-
Notifications
You must be signed in to change notification settings - Fork 119
Operations Overview
Throughout this repository, we frequently make references to Operations or Operation IDs. The usage of these terms is specific with regards to FalconPy and originates from the contents of the CrowdStrike API swagger, which the library is based on.
An operation is the act of performing a request against a specific endpoint within the CrowdStrike API. This is done by providing payloads using an allowed HTTP method to a specific API endpoint. Operations may use the same endpoint, or the same HTTP method as other operations, but no two combinations are ever duplicated. Although every operation will have it's own unique payload requirements, many operations will have matching payload formats or require no payload whatsoever.
For ease of use purposes, FalconPy intentionally abstracts the API endpoint and HTTP method for all API operations. Developers only need the ID of the operation they wish to perform in order to find documentation or use the operation.
All operations within all API service collections have a unique string identifier that is specific to the one operation only. This ID is present within the CrowdStrike API swagger and is leveraged in several places within the FalconPy library. Operation IDs are case sensitive.
-
Operation IDs are used to define the operation within this wiki, and to detail how it can be properly used.
-
Operation IDs can be used as methods within Service Classes. This is referred to as Operation ID Syntax.
-
Operation IDs are used to tell the Uber Class's
command
method which operation to perform. This can be provided as the first argument to the method, or as the keyword action.
Example: These two statements are functionally the same.from falconpy import APIHarnessV2 # Do not hardcode credentials! # These values are ingested as strings. falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET ) # This example passes the operation ID as a positional argument result = falcon.command("QueryDetects")
from falconpy import APIHarnessV2 # Do not hardcode credentials! # These values are ingested as strings. falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET ) # This example passes the operation ID as a keyword argument result = falcon.command(action="QueryDetects")
This is the only accepted positional argument when using the Uber class. Check individual service collection documentation for details regarding accepted arguments and keywords for each available method.
The FalconPy library, documentation and samples follow PEP8 syntax wherever possible, but depending on individual developer requirements, PEP8 syntax may not be necessary (or desired). An additional option within Service Classes, Operation ID Syntax
, allows developers to use operation IDs to specify API operations similar to the Uber class.
This is handled by creating a method alias within the Service Class for every method that aligns to an operation ID that does not match PEP8 syntax. When the operation ID uses Python reserved characters (ex:
-
or.
), the operation ID is updated to use_
. (Operation IDs deprecated in this fashion are still available within the Uber class.)
While the syntax differs slightly, there is no functional difference between PEP8 and Operation ID syntax with regards to API results or performance.
from falconpy import Hosts
# Do not hardcode credentials!
# These values are ingested as strings.
falcon = Hosts(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
result = falcon.query_devices_by_filter(limit=100)
print(result)
from falconpy import Hosts
# Do not hardcode credentials!
# These values are ingested as strings.
falcon = Hosts(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
result = falcon.QueryDevicesByFilter(limit=100)
print(result)
- Home
- Discussions Board
- Glossary of Terms
- Installation, Upgrades and Removal
- Samples Collection
- Using FalconPy
- API Operations
-
Service Collections
- Alerts
- API Integrations
- Certificate Based Exclusions
- Cloud Connect AWS (deprecated)
- Cloud Snapshots
- Compliance Assessments
- Configuration Assessment
- Configuration Assessment Evaluation Logic
- Container Alerts
- Container Detections
- Container Images
- Container Packages
- Container Vulnerabilities
- CSPM Registration
- Custom IOAs
- Custom Storage
- D4C Registration (deprecated)
- Detects
- Device Control Policies
- Discover
- Drift Indicators
- Event Streams
- Exposure Management
- Falcon Complete Dashboard
- Falcon Container
- Falcon Intelligence Sandbox
- FDR
- FileVantage
- Firewall Management
- Firewall Policies
- Foundry LogScale
- Host Group
- Host Migration
- Hosts
- Identity Protection
- Image Assessment Policies
- Incidents
- Installation Tokens
- Intel
- IOA Exclusions
- IOC
- IOCs (deprecated)
- Kubernetes Protection
- MalQuery
- Message Center
- ML Exclusions
- Mobile Enrollment
- MSSP (Flight Control)
- OAuth2
- ODS (On Demand Scan)
- Overwatch Dashboard
- Prevention Policy
- Quarantine
- Quick Scan
- Quick Scan Pro
- Real Time Response
- Real Time Response Admin
- Real Time Response Audit
- Recon
- Report Executions
- Response Policies
- Sample Uploads
- Scheduled Reports
- Sensor Download
- Sensor Update Policy
- Sensor Visibility Exclusions
- Spotlight Evaluation Logic
- Spotlight Vulnerabilities
- Tailored Intelligence
- ThreatGraph
- Unidentified Containers
- User Management
- Workflows
- Zero Trust Assessment
- Documentation Support
-
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust