
Using the Firewall Management service collection


Table of Contents

Operation ID (PEP 8 method name) - Description
  • aggregate_events (PEP 8: aggregate_events) - Aggregate events for customer
  • aggregate_policy_rules (PEP 8: aggregate_policy_rules) - Aggregate rules within a policy for customer
  • aggregate_rule_groups (PEP 8: aggregate_rule_groups) - Aggregate rule groups for customer
  • aggregate_rules (PEP 8: aggregate_rules) - Aggregate rules for customer
  • get_events (PEP 8: get_events) - Get events entities by ID and optionally version
  • get_firewall_fields (PEP 8: get_firewall_fields) - Get the firewall field specifications by ID
  • get_network_locations_details (PEP 8: get_network_locations_details) - Get network locations entities by ID
  • update_network_locations_metadata (PEP 8: update_network_locations_metadata) - Updates the network locations metadata such as polling_intervals for the cid
  • update_network_locations_precedence (PEP 8: update_network_locations_precedence) - Updates the network locations precedence according to the list of ids provided.
  • get_network_locations (PEP 8: get_network_locations) - Get a summary of network locations entities by ID
  • upsert_network_locations (PEP 8: upsert_network_locations) - Updates the network locations provided, and return the ID.
  • create_network_locations (PEP 8: create_network_locations) - Create new network locations provided, and return the ID.
  • delete_network_locations (PEP 8: delete_network_locations) - Delete network location entities by ID.
  • update_network_locations (PEP 8: update_network_locations) - Updates the network locations provided, and return the ID.
  • get_platforms (PEP 8: get_platforms) - Get platforms by ID, e.g., windows or mac or droid
  • get_policy_containers (PEP 8: get_policy_containers) - Get policy container entities by policy ID
  • update_policy_container_v1 (PEP 8: update_policy_container_v1) - DEPRECATED. Update an identified policy container
  • update_policy_container (PEP 8: update_policy_container) - Update an identified policy container
  • get_rule_groups (PEP 8: get_rule_groups) - Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order.
  • create_rule_group (PEP 8: create_rule_group) - Create new rule group on a platform for a customer with a name and description, and return the ID
  • delete_rule_groups (PEP 8: delete_rule_groups) - Delete rule group entities by ID
  • update_rule_group (PEP 8: update_rule_group) - Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
  • create_rule_group_validation (PEP 8: create_rule_group_validation) - Validates the request of creating a new rule group on a platform for a customer with a name and description
  • update_rule_group_validation (PEP 8: update_rule_group_validation) - Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
  • get_rules (PEP 8: get_rules) - Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
  • validate_filepath_pattern (PEP 8: validate_filepath_pattern) - Validates that the test pattern matches the executable filepath glob pattern.
  • query_events (PEP 8: query_events) - Find all event IDs matching the query with filter
  • query_firewall_fields (PEP 8: query_firewall_fields) - Get the firewall field specification IDs for the provided platform
  • query_network_locations (PEP 8: query_network_locations) - Get a list of network location IDs
  • query_platforms (PEP 8: query_platforms) - Get the list of platform names
  • query_policy_rules (PEP 8: query_policy_rules) - Find all firewall rule IDs matching the query with filter, and return them in precedence order
  • query_rule_groups (PEP 8: query_rule_groups) - Find all rule group IDs matching the query with filter
  • query_rules (PEP 8: query_rules) - Find all rule IDs matching the query with filter

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. None of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

aggregate_events

Aggregate events for customer

PEP8 method name

aggregate_events

Endpoint

Method: POST
Route: /fwmgr/aggregates/events/GET/v1

Required Scope

firewall-management:write

Content-Type

  • Produces: application/json

Keyword Arguments

body (Service class: supported; Uber class: supported; type: body; data type: list of dictionaries)
Full body payload in JSON format.

date_ranges (Service class: supported; Uber class: not supported; type: body; data type: list of dictionaries)
Applies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]

exclude (Service class: supported; Uber class: not supported; type: body; data type: string)
Elements to exclude.

field (Service class: supported; Uber class: not supported; type: body; data type: string)
The field on which to compute the aggregation.

filter (Service class: supported; Uber class: not supported; type: body; data type: string)
FQL syntax formatted string to use to filter the results.

from (Service class: supported; Uber class: not supported; type: body; data type: integer)
Starting position.

include (Service class: supported; Uber class: not supported; type: body; data type: string)
Elements to include.

interval (Service class: supported; Uber class: not supported; type: body; data type: string)
Time interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute

max_doc_count (Service class: supported; Uber class: not supported; type: body; data type: integer)
Only return buckets if values are less than or equal to the value here.

min_doc_count (Service class: supported; Uber class: not supported; type: body; data type: integer)
Only return buckets if values are greater than or equal to the value here.

missing (Service class: supported; Uber class: not supported; type: body; data type: string)
Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.

name (Service class: supported; Uber class: not supported; type: body; data type: string)
Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.

q (Service class: supported; Uber class: not supported; type: body; data type: string)
Full text search across all metadata fields.

ranges (Service class: supported; Uber class: not supported; type: body; data type: list of dictionaries)
Applies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]

size (Service class: supported; Uber class: not supported; type: body; data type: integer)
The max number of term buckets to be returned.

sub_aggregates (Service class: supported; Uber class: not supported; type: body; data type: list of dictionaries)
A nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.

sort (Service class: supported; Uber class: not supported; type: body; data type: string)
FQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc

time_zone (Service class: supported; Uber class: not supported; type: body; data type: string)
Time zone for bucket results.

type (Service class: supported; Uber class: not supported; type: body; data type: string)
Type of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_events(date_ranges=date_ranges,
                                   exclude="string",
                                   field="string",
                                   filter="string",
                                   # "from" is a reserved word in Python, so it is passed by dictionary unpacking
                                   **{"from": integer},
                                   include="string",
                                   interval="string",
                                   max_doc_count=integer,
                                   min_doc_count=integer,
                                   missing="string",
                                   name="string",
                                   q="string",
                                   ranges=ranges,
                                   size=integer,
                                   sort="string",
                                   time_zone="string",
                                   type="string"
                                   )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        None  # placeholder for nested aggregation dictionaries (maximum of 3)
    ],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_events", body=BODY)

print(response)
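
The constraints in the keyword-argument table above (valid type and interval values, the limit of 3 nested aggregations, the _count/_term sort syntax, and lowercase from/to in date_ranges versus capitalized From/To in ranges) can be checked locally before a request is sent. This is an added example, not FalconPy code: validate_aggregate, build_body and the sample payloads are hypothetical names, and accepting only _count and _term as sort keys is an assumption based on the list above.

```python
"""Pre-flight checks for an aggregate_* body payload (added example, not FalconPy code)."""
import re
from datetime import datetime

# Values copied from the keyword-argument table on this page.
DOCUMENTED_KEYS = {
    "date_ranges", "exclude", "field", "filter", "from", "include", "interval",
    "max_doc_count", "min_doc_count", "missing", "name", "q", "ranges", "size",
    "sub_aggregates", "sort", "time_zone", "type",
}
VALID_TYPES = {
    "date_histogram", "date_range", "terms", "range", "cardinality",
    "max", "min", "avg", "sum", "percentiles",
}
VALID_INTERVALS = {"year", "month", "week", "day", "hour", "minute"}
MAX_SUB_AGGREGATES = 3
# Assumption: only the two sort keys listed on the page are accepted.
SORT_RE = re.compile(r"^(_count|_term)(\|(asc|desc))?$")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def _parse_ts(value):
    """Return a datetime (second precision) for an ISO 8601 UTC string, else None."""
    if not isinstance(value, str) or not TIMESTAMP_RE.match(value):
        return None
    try:
        return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None


def validate_aggregate(agg):
    """Return a list of problems found in one aggregate dictionary."""
    problems = []
    # Catches typos and wrong capitalization such as "Size" for "size".
    unknown = sorted(set(agg) - DOCUMENTED_KEYS)
    if unknown:
        problems.append(f"undocumented keys: {unknown}")
    agg_type = agg.get("type")
    if agg_type not in VALID_TYPES:
        problems.append(f"invalid type: {agg_type!r}")
    if agg_type == "date_histogram" and agg.get("interval") not in VALID_INTERVALS:
        problems.append("date_histogram requires a valid interval")
    for idx, rng in enumerate(agg.get("date_ranges") or []):
        start, end = _parse_ts(rng.get("from")), _parse_ts(rng.get("to"))
        if start is None or end is None:
            problems.append(f"date_ranges[{idx}]: need ISO 8601 'from' and 'to'")
        elif start > end:  # sanity check added here, not stated on the page
            problems.append(f"date_ranges[{idx}]: 'from' is after 'to'")
    for idx, rng in enumerate(agg.get("ranges") or []):
        # ranges use capitalized keys, unlike date_ranges
        if set(rng) != {"From", "To"}:
            problems.append(f"ranges[{idx}]: keys must be 'From' and 'To'")
    if len(agg.get("sub_aggregates") or []) > MAX_SUB_AGGREGATES:
        problems.append("more than 3 nested aggregations")
    sort = agg.get("sort")
    if sort is not None and not SORT_RE.match(sort):
        problems.append(f"invalid sort: {sort!r}")
    return problems


def build_body(*aggregates):
    """Return the list-of-dictionaries body, or raise ValueError listing every problem."""
    errors = {}
    for idx, agg in enumerate(aggregates):
        found = validate_aggregate(agg)
        if found:
            errors[idx] = found
    if errors:
        raise ValueError(f"rejected aggregate payload: {errors}")
    return list(aggregates)


# Constructed sample input: field names and values are illustrative only.
GOOD = {"name": "by_day", "type": "date_histogram", "interval": "day",
        "field": "timestamp", "sort": "_count|desc"}
BAD = {"type": "date_histogram", "interval": "fortnight",
       "ranges": [{"from": 0, "to": 70}],
       "date_ranges": [{"from": "2016-05-30T09:00:31Z", "to": "2016-05-28T09:00:31Z"}],
       "sub_aggregates": [{}, {}, {}, {}], "sort": "count desc", "Size": 5}

if __name__ == "__main__":
    print(build_body(GOOD))
    for problem in validate_aggregate(BAD):
        print("-", problem)
```

The list returned by build_body can be passed as the body keyword shown in the examples above, for instance falcon.command("aggregate_events", body=build_body(GOOD)).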


aggregate_policy_rules

Aggregate rules within a policy for customer

PEP8 method name

aggregate_policy_rules

Endpoint

Method: POST
Route: /fwmgr/aggregates/policy-rules/GET/v1

Required Scope

firewall-management:write

Content-Type

  • Produces: application/json

Keyword Arguments

body (Service class: supported; Uber class: supported; type: body; data type: list of dictionaries)
Full body payload in JSON format.

date_ranges (Service class: supported; Uber class: not supported; type: body; data type: list of dictionaries)
Applies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]

exclude (Service class: supported; Uber class: not supported; type: body; data type: string)
Elements to exclude.

field (Service class: supported; Uber class: not supported; type: body; data type: string)
The field on which to compute the aggregation.

filter (Service class: supported; Uber class: not supported; type: body; data type: string)
FQL syntax formatted string to use to filter the results.

from (Service class: supported; Uber class: not supported; type: body; data type: integer)
Starting position.

include (Service class: supported; Uber class: not supported; type: body; data type: string)
Elements to include.

interval (Service class: supported; Uber class: not supported; type: body; data type: string)
Time interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute

max_doc_count (Service class: supported; Uber class: not supported; type: body; data type: integer)
Only return buckets if values are less than or equal to the value here.

min_doc_count (Service class: supported; Uber class: not supported; type: body; data type: integer)
Only return buckets if values are greater than or equal to the value here.

missing (Service class: supported; Uber class: not supported; type: body; data type: string)
Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.

name (Service class: supported; Uber class: not supported; type: body; data type: string)
Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.

q (Service class: supported; Uber class: not supported; type: body; data type: string)
Full text search across all metadata fields.

ranges (Service class: supported; Uber class: not supported; type: body; data type: list of dictionaries)
Applies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]

size (Service class: supported; Uber class: not supported; type: body; data type: integer)
The max number of term buckets to be returned.

sub_aggregates (Service class: supported; Uber class: not supported; type: body; data type: list of dictionaries)
A nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.

sort (Service class: supported; Uber class: not supported; type: body; data type: string)
FQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc

time_zone (Service class: supported; Uber class: not supported; type: body; data type: string)
Time zone for bucket results.

type (Service class: supported; Uber class: not supported; type: body; data type: string)
Type of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_policy_rules(date_ranges=date_ranges,
                                         exclude="string",
                                         field="string",
                                         filter="string",
                                         # "from" is a reserved word in Python, so it is passed by dictionary unpacking
                                         **{"from": integer},
                                         include="string",
                                         interval="string",
                                         max_doc_count=integer,
                                         min_doc_count=integer,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=ranges,
                                         size=integer,
                                         sort="string",
                                         time_zone="string",
                                         type="string"
                                         )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        None  # placeholder for nested aggregation dictionaries (maximum of 3)
    ],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_policy_rules", body=BODY)

print(response)


aggregate_rule_groups

Aggregate rule groups for customer

PEP8 method name

aggregate_rule_groups

Endpoint

Method: POST
Route: /fwmgr/aggregates/rule-groups/GET/v1

Required Scope

firewall-management:write

Content-Type

  • Produces: application/json

Keyword Arguments

body (Service class: supported; Uber class: supported; type: body; data type: list of dictionaries)
Full body payload in JSON format.

date_ranges (Service class: supported; Uber class: not supported; type: body; data type: list of dictionaries)
Applies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]

exclude (Service class: supported; Uber class: not supported; type: body; data type: string)
Elements to exclude.

field (Service class: supported; Uber class: not supported; type: body; data type: string)
The field on which to compute the aggregation.

filter (Service class: supported; Uber class: not supported; type: body; data type: string)
FQL syntax formatted string to use to filter the results.

from (Service class: supported; Uber class: not supported; type: body; data type: integer)
Starting position.

include (Service class: supported; Uber class: not supported; type: body; data type: string)
Elements to include.

interval (Service class: supported; Uber class: not supported; type: body; data type: string)
Time interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute

max_doc_count (Service class: supported; Uber class: not supported; type: body; data type: integer)
Only return buckets if values are less than or equal to the value here.

min_doc_count (Service class: supported; Uber class: not supported; type: body; data type: integer)
Only return buckets if values are greater than or equal to the value here.

missing (Service class: supported; Uber class: not supported; type: body; data type: string)
Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.

name (Service class: supported; Uber class: not supported; type: body; data type: string)
Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.

q (Service class: supported; Uber class: not supported; type: body; data type: string)
Full text search across all metadata fields.

ranges (Service class: supported; Uber class: not supported; type: body; data type: list of dictionaries)
Applies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]

size (Service class: supported; Uber class: not supported; type: body; data type: integer)
The max number of term buckets to be returned.

sub_aggregates (Service class: supported; Uber class: not supported; type: body; data type: list of dictionaries)
A nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.

sort (Service class: supported; Uber class: not supported; type: body; data type: string)
FQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc

time_zone (Service class: supported; Uber class: not supported; type: body; data type: string)
Time zone for bucket results.

type (Service class: supported; Uber class: not supported; type: body; data type: string)
Type of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_rule_groups(date_ranges=date_ranges,
                                        exclude="string",
                                        field="string",
                                        filter="string",
                                        # "from" is a reserved word in Python, so it is passed by dictionary unpacking
                                        **{"from": integer},
                                        include="string",
                                        interval="string",
                                        max_doc_count=integer,
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=ranges,
                                        size=integer,
                                        sort="string",
                                        time_zone="string",
                                        type="string"
                                        )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        None  # placeholder for nested aggregation dictionaries (maximum of 3)
    ],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_rule_groups", body=BODY)

print(response)


aggregate_rules

Aggregate rules for customer

PEP8 method name

aggregate_rules

Endpoint

Method: POST
Route: /fwmgr/aggregates/rules/GET/v1

Required Scope

firewall-management:write

Content-Type

  • Produces: application/json

Keyword Arguments

body (Service class: supported; Uber class: supported; type: body; data type: list of dictionaries)
Full body payload in JSON format.

date_ranges (Service class: supported; Uber class: not supported; type: body; data type: list of dictionaries)
Applies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]

exclude (Service class: supported; Uber class: not supported; type: body; data type: string)
Elements to exclude.

field (Service class: supported; Uber class: not supported; type: body; data type: string)
The field on which to compute the aggregation.

filter (Service class: supported; Uber class: not supported; type: body; data type: string)
FQL syntax formatted string to use to filter the results.

from (Service class: supported; Uber class: not supported; type: body; data type: integer)
Starting position.

include (Service class: supported; Uber class: not supported; type: body; data type: string)
Elements to include.

interval (Service class: supported; Uber class: not supported; type: body; data type: string)
Time interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute

max_doc_count (Service class: supported; Uber class: not supported; type: body; data type: integer)
Only return buckets if values are less than or equal to the value here.

min_doc_count (Service class: supported; Uber class: not supported; type: body; data type: integer)
Only return buckets if values are greater than or equal to the value here.

missing (Service class: supported; Uber class: not supported; type: body; data type: string)
Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.

name (Service class: supported; Uber class: not supported; type: body; data type: string)
Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.

q (Service class: supported; Uber class: not supported; type: body; data type: string)
Full text search across all metadata fields.

ranges (Service class: supported; Uber class: not supported; type: body; data type: list of dictionaries)
Applies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]

size (Service class: supported; Uber class: not supported; type: body; data type: integer)
The max number of term buckets to be returned.

sub_aggregates (Service class: supported; Uber class: not supported; type: body; data type: list of dictionaries)
A nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.

sort (Service class: supported; Uber class: not supported; type: body; data type: string)
FQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc

time_zone (Service class: supported; Uber class: not supported; type: body; data type: string)
Time zone for bucket results.

type (Service class: supported; Uber class: not supported; type: body; data type: string)
Type of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_rules(date_ranges=date_ranges,
                                  exclude="string",
                                  field="string",
                                  filter="string",
                                  # "from" is a reserved word in Python, so it is passed by dictionary unpacking
                                  **{"from": integer},
                                  include="string",
                                  interval="string",
                                  max_doc_count=integer,
                                  min_doc_count=integer,
                                  missing="string",
                                  name="string",
                                  q="string",
                                  ranges=ranges,
                                  size=integer,
                                  sort="string",
                                  time_zone="string",
                                  type="string"
                                  )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        None  # placeholder for nested aggregation dictionaries (maximum of 3)
    ],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_rules", body=BODY)

print(response)


get_events

Get events entities by ID and optionally version

PEP8 method name

get_events

Endpoint

Method: GET
Route: /fwmgr/entities/events/v1

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

ids (Service class: supported; Uber class: supported; type: query; data type: string or list of strings)
The events to retrieve, identified by ID.

parameters (Service class: supported; Uber class: supported; type: query; data type: dictionary)
Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_events(ids=id_list)

print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_events", ids=id_list)

print(response)

Back to Table of Contents

get_firewall_fields

Get the firewall field specifications by ID

PEP8 method name

get_firewall_fields

Endpoint

| Method | Route |
| --- | --- |
| GET | /fwmgr/entities/firewall-fields/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | The rule types to retrieve, identified by ID. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_firewall_fields(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_firewall_fields", ids=id_list)

print(response)

Back to Table of Contents

get_network_locations_details

Get network locations entities by ID

PEP8 method name

get_network_locations_details

Endpoint

| Method | Route |
| --- | --- |
| GET | /fwmgr/entities/network-locations-details/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | The ID of the network location to retrieve. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using ids keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_network_locations_details(ids=id_list)

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_network_locations_details", ids=id_list)

print(response)

Back to Table of Contents

update_network_locations_metadata

Updates the network locations metadata such as polling_intervals for the cid

PEP8 method name

update_network_locations_metadata

Endpoint

| Method | Route |
| --- | --- |
| POST | /fwmgr/entities/network-locations-metadata/v1 |

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Supported | Supported | body | dictionary | Full body payload in JSON format. |
| cid | Supported | Supported | body | string | CID for the location. |
| comment | Supported | Supported | query | string | Audit log comment for this action. |
| dns_resolution_targets_polling_interval | Supported | Supported | body | integer | Change the DNS resolution target polling interval. |
| https_reachable_hosts_polling_interval | Supported | Supported | body | integer | Change the HTTPS reachable hosts polling interval. |
| icmp_request_targets_polling_interval | Supported | Supported | body | integer | Change the ICMP request targets polling interval. |
| location_precedence | Supported | Supported | body | list of strings | Reorder location precedence of network locations based upon the order of the list of network location IDs provided. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using the comment keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

location_precedence = ["string", "string", "string"]

response = falcon.update_network_locations_metadata(cid="string",
                                                    comment="string",
                                                    dns_resolution_targets_polling_interval=integer,
                                                    https_reachable_hosts_polling_interval=integer,
                                                    icmp_request_targets_polling_interval=integer,
                                                    location_precedence=location_precedence
                                                    )

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "cid": "string",
    "dns_resolution_targets_polling_interval": integer,
    "https_reachable_hosts_polling_interval": integer,
    "icmp_request_targets_polling_interval": integer,
    "location_precedence": [
        "string"
    ]
}

response = falcon.command("update_network_locations_metadata", comment="string", body=BODY)

print(response)

Back to Table of Contents

update_network_locations_precedence

Updates the network locations precedence according to the list of ids provided.

PEP8 method name

update_network_locations_precedence

Endpoint

| Method | Route |
| --- | --- |
| POST | /fwmgr/entities/network-locations-precedence/v1 |

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Supported | Supported | body | dictionary | Full body payload in JSON format. |
| cid | Supported | Supported | body | string | CID for the location. |
| comment | Supported | Supported | query | string | Audit log comment for this action. |
| location_precedence | Supported | Supported | body | list of strings | Reorder location precedence of network locations based upon the order of the list of network location IDs provided. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using the comment keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

location_precedence = ["string", "string", "string"]

response = falcon.update_network_locations_precedence(cid="string",
                                                      comment="string",
                                                      location_precedence=location_precedence
                                                      )

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "cid": "string",
    "location_precedence": [
        "string"
    ]
}

response = falcon.command("update_network_locations_precedence", comment="string", body=BODY)

print(response)

Back to Table of Contents

get_network_locations

Get a summary of network locations entities by ID

PEP8 method name

get_network_locations

Endpoint

| Method | Route |
| --- | --- |
| GET | /fwmgr/entities/network-locations/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | The ID of the network location to retrieve. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using ids keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_network_locations(ids=id_list)

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_network_locations", ids=id_list)

print(response)

Back to Table of Contents

upsert_network_locations

Updates the network locations provided and returns the ID.

PEP8 method name

upsert_network_locations

Endpoint

| Method | Route |
| --- | --- |
| PUT | /fwmgr/entities/network-locations/v1 |

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Supported | Supported | body | dictionary | Full body payload in JSON format. |
| comment | Supported | Supported | query | string | Audit log comment for this action. |
| connection_types | Supported | Supported | body | dictionary | Connections available at this location. |
| created_by | Supported | Supported | body | string | User UUID that created the change. |
| created_on | Supported | Supported | body | string | Datetime formatted string reflecting the time of the change. |
| default_gateways | Supported | Supported | body | list of strings | List of available gateways at this location. |
| description | Supported | Supported | body | string | Description for the location. |
| dhcp_servers | Supported | Supported | body | list of strings | List of available DHCP servers at this location. |
| dns_resolution_targets | Supported | Supported | body | dictionary | Dictionary containing a list of DNS resolution targets for the location. |
| dns_servers | Supported | Supported | body | list of strings | List of available DNS servers at this location. |
| enabled | Supported | Supported | body | boolean | Flag indicating if this location is enabled. |
| host_addresses | Supported | Supported | body | list of strings | List of available host address ranges for this location. |
| https_reachable_hosts | Supported | Supported | body | dictionary | Dictionary containing a list of hostnames reachable via HTTPS at this location. |
| icmp_request_targets | Supported | Supported | body | dictionary | Dictionary containing targets for ICMP monitoring requests at this location. |
| id | Supported | Supported | body | string | Network location ID to upsert. |
| modified_by | Supported | Supported | body | string | User UUID performing this change. |
| modified_on | Supported | Supported | body | string | UTC formatted date string when this location was modified. |
| name | Supported | Supported | body | string | Name for this location. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using the comment keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

response = falcon.upsert_network_locations(comment="string",
                                           connection_types=connection_types,
                                           created_by="string",
                                           created_on="string",
                                           default_gateways=default_gateways,
                                           description="string",
                                           dhcp_servers=dhcp_servers,
                                           dns_resolution_targets=dns_resolution_targets,
                                           dns_servers=dns_servers,
                                           enabled=boolean,
                                           host_addresses=host_addresses,
                                           https_reachable_hosts=https_reachable_hosts,
                                           icmp_request_targets=icmp_request_targets,
                                           name="string",
                                           id="string",
                                           modified_by="string",
                                           modified_on="string"
                                           )

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

BODY = {
    "connection_types": connection_types,
    "created_by": "string",
    "created_on": "string",
    "default_gateways": default_gateways,
    "description": "string",
    "dhcp_servers": dhcp_servers,
    "dns_resolution_targets": dns_resolution_targets,
    "dns_servers": dns_servers,
    "enabled": boolean,
    "host_addresses": host_addresses,
    "https_reachable_hosts": https_reachable_hosts,
    "icmp_request_targets": icmp_request_targets,
    "name": "string",
    "id": "string",
    "modified_by": "string",
    "modified_on": "string"
}

response = falcon.command("upsert_network_locations", comment="string", body=BODY)

print(response)

Back to Table of Contents

create_network_locations

Creates the new network locations provided and returns the ID.

PEP8 method name

create_network_locations

Endpoint

| Method | Route |
| --- | --- |
| POST | /fwmgr/entities/network-locations/v1 |

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| add_fw_rules | Supported | Supported | query | boolean | Flag to indicate that the cloned location needs to be added to the same firewall rules that encompass the original location. |
| body | Supported | Supported | body | dictionary | Full body payload in JSON format. |
| clone_id | Supported | Supported | query | string | A rule group ID from which to copy rules. If this keyword is provided then all other keywords excluding add_fw_rules and comment are ignored. |
| comment | Supported | Supported | query | string | Audit log comment for this action. |
| connection_types | Supported | Supported | body | dictionary | Connections available at this location. |
| default_gateways | Supported | Supported | body | list of strings | List of available gateways at this location. |
| description | Supported | Supported | body | string | Description for the location. |
| dhcp_servers | Supported | Supported | body | list of strings | List of available DHCP servers at this location. |
| dns_resolution_targets | Supported | Supported | body | dictionary | Dictionary containing a list of DNS resolution targets for the location. |
| dns_servers | Supported | Supported | body | list of strings | List of available DNS servers at this location. |
| enabled | Supported | Supported | body | boolean | Flag indicating if this location is enabled. |
| host_addresses | Supported | Supported | body | list of strings | List of available host address ranges for this location. |
| https_reachable_hosts | Supported | Supported | body | dictionary | Dictionary containing a list of hostnames reachable via HTTPS at this location. |
| icmp_request_targets | Supported | Supported | body | dictionary | Dictionary containing targets for ICMP monitoring requests at this location. |
| name | Supported | Supported | body | string | Name for this location. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using the add_fw_rules, clone_id or comment keywords. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}
response = falcon.create_network_locations(add_fw_rules=boolean,
                                           clone_id="string",
                                           comment="string",
                                           connection_types=connection_types,
                                           default_gateways=default_gateways,
                                           description="string",
                                           dhcp_servers=dhcp_servers,
                                           dns_resolution_targets=dns_resolution_targets,
                                           dns_servers=dns_servers,
                                           enabled=boolean,
                                           host_addresses=host_addresses,
                                           https_reachable_hosts=https_reachable_hosts,
                                           icmp_request_targets=icmp_request_targets,
                                           name="string",
                                           )

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

BODY = {
    "connection_types": connection_types,
    "default_gateways": default_gateways,
    "description": "string",
    "dhcp_servers": dhcp_servers,
    "dns_resolution_targets": dns_resolution_targets,
    "dns_servers": dns_servers,
    "enabled": boolean,
    "host_addresses": host_addresses,
    "https_reachable_hosts": https_reachable_hosts,
    "icmp_request_targets": icmp_request_targets,
    "name": "string"
}

response = falcon.command("create_network_locations",
                          add_fw_rules=boolean,
                          clone_id="string",
                          comment="string",
                          body=BODY
                          )

print(response)
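
The clone_id rule in the keyword table above (every keyword other than add_fw_rules and comment is ignored once it is set) means a location can be created without the connection_types or address settings the caller passed. The following is an added example, not FalconPy project code: the helper names build_create_kwargs, create_location and IgnoredKeywordsError are hypothetical, and it assumes only the keyword names documented on this page.

```python
# Added example, not FalconPy project code. Helper names are hypothetical.

# Body keywords listed in the create_network_locations table on this page.
BODY_KEYWORDS = frozenset({
    "connection_types", "default_gateways", "description", "dhcp_servers",
    "dns_resolution_targets", "dns_servers", "enabled", "host_addresses",
    "https_reachable_hosts", "icmp_request_targets", "name",
})
# Query string keywords the page says are still honoured alongside clone_id.
CLONE_KEYWORDS = frozenset({"add_fw_rules", "clone_id", "comment"})


class IgnoredKeywordsError(ValueError):
    """Body keywords were supplied together with clone_id."""


def build_create_kwargs(strict=True, **requested):
    """Return (kwargs, ignored) for a create_network_locations call.

    kwargs  -- the keywords that will actually take effect
    ignored -- sorted names of body keywords that clone_id overrides
    With strict=True a non-empty ignored list raises instead of returning.
    """
    unknown = sorted(set(requested) - BODY_KEYWORDS - CLONE_KEYWORDS)
    if unknown:
        raise TypeError("unsupported keyword(s): " + ", ".join(unknown))

    # Keep explicit False values (for example enabled=False); drop unset ones.
    supplied = {k: v for k, v in requested.items() if v is not None}

    if "clone_id" not in supplied:
        return supplied, []

    ignored = sorted(k for k in supplied if k in BODY_KEYWORDS)
    if ignored and strict:
        raise IgnoredKeywordsError(
            "clone_id is set, so these keywords would be ignored: "
            + ", ".join(ignored)
        )
    kwargs = {k: v for k, v in supplied.items() if k in CLONE_KEYWORDS}
    return kwargs, ignored


def create_location(falcon, strict=True, **requested):
    """Call falcon.create_network_locations with only the effective keywords.

    falcon is a FirewallManagement Service class instance. Returns the API
    response together with the list of keywords that were left out.
    """
    kwargs, ignored = build_create_kwargs(strict=strict, **requested)
    return falcon.create_network_locations(**kwargs), ignored


if __name__ == "__main__":
    # Constructed sample values; CLONE_SOURCE_ID is a placeholder, not a real ID.
    wireless = {"wired": False,
                "wireless": {"enabled": True, "require_encryption": True,
                             "ssids": ["corp-wifi"]}}
    kwargs, ignored = build_create_kwargs(strict=False,
                                          clone_id="CLONE_SOURCE_ID",
                                          add_fw_rules=True,
                                          comment="Clone HQ location",
                                          connection_types=wireless,
                                          name="HQ copy")
    print("sent:", kwargs)
    print("ignored:", ignored)
```

With strict left at its default, a call that mixes clone_id with body keywords fails before any request is sent, so a cloned location is never mistaken for one carrying the requested wireless or address settings.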

Back to Table of Contents

delete_network_locations

Delete network location entities by ID.

PEP8 method name

delete_network_locations

Endpoint

| Method | Route |
| --- | --- |
| DELETE | /fwmgr/entities/network-locations/v1 |

Required Scope

firewall-management:write

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | The ID of the network location to delete. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using ids keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_network_locations(ids=id_list)

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_network_locations", ids=id_list)

print(response)

Back to Table of Contents

update_network_locations

Updates the network locations provided and returns the ID.

PEP8 method name

update_network_locations

Endpoint

| Method | Route |
| --- | --- |
| PATCH | /fwmgr/entities/network-locations/v1 |

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Supported | Supported | body | dictionary | Full body payload in JSON format. |
| comment | Supported | Supported | query | string | Audit log comment for this action. |
| connection_types | Supported | Supported | body | dictionary | Connections available at this location. |
| created_by | Supported | Supported | body | string | User UUID that created the change. |
| created_on | Supported | Supported | body | string | Datetime formatted string reflecting the time of the change. |
| default_gateways | Supported | Supported | body | list of strings | List of available gateways at this location. |
| description | Supported | Supported | body | string | Description for the location. |
| dhcp_servers | Supported | Supported | body | list of strings | List of available DHCP servers at this location. |
| dns_resolution_targets | Supported | Supported | body | dictionary | Dictionary containing a list of DNS resolution targets for the location. |
| dns_servers | Supported | Supported | body | list of strings | List of available DNS servers at this location. |
| enabled | Supported | Supported | body | boolean | Flag indicating if this location is enabled. |
| host_addresses | Supported | Supported | body | list of strings | List of available host address ranges for this location. |
| https_reachable_hosts | Supported | Supported | body | dictionary | Dictionary containing a list of hostnames reachable via HTTPS at this location. |
| icmp_request_targets | Supported | Supported | body | dictionary | Dictionary containing targets for ICMP monitoring requests at this location. |
| id | Supported | Supported | body | string | Network location ID to upsert. |
| modified_by | Supported | Supported | body | string | User UUID performing this change. |
| modified_on | Supported | Supported | body | string | UTC formatted date string when this location was modified. |
| name | Supported | Supported | body | string | Name for this location. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format, not required if using the comment keyword. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

response = falcon.update_network_locations(comment="string",
                                           connection_types=connection_types,
                                           created_by="string",
                                           created_on="string",
                                           default_gateways=default_gateways,
                                           description="string",
                                           dhcp_servers=dhcp_servers,
                                           dns_resolution_targets=dns_resolution_targets,
                                           dns_servers=dns_servers,
                                           enabled=boolean,
                                           host_addresses=host_addresses,
                                           https_reachable_hosts=https_reachable_hosts,
                                           icmp_request_targets=icmp_request_targets,
                                           name="string",
                                           id="string",
                                           modified_by="string",
                                           modified_on="string"
                                           )

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

BODY = {
    "connection_types": connection_types,
    "created_by": "string",
    "created_on": "string",
    "default_gateways": default_gateways,
    "description": "string",
    "dhcp_servers": dhcp_servers,
    "dns_resolution_targets": dns_resolution_targets,
    "dns_servers": dns_servers,
    "enabled": boolean,
    "host_addresses": host_addresses,
    "https_reachable_hosts": https_reachable_hosts,
    "icmp_request_targets": icmp_request_targets,
    "name": "string",
    "id": "string",
    "modified_by": "string",
    "modified_on": "string"
}

response = falcon.command("update_network_locations", comment="string", body=BODY)

print(response)

Back to Table of Contents

get_platforms

Get platforms by ID, e.g., windows or mac or droid

PEP8 method name

get_platforms

Endpoint

| Method | Route |
| --- | --- |
| GET | /fwmgr/entities/platforms/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | The platforms to retrieve, identified by ID. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_platforms(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_platforms", ids=id_list)

print(response)

Back to Table of Contents

get_policy_containers

Get policy container entities by policy ID

PEP8 method name

get_policy_containers

Endpoint

| Method | Route |
| --- | --- |
| GET | /fwmgr/entities/policies/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | The policy container(s) to retrieve, identified by policy ID. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_policy_containers(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_policy_containers", ids=id_list)

print(response)

update_policy_container_v1

Update an identified policy container.

PLEASE NOTE: This endpoint is deprecated in favor of update_policy_container (also known as update_policy_container_v2). Using this legacy endpoint could potentially disable your local logging setting.

PEP8 method name

update_policy_container_v1

Endpoint

| Method | Route |
| :--- | :--- |
| PUT | /fwmgr/entities/policies/v1 |

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| body | Service Class Support | Uber Class Support | body | dictionary | Full body payload in JSON format. |
| default_inbound | Service Class Support | Uber Class Support | body | string | Default inbound. |
| default_outbound | Service Class Support | Uber Class Support | body | string | Default outbound. |
| enforce | Service Class Support | Uber Class Support | body | boolean | Enforcement flag. |
| is_default_policy | Service Class Support | Uber Class Support | body | boolean | Default policy flag. |
| local_logging | Service Class Support | Uber Class Support | body | boolean | Local logging flag. |
| platform_id | Service Class Support | Uber Class Support | body | string | ID of the platform for this policy container. |
| policy_id | Service Class Support | Uber Class Support | body | string | Policy ID to apply to this container. |
| rule_group_ids | Service Class Support | Uber Class Support | body | string or list of strings | Rule group IDs to include in this container. |
| test_mode | Service Class Support | Uber Class Support | body | boolean | Flag indicating if this container is in test mode. |
| tracking | Service Class Support | Uber Class Support | body | string | Tracking. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rule_groups = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.update_policy_container_v1(default_inbound="string",
                                             default_outbound="string",
                                             enforce=boolean,
                                             is_default_policy=boolean,
                                             local_logging=boolean,
                                             platform_id="string",
                                             policy_id="string",
                                             rule_group_ids=rule_groups,
                                             test_mode=boolean,
                                             tracking="string"
                                             )

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rule_groups = ['ID1', 'ID2', 'ID3']

BODY = {
    "default_inbound": "string",
    "default_outbound": "string",
    "enforce": boolean,
    "is_default_policy": boolean,
    "local_logging": boolean,
    "platform_id": "string",
    "policy_id": "string",
    "rule_group_ids": rule_groups,
    "test_mode": boolean,
    "tracking": "string"
}

response = falcon.command("update_policy_container_v1", body=BODY)

print(response)

update_policy_container

Update an identified policy container

PEP8 method name

update_policy_container

Endpoint

| Method | Route |
| :--- | :--- |
| PUT | /fwmgr/entities/policies/v2 |

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| body | Service Class Support | Uber Class Support | body | dictionary | Full body payload in JSON format. |
| default_inbound | Service Class Support | Uber Class Support | body | string | Default inbound. |
| default_outbound | Service Class Support | Uber Class Support | body | string | Default outbound. |
| enforce | Service Class Support | Uber Class Support | body | boolean | Enforcement flag. |
| is_default_policy | Service Class Support | Uber Class Support | body | boolean | Default policy flag. |
| local_logging | Service Class Support | Uber Class Support | body | boolean | Local logging flag. |
| platform_id | Service Class Support | Uber Class Support | body | string | ID of the platform for this policy container. |
| policy_id | Service Class Support | Uber Class Support | body | string | Policy ID to apply to this container. |
| rule_group_ids | Service Class Support | Uber Class Support | body | string or list of strings | Rule group IDs to include in this container. |
| test_mode | Service Class Support | Uber Class Support | body | boolean | Flag indicating if this container is in test mode. |
| tracking | Service Class Support | Uber Class Support | body | string | Tracking. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rule_groups = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.update_policy_container(default_inbound="string",
                                          default_outbound="string",
                                          enforce=boolean,
                                          is_default_policy=boolean,
                                          local_logging=boolean,
                                          platform_id="string",
                                          policy_id="string",
                                          rule_group_ids=rule_groups,
                                          test_mode=boolean,
                                          tracking="string"
                                          )

print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rule_groups = ['ID1', 'ID2', 'ID3']

BODY = {
    "default_inbound": "string",
    "default_outbound": "string",
    "enforce": boolean,
    "is_default_policy": boolean,
    "local_logging": boolean,
    "platform_id": "string",
    "policy_id": "string",
    "rule_group_ids": rule_groups,
    "test_mode": boolean,
    "tracking": "string"
}

response = falcon.command("update_policy_container", body=BODY)

print(response)
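
The deprecation note on update_policy_container_v1 warns that the legacy endpoint can disable the local logging setting. The following added example (not FalconPy code and not from the original page; the function names are hypothetical) reads the container first, carries every current setting into the update_policy_container body, and reads it back to report drift. It assumes each resource returned by get_policy_containers uses the same field names as the update keywords.

```python
# Added example: read-modify-write update of one firewall policy container.
# Assumption: resources returned by get_policy_containers carry the same
# field names as the update keywords documented in the table above.

CONTAINER_KEYS = (
    "default_inbound", "default_outbound", "enforce", "is_default_policy",
    "local_logging", "platform_id", "policy_id", "rule_group_ids",
    "test_mode", "tracking",
)


class ContainerUpdateError(RuntimeError):
    """The container could not be read, or the API rejected the update."""


def resources_or_raise(response, action):
    """Return body.resources from a FalconPy response dict, or raise."""
    status = response.get("status_code", 0)
    body = response.get("body") or {}
    errors = body.get("errors") or []
    if not 200 <= status < 300 or errors:
        raise ContainerUpdateError(f"{action} failed: HTTP {status}, errors={errors}")
    return body.get("resources") or []


def build_update_body(current, changes):
    """Merge the requested changes over the container's current settings."""
    unknown = sorted(set(changes) - set(CONTAINER_KEYS))
    if unknown:
        raise ValueError(f"not an update_policy_container keyword: {unknown}")
    if changes.get("policy_id", current.get("policy_id")) != current.get("policy_id"):
        raise ValueError("policy_id must match the container being updated")
    # Start from what is configured now, so flags the caller did not mention
    # (local_logging, enforce, test_mode) are sent with their existing values.
    body = {key: current[key] for key in CONTAINER_KEYS if key in current}
    body.update(changes)
    return body


def update_container(client, policy_id, **changes):
    """Apply changes to one container and report settings that drifted.

    client is any object exposing get_policy_containers(ids=...) and
    update_policy_container(body=...), such as a FirewallManagement instance.
    Returns (body_sent, drift); drift maps key -> (sent, stored).
    """
    found = resources_or_raise(client.get_policy_containers(ids=policy_id), "read")
    if len(found) != 1:
        raise ContainerUpdateError(
            f"expected 1 container for {policy_id}, got {len(found)}")
    body = build_update_body(found[0], changes)
    body.setdefault("policy_id", policy_id)
    resources_or_raise(client.update_policy_container(body=body), "update")

    # Read the container back and compare it with what was sent.
    after = resources_or_raise(client.get_policy_containers(ids=policy_id), "verify")
    stored = after[0] if after else {}
    # Assumption: tracking may legitimately change on a write, so skip it.
    drift = {key: (value, stored.get(key)) for key, value in body.items()
             if key != "tracking" and stored.get(key) != value}
    return body, drift
```

A non-empty drift dictionary after a write, in particular an entry for local_logging, is the condition to alert on.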

get_rule_groups

Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order.

PEP8 method name

get_rule_groups

Endpoint

| Method | Route |
| :--- | :--- |
| GET | /fwmgr/entities/rule-groups/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| ids | Service Class Support | Uber Class Support | query | string or list of strings | The ID(s) of the rule group to retrieve. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_groups(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rule_groups", ids=id_list)

print(response)

create_rule_group

Create new rule group on a platform for a customer with a name and description, and return the ID

PEP8 method name

create_rule_group

Endpoint

| Method | Route |
| :--- | :--- |
| POST | /fwmgr/entities/rule-groups/v1 |

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| action | Service Class Support | Uber Class Support | body / rules | string | Rule action to perform. String. Overridden if rules keyword is provided. |
| address_family | Service Class Support | Uber Class Support | body / rules | string | Address type, String. Either IP4, IP6 or NONE. Overridden if rules keyword is provided. |
| body | Service Class Support | Uber Class Support | body | dictionary | Full body payload in JSON format. |
| clone_id | Service Class Support | Uber Class Support | query | string | A rule group ID from which to copy rules. If this is provided then the 'rules' property of the body is ignored. |
| comment | Service Class Support | Uber Class Support | query | string | Comment for this rule group. |
| description | Service Class Support | Uber Class Support | body | string | Rule group description. |
| direction | Service Class Support | Uber Class Support | body / rules | string | Traffic direction for created rule. String. Either IN, OUT or BOTH. Overridden if rules keyword is provided. |
| enabled | Service Class Support | Uber Class Support | body | boolean | Flag indicating if the rule group is enabled. |
| fields | Service Class Support | Uber Class Support | body / rules | dictionary or list of dictionaries | Fields to impact. Dictionary or list of dictionaries. Overridden if rules keyword is provided. |
| icmp | Service Class Support | Uber Class Support | body / rules | dictionary | ICMP protocol options. Overridden if rules keyword is provided. |
| library | Service Class Support | Uber Class Support | query | string | If this flag is set to true then the rules will be cloned from the clone_id from the CrowdStrike Firewall Rule Groups Library. |
| local_address | Service Class Support | Uber Class Support | body / rules | dictionary or list of dictionaries | Local address and netmask detail. Overridden if rules keyword is provided. |
| local_port | Service Class Support | Uber Class Support | body / rules | dictionary or list of dictionaries | Local port range. Overridden if rules keyword is provided. |
| log | Service Class Support | Uber Class Support | body / rules | boolean | Log rule matches. Overridden if rules keyword is provided. |
| name | Service Class Support | Uber Class Support | body | string | Rule group name. |
| monitor | Service Class Support | Uber Class Support | body / rules | dictionary | Monitor count / period. Overridden if rules keyword is provided. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| platform | Service Class Support | Uber Class Support | query | string | Common name for the OS platform this rule applies to. Should be provided instead of platform_ids. |
| platform_ids | Service Class Support | Uber Class Support | body / rules | string or list of strings | OS platform(s) covered by rule. Supports comma delimited strings. Overridden if rules keyword is provided. DEPRECATED |
| protocol | Service Class Support | Uber Class Support | body / rules | integer | Protocol specified by rule (Integer identifier). Overridden if rules keyword is provided. |
| remote_address | Service Class Support | Uber Class Support | body / rules | dictionary or list of dictionaries | Remote address and netmask detail. Overridden if rules keyword is provided. |
| remote_port | Service Class Support | Uber Class Support | body / rules | dictionary or list of dictionaries | Remote port range. Overridden if rules keyword is provided. |
| rule_description | Service Class Support | Uber Class Support | body / rules | string | Rule description. Overridden if rules keyword is provided. |
| rule_enabled | Service Class Support | Uber Class Support | body / rules | boolean | Enablement status for the new rule. Overridden if rules keyword is provided. |
| rule_name | Service Class Support | Uber Class Support | body / rules | string | Rule name. Overridden if rules keyword is provided. |
| rules | Service Class Support | Uber Class Support | body | dictionary or list of dictionaries | Rule(s) in JSON format. |
| temp_id | Service Class Support | Uber Class Support | body / rules | string | String to use for temporary rule ID. Overridden if rules keyword is provided. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

new_rule = {
    "action": "string",
    "address_family": "string",
    "description": "string",
    "direction": "string",
    "enabled": boolean,
    "fields": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                "string"
            ]
        }
    ],
    "icmp": {
        "icmp_code": "string",
        "icmp_type": "string"
    },
    "local_address": [
        {
            "address": "string",
            "netmask": integer
        }
    ],
    "local_port": [
        {
            "end": integer,
            "start": integer
        }
    ],
    "log": boolean,
    "monitor": {
        "count": "string",
        "period_ms": "string"
    },
    "name": "string",
    "platform_ids": [
        "string"
    ],
    "protocol": "string",
    "remote_address": [
        {
            "address": "string",
            "netmask": integer
        }
    ],
    "remote_port": [
        {
            "end": integer,
            "start": integer
        }
    ],
    "temp_id": "string"
}

response = falcon.create_rule_group(clone_id="string",
                                    library="string",
                                    comment="string",
                                    description="string",
                                    enabled=boolean,
                                    name="string",
                                    platform="string",
                                    rules=new_rule
                                    )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

new_rule = {
    "action": "string",
    "address_family": "string",
    "description": "string",
    "direction": "string",
    "enabled": boolean,
    "fields": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                "string"
            ]
        }
    ],
    "icmp": {
        "icmp_code": "string",
        "icmp_type": "string"
    },
    "local_address": [
        {
            "address": "string",
            "netmask": integer
        }
    ],
    "local_port": [
        {
            "end": integer,
            "start": integer
        }
    ],
    "log": boolean,
    "monitor": {
        "count": "string",
        "period_ms": "string"
    },
    "name": "string",
    "platform_ids": [
        "string"
    ],
    "protocol": "string",
    "remote_address": [
        {
            "address": "string",
            "netmask": integer
        }
    ],
    "remote_port": [
        {
            "end": integer,
            "start": integer
        }
    ],
    "temp_id": "string"
}

BODY = {
    "description": "string",
    "enabled": boolean,
    "name": "string",
    "platform": "string",
    "rules": [new_rule]
}

response = falcon.command("create_rule_group",
                          body=BODY,
                          clone_id="string",
                          library="string",
                          comment="string"
                          )

print(response)
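
Several create_rule_group keywords are silently overridden when rules is provided, and clone_id causes the rules property of the body to be ignored, so a call can succeed while creating something other than what the arguments describe. The following added example (not FalconPy code; the function names and reason strings are hypothetical) checks a set of keyword arguments against those documented precedence rules before the request is sent.

```python
# Added example: pre-flight check for create_rule_group arguments, built from
# the keyword table on this page.

# Keywords the table marks "Overridden if rules keyword is provided".
RULE_LEVEL_KEYWORDS = frozenset({
    "action", "address_family", "direction", "fields", "icmp",
    "local_address", "local_port", "log", "monitor", "platform_ids",
    "protocol", "remote_address", "remote_port", "rule_description",
    "rule_enabled", "rule_name", "temp_id",
})

OVERRIDDEN_BY_RULES = "overridden because the rules keyword is provided"
IGNORED_BY_CLONE = "ignored because clone_id is provided"
DEPRECATED_PLATFORM_IDS = "deprecated; pass platform instead"


def ineffective_keywords(**kwargs):
    """Return {keyword: reason} for arguments that will not take effect.

    Arguments set to None count as not supplied. False is a real value:
    log=False or rule_enabled=False can be overridden like any other.
    """
    supplied = {key for key, value in kwargs.items() if value is not None}
    rule_level = supplied & RULE_LEVEL_KEYWORDS
    findings = {}

    if "platform_ids" in supplied:
        findings["platform_ids"] = DEPRECATED_PLATFORM_IDS
    if "rules" in supplied:
        for key in rule_level:
            findings[key] = OVERRIDDEN_BY_RULES
    if "clone_id" in supplied:
        # Documented: clone_id makes the API ignore the body's rules property.
        # Inference: the table places the rule-level keywords in the body's
        # rules, so they are reported as ignored as well.
        for key in rule_level | (supplied & {"rules"}):
            findings[key] = IGNORED_BY_CLONE
    return findings


def create_rule_group_strict(client, **kwargs):
    """Call client.create_rule_group only if every argument takes effect."""
    findings = ineffective_keywords(**kwargs)
    if findings:
        detail = "; ".join(f"{key}: {reason}"
                           for key, reason in sorted(findings.items()))
        raise ValueError(f"create_rule_group arguments would be dropped: {detail}")
    return client.create_rule_group(**kwargs)
```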

delete_rule_groups

Delete rule group entities by ID

PEP8 method name

delete_rule_groups

Endpoint

| Method | Route |
| :--- | :--- |
| DELETE | /fwmgr/entities/rule-groups/v1 |

Required Scope

firewall-management:write

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| comment | Service Class Support | Uber Class Support | query | string or list of strings | Audit log comment for this operation. |
| ids | Service Class Support | Uber Class Support | query | string or list of strings | The rule groups to delete, identified by ID. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_groups(comment="string", ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_rule_groups", comment="string", ids=id_list)

print(response)

update_rule_group

Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules

PEP8 method name

update_rule_group

Endpoint

| Method | Route |
| :--- | :--- |
| PATCH | /fwmgr/entities/rule-groups/v1 |

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| body | Service Class Support | Uber Class Support | body | dictionary | Full body payload in JSON format. |
| comment | Service Class Support | Uber Class Support | query | string | Audit log comment for this action. |
| diff_from | Service Class Support | Uber Class Support | body / diff_operations | string | From value for the diff. Overridden if diff_operations keyword is provided. |
| diff_op | Service Class Support | Uber Class Support | body / diff_operations | string | Operation for the diff. Overridden if diff_operations keyword is provided. |
| diff_operations | Service Class Support | Uber Class Support | body | dictionary or list of dictionaries | Differential operations to perform against the rule group. |
| diff_path | Service Class Support | Uber Class Support | body / diff_operations | string | Path for the diff. Overridden if diff_operations keyword is provided. |
| diff_type | Service Class Support | Uber Class Support | body | string | Type of diff to apply. |
| id | Service Class Support | Uber Class Support | body | string | ID of the rule group to update. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| rule_ids | Service Class Support | Uber Class Support | body | list of strings | Rule ID(s) to add to the rule group. |
| rule_versions | Service Class Support | Uber Class Support | body | list of integers | Rule group versions. |
| tracking | Service Class Support | Uber Class Support | body | string | Tracking. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]
diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

response = falcon.update_rule_group(comment="string",
                                    diff_operations=diffs,
                                    diff_type="string",
                                    id="string",
                                    rule_ids=rules,
                                    rule_versions=versions,
                                    tracking="string"
                                    )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]
diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

BODY = {
    "diff_operations": [diffs],
    "diff_type": "string",
    "id": "string",
    "rule_ids": rules,
    "rule_versions": versions,
    "tracking": "string"
}

response = falcon.command("update_rule_group",
                          comment="string",
                          body=BODY
                          )

print(response)

create_rule_group_validation

Validates the request of creating a new rule group on a platform for a customer with a name and description

PEP8 method name

create_rule_group_validation

Endpoint

| Method | Route |
| :--- | :--- |
| POST | /fwmgr/entities/rule-groups/validation/v1 |

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| body | Service Class Support | Uber Class Support | body | dictionary | Full body payload in JSON format, not required if using other keywords. |
| clone_id | Service Class Support | Uber Class Support | query | string | A rule group validation ID from which to copy rules. If this is provided then the 'rules' property of the body is ignored. |
| comment | Service Class Support | Uber Class Support | query | string | Audit log comment for this action. |
| description | Service Class Support | Uber Class Support | body | string | Rule group validation description. |
| enabled | Service Class Support | Uber Class Support | body | boolean | Flag indicating if this validation is enabled. |
| library | Service Class Support | Uber Class Support | query | boolean | If this flag is set to true then the rules will be cloned from the clone_id from the CrowdStrike Firewall Rule Groups Library. |
| name | Service Class Support | Uber Class Support | body | string | Name for this rule group validation. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full parameters payload in JSON format. Not required if using the clone_id and comment keywords. |
| platform | Service Class Support | Uber Class Support | body | string | Name of the platform this rule group validation is associated with. |
| rules | Service Class Support | Uber Class Support | body | list of dictionaries | JSON formatted list of rules to validate. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rule_list = [
    {
        "action": "string",
        "address_family": "string",
        "description": "string",
        "direction": "string",
        "enabled": boolean,
        "fields": [
            {
                "final_value": "string",
                "label": "string",
                "name": "string",
                "type": "string",
                "value": "string",
                "values": [
                    "string"
                ]
            }
        ],
        "fqdn": "string",
        "fqdn_enabled": boolean,
        "icmp": {
            "icmp_code": "string",
            "icmp_type": "string"
        },
        "local_address": [
            {
                "address": "string",
                "netmask": integer
            }
        ],
        "local_port": [
            {
                "end": integer,
                "start": integer
            }
        ],
        "log": boolean,
        "monitor": {
            "count": "string",
            "period_ms": "string"
        },
        "name": "string",
        "protocol": "string",
        "remote_address": [
            {
            "address": "string",
            "netmask": integer
            }
        ],
        "remote_port": [
            {
            "end": integer,
            "start": integer
            }
        ],
        "temp_id": "string"
    }
]

response = falcon.create_rule_group_validation(clone_id="string",
                                               comment="string",
                                               description="string",
                                               enabled=boolean,
                                               library="string",
                                               name="string",
                                               platform="string",
                                               rules=rule_list
                                               )

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rule_list = [
    {
        "action": "string",
        "address_family": "string",
        "description": "string",
        "direction": "string",
        "enabled": boolean,
        "fields": [
            {
                "final_value": "string",
                "label": "string",
                "name": "string",
                "type": "string",
                "value": "string",
                "values": [
                    "string"
                ]
            }
        ],
        "fqdn": "string",
        "fqdn_enabled": boolean,
        "icmp": {
            "icmp_code": "string",
            "icmp_type": "string"
        },
        "local_address": [
            {
                "address": "string",
                "netmask": integer
            }
        ],
        "local_port": [
            {
                "end": integer,
                "start": integer
            }
        ],
        "log": boolean,
        "monitor": {
            "count": "string",
            "period_ms": "string"
        },
        "name": "string",
        "protocol": "string",
        "remote_address": [
            {
            "address": "string",
            "netmask": integer
            }
        ],
        "remote_port": [
            {
            "end": integer,
            "start": integer
            }
        ],
        "temp_id": "string"
    }
]

BODY = {
    "description": "string",
    "enabled": boolean,
    "name": "string",
    "platform": "string",
    "rules": rule_list
}

response = falcon.command("create_rule_group_validation",
                          clone_id="string",
                          comment="string",
                          library="string",
                          body=BODY
                          )

print(response)

update_rule_group_validation

Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules

PEP8 method name

update_rule_group_validation

Endpoint

| Method | Route |
| :--- | :--- |
| PATCH | /fwmgr/entities/rule-groups/validation/v1 |

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| body | Service Class Support | Uber Class Support | body | dictionary | Full body payload in JSON format. |
| comment | Service Class Support | Uber Class Support | query | string | Audit log comment for this action. |
| diff_from | Service Class Support | Uber Class Support | body / diff_operations | string | From value for the diff. Overridden if diff_operations keyword is provided. |
| diff_op | Service Class Support | Uber Class Support | body / diff_operations | string | Operation for the diff. Overridden if diff_operations keyword is provided. |
| diff_operations | Service Class Support | Uber Class Support | body | dictionary or list of dictionaries | Differential operations to perform against the rule group. |
| diff_path | Service Class Support | Uber Class Support | body / diff_operations | string | Path for the diff. Overridden if diff_operations keyword is provided. |
| diff_type | Service Class Support | Uber Class Support | body | string | Type of diff to apply. |
| id | Service Class Support | Uber Class Support | body | string | ID of the rule group to update. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| rule_ids | Service Class Support | Uber Class Support | body | list of strings | Rule ID(s) to add to the rule group. |
| rule_versions | Service Class Support | Uber Class Support | body | list of integers | Rule group versions. |
| tracking | Service Class Support | Uber Class Support | body | string | Tracking. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]
diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

response = falcon.update_rule_group_validation(comment="string",
                                               diff_operations=diffs,
                                               diff_type="string",
                                               id="string",
                                               rule_ids=rules,
                                               rule_versions=versions,
                                               tracking="string"
                                               )

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]
diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

BODY = {
    "diff_operations": [diffs],
    "diff_type": "string",
    "id": "string",
    "rule_ids": rules,
    "rule_versions": versions,
    "tracking": "string"
}

response = falcon.command("update_rule_group_validation",
                          comment="string",
                          body=BODY
                          )

print(response)

get_rules

Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)

PEP8 method name

get_rules

Endpoint

| Method | Route |
| :--- | :--- |
| GET | /fwmgr/entities/rules/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| ids | Service Class Support | Uber Class Support | query | string or list of strings | The rules to retrieve, identified by ID. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rules", ids=id_list)

print(response)


validate_filepath_pattern

Validates that the test pattern matches the executable filepath glob pattern.

PEP8 method name

validate_filepath_pattern

Endpoint

| Method | Route |
| --- | --- |
| POST | /fwmgr/entities/rules/validate-filepath/v1 |

Required Scope

firewall-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Service Class Support | Uber Class Support | body | dictionary | Full body payload in JSON format. |
| filepath_pattern | Service Class Support | Uber Class Support | body | string | Pattern to test against. |
| filepath_test_string | Service Class Support | Uber Class Support | body | string | File path string to be tested. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.validate_filepath_pattern(filepath_pattern="string",
                                            filepath_test_string="string"
                                            )

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "filepath_pattern": "string",
    "filepath_test_string": "string"
}

response = falcon.command("validate_filepath_pattern", body=BODY)

print(response)


query_events

Find all event IDs matching the query with filter

PEP8 method name

query_events

Endpoint

| Method | Route |
| --- | --- |
| GET | /fwmgr/queries/events/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| after | Service Class Support | Uber Class Support | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | Service Class Support | Uber Class Support | query | string | FQL Syntax formatted filter that should be used to limit the results. |
| limit | Service Class Support | Uber Class Support | query | integer | Maximum number of results to return. |
| offset | Service Class Support | Uber Class Support | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| q | Service Class Support | Uber Class Support | query | string | Free text search across all indexed fields. |
| sort | Service Class Support | Uber Class Support | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_events(sort="string",
                               filter="string",
                               q="string",
                               offset=integer,
                               after="string",
                               limit=integer
                               )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_events",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,
                          after="string",
                          limit=integer
                          )

print(response)


query_firewall_fields

Get the firewall field specification IDs for the provided platform

PEP8 method name

query_firewall_fields

Endpoint

| Method | Route |
| --- | --- |
| GET | /fwmgr/queries/firewall-fields/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| limit | Service Class Support | Uber Class Support | query | integer | Maximum number of results to return. |
| offset | Service Class Support | Uber Class Support | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| platform_id | Service Class Support | Uber Class Support | query | string | Field configurations specific to this platform. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_firewall_fields(platform_id="string",
                                        offset=integer,
                                        limit=integer
                                        )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_firewall_fields",
                          platform_id="string",
                          limit=integer,
                          offset=integer
                          )

print(response)


query_network_locations

Get a list of network location IDs

PEP8 method name

query_network_locations

Endpoint

| Method | Route |
| --- | --- |
| GET | /fwmgr/queries/network-locations/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| after | Service Class Support | Uber Class Support | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | Service Class Support | Uber Class Support | query | string | FQL Syntax formatted filter that should be used to limit the results. |
| limit | Service Class Support | Uber Class Support | query | integer | Maximum number of results to return. |
| offset | Service Class Support | Uber Class Support | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| q | Service Class Support | Uber Class Support | query | string | Free text search across all indexed fields. |
| sort | Service Class Support | Uber Class Support | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_network_locations(sort="string",
                                          filter="string",
                                          q="string",
                                          offset="string",
                                          after="string",
                                          limit=integer
                                          )

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_network_locations",
                          sort="string",
                          filter="string",
                          q="string",
                          offset="string",
                          after="string",
                          limit=integer
                          )

print(response)


query_platforms

Get the list of platform names

PEP8 method name

query_platforms

Endpoint

| Method | Route |
| --- | --- |
| GET | /fwmgr/queries/platforms/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| limit | Service Class Support | Uber Class Support | query | integer | Maximum number of results to return. |
| offset | Service Class Support | Uber Class Support | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_platforms(offset=integer, limit=integer)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_platforms", limit=integer, offset=integer)

print(response)


query_policy_rules

Find all firewall rule IDs matching the query with filter, and return them in precedence order

PEP8 method name

query_policy_rules

Endpoint

| Method | Route |
| --- | --- |
| GET | /fwmgr/queries/policy-rules/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| after | Service Class Support | Uber Class Support | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | Service Class Support | Uber Class Support | query | string | FQL Syntax formatted filter that should be used to limit the results. |
| id | Service Class Support | Uber Class Support | query | string | The ID of the policy container within which to query. |
| limit | Service Class Support | Uber Class Support | query | integer | Maximum number of results to return. |
| offset | Service Class Support | Uber Class Support | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| q | Service Class Support | Uber Class Support | query | string | Free text search across all indexed fields. |
| sort | Service Class Support | Uber Class Support | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_policy_rules(id="string",
                                     sort="string",
                                     filter="string",
                                     q="string",
                                     offset=integer,
                                     limit=integer,
                                     after="string"
                                     )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_policy_rules",
                          id="string",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,
                          limit=integer,
                          after="string"
                          )

print(response)


query_rule_groups

Find all rule group IDs matching the query with filter

PEP8 method name

query_rule_groups

Endpoint

| Method | Route |
| --- | --- |
| GET | /fwmgr/queries/rule-groups/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| after | Service Class Support | Uber Class Support | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | Service Class Support | Uber Class Support | query | string | FQL Syntax formatted filter that should be used to limit the results. |
| limit | Service Class Support | Uber Class Support | query | integer | Maximum number of results to return. |
| offset | Service Class Support | Uber Class Support | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| q | Service Class Support | Uber Class Support | query | string | Free text search across all indexed fields. |
| sort | Service Class Support | Uber Class Support | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_rule_groups(sort="string",
                                    filter="string",
                                    q="string",
                                    offset="string",
                                    after="string",
                                    limit=integer
                                    )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_groups",
                          sort="string",
                          filter="string",
                          q="string",
                          offset="string",
                          after="string",
                          limit=integer
                          )

print(response)


query_rules

Find all rule IDs matching the query with filter

PEP8 method name

query_rules

Endpoint

| Method | Route |
| --- | --- |
| GET | /fwmgr/queries/rules/v1 |

Required Scope

firewall-management:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| after | Service Class Support | Uber Class Support | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | Service Class Support | Uber Class Support | query | string | FQL Syntax formatted filter that should be used to limit the results. |
| limit | Service Class Support | Uber Class Support | query | integer | Maximum number of results to return. |
| offset | Service Class Support | Uber Class Support | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| q | Service Class Support | Uber Class Support | query | string | Free text search across all indexed fields. |
| sort | Service Class Support | Uber Class Support | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_rules(sort="string",
                              filter="string",
                              q="string",
                              offset=integer,
                              after="string",
                              limit=integer
                              )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rules",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,
                          after="string",
                          limit=integer
                          )

print(response)
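
Added example (not part of the FalconPy documentation): the after-token pagination described for query_rules, with the collected IDs then resolved through get_rules in batches. It assumes the next token is returned at body.meta.pagination.after; FakeFirewall, its rule IDs and the batch size of 50 are constructed here so the code runs offline.

```python
def iter_rule_ids(client, fql_filter=None, page_size=100):
    """Yield every rule ID matching fql_filter by following the `after` token."""
    after = None
    while True:
        kwargs = {"limit": page_size}
        if fql_filter:
            kwargs["filter"] = fql_filter
        if after:  # the first request carries no after token
            kwargs["after"] = after
        response = client.query_rules(**kwargs)
        if response["status_code"] != 200:
            raise RuntimeError(f"query_rules failed: {response['body'].get('errors')}")
        body = response["body"]
        ids = body.get("resources") or []
        yield from ids
        # Assumption: the next token is returned at body.meta.pagination.after
        token = ((body.get("meta") or {}).get("pagination") or {}).get("after")
        if not ids or not token or token == after:  # done, or token not advancing
            return
        after = token


def fetch_rules(client, fql_filter=None, page_size=100, batch_size=50):
    """Resolve all matching rule IDs to rule entities, batch_size IDs per call."""
    ids = list(iter_rule_ids(client, fql_filter, page_size))
    rules = []
    for start in range(0, len(ids), batch_size):
        response = client.get_rules(ids=ids[start:start + batch_size])
        if response["status_code"] != 200:
            raise RuntimeError(f"get_rules failed: {response['body'].get('errors')}")
        rules.extend(response["body"].get("resources") or [])
    return rules


class FakeFirewall:
    """Constructed offline stand-in for a FirewallManagement instance."""

    def __init__(self, count):
        self.ids = [str(1000 + n) for n in range(count)]  # constructed rule IDs
        self.calls = []

    def query_rules(self, limit=100, after=None, filter=None):
        self.calls.append(("query_rules", after))
        start = int(after) if after else 0
        nxt = str(start + limit) if start + limit < len(self.ids) else ""
        return {"status_code": 200,
                "body": {"meta": {"pagination": {"after": nxt}},
                         "resources": self.ids[start:start + limit]}}

    def get_rules(self, ids):
        self.calls.append(("get_rules", len(ids)))
        return {"status_code": 200, "body": {"resources": [{"id": i} for i in ids]}}


if __name__ == "__main__":
    fake = FakeFirewall(230)
    print(len(fetch_rules(fake)), "rules fetched in", len(fake.calls), "API calls")
```

Against a live tenant, pass a FirewallManagement instance as client in place of FakeFirewall.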
