Using the Real Time Response Audit service collection

Table of Contents

| Operation ID | Description |
| --- | --- |
| RTRAuditSessions (PEP8: audit_sessions) | Get all the RTR sessions created for a customer in a specified duration |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. None of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

RTRAuditSessions

Get all the RTR sessions created for a customer in a specified duration

PEP8 method name

audit_sessions

Endpoint

| Method | Route |
| --- | --- |
| GET | /real-time-response-audit/combined/sessions/v1 |

Required Scope

real-time-response-audit:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | Service Class Support | Uber Class Support | query | string | Optional filter criteria in FQL format. |
| sort | Service Class Support | Uber Class Support | query | string | Sort order in FQL format. |
| limit | Service Class Support | Uber Class Support | query | string | Maximum number of sessions to be returned. |
| offset | Service Class Support | Uber Class Support | query | string | Offset value to be used for paginating results. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| with_command_info | Service Class Support | Uber Class Support | query | boolean | Retrieve sessions with command info included. By default, sessions are returned without command information, which includes the cloud_request_ids and logs fields. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy import RealTimeResponseAudit

# Do not hardcode API credentials!
falcon = RealTimeResponseAudit(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.audit_sessions(filter="string",
                                 sort="string",
                                 limit="string",
                                 offset="string",
                                 with_command_info=boolean
                                 )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import RealTimeResponseAudit

# Do not hardcode API credentials!
falcon = RealTimeResponseAudit(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.RTRAuditSessions(filter="string",
                                   sort="string",
                                   limit="string",
                                   offset="string",
                                   with_command_info=boolean
                                   )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTRAuditSessions",
                          filter="string",
                          sort="string",
                          limit="string",
                          offset="string",
                          with_command_info=boolean
                          )
print(response)
```
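
The following is an added example, not part of the FalconPy documentation: it pages through audit_sessions with the limit and offset keywords and with_command_info enabled, then keeps the sessions whose logs field is populated. The helper names, the FakeAuditClient stand-in, the FALCON_CLIENT_ID / FALCON_CLIENT_SECRET environment variable names, and the status_code / body / resources / errors response layout are assumptions of this example.

```python
import os


def collect_audit_sessions(client, page_size=100, max_pages=50, **query):
    """Page through audit_sessions with limit/offset and return every session."""
    sessions, offset = [], 0
    for _ in range(max_pages):  # hard stop so a misbehaving API cannot loop forever
        # The keyword table lists limit and offset as strings, so send them that way.
        response = client.audit_sessions(limit=str(page_size), offset=str(offset),
                                         with_command_info=True, **query)
        body = response.get("body", {})
        if response.get("status_code") != 200:
            # Surface API errors (for example a key without the required scope)
            # instead of silently returning an empty audit trail.
            raise RuntimeError(f"audit_sessions failed: {body.get('errors')}")
        page = body.get("resources") or []
        sessions.extend(page)
        if len(page) < page_size:  # short page: nothing left to fetch
            break
        offset += len(page)
    return sessions


def sessions_with_commands(sessions):
    """Keep sessions whose logs field shows at least one command was recorded."""
    return [s for s in sessions if s.get("logs")]


class FakeAuditClient:
    """Constructed stand-in for RealTimeResponseAudit so the example runs offline."""
    def __init__(self, records):
        self.records, self.calls = records, []

    def audit_sessions(self, limit, offset, with_command_info=False, **query):
        self.calls.append((limit, offset, with_command_info))
        page = self.records[int(offset):int(offset) + int(limit)]
        if not with_command_info:  # mirror the documented default: no command fields
            page = [{k: v for k, v in r.items() if k not in ("logs", "cloud_request_ids")}
                    for r in page]
        return {"status_code": 200, "body": {"resources": page, "errors": []}}


if __name__ == "__main__":
    from falconpy import RealTimeResponseAudit  # requires the falconpy package
    # Environment variable names are an assumption of this example.
    falcon = RealTimeResponseAudit(client_id=os.environ["FALCON_CLIENT_ID"],
                                   client_secret=os.environ["FALCON_CLIENT_SECRET"])
    found = collect_audit_sessions(falcon)
    print(len(found), "sessions,", len(sessions_with_commands(found)), "with commands")
```

Extra keyword arguments such as filter or sort are passed through unchanged, so the same loop works for a narrowed query.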