Certificate Based Exclusions - CrowdStrike/falconpy GitHub Wiki

CrowdStrike Falcon CrowdStrike Subreddit

Using the Certificate Based Exclusions service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation ID Description
cb_exclusions_get_v1
PEP8 get_exclusions
Find all exclusion IDs matching the query with filter
cb_exclusions_create_v1
PEP8 create_exclusions
Create new Certificate Based Exclusions.
cb_exclusions_delete_v1
PEP8 delete_exclusions
Delete the exclusions by id
cb_exclusions_update_v1
PEP8 update_exclusions
Updates existing Certificate Based Exclusions
certificates_get_v1
PEP8 get_certificates
Retrieves certificate signing information for a file
cb_exclusions_query_v1
PEP8 query_certificates
Search for cert-based exclusions.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

cb_exclusions_get_v1

Find all exclusion IDs matching the query with filter.

PEP8 method name

get_exclusions

Endpoint

Method Route
GET /exclusions/entities/cert-based-exclusions/v1

Required Scope

ml-exclusions:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids Service Class Support Uber Class Support query string or list of strings The ids of the exclusions to retrieve.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format. Not required when using other keywords.

Usage

Service class example (PEP8 syntax)
from falconpy import CertificateBasedExclusions

falcon = CertificateBasedExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_exclusions(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CertificateBasedExclusions

falcon = CertificateBasedExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.cb_exclusions_get_v1(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("cb_exclusions_get_v1", ids=id_list)
print(response)

Back to Table of Contents

cb_exclusions_create_v1

Create new Certificate Based Exclusions.

PEP8 method name

create_exclusions

Endpoint

Method Route
POST /exclusions/entