CrowdStrike Falcon CrowdStrike Subreddit

Using the Identity Protection service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation IDDescription
GetSensorAggregates
PEP 8get_sensor_aggregates
Get sensor aggregates as specified via json in request body.
GetSensorDetails
PEP 8get_sensor_details
Get details on one or more sensors by providing device IDs in a POST body. Supports up to a maximum of 5000 IDs.
QuerySensorsByFilter
PEP 8query_sensors
Search for sensors in your environment by hostname, IP, and other criteria.
api_preempt_proxy_post_graphql
PEP 8graphql
Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

GetSensorAggregates

Get sensor aggregates as specified via json in request body.

PEP8 method name

get_sensor_aggregates

Endpoint

MethodRoute
POST/identity-protection/aggregates/devices/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodylist of dictionariesFull body payload in JSON format.
date_ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude
Service Class Support

No Uber Class Support
bodystringElements to exclude.
field
Service Class Support

No Uber Class Support
bodystringThe field on which to compute the aggregation.
filter
Service Class Support

No Uber Class Support
bodystringFQL syntax formatted string to use to filter the results.
from
Service Class Support

No Uber Class Support
bodyintegerStarting position.
include
Service Class Support

No Uber Class Support
bodystringElements to include.
interval
Service Class Support

No Uber Class Support
bodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_count
Service Class Support

No Uber Class Support
bodyintegerOnly return buckets if values are greater than or equal to the value here.
missing
Service Class Support

No Uber Class Support
bodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name
Service Class Support

No Uber Class Support
bodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q
Service Class Support

No Uber Class Support
bodystringFull text search across all metadata fields.
ranges
Service Class Support

No Uber Class Support
bodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size
Service Class Support

No Uber Class Support
bodyintegerThe max number of term buckets to be returned.
sub_aggregates
Service Class Support

No Uber Class Support
bodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort
Service Class Support

No Uber Class Support
bodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone
Service Class Support

No Uber Class Support
bodystringTime zone for bucket results.
type
Service Class Support

No Uber Class Support
bodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import Alerts

# Do not hardcode API credentials!
falcon = Alerts(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

date_range = {
    "from": "string",
    "to": "string"
}
search_range = {
    "From": integer,
    "To": integer
}

response = falcon.get_sensor_aggregates(date_ranges=[date_range],
                                        exclude="string",
                                        field="string",
                                        filter="string",
                                        from=integer,
                                        include="string",
                                        interval="string",
                                        max_doc_count=integer,
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=[search_range],
                                        size=integer,
                                        sort="string",
                                        time_zone="string",
                                        type="string"
                                        )
print(response)
Service class example (Operation ID syntax)
from falconpy import Alerts

# Do not hardcode API credentials!
falcon = Alerts(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

date_range = {
    "from": "string",
    "to": "string"
}
search_range = {
    "From": integer,
    "To": integer
}

response = falcon.GetSensorAggregates(date_ranges=[date_range],
                                      exclude="string",
                                      field="string",
                                      filter="string",
                                      from=integer,
                                      include="string",
                                      interval="string",
                                      max_doc_count=integer,
                                      min_doc_count=integer,
                                      missing="string",
                                      name="string",
                                      q="string",
                                      ranges=[search_range],
                                      size=integer,
                                      sort="string",
                                      time_zone="string",
                                      type="string"
                                      )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = [{
    "date_ranges": [
        {
            "from": "string",
            "to": "string"
        }
    ],
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": [
        {
            "From": integer,
            "To": integer
        }
    ],
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("GetSensorAggregates", body=BODY)
print(response)

GetSensorDetails

Get details on one or more sensors by providing device IDs in a POST body. Supports up to a maximum of 5000 IDs.

PEP8 method name

get_sensor_details

Endpoint

MethodRoute
POST​/identity-protection​/entities​/devices​/GET​/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
ids
Service Class Support

Uber Class Support
bodystring or list of stringsThe host agent IDs used to get details on.
Maximum: 5000

Usage

Service class example (PEP8 syntax)
from falconpy import Hosts

# Do not hardcode API credentials!
falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_sensor_details(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Hosts

# Do not hardcode API credentials!
falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetSensorDetails(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetSensorDetails", ids=id_list)

print(response)

QuerySensorsByFilter

Search for sensors in your environment by hostname, IP, and other criteria.

PEP8 method name

query_sensors

Endpoint

MethodRoute
GET/identity-protection/queries/devices/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
offset
Service Class Support

Uber Class Support
queryintegerThe offset to start retrieving records from
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
limit
Service Class Support

Uber Class Support
queryintegerThe maximum records to return. [1-200]
sort
Service Class Support

Uber Class Support
querystringThe property to sort by (e.g. status.desc or hostname.asc)
filter
Service Class Support

Uber Class Support
querystringThe filter expression that should be used to limit the results.

Usage

Service class example (PEP8 syntax)
from falconpy import Hosts

# Do not hardcode API credentials!
falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_sensors(offset=integer,
                                limit=integer,
                                sort="string",
                                filter="string"
                                )

print(response)
Service class example (Operation ID syntax)
from falconpy import Hosts

# Do not hardcode API credentials!
falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QuerySensorsByFilter(offset=integer,
                                       limit=integer,
                                       sort="string",
                                       filter="string"
                                       )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QuerySensorsByFilter",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )

print(response)

api_preempt_proxy_post_graphql

Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents.

PEP8 method name

graphql

Endpoint

MethodRoute
POST/identity-protection/combined/graphql/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
query
Service Class Support

Uber Class Support
bodystringJSON-similar formatted query to perform.
variables
Service Class Support

Uber Class Support
bodydictionaryDictionary of variables to provide to the query.

Usage

Service class example (PEP8 syntax)
from falconpy import IdentityProtection

# Do not hardcode API credentials!
falcon = IdentityProtection(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

idp_query = """
query ($after: Cursor) {
  entities(types: [USER], archived: false, learned: false, first: 5, after: $after) {
    nodes {
      primaryDisplayName
      secondaryDisplayName
      accounts {
        ... on ActiveDirectoryAccountDescriptor {
          domain
        }
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
"""

variables = {
    "string": "string, int, float"
}

response = falcon.graphql(query=idp_query, variables=variables)
print(response)

Service class example (Operation ID syntax)
from falconpy import IdentityProtection

# Do not hardcode API credentials!
falcon = IdentityProtection(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

idp_query = """
query ($after: Cursor) {
  entities(types: [USER], archived: false, learned: false, first: 5, after: $after) {
    nodes {
      primaryDisplayName
      secondaryDisplayName
      accounts {
        ... on ActiveDirectoryAccountDescriptor {
          domain
        }
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
"""

variables = {
    "string": "string, int, float"
}

response = falcon.api_preempt_proxy_post_graphql(query=idp_query, variables=variables)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

idp_query = """
query ($after: Cursor) {
  entities(types: [USER], archived: false, learned: false, first: 5, after: $after) {
    nodes {
      primaryDisplayName
      secondaryDisplayName
      accounts {
        ... on ActiveDirectoryAccountDescriptor {
          domain
        }
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
"""

variables = {
    "string": "string, int, float"
}

BODY = {
    "query": idp_query,
    "variables" variables
}

response = falcon.command("api_preempt_proxy_post_graphql", body=BODY)
print(response)