CrowdStrike Falcon CrowdStrike Subreddit

Using the Falcon Complete Dashboard service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation IDDescription
AggregateAlerts
PEP 8aggregate_alerts
Retrieve aggregate alerts values based on the matched filter
AggregateAllowList
PEP 8aggregate_allow_list
Retrieve aggregate allowlist ticket values based on the matched filter
AggregateBlockList
PEP 8aggregate_block_list
Retrieve aggregate blocklist ticket values based on the matched filter
AggregateDetections
PEP 8aggregate_detections
Retrieve aggregate detection values based on the matched filter
AggregateDeviceCountCollection
PEP 8aggregate_device_count_collection
Retrieve aggregate host/devices count based on the matched filter
AggregateEscalations
PEP 8aggregate_escalations
Retrieve aggregate escalation ticket values based on the matched filter
AggregateFCIncidents
PEP 8aggregate_fc_incidents
Retrieve aggregate incident values based on the matched filter
AggregateRemediations
PEP 8aggregate_remediations
Retrieve aggregate remediation ticket values based on the matched filter
AggregatePreventionPolicy
PEP 8aggregate_prevention_policy
Retrieve aggregate prevention policy values based on the matched filter
AggregateSensorUpdatePolicy
PEP 8aggregate_sensor_update_policy
Retrieve aggregate sensor update policy values based on the matched filter
AggregateTotalDeviceCounts
PEP 8aggregate_total_device_counts
Retrieve aggregate total host/devices based on the matched filter
QueryAlertIdsByFilter
PEP 8query_alert_ids_by_filter
Retrieve Alert IDs that amtch the provided FQL filter criteria with scrolling enabled
QueryAllowListFilter
PEP 8query_allow_list_filter
Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled
QueryBlockListFilter
PEP 8query_block_list_filter
Retrieve block listtickets that match the provided filter criteria with scrolling enabled
QueryDetectionIdsByFilter
PEP 8query_detection_ids_by_filter
Retrieve DetectionsIds that match the provided FQL filter, criteria with scrolling enabled
GetDeviceCountCollectionQueriesByFilter
PEP 8get_device_count_collection_queries_by_filter
Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled
QueryEscalationsFilter
PEP 8query_escalations_filter
Retrieve escalation tickets that match the provided filter criteria with scrolling enabled
QueryIncidentIdsByFilter
PEP 8query_incident_ids_by_filter
Retrieve incidents that match the provided filter criteria with scrolling enabled
QueryRemediationsFilter
PEP 8query_remediations_filter
Retrieve remediation tickets that match the provided filter criteria with scrolling enabled

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

AggregateAlerts

Retrieve aggregate alerts values based on the matched filter

PEP8 method name

aggregate_alerts

Endpoint

MethodRoute
POST/falcon-complete-dashboards/aggregates/alerts/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_alerts(date_ranges=date_ranges,
                                   exclude="string",
                                   field="string",
                                   filter="string",
                                   from=integer,
                                   include="string",
                                   interval="string",
                                   max_doc_count=integer,
                                   min_doc_count=integer,
                                   missing="string",
                                   name="string",
                                   q="string",
                                   ranges=ranges,
                                   size=integer,
                                   sort="string",
                                   time_zone="string",
                                   type="string"
                                   )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateAlerts(date_ranges=date_ranges,
                                  exclude="string",
                                  field="string",
                                  filter="string",
                                  from=integer,
                                  include="string",
                                  interval="string",
                                  max_doc_count=integer,
                                  min_doc_count=integer,
                                  missing="string",
                                  name="string",
                                  q="string",
                                  ranges=ranges,
                                  size=integer,
                                  sort="string",
                                  time_zone="string",
                                  type="string"
                                  )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateAlerts", body=BODY)
print(response)

AggregateAllowList

Retrieve aggregate allowlist ticket values based on the matched filter

PEP8 method name

aggregate_allow_list

Endpoint

MethodRoute
POST/falcon-complete-dashboards/aggregates/allowlist/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_allow_list(date_ranges=date_ranges,
                                       exclude="string",
                                       field="string",
                                       filter="string",
                                       from=integer,
                                       include="string",
                                       interval="string",
                                       max_doc_count=integer,
                                       min_doc_count=integer,
                                       missing="string",
                                       name="string",
                                       q="string",
                                       ranges=ranges,
                                       size=integer,
                                       sort="string",
                                       time_zone="string",
                                       type="string"
                                       )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateAllowList(date_ranges=date_ranges,
                                     exclude="string",
                                     field="string",
                                     filter="string",
                                     from=integer,
                                     include="string",
                                     interval="string",
                                     max_doc_count=integer,
                                     min_doc_count=integer,
                                     missing="string",
                                     name="string",
                                     q="string",
                                     ranges=ranges,
                                     size=integer,
                                     sort="string",
                                     time_zone="string",
                                     type="string"
                                     )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateAllowList", body=BODY)
print(response)

AggregateBlockList

Retrieve aggregate blocklist ticket values based on the matched filter

PEP8 method name

aggregate_block_list

Endpoint

MethodRoute
POST/falcon-complete-dashboards/aggregates/blocklist/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_block_list(date_ranges=date_ranges,
                                       exclude="string",
                                       field="string",
                                       filter="string",
                                       from=integer,
                                       include="string",
                                       interval="string",
                                       max_doc_count=integer,
                                       min_doc_count=integer,
                                       missing="string",
                                       name="string",
                                       q="string",
                                       ranges=ranges,
                                       size=integer,
                                       sort="string",
                                       time_zone="string",
                                       type="string"
                                       )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateBlockList(date_ranges=date_ranges,
                                     exclude="string",
                                     field="string",
                                     filter="string",
                                     from=integer,
                                     include="string",
                                     interval="string",
                                     max_doc_count=integer,
                                     min_doc_count=integer,
                                     missing="string",
                                     name="string",
                                     q="string",
                                     ranges=ranges,
                                     size=integer,
                                     sort="string",
                                     time_zone="string",
                                     type="string"
                                     )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateBlockList", body=BODY)
print(response)

AggregateDetections

Retrieve aggregate detection values based on the matched filter

PEP8 method name

aggregate_detections

Endpoint

MethodRoute
POST/falcon-complete-dashboards/aggregates/detects/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_detections(date_ranges=date_ranges,
                                       exclude="string",
                                       field="string",
                                       filter="string",
                                       from=integer,
                                       include="string",
                                       interval="string",
                                       max_doc_count=integer,
                                       min_doc_count=integer,
                                       missing="string",
                                       name="string",
                                       q="string",
                                       ranges=ranges,
                                       size=integer,
                                       sort="string",
                                       time_zone="string",
                                       type="string"
                                       )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateDetections(date_ranges=date_ranges,
                                      exclude="string",
                                      field="string",
                                      filter="string",
                                      from=integer,
                                      include="string",
                                      interval="string",
                                      max_doc_count=integer,
                                      min_doc_count=integer,
                                      missing="string",
                                      name="string",
                                      q="string",
                                      ranges=ranges,
                                      size=integer,
                                      sort="string",
                                      time_zone="string",
                                      type="string"
                                      )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateDetections", body=BODY)
print(response)

AggregateDeviceCountCollection

Retrieve aggregate host/devices count based on the matched filter

PEP8 method name

aggregate_device_count_collection

Endpoint

MethodRoute
POST/falcon-complete-dashboards/aggregates/devicecount-collections/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_device_count_collection(date_ranges=date_ranges,
                                                    exclude="string",
                                                    field="string",
                                                    filter="string",
                                                    from=integer,
                                                    include="string",
                                                    interval="string",
                                                    max_doc_count=integer,
                                                    min_doc_count=integer,
                                                    missing="string",
                                                    name="string",
                                                    q="string",
                                                    ranges=ranges,
                                                    size=integer,
                                                    sort="string",
                                                    time_zone="string",
                                                    type="string"
                                                    )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateDeviceCountCollection(date_ranges=date_ranges,
                                                 exclude="string",
                                                 field="string",
                                                 filter="string",
                                                 from=integer,
                                                 include="string",
                                                 interval="string",
                                                 max_doc_count=integer,
                                                 min_doc_count=integer,
                                                 missing="string",
                                                 name="string",
                                                 q="string",
                                                 ranges=ranges,
                                                 size=integer,
                                                 sort="string",
                                                 time_zone="string",
                                                 type="string"
                                                 )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateDeviceCountCollection", body=BODY)
print(response)

AggregateEscalations

Retrieve aggregate escalation ticket values based on the matched filter

PEP8 method name

aggregate_escalations

Endpoint

MethodRoute
POST/falcon-complete-dashboards/aggregates/escalations/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_escalations(date_ranges=date_ranges,
                                        exclude="string",
                                        field="string",
                                        filter="string",
                                        from=integer,
                                        include="string",
                                        interval="string",
                                        max_doc_count=integer,
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=ranges,
                                        size=integer,
                                        sort="string",
                                        time_zone="string",
                                        type="string"
                                        )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateEscalations(date_ranges=date_ranges,
                                       exclude="string",
                                       field="string",
                                       filter="string",
                                       from=integer,
                                       include="string",
                                       interval="string",
                                       max_doc_count=integer,
                                       min_doc_count=integer,
                                       missing="string",
                                       name="string",
                                       q="string",
                                       ranges=ranges,
                                       size=integer,
                                       sort="string",
                                       time_zone="string",
                                       type="string"
                                       )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateEscalations", body=BODY)
print(response)

AggregateFCIncidents

Retrieve aggregate incident values based on the matched filter

PEP8 method name

aggregate_fc_incidents

Endpoint

MethodRoute
POST/falcon-complete-dashboards/aggregates/incidents/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_fc_incidents(date_ranges=date_ranges,
                                         exclude="string",
                                         field="string",
                                         filter="string",
                                         from=integer,
                                         include="string",
                                         interval="string",
                                         max_doc_count=integer,
                                         min_doc_count=integer,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=ranges,
                                         size=integer,
                                         sort="string",
                                         time_zone="string",
                                         type="string"
                                         )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateFCIncidents(date_ranges=date_ranges,
                                       exclude="string",
                                       field="string",
                                       filter="string",
                                       from=integer,
                                       include="string",
                                       interval="string",
                                       max_doc_count=integer,
                                       min_doc_count=integer,
                                       missing="string",
                                       name="string",
                                       q="string",
                                       ranges=ranges,
                                       size=integer,
                                       sort="string",
                                       time_zone="string",
                                       type="string"
                                       )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateFCIncidents", body=BODY)
print(response)

AggregateRemediations

Retrieve aggregate remediation ticket values based on the matched filter

PEP8 method name

aggregate_remediations

Endpoint

MethodRoute
POST/falcon-complete-dashboards/aggregates/remediations/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_remediations(date_ranges=date_ranges,
                                         exclude="string",
                                         field="string",
                                         filter="string",
                                         from=integer,
                                         include="string",
                                         interval="string",
                                         max_doc_count=integer,
                                         min_doc_count=integer,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=ranges,
                                         size=integer,
                                         sort="string",
                                         time_zone="string",
                                         type="string"
                                         )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateRemediations(date_ranges=date_ranges,
                                        exclude="string",
                                        field="string",
                                        filter="string",
                                        from=integer,
                                        include="string",
                                        interval="string",
                                        max_doc_count=integer,
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=ranges,
                                        size=integer,
                                        sort="string",
                                        time_zone="string",
                                        type="string"
                                        )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateRemediations", body=BODY)
print(response)

AggregatePreventionPolicy

Retrieve aggregate remediation ticket values based on the matched filter

PEP8 method name

aggregate_prevention_policy

Endpoint

MethodRoute
POST/falcon-complete-dashboards/aggregates/prevention-policies/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_prevention_policy(date_ranges=date_ranges,
                                              exclude="string",
                                              field="string",
                                              filter="string",
                                              from=integer,
                                              include="string",
                                              interval="string",
                                              max_doc_count=integer,
                                              min_doc_count=integer,
                                              missing="string",
                                              name="string",
                                              q="string",
                                              ranges=ranges,
                                              size=integer,
                                              sort="string",
                                              time_zone="string",
                                              type="string"
                                              )
print(response)
Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregatePreventionPolicy(date_ranges=date_ranges,
                                            exclude="string",
                                            field="string",
                                            filter="string",
                                            from=integer,
                                            include="string",
                                            interval="string",
                                            max_doc_count=integer,
                                            min_doc_count=integer,
                                            missing="string",
                                            name="string",
                                            q="string",
                                            ranges=ranges,
                                            size=integer,
                                            sort="string",
                                            time_zone="string",
                                            type="string"
                                            )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregatePreventionPolicy", body=BODY)
print(response)

AggregateSensorUpdatePolicy

Retrieve aggregate remediation ticket values based on the matched filter

PEP8 method name

aggregate_sensor_update_policy

Endpoint

MethodRoute
POST/falcon-complete-dashboards/aggregates/sensor-update-policies/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_sensor_update_policy(date_ranges=date_ranges,
                                                 exclude="string",
                                                 field="string",
                                                 filter="string",
                                                 from=integer,
                                                 include="string",
                                                 interval="string",
                                                 max_doc_count=integer,
                                                 min_doc_count=integer,
                                                 missing="string",
                                                 name="string",
                                                 q="string",
                                                 ranges=ranges,
                                                 size=integer,
                                                 sort="string",
                                                 time_zone="string",
                                                 type="string"
                                                 )
print(response)
Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateSensorUpdatePolicy(date_ranges=date_ranges,
                                              exclude="string",
                                              field="string",
                                              filter="string",
                                              from=integer,
                                              include="string",
                                              interval="string",
                                              max_doc_count=integer,
                                              min_doc_count=integer,
                                              missing="string",
                                              name="string",
                                              q="string",
                                              ranges=ranges,
                                              size=integer,
                                              sort="string",
                                              time_zone="string",
                                              type="string"
                                              )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateSensorUpdatePolicy", body=BODY)
print(response)

