Using the Identity Protection service collection

Documentation Version

Table of Contents

Operation ID

Description

api_preempt_proxy_post_graphql
PEP 8	graphql

Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

api_preempt_proxy_post_graphql

Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents.

PEP8 method name

graphql

Endpoint

Method	Route
	`/identity-protection/combined/graphql/v1`

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload in JSON format.
query			body	string	JSON-similar formatted query to perform.
variables			body	dictionary	Dictionary of variables to provide to the query.

Usage

Service class example (PEP8 syntax)

from falconpy import IdentityProtection

# Do not hardcode API credentials!
falcon = IdentityProtection(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

idp_query = """
query ($after: Cursor) {
  entities(types: [USER], archived: false, learned: false, first: 5, after: $after) {
    nodes {
      primaryDisplayName
      secondaryDisplayName
      accounts {
        ... on ActiveDirectoryAccountDescriptor {
          domain
        }
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
"""

variables = {
    "string": "string, int, float"
}

response = falcon.graphql(query=idp_query, variables=variables)
print(response)

Service class example (Operation ID syntax)

from falconpy import IdentityProtection

# Do not hardcode API credentials!
falcon = IdentityProtection(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

idp_query = """
query ($after: Cursor) {
  entities(types: [USER], archived: false, learned: false, first: 5, after: $after) {
    nodes {
      primaryDisplayName
      secondaryDisplayName
      accounts {
        ... on ActiveDirectoryAccountDescriptor {
          domain
        }
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
"""

variables = {
    "string": "string, int, float"
}

response = falcon.api_preempt_proxy_post_graphql(query=idp_query, variables=variables)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

idp_query = """
query ($after: Cursor) {
  entities(types: [USER], archived: false, learned: false, first: 5, after: $after) {
    nodes {
      primaryDisplayName
      secondaryDisplayName
      accounts {
        ... on ActiveDirectoryAccountDescriptor {
          domain
        }
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
"""

variables = {
    "string": "string, int, float"
}

BODY = {
    "query": idp_query,
    "variables" variables
}

response = falcon.command("api_preempt_proxy_post_graphql", body=BODY)
print(response)