CrowdStrike Falcon CrowdStrike Subreddit

Using the Installation Tokens service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation IDDescription
audit_events_read
PEP 8audit_events_read
Gets the details of one or more audit events by id.
customer_settings_read
PEP 8customer_settings_read
Check current installation token settings.
customer_settings_update
PEP8customer_settings_update
Update installation token settings.
tokens_read
PEP 8tokens_read
Gets the details of one or more tokens by id.
tokens_create
PEP 8tokens_create
Creates a token.
tokens_delete
PEP 8tokens_delete
Deletes a token immediately. To revoke a token, use tokens_update instead.
tokens_update
PEP 8tokens_update
Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.
audit_events_query
PEP 8audit_events_query
Search for audit events by providing a FQL filter and paging details.
tokens_query
PEP 8tokens_query
Search for tokens by providing a FQL filter and paging details.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

audit_events_read

Gets the details of one or more audit events by id.

PEP8 method name

audit_events_read

Endpoint

MethodRoute
GET/installation-tokens/entities/audit-events/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsID(s) of the audit events to retrieve details for.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.audit_events_read(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("audit_events_read", ids=id_list)

print(response)

Back to Table of Contents

customer_settings_read

Check current installation token settings.

PEP8 method name

customer_settings_read

Endpoint

MethodRoute
GET/installation-tokens/entities/customer-settings/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

No keywords or arguments accepted.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.customer_settings_read()

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("customer_settings_read")

print(response)

Back to Table of Contents

customer_settings_update

Update installation token settings.

PEP8 method name

customer-settings-update

Endpoint

MethodRoute
PATCH/installation-tokens/entities/customer-settings/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
max_active_tokens
Service Class Support

Uber Class Support
bodyintegerMaximum number of active tokens.
tokens_required
Service Class Support

Uber Class Support
bodybooleanFlag indicating if tokens are required.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.customer_settings_update(max_active_tokens=integer,
                                           tokens_required=boolean
                                           )

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "max_active_tokens": integer,
    "tokens_required": boolean
}

response = falcon.command("customer_settings_update", body=BODY)

print(response)

Back to Table of Contents

tokens_read

Gets the details of one or more tokens by id.

PEP8 method name

tokens_read

Endpoint

MethodRoute
GET/installation-tokens/entities/tokens/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsID(s) of the tokens to retrieve details for.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.tokens_read(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("tokens_read", ids=id_list)

print(response)

Back to Table of Contents

tokens_create

Creates a token.

PEP8 method name

tokens_create

Endpoint

MethodRoute
POST/installation-tokens/entities/tokens/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
expires_timestamp
Service Class Support

Uber Class Support
bodystringExpiration timestamp. UTC format.
label
Service Class Support

Uber Class Support
bodystringInstallation token label.
revoked
Service Class Support

Uber Class Support
bodybooleanFlag indicating if the token is revoked.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.tokens_create(expires_timestamp="string",
                                label="string",
                                revoked=boolean
                                )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "expires_timestamp": "2021-09-22T02:28:11.762Z",
    "label": "string",
    "revoked": boolean
}

response = falcon.command("tokens_create", body=BODY)

print(response)

Back to Table of Contents

tokens_delete

Deletes a token immediately. To revoke a token, use tokens_update instead.

PEP8 method name

tokens_delete

Endpoint

MethodRoute
DELETE/installation-tokens/entities/tokens/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsID(s) of the tokens to delete.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.tokens_delete(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("tokens_delete", ids=id_list)

print(response)

Back to Table of Contents

tokens_update

Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.

PEP8 method name

tokens_update

Endpoint

MethodRoute
PATCH/installation-tokens/entities/tokens/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
expires_timestamp
Service Class Support

Uber Class Support
bodystringExpiration timestamp. UTC format.
label
Service Class Support

Uber Class Support
bodystringInstallation token label.
ids
Service Class Support

Uber Class Support
querystring or list of stringsID(s) of the tokens to update.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.
revoked
Service Class Support

Uber Class Support
bodybooleanFlag indicating if the token is revoked.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.tokens_update(expires_timestamp="string",
                                label="string",
                                ids=id_list,
                                revoked=boolean
                                )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "expires_timestamp": "2021-09-22T02:28:11.762Z",
    "label": "string",
    "revoked": boolean
}

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("tokens_update", body=BODY, ids=id_list)

print(response)

Back to Table of Contents

audit_events_query

Search for audit events by providing a FQL filter and paging details.

PEP8 method name

audit_events_query

Endpoint

MethodRoute
GET/installation-tokens/queries/audit-events/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFQL Syntax formatted string used to limit the results.
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return.

(Max: 1000, Default: 10)
offset
Service Class Support

Uber Class Support
queryintegerStarting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by. (Ex: timestamp.desc)
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.audit_events_query(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string"
                                     )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("audit_events_query",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )

print(response)

Back to Table of Contents

tokens_query

Search for tokens by providing a FQL filter and paging details.

PEP8 method name

tokens_query

Endpoint

MethodRoute
GET/installation-tokens/queries/tokens/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFQL Syntax formatted string used to limit the results.
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return.

(Max: 1000, Default: 10)
offset
Service Class Support

Uber Class Support
queryintegerStarting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by. (Ex: created_timestamp.desc)
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.tokens_query(offset=integer,
                               limit=integer,
                               sort="string",
                               filter="string"
                               )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("tokens_query",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )

print(response)

Back to Table of Contents