",
limit=integer,
sort="string",
filter="string",
facet="string"
)
print(response)
combined_hosts
Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns details on assets which match the filter criteria.
PEP8 method name
query_combined_hosts
Endpoint
| Method | Route |
|---|---|
| /discover/combined/hosts/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | Filter assets using a FQL query. A complete list of available filters can be found here. |
| limit | | | query | integer | The number of asset IDs to return in this response (Max: 1000, Default: 100). Use with the after parameter to manage pagination of results. |
| after | | | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort assets by their properties. A single sort field is allowed. Common sort options include:
|
Available FQL Filters
Available filter fields that support exact match: id, aid, entity_type, country, city, platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, machine_domain, site_name, external_ip, hostname, local_ips_count, network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.interface_alias, network_interfaces.interface_description, network_interfaces.network_prefix, last_discoverer_aid, discoverer_count, discoverer_aids, discoverer_tags, discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, data_providers, data_providers_count, mac_addresses, local_ip_addresses, reduced_functionality_mode, number_of_disk_drives, processor_package_count, physical_core_count, logical_core_count, total_disk_space, disk_sizes.disk_name, disk_sizes.disk_space, cpu_processor_name, total_memory, encryption_status, encrypted_drives, encrypted_drives_count, unencrypted_drives, unencrypted_drives_count, os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.device_guard_status, os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, os_security.iommu_protection_status, os_security.secure_boot_enabled_status, os_security.uefi_memory_protection_status, os_security.virtualization_based_security_status, os_security.kernel_dma_protection_status, total_bios_files, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, bios_id, average_processor_usage, average_memory_usage, average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, available_disk_space, available_disk_space_pct, mount_storage_info.mount_path, mount_storage_info.used_space, mount_storage_info.available_space, form_factor, servicenow_id, owned_by, managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, ad_user_account_control, account_enabled, creation_timestamp, email, os_service_pack, location, state, cpu_manufacturer, discovering_by
Available filter fields that supports wildcard (*): id, aid, entity_type, country, city, platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, machine_domain, site_name, external_ip, hostname, network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.interface_alias, network_interfaces.interface_description, network_interfaces.network_prefix, last_discoverer_aid, discoverer_aids, discoverer_tags, discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, disk_sizes.disk_name, cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.device_guard_status, os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, os_security.iommu_protection_status, os_security.secure_boot_enabled_status, os_security.uefi_memory_protection_status, os_security.virtualization_based_security_status, os_security.kernel_dma_protection_status, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, bios_id, mount_storage_info.mount_path, form_factor, servicenow_id, owned_by, managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, account_enabled, email, os_service_pack, location, state, cpu_manufacturer, discovering_by
Available filter fields that supports range comparisons (>, <, >=, <=): first_seen_timestamp, last_seen_timestamp, local_ips_count, discoverer_count, confidence, number_of_disk_drives, processor_package_count, physical_core_count, data_providers_count, logical_core_count, total_disk_space, disk_sizes.disk_space, total_memory, encrypted_drives_count, unencrypted_drives_count, total_bios_files, average_processor_usage, average_memory_usage, average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, available_disk_space, available_disk_space_pct, mount_storage_info.used_space, mount_storage_info.available_space, ad_user_account_control, creation_timestamp
All filter fields and operations supports negation (!).
Usage
Service class example (PEP8 syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_combined_hosts(after="string",
limit=integer,
sort="string",
filter="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.combined_hosts(after="string",
limit=integer,
sort="string",
filter="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("combined_hosts",
after="string",
limit=integer,
sort="string",
filter="string"
)
print(response)
get_accounts
Get details on assets by providing one or more IDs.
PEP8 method name
get_accounts
Endpoint
| Method | Route |
|---|---|
| /discover/entities/accounts/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | One or more account IDs. (Max: 100) Find account IDs with query_accounts. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_accounts(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_accounts", ids=id_list)
print(response)
get_applications
Get details on applications by providing one or more IDs.
PEP8 method name
get_applications
Endpoint
| Method | Route |
|---|---|
| /discover/entities/applications/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | One or more account IDs. (Max: 100) Find account IDs with query_accounts. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_applications(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_applications", ids=id_list)
print(response)
get_hosts
Get details on assets by providing one or more IDs.
PEP8 method name
get_hosts
Endpoint
| Method | Route |
|---|---|
| /discover/entities/hosts/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | One or more asset IDs. (Max: 100) Find asset IDs with query_hosts. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_hosts(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_hosts", ids=id_list)
print(response)
get_iot_hosts
Get details on assets by providing one or more IDs.
PEP8 method name
get_iot_hosts
Endpoint
| Method | Route |
|---|---|
| /discover/entities/iot-hosts/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | One or more IoT asset IDs. (Max: 100) Find asset IDs with query_iot_hosts. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_iot_hosts(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_iot_hosts", ids=id_list)
print(response)
get_logins
Get details on assets by providing one or more IDs.
PEP8 method name
get_logins
Endpoint
| Method | Route |
|---|---|
| /discover/entities/logins/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | One or more login IDs. (Max: 100) Find login IDs with query_logins. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_logins(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_logins", ids=id_list)
print(response)
query_accounts
Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
PEP8 method name
query_accounts
Endpoint
| Method | Route |
|---|---|
| /discover/queries/accounts/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | Filter accounts using a FQL query. A complete list of available filters can be found here. |
| limit | | | query | integer | The number of account IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
| offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort accounts by their properties. A single sort field is allowed. Common sort options include:
|
Available FQL Filters
Common filters include:
account_type:'Local'admin_privileges:'Yes'first_seen_timestamp:<'now-7d'last_successful_login_type:'Terminal server'
The following table lists acceptable values for the filter keyword described above.
| id | last_successful_login_timestamp |
| cid | last_successful_login_hostname |
| user_sid | last_successful_login_remote_ip |
| login_domain | last_successful_login_host_country |
| account_name | last_successful_login_host_city |
| username | last_failed_login_type |
| account_type | last_failed_login_timestamp |
| admin_privileges | last_failed_login_hostname |
| first_seen_timestamp | password_last_set_timestamp |
| last_successful_login_type |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_accounts(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_accounts",
offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
query_applications
Search for applications in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria.
PEP8 method name
query_applications
Endpoint
| Method | Route |
|---|---|
| /discover/queries/applications/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | Filter applications using a FQL query. A list of available filters can be found here. |
| limit | | | query | integer | The number of account IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
| offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort accounts by their properties. A single sort field is allowed. Common sort options include:
|
Available filters
The following properties can be using for filtering and sorting.
| Name | Description |
|---|---|
id | Unique ID of the application. Each application ID represents a particular instance of an application on a particular asset. Example:
|
cid | The application's customer ID. In multi-CID environments:
|
name | Name of the application. Example: name:'Chrome' |
vendor | Name of the application vendor. Examples:
|
version | Application version. Examples:
|
name_vendor | The app name and vendor name for all application IDs with this application name, this field can be used to group results by application. . Examples:
|
name_vendor_version | The app name, vendor name, and vendor version for all application IDs with this application name, this field can be used to group results by application version. Examples:
|
versioning_scheme | Versioning scheme of the application. Example: versioning_scheme:'semver' |
groups | All application groups the application is assigned to. For more info, see Create application groups. Example: groups:'ExampleAppGroup' |
category | Category the application is in. For more info, see Understanding applications. Examples:
|
architectures | Application architecture. Examples:
|
installation_paths | File paths of the application or executable file to the folder on the asset. Examples:
|
installation_timestamp | Date and time the application was installed, if available. Example: installation_timestamp:'2023-01-11T00:00:00.000Z' |
first_seen_timestamp | Date and time the application was first seen. Example: first_seen_timestamp:'2022-12-22T12:41:47.417Z' |
last_updated_timestamp | Date and time the installation fields of the application instance most recently changed. Example: last_updated_timestamp:'2022-12-22T12:41:47.417Z' |
last_used_user_sid | For Windows and macOS: Security identifier of the account that most recently used the application. Example: last_used_user_sid:'S-1-x-x-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx1' |
last_used_user_name | For Windows and macOS: Username of the account that most recently used the application. Examples:
|
last_used_file_name | For Windows and macOS: Most recent file name used for the application. Examples:
|
last_used_file_hash | For Windows and macOS: Most recent file hash used for the application. Example: last_used_file_hash:'0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa' |
