Using the Workflows service collection
Table of Contents
| Operation ID | Description |
|---|---|
| WorkflowActivitiesCombined | Search for activities by name. Returns all supported activities if no filter is specified. |
| WorkflowActivitiesContentCombined | Search for activities by name. Returns all supported activities if no filter is specified. |
| WorkflowExecute | Executes an on-demand workflow. The body is the JSON used to trigger the execution; the response contains the execution ID(s). |
| WorkflowExecuteInternal | Executes an on-demand workflow. The body is the JSON used to trigger the execution; the response contains the execution ID(s). |
| WorkflowMockExecute | Executes an on-demand workflow with mocks. |
| WorkflowExecutionsAction | Allows a user to resume/retry a failed workflow execution. |
| WorkflowExecutionResults | Get execution result of a given execution. |
| WorkflowSystemDefinitionsDeProvision | Deprovisions a system definition that was previously provisioned on the target CID. |
| WorkflowSystemDefinitionsPromote | Promote a version of a system definition. |
| WorkflowSystemDefinitionsProvision | Provisions a system definition onto the target CID by using the template and provided parameters. |
| WorkflowDefinitionsCombined | Search workflow definitions based on the provided filter. |
| WorkflowTriggersCombined | Search for triggers by namespaced identifier, i.e. FalconAudit, Detection, or FalconAudit/Detection/Status. Returns all triggers if no filter is specified. |
| WorkflowExecutionsCombined | Search workflow executions based on the provided filter. |
| WorkflowDefinitionsExport | Exports a workflow definition for the given definition ID. |
| WorkflowDefinitionsImport | Imports a workflow definition based on the provided model. |
| | Enable or disable a workflow definition, or stop all executions for a definition. |
| | Updates a workflow definition based on the provided model. |
| | Gets one or more specific human inputs by their IDs. |
| | Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted. |
| | Search for child executions by providing a FQL filter and paging details. |
Passing credentials
WARNING
client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that none of the examples below hard code these values. (These values are ingested as strings.) CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
WorkflowActivitiesCombined
Search for activities by name. Returns all supported activities if no filter is specified.
PEP8 method name
search_activities
Endpoint
| Method | Route |
|---|---|
| | /workflows/combined/activities/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | FQL query specifying filter parameters. |
| offset | | | query | string | Starting pagination offset of records to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| limit | | | query | integer | Maximum number of records to return. |
| sort | | | query | string | Sort items by providing a comma separated list of property and direction (e.g. name.desc, time.asc). If direction is omitted, defaults to descending. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_activities(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.WorkflowActivitiesCombined(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("WorkflowActivitiesCombined",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
WorkflowActivitiesContentCombined
Search for activities by name. Returns all supported activities if no filter is specified.
PEP8 method name
search_activities_content
Endpoint
| Method | Route |
|---|---|
| | /workflows/combined/activity-content/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | FQL query specifying filter parameters. |
| limit | | | query | integer | Maximum number of records to return. |
| offset | | | query | string | Starting pagination offset of records to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sort | | | query | string | Sort items by providing a comma separated list of property and direction (e.g. name.desc, time.asc). If direction is omitted, defaults to descending. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_activities_content(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.WorkflowActivitiesContentCombined(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("WorkflowActivitiesContentCombined",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
WorkflowExecute
Execute an on-demand workflow. Response will contain the execution ID.
PEP8 method name
execute
Endpoint
| Method | Route |
|---|---|
| | /workflows/entities/execute/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| definition_id | | | query | string or list of strings | Definition ID to execute, either a name or an ID can be specified. |
| execution_cid | | | query | string or list of strings | CID(s) to execute on. |
| name | | | query | string | Workflow name to execute, either a name or an ID can be specified. |
| key | | | query | string | Key used to help deduplicate executions. If unset, a new UUID is used. |
| depth | | | query | integer | Used to record the execution depth to help limit execution loops when a workflow triggers another. The maximum depth is 4. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| source_event_url | | | query | string | Used to record a URL to the source that led to triggering this workflow. |
| body | | | body | dictionary | Full body payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.execute(definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.WorkflowExecute(definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
workflow_schema = {}
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.command("WorkflowExecute",
definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
body=workflow_schema
)
print(response)
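An added example (not FalconPy project code) that ties the credentials warning to the key and depth keywords above: credentials are read from environment variables, the key is derived deterministically so a replayed trigger presents the same value rather than a fresh UUID, and depth is checked against the documented maximum of 4 before the call. The environment variable names, the helper names and the dictionary response shape (status_code, body.resources, body.errors) are assumptions.

```python
import os
import uuid

MAX_DEPTH = 4  # "The maximum depth is 4." (depth keyword in the table above)


def load_credentials(env=None):
    """Return (client_id, client_secret) read from environment variables."""
    env = os.environ if env is None else env
    # FALCON_CLIENT_ID and FALCON_CLIENT_SECRET are assumed variable names.
    names = ("FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET")
    missing = [name for name in names if not env.get(name)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return env[names[0]], env[names[1]]


def dedup_key(definition_id, source_event_url):
    """Derive the same UUID for the same (definition, source event) pair.

    A retried or replayed trigger then sends an identical key instead of
    relying on the random UUID that is used when key is unset.
    """
    material = f"{definition_id}|{source_event_url}"
    return str(uuid.uuid5(uuid.NAMESPACE_URL, material))


def run_on_demand(client, definition_id, source_event_url, depth=0):
    """Execute a workflow for one source event and return the execution IDs."""
    if not 0 <= depth <= MAX_DEPTH:
        # Refuse locally rather than send a call that extends an execution loop.
        raise ValueError(f"depth {depth} is outside 0..{MAX_DEPTH}")
    response = client.execute(definition_id=definition_id,
                              key=dedup_key(definition_id, source_event_url),
                              depth=depth,
                              source_event_url=source_event_url)
    # Assumed response shape: {"status_code": int, "body": {"resources": [...], "errors": [...]}}
    status = response.get("status_code", 0)
    body = response.get("body") or {}
    if not 200 <= status < 300 or body.get("errors"):
        raise RuntimeError(f"WorkflowExecute failed ({status}): {body.get('errors')}")
    return body.get("resources") or []


if __name__ == "__main__":
    # Imported here so the helpers above load even where falconpy is absent.
    from falconpy import Workflows

    client_id, client_secret = load_credentials()
    falcon = Workflows(client_id=client_id, client_secret=client_secret)
    # Both arguments are placeholders, not real identifiers.
    print(run_on_demand(falcon, "DEFINITION_ID", "https://example.invalid/event/1"))
```
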
WorkflowExecuteInternal
Execute an on-demand workflow. Response will contain the execution ID.
PEP8 method name
execute_internal
Endpoint
| Method | Route |
|---|---|
| | /workflows/entities/execute/internal/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| batch_size | | | query | integer | Used to set the size of the batch. |
| definition_id | | | query | string or list of strings | Definition ID to execute, either a name or an ID can be specified. |
| execution_cid | | | query | string or list of strings | CID(s) to execute on. |
| name | | | query | string | Workflow name to execute, either a name or an ID can be specified. |
| key | | | query | string | Key used to help deduplicate executions. If unset, a new UUID is used. |
| depth | | | query | integer | Used to record the execution depth to help limit execution loops when a workflow triggers another. The maximum depth is 4. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| source_event_url | | | query | string | Used to record a URL to the source that led to triggering this workflow. |
| body | | | body | dictionary | Full body payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.execute_internal(batch_size=integer,
definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.WorkflowExecuteInternal(batch_size=integer,
definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
workflow_schema = {
"schema details": "go here"
}
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.command("WorkflowExecuteInternal",
batch_size=integer,
definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
body=workflow_schema
)
print(response)
WorkflowMockExecute
Execute an on-demand workflow with mocks.
PEP8 method name
mock_execute
Endpoint
| Method | Route |
|---|---|
| | /workflows/entities/mock-executions/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| definition_id | | | query | string or list of strings | Definition ID to execute, either a name or an ID can be specified. |
| execution_cid | | | query | string or list of strings | CID(s) to execute on. |
| name | | | query | string | Workflow name to execute, either a name or an ID can be specified. |
| key | | | query | string | Key used to help deduplicate executions. If unset, a new UUID is used. |
| depth | | | query | integer | Used to record the execution depth to help limit execution loops when a workflow triggers another. The maximum depth is 4. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| source_event_url | | | query | string | Used to record a URL to the source that led to triggering this workflow. |
| skip_validation | | | query | boolean | Skip validation of the workflow definition. |
| ignore_activity_mock_references | | | query | boolean | Ignore activity mock references during execution. |
| body | | | body | dictionary | Full body payload in JSON format containing the schema definition, mocks, and the on demand trigger. |
| validate_only | | | query | boolean | Prevent execution after validating mocks against definition. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.mock_execute(definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
skip_validation=boolean,
ignore_activity_mock_references=boolean,
validate_only=boolean
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.WorkflowMockExecute(definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
skip_validation=boolean,
ignore_activity_mock_references=boolean,
validate_only=boolean
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
body_payload = {
"definition": {
# Workflow schema
},
"mocks": "string",
"on_demand_trigger": "string"
}
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.command("WorkflowMockExecute",
definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
body=body_payload,
validate_only=boolean
)
print(response)
WorkflowExecutionsAction
Allows a user to resume/retry a failed workflow execution.
PEP8 method name
execution_action
Endpoint
| Method | Route |
|---|---|
| | /workflows/entities/execution-actions/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| action_name | | | query | string | Specify one of these actions: resume (resume/retry the workflow execution(s) specified in ids); cancel (cancel the workflow execution(s) specified in ids). |
| action_parameters | | | body | list of dictionaries | List of actions to perform. |
| body | | | body | dictionary | Full body payload in JSON format. Not required when using other keywords. |
| ids | | | body | string or list of strings | Execution IDs. |
| name | | | body (action_parameters) | string | Action parameter name. |
| value | | | body (action_parameters) | string | Action parameter value. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
response = falcon.execution_action(action_name="string",
ids="string",
name="string",
value="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
response = falcon.WorkflowExecutionsAction(action_name="string",
ids="string",
name="string",
value="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
body_payload = {
"action_parameters": [
{
"name": "string",
"value": "string"
}
],
"ids": [
"string"
]
}
response = falcon.command("WorkflowExecutionsAction", action_name="string", body=body_payload)
print(response)
WorkflowExecutionResults
Get execution result of a given execution
PEP8 method name
execution_results
Endpoint
| Method | Route |
|---|---|
| | /workflows/entities/execution-results/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | Workflow execution ID to return results for. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.execution_results(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.WorkflowExecutionResults(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("WorkflowExecutionResults", ids=id_list)
print(response)
WorkflowSystemDefinitionsDeProvision
Deprovisions a system definition that was previously provisioned on the target CID.
PEP8 method name
deprovision
Endpoint
| Method | Route |
|---|---|
| | /workflows/system-definitions/deprovision/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full body payload in JSON format. Not required when using other keywords. |
| definition_id | | | body | string | Workflow definition ID. |
| deprovision_all | | | body | boolean | Flag indicating if all workflows should be deprovisioned. |
| template_id | | | body | string | Template ID. |
| template_name | | | body | string | Template name. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
response = falcon.deprovision(definition_id="string",
deprovision_all=boolean,
template_id="string",
template_name="string",
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
response = falcon.WorkflowSystemDefinitionsDeProvision(definition_id="string",
deprovision_all=boolean,
template_id="string",
template_name="string",
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
body_payload = {
"definition_id": "string",
"deprovision_all": boolean,
"template_id": "string",
"template_name": "string"
}
response = falcon.command("WorkflowSystemDefinitionsDeProvision", body=body_payload)
print(response)
WorkflowSystemDefinitionsPromote
Promote a version of a system definition.
Tenant must be already provisioned. This allows the caller to apply an updated template version on a CID and expects all parameters to be supplied. If the template supports multi-instance, the customer scope definition ID must be supplied to determine which customer workflow should be updated.
PEP8 method name
promote
Endpoint
| Method | Route |
|---|---|
| | /workflows/system-definitions/promote/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| activities | | | body | dictionary | Dictionary of workflow activities. |
| body | | | body | dictionary | Full body payload in JSON format. Not required when using other keywords. |
| conditions | | | body | list of dictionaries | List of workflow conditions. |
| customer_definition_id | | | body | string | Customer definition ID. |
| name | | | body | string | Name of the workflow. |
| parameters | | | body | dictionary | Overrides specified activities, conditions and trigger keywords. |
| template_id | | | body | string | Template ID. |
| template_name | | | body | string | Template name. |
| template_version | | | body | string | Template version. |
| trigger | | | body | dictionary | Workflow trigger definition. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
activities = {
"configuration": [
{
"node_id": "string",
"properties": {}
}
],
"selection": [
{
"id": "string",
"properties": {},
"source": "string"
}
]
}
conditions = [
{
"fields": [
{
"name": "string",
"operator": "string"
}
],
"node_id": "string"
}
]
trigger = {
"fields": {},
"node_id": "string"
}
response = falcon.promote(activities=activities,
conditions=conditions,
customer_definition_id="string",
name="string",
template_id="string",
template_name="string",
template_version="string",
trigger=trigger
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
activities = {
"configuration": [
{
"node_id": "string",
"properties": {}
}
],
"selection": [
{
"id": "string",
"properties": {},
"source": "string"
}
]
}
conditions = [
{
"fields": [
{
"name": "string",
"operator": "string"
}
],
"node_id": "string"
}
]
trigger = {
"fields": {},
"node_id": "string"
}
response = falcon.WorkflowSystemDefinitionsPromote(activities=activities,
conditions=conditions,
customer_definition_id="string",
name="string",
template_id="string",
template_name="string",
template_version="string",
trigger=trigger
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
activities = {
"configuration": [
{
"node_id": "string",
"properties": {}
}
],
"selection": [
{
"id": "string",
"properties": {},
"source": "string"
}
]
}
conditions = [
{
"fields": [
{
"name": "string",
"operator": "string"
}
],
"node_id": "string"
}
]
trigger = {
"fields": {},
"node_id": "string"
}
body_payload = {
"customer_definition_id": "string",
"name": "string",
"parameters": {
"activities": activities,
"conditions": conditions,
"trigger": trigger
},
"template_id": "string",
"template_name": "string",
"template_version": "string"
}
response = falcon.command("WorkflowSystemDefinitionsPromote", body=body_payload)
print(response)
WorkflowSystemDefinitionsProvision
Provisions a system definition onto the target CID by using the template and provided parameters.
PEP8 method name
provision
Endpoint
| Method | Route |
|---|---|
| | /workflows/system-definitions/provision/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| activities | | | body | dictionary | Dictionary of workflow activities. |
| body | | | body | dictionary | Full body payload in JSON format. Not required when using other keywords. |
| conditions | | | body | list of dictionaries | List of workflow conditions. |
| customer_definition_id | | | body | string | Customer definition ID. |
| name | | | body | string | Workflow name. |
| parameters | | | body | dictionary | Overrides specified activities, conditions and trigger keywords. |
| template_id | | | body | string | Template ID. |
| template_name | | | body | string | Template name. |
| template_version | | | body | string | Template version. |
| trigger | | | body | dictionary | Workflow trigger definition. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
activities = {
"configuration": [
{
"node_id": "string",
"properties": {}
}
],
"selection": [
{
"id": "string",
"properties": {},
"source": "string"
}
]
}
conditions = [
{
"fields": [
{
"name": "string",
"operator": "string"
}
],
"node_id": "string"
}
]
trigger = {
"fields": {},
"node_id": "string"
}
response = falcon.provision(activities=activities,
conditions=conditions,
customer_definition_id="string",
name="string",
template_id="string",
template_name="string",
template_version="string",
trigger=trigger
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
activities = {
"configuration": [
{
"node_id": "string",
"properties": {}
}
],
"selection": [
{
"id": "string",
"properties": {},
"source": "string"
}
]
}
conditions = [
{
"fields": [
{
"name": "string",
"operator": "string"
}
],
"node_id": "string"
}
]
trigger = {
"fields": {},
"node_id": "string"
}
response = falcon.WorkflowSystemDefinitionsProvision(activities=activities,
conditions=conditions,
customer_definition_id="string",
name="string",
template_id="string",
template_name="string",
template_version="string",
trigger=trigger
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
activities = {
"configuration": [
{
"node_id": "string",
"properties": {}
}
],
"selection": [
{
"id": "string",
"properties": {},
"source": "string"
}
]
}
conditions = [
{
"fields": [
{
"name": "string",
"operator": "string"
}
],
"node_id": "string"
}
]
trigger = {
"fields": {},
"node_id": "string"
}
body_payload = {
"customer_definition_id": "string",
"name": "string",
"parameters": {
"activities": activities,
"conditions": conditions,
"trigger": trigger
},
"template_id": "string",
"template_name": "string",
"template_version": "string"
}
response = falcon.command("WorkflowSystemDefinitionsProvision", body=body_payload)
print(response)
WorkflowDefinitionsCombined
Search workflow definitions based on the provided filter.
PEP8 method name
search_definitions
Endpoint
| Method | Route |
|---|---|
| | /workflows/combined/definitions/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | FQL query specifying filter parameters. |
| offset | | | query | string | Starting pagination offset of records to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| limit | | | query | integer | Maximum number of records to return. |
| sort | | | query | string | Sort items by providing a comma separated list of property and direction (e.g. name.desc, time.asc). If direction is omitted, defaults to descending. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_definitions(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.WorkflowDefinitionsCombined(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("WorkflowDefinitionsCombined",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
WorkflowExecutionsCombined
Search workflow executions based on the provided filter.
PEP8 method name
search_executions
Endpoint
| Method | Route |
|---|---|
| | /workflows/combined/executions/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | FQL query specifying filter parameters. |
| offset | | | query | string | Starting pagination offset of records to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| limit | | | query | integer | Maximum number of records to return. |
| sort | | | query | string | Sort items by providing a comma separated list of property and direction (e.g. name.desc, time.asc). If direction is omitted, defaults to descending. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_executions(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.WorkflowExecutionsCombined(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("WorkflowExecutionsCombined",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
WorkflowTriggersCombined
Search for triggers by namespaced identifier, i.e. FalconAudit, Detection, or FalconAudit/Detection/Status. Returns all triggers if no filter is specified.
PEP8 method name
search_triggers
Endpoint
| Method | Route |
|---|---|
| | /workflows/combined/triggers/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | FQL query specifying filter parameters. |
| offset | | | query | string | Starting pagination offset of records to return. |
| limit | | | query | integer | Maximum number of records to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_triggers(filter="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.WorkflowTriggersCombined(filter="string")
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
response = falcon.command("WorkflowTriggersCombined", filter="string")
print(response)
Back to Table of Contents
WorkflowDefinitionsExport
Exports a workflow definition for the given definition ID.
PEP8 method name
export_definition
Endpoint
| Method | Route |
|---|---|
| | /workflows/entities/definitions/export/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/yaml
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| id | | | query | string | ID of workflow definitions to return details for. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| sanitize | | | query | boolean | Sanitize PII from workflow before it is exported. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )
response = falcon.export_definition(id="string", sanitize=boolean)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )
response = falcon.WorkflowDefinitionsExport(id="string", sanitize=boolean)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
response = falcon.command("WorkflowDefinitionsExport", id="string", sanitize=boolean)
print(response)
Back to Table of Contents
WorkflowDefinitionsImport
Imports a workflow definition based on the provided model.
PEP8 method name
import_definition
Endpoint
| Method | Route |
|---|---|
| | /workflows/entities/definitions/import/v1 |
Required Scope
Content-Type
- Consumes: multipart/form-data
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| data_file | | | formData | file | A workflow definition in YAML format to import. Can be the file location or the file contents. |
| name | | | query | string | Workflow name to override. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| validate_only | | | query | boolean | When enabled, prevents saving workflow after validating. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )
with open("filename.yml", "r") as yaml_file:
    response = falcon.import_definition(name="string", validate_only=boolean, data_file=yaml_file)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )
with open("filename.yml", "r") as yaml_file:
    response = falcon.WorkflowDefinitionsImport(name="string",
                                                validate_only=boolean,
                                                data_file=yaml_file
                                                )
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
with open("filename.yml", "r") as yaml_file:
    response = falcon.command("WorkflowDefinitionsImport",
                              name="string",
                              validate_only=boolean,
                              data_file=yaml_file
                              )
print(response)
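The export and import operations above combine into a review-before-save flow: export with `sanitize=True`, dry-run the import with `validate_only=True`, and save only if validation passes. This is an added example, not FalconPy project code; the helper names, the environment variable names, and the response shapes (a dict with `status_code` and `body.errors`, raw YAML bytes from a successful export) are assumptions.

```python
"""Added example: sanitized export, then validate-only import before saving."""


def ok(response):
    """True when a FalconPy dict response reports success with no errors."""
    if not isinstance(response, dict):
        return False
    body = response.get("body") or {}
    return response.get("status_code") in (200, 201) and not body.get("errors")


def export_sanitized(falcon, definition_id):
    """Export a definition as YAML text with PII sanitized."""
    result = falcon.export_definition(id=definition_id, sanitize=True)
    # Assumption: success yields the YAML payload (bytes), failure a dict.
    if isinstance(result, dict):
        raise RuntimeError(f"export failed: {(result.get('body') or {}).get('errors')}")
    return result.decode("utf-8") if isinstance(result, bytes) else str(result)


def import_validated(falcon, yaml_text, name):
    """Dry-run the import; save only if validation succeeds."""
    check = falcon.import_definition(name=name, validate_only=True,
                                     data_file=yaml_text)
    if not ok(check):
        # Nothing was saved; hand the validation errors back to the caller.
        return {"saved": False, "stage": "validate", "response": check}
    saved = falcon.import_definition(name=name, validate_only=False,
                                     data_file=yaml_text)
    return {"saved": ok(saved), "stage": "import", "response": saved}


if __name__ == "__main__":
    import os
    from falconpy import Workflows
    # Assumed environment variable names; credentials are never hard coded.
    falcon = Workflows(client_id=os.environ["FALCON_CLIENT_ID"],
                       client_secret=os.environ["FALCON_CLIENT_SECRET"])
    text = export_sanitized(falcon, os.environ["WORKFLOW_DEFINITION_ID"])
    print(import_validated(falcon, text, name="copy-of-exported-workflow"))
```
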
Back to Table of Contents
WorkflowDefinitionsAction
Enable or disable a workflow definition, or stop all executions for a definition.
When a definition is disabled it will not execute against any new trigger events.
PEP8 method name
workflow_definition_action
Endpoint
| Method | Route |
|---|---|
| | /workflows/entities/definition-actions/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Parameters
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| action_name | | | query | string | Specify one of these actions: enable - enable the workflow(s) specified in ids, disable - disable the workflow(s) specified in ids, cancel - cancel all in-flight executions for the workflow specified in ids. Required parameter. |
| ids | | | body | string or list of strings | ID(s) of workflow definitions to perform the action against. |
| body | | | body | dictionary | Full body payload in JSON format. Required parameter. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )
response = falcon.workflow_definition_action(action_name="enable",
                                             ids=["string"]
                                             )
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )
response = falcon.WorkflowDefinitionsAction(action_name="enable",
                                            ids=["string"]
                                            )
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
body_payload = {
    "ids": [
        "string"
    ]
}
response = falcon.command("WorkflowDefinitionsAction",
                          action_name="enable",
                          body=body_payload
                          )
print(response)
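Because a disabled definition only stops reacting to new trigger events, halting a workflow takes two calls: `disable`, then `cancel` for executions already in flight. This is an added example, not FalconPy project code; `halt_workflow` and `response_errors` are hypothetical helper names, and the environment variable names and the response shape (a dict with `status_code` and `body.errors`) are assumptions.

```python
"""Added example: stop a workflow definition and its in-flight executions."""


def response_errors(response):
    """Errors from a FalconPy dict response (assumed: status_code, body.errors)."""
    body = response.get("body") or {}
    errors = body.get("errors") or []
    if not errors and response.get("status_code") not in (200, 201, 202):
        errors = [{"message": f"HTTP {response.get('status_code')}"}]
    return errors


def halt_workflow(falcon, definition_id):
    """Disable the definition, then cancel what is already running.

    Order matters: disabling first stops new trigger events from starting
    executions while the cancel call is being processed. Both actions are
    always attempted so a failed disable does not leave runs in flight.
    """
    steps = []
    for action in ("disable", "cancel"):
        # cancel applies to a single workflow, so send one ID per call.
        response = falcon.workflow_definition_action(action_name=action,
                                                     ids=[definition_id])
        steps.append({"action": action, "errors": response_errors(response)})
    return {"halted": all(not s["errors"] for s in steps), "steps": steps}


if __name__ == "__main__":
    import os
    from falconpy import Workflows
    # Assumed environment variable names; credentials are never hard coded.
    falcon = Workflows(client_id=os.environ["FALCON_CLIENT_ID"],
                       client_secret=os.environ["FALCON_CLIENT_SECRET"])
    print(halt_workflow(falcon, os.environ["WORKFLOW_DEFINITION_ID"]))
```
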
Back to Table of Contents
WorkflowDefinitionsUpdate
Updates a workflow definition based on the provided model.
PEP8 method name
update_definition
Endpoint
| Method | Route |
|---|---|
| | /workflows/entities/definitions/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full workflow definition with all parameters in JSON format. |
| change_log | | | body | string | Workflow revision change log comment. |
| definition | | | body | dictionary | Workflow definition parameters. |
| flight_control | | | body | dictionary | Workflow flight control functionality definitions. |
| id | | | body | string | Workflow ID to update. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| validate_only | | | query | boolean | When enabled, prevents saving workflow after validating. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )
workflow_definition = {
    "Workflow definition in JSON format"
}
fc_params = {
    "all_cids": boolean,
    "excluded_cids": [
        "string"
    ],
    "include_parent_cid": boolean,
    "selected_cids": [
        "string"
    ]
}
response = falcon.update_definition(change_log="string",
                                    definition=workflow_definition,
                                    flight_control=fc_params,
                                    id="string",
                                    validate_only=boolean
                                    )
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )
workflow_definition = {
    "Workflow definition in JSON format"
}
fc_params = {
    "all_cids": boolean,
    "excluded_cids": [
        "string"
    ],
    "include_parent_cid": boolean,
    "selected_cids": [
        "string"
    ]
}
response = falcon.WorkflowDefinitionsUpdate(change_log="string",
                                            definition=workflow_definition,
                                            flight_control=fc_params,
                                            id="string",
                                            validate_only=boolean
                                            )
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
workflow_definition = {
    "Workflow definition in JSON format"
}
fc_params = {
    "all_cids": boolean,
    "excluded_cids": [
        "string"
    ],
    "include_parent_cid": boolean,
    "selected_cids": [
        "string"
    ]
}
body_payload = {
    "Definition": workflow_definition,
    "change_log": "string",
    "enabled": boolean,
    "flight_control": fc_params,
    "id": "string"
}
response = falcon.command("WorkflowDefinitionsUpdate", body=body_payload)
print(response)
Back to Table of Contents
WorkflowGetHumanInputV1
Gets one or more specific human inputs by their IDs.
PEP8 method name
get_human_input
Endpoint
| Method | Route |
|---|---|
| | /workflows/entities/human-inputs/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | ID(s) of human inputs to retrieve. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_human_input(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.WorkflowGetHumanInputV1(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("WorkflowGetHumanInputV1", ids=id_list)
print(response)
Back to Table of Contents
WorkflowUpdateHumanInputV1
Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted.
PEP8 method name
update_human_input
Endpoint
| Method | Route |
|---|---|
| | /workflows/entities/human-inputs/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full body payload in JSON format. |
| id | | | query | string | ID of human input to provide an input to. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| input | | | body | string | Input value. |
| note | | | body | string | Input note. |
Usage
Service class example (PEP8 syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )
response = falcon.update_human_input(id="string", input="string", note="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )
response = falcon.WorkflowUpdateHumanInputV1(id="string", input="string", note="string")
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
body_payload = {
    "input": "string",
    "note": "string"
}
response = falcon.command("WorkflowUpdateHumanInputV1", id="string", body=body_payload)
print(response)