AggregateTotalDeviceCounts

Retrieve aggregate remediation ticket values based on the matched filter

PEP8 method name

aggregate_total_device_counts

Endpoint

MethodRoute
POST/falcon-complete-dashboards/aggregates/total-device-counts/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_total_device_counts(date_ranges=date_ranges,
                                                exclude="string",
                                                field="string",
                                                filter="string",
                                                from=integer,
                                                include="string",
                                                interval="string",
                                                max_doc_count=integer,
                                                min_doc_count=integer,
                                                missing="string",
                                                name="string",
                                                q="string",
                                                ranges=ranges,
                                                size=integer,
                                                sort="string",
                                                time_zone="string",
                                                type="string"
                                                )
print(response)
Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateTotalDeviceCounts(date_ranges=date_ranges,
                                             exclude="string",
                                             field="string",
                                             filter="string",
                                             from=integer,
                                             include="string",
                                             interval="string",
                                             max_doc_count=integer,
                                             min_doc_count=integer,
                                             missing="string",
                                             name="string",
                                             q="string",
                                             ranges=ranges,
                                             size=integer,
                                             sort="string",
                                             time_zone="string",
                                             type="string"
                                             )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateTotalDeviceCounts", body=BODY)
print(response)

QueryRemediationsFilter

Retrieve Alert IDs that match the provided FQL filter criteria with scrolling enabled.

PEP8 method name

query_alert_ids_by_filter

Endpoint

MethodRoute
GET/falcon-complete-dashboards/queries/alerts/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringOptional filter and sort criteria in the form of an FQL query.
limit
Service Class Support

Uber Class Support
queryintegerThe maximum records to return. (Max: 500).
offset
Service Class Support

Uber Class Support
queryintegerStarting index of overall result set from which to return ids.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
querystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.query_alert_ids_by_filter(limit=integer,
                                            sort="string",
                                            filter="string",
                                            offset="string"
                                            )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.QueryAlertIdsByFilter(limit=integer,
                                        sort="string",
                                        filter="string",
                                        offset="string"
                                        )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryAlertIdsByFilter",
                          limit=integer,
                          sort="string",
                          filter="string",
                          offset="string"
                          )
print(response)

QueryAllowListFilter

Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled

PEP8 method name

query_allow_list_filter

Endpoint

MethodRoute
GET/falcon-complete-dashboards/queries/allowlist/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringOptional filter and sort criteria in the form of an FQL query.
limit
Service Class Support

Uber Class Support
queryintegerThe maximum records to return. (Max: 500).
offset
Service Class Support

Uber Class Support
queryintegerStarting index of overall result set from which to return ids.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
querystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.query_allow_list_filter(limit=integer,
                                          sort="string",
                                          filter="string",
                                          offset="string"
                                          )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.QueryAllowListFilter(limit=integer,
                                       sort="string",
                                       filter="string",
                                       offset="string"
                                       )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryAllowListFilter",
                          limit=integer,
                          sort="string",
                          filter="string",
                          offset="string"
                          )
print(response)

QueryBlockListFilter

Retrieve block listtickets that match the provided filter criteria with scrolling enabled

PEP8 method name

query_block_list_filter

Endpoint

MethodRoute
GET/falcon-complete-dashboards/queries/blocklist/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringOptional filter and sort criteria in the form of an FQL query.
limit
Service Class Support

Uber Class Support
queryintegerThe maximum records to return. (Max: 500).
offset
Service Class Support

Uber Class Support
queryintegerStarting index of overall result set from which to return ids.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
querystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.query_block_list_filter(limit=integer,
                                          sort="string",
                                          filter="string",
                                          offset="string"
                                          )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.QueryBlockListFilter(limit=integer,
                                       sort="string",
                                       filter="string",
                                       offset="string"
                                       )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryBlockListFilter",
                          limit=integer,
                          sort="string",
                          filter="string",
                          offset="string"
                          )
print(response)

QueryDetectionIdsByFilter

Retrieve DetectionsIds that match the provided FQL filter, criteria with scrolling enabled