last_used_timestamp | For Windows and macOS: Date and time the application was most recently used. Example: last_used_timestamp:'2023-01-10T23:00:00.000Z' |
is_normalized | For Windows: Whether the application name is normalized (true or false). Applications can have different naming variations that result in different records for each variation, for example, Acrobat Reader, Adobe Acrobat Reader, and Acrobat. To avoid this duplication, the most common applications are listed under a single normalized application name, for example, Acrobat. Example: is_normalized:true |
is_suspicious | Whether the application is suspicious based on how often it's been seen in a detection on that asset (true or false). Examples: is_suspicious:true or is_suspicious:!false |
host.id | Unique ID of the asset the application is on. Example: host.id:'a89xxxxxxxxxxxxxxxxxxxxxxxxx08e_137xxxxxxxxxxxx191' |
host.aid | ID of the Falcon sensor installed on the asset the application is on. Example: host.aid:'14xxxxxxxxxxxxxxxxxxxxxxxxxxxx2f' |
host.country | Name of the country where the asset the application is on is located. Examples: host.country:'United States Of America' or host.country:!'Germany' |
host.platform_name | The platform name of the asset the application is on (Windows, Mac, Linux). Examples: host.platform_name:'Windows' or host.platform_name:!'Linux' |
host.os_version | OS version of the asset the application is on. Examples:
|
host.kernel_version | For Linux and Mac: The major version, minor version, and patch version of the kernel for the asset the application is on. For Windows: the build number of the asset the application is on. Examples:
|
host.product_type_desc | The product type of the asset the application is on (Workstation, Domain Controller, Server). Examples:
|
host.tags | Sensor and cloud tags of the asset the application is on. Examples:
|
host.groups | Host management groups the asset the application is on is part of. Examples:
|
host.agent_version | Version of the Falcon sensor that's installed on the asset the application is on. Examples:
|
host.system_manufacturer | System manufacturer of the asset the application is on. Examples:
|
host.ou | Organizational unit of the asset the application is on. Examples: host.ou:'Endpoints' or host.ou:!'Endpoints' |
host.machine_domain | Domain name the asset the application is on is currently joined to. Examples:
|
host.site_name | Site name of the domain the asset the asset the application is on is joined to (applies only to Windows hosts). Examples:
|
host.external_ip | External IPv4 address of the asset the application is on. Examples:
|
host.hostname | Hostname of the asset the application is on. Examples: host.hostname:'ABC-123-DEF-456' or host.hostname:!'ABC-123-DEF-456' |
host.current_network_prefix | Most recent network prefix of the asset the application is on. Examples: host.network_prefix:'192.0' or host.network_prefix:!'192.0' |
host.internet_exposure | Whether the asset the application is on is exposed to the internet (Yes or Unknown). Examples: host.internet_exposure:'Yes' or host.internet_exposure:!'Unknown' |
host.current_mac_address | Most recent MAC address of the asset the application is on. Examples:
|
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_applications(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_applications",
offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
query_hosts
Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
PEP8 method name
query_hosts
Endpoint
| Method | Route |
|---|---|
| /discover/queries/hosts/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | Filter assets using a FQL query. A complete list of available filters can be found here. |
| limit | | | query | integer | The number of asset IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
| offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort assets by their properties. A single sort field is allowed. Common sort options include:
|
Available FQL Filters
The following table lists acceptable values for the filter keyword described above.
| agent_version | kernel_version |
| aid | last_discoverer_aid |
| bios_manufacturer | last_seen_timestamp |
| bios_version | local_ips_count |
| cid | machine_domain |
| city | network_interfaces |
| confidence | network_interfaces.interface_alias |
| country | network_interfaces.interface_description |
| current_local_ip | network_interfaces.local_ip |
| discoverer_aids | network_interfaces.mac_address |
| discoverer_count | network_interfaces.network_prefix |
| discoverer_platform_names | os_version |
| discoverer_product_type_descs | ou |
| discoverer_tags | platform_name |
| entity_type | product_type |
| external_ip | product_type_desc |
| first_discoverer_aid | site_name |
| first_discoverer_ip | system_manufacturer |
| first_seen_timestamp | system_product_name |
| groups | system_serial_number |
| hostname | tags |
| id |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_hosts(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_hosts",
offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
query_iot_hosts
Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
PEP8 method name
query_iot_hosts
Endpoint
| Method | Route |
|---|---|
| /discover/queries/iot-hosts/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | Filter assets using a FQL query. A complete list of available filters can be found here. |
| limit | | | query | integer | The number of IoT asset IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
| offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort IoT assets by their properties. A single sort field is allowed. Common sort options include:
|
Available FQL Filters
The following table lists acceptable values for the filter keyword described above.
| agent_version | local_ips_count |
| aid | mac_addresses |
| bios_manufacturer | machine_domain |
| bios_version | network_id |
| business_criticality | network_interfaces |
| cid | network_interfaces.interface_alias |
| city | network_interfaces.interface_description |
| claroty_id | network_interfaces.local_ip |
| confidence | network_interfaces.mac_address |
| country | network_interfaces.network_prefix |
| current_local_ip | number_of_disk_drives |
| data_providers | os_is_eol |
| data_providers_count | os_version |
| device_class | ou |
| device_family | physical_core_count |
| device_type | platform_name |
| discoverer_count | processor_package_count |
| discoverer_product_type_descs | product_type_desc |
| discoverer_tags | protocols |
| entity_type | purdue_level |
| external_ip | reduced_functionality_mode |
| first_seen_timestamp | site_name |
| groups | subnet |
| hostname | system_manufacturer |
| ics_id | system_product_name |
| id | system_serial_number |
| internet_exposure | tags |
| kernel_version | virtual_zone |
| last_seen_timestamp | vlan |
| local_ip_addresses |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_iot_hosts(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_iot_hosts",
offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
query_logins
Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
PEP8 method name
query_logins
Endpoint
| Method | Route |
|---|---|
| /discover/queries/logins/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | Filter logins using a FQL query. A complete list of available filters can be found here. |
| limit | | | query | integer | The number of login IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
| offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort logins by their properties. A single sort field is allowed. Common sort options include:
|
Available FQL Filters
Common filters include:
account_type:'Local'login_type:'Interactive'first_seen_timestamp:<'now-7d'admin_privileges:'No'
The following table lists acceptable values for the filter keyword described above.
| id | login_timestamp |
| cid | login_domain |
| login_status | admin_privileges |
| account_id | local_ip |
| host_id | remote_ip |
| user_sid | host_country |
| aid | host_city |
| account_name | is_suspicious |
| username | failure_description |
| hostname | login_event_count |
| account_type | aggregation_time_interval |
| login_type |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_logins(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_logins",
offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
query_iot_hostsV2
Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
PEP8 method name
query_iot_hosts_v2
Endpoint
| Method | Route |
|---|---|
| /discover/queries/iot-hosts/v2 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | Filter assets using a FQL query. A complete list of available filters can be found here. |
| limit | | | query | integer | The number of IoT asset IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
| offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort IoT assets by their properties. A single sort field is allowed. Common sort options include:
|
Available FQL Filters
The following table lists acceptable values for the filter keyword described above.
| agent_version | local_ips_count |
| aid | mac_addresses |
| bios_manufacturer | machine_domain |
| bios_version | network_id |
| business_criticality | network_interfaces |
| cid | network_interfaces.interface_alias |
| city | network_interfaces.interface_description |
| claroty_id | network_interfaces.local_ip |
| confidence | network_interfaces.mac_address |
| country | network_interfaces.network_prefix |
| current_local_ip | number_of_disk_drives |
| data_providers | os_is_eol |
| data_providers_count | os_version |
| device_class | ou |
| device_family | physical_core_count |
| device_type | platform_name |
| discoverer_count | processor_package_count |
| discoverer_product_type_descs | product_type_desc |
| discoverer_tags | protocols |
| entity_type | purdue_level |
| external_ip | reduced_functionality_mode |
| first_seen_timestamp | site_name |
| groups | subnet |
| hostname | system_manufacturer |
| ics_id | system_product_name |
| id | system_serial_number |
| internet_exposure | tags |
| kernel_version | virtual_zone |
| last_seen_timestamp | vlan |
| local_ip_addresses |
Usage
Service class example (PEP8 / Operation ID syntax)
from falconpy import Discover
# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_iot_hosts_v2(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_iot_hosts_v2",
offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)