PEP8 method name

query_detection_ids_by_filter

Endpoint

MethodRoute
GET/falcon-complete-dashboards/queries/detects/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringOptional filter and sort criteria in the form of an FQL query.
limit
Service Class Support

Uber Class Support
queryintegerThe maximum records to return. (Max: 500).
offset
Service Class Support

Uber Class Support
queryintegerStarting index of overall result set from which to return ids.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
querystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.query_detection_ids_by_filter(limit=integer,
                                                sort="string",
                                                filter="string",
                                                offset="string"
                                                )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.QueryDetectionIdsByFilter(limit=integer,
                                            sort="string",
                                            filter="string",
                                            offset="string"
                                            )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryDetectionIdsByFilter",
                          limit=integer,
                          sort="string",
                          filter="string",
                          offset="string"
                          )
print(response)

GetDeviceCountCollectionQueriesByFilter

Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled

PEP8 method name

get_device_count_collection_queries_by_filter

Endpoint

MethodRoute
GET/falcon-complete-dashboards/queries/devicecount-collections/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringOptional filter and sort criteria in the form of an FQL query.
limit
Service Class Support

Uber Class Support
queryintegerThe maximum records to return. (Max: 500).
offset
Service Class Support

Uber Class Support
queryintegerStarting index of overall result set from which to return ids.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
querystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.get_device_count_collection_queries_by_filter(limit=integer,
                                                                sort="string",
                                                                filter="string",
                                                                offset="string"
                                                                )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.GetDeviceCountCollectionQueriesByFilter(limit=integer,
                                                          sort="string",
                                                          filter="string",
                                                          offset="string"
                                                          )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetDeviceCountCollectionQueriesByFilter",
                          limit=integer,
                          sort="string",
                          filter="string",
                          offset="string"
                          )
print(response)

QueryEscalationsFilter

Retrieve escalation tickets that match the provided filter criteria with scrolling enabled

PEP8 method name

query_escalations_filter

Endpoint

MethodRoute
GET/falcon-complete-dashboards/queries/escalations/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringOptional filter and sort criteria in the form of an FQL query.
limit
Service Class Support

Uber Class Support
queryintegerThe maximum records to return. (Max: 500).
offset
Service Class Support

Uber Class Support
queryintegerStarting index of overall result set from which to return ids.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
querystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.query_escalations_filter(limit=integer,
                                           sort="string",
                                           filter="string",
                                           offset="string"
                                           )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.QueryEscalationsFilter(limit=integer,
                                         sort="string",
                                         filter="string",
                                         offset="string"
                                         )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryEscalationsFilter",
                          limit=integer,
                          sort="string",
                          filter="string",
                          offset="string"
                          )
print(response)

QueryIncidentIdsByFilter

Retrieve incidents that match the provided filter criteria with scrolling enabled

PEP8 method name

query_incident_ids_by_filter

Endpoint

MethodRoute
GET/falcon-complete-dashboards/queries/incidents/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringOptional filter and sort criteria in the form of an FQL query.
limit
Service Class Support

Uber Class Support
queryintegerThe maximum records to return. (Max: 500).
offset
Service Class Support

Uber Class Support
queryintegerStarting index of overall result set from which to return ids.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
querystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.query_incident_ids_by_filter(limit=integer,
                                               sort="string",
                                               filter="string",
                                               offset="string"
                                               )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.QueryIncidentIdsByFilter(limit=integer,
                                           sort="string",
                                           filter="string",
                                           offset="string"
                                           )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIncidentIdsByFilter",
                          limit=integer,
                          sort="string",
                          filter="string",
                          offset="string"
                          )
print(response)

QueryRemediationsFilter

Retrieve remediation tickets that match the provided filter criteria with scrolling enabled

PEP8 method name

query_remediations_filter

Endpoint

MethodRoute
GET/falcon-complete-dashboards/queries/remediations/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringOptional filter and sort criteria in the form of an FQL query.
limit
Service Class Support

Uber Class Support
queryintegerThe maximum records to return. (Max: 500).
offset
Service Class Support

Uber Class Support
queryintegerStarting index of overall result set from which to return ids.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
querystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Usage

Service class example (PEP8 syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.query_remediations_filter(limit=integer,
                                            sort="string",
                                            filter="string",
                                            offset="string"
                                            )
print(response)

Service class example (Operation ID syntax)
from falconpy import CompleteDashboard

# Do not hardcode API credentials!
falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.QueryRemediationsFilter(limit=integer,
                                          sort="string",
                                          filter="string",
                                          offset="string"
                                          )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryRemediationsFilter",
                          limit=integer,
                          sort="string",
                          filter="string",
                          offset="string"
                          )
print(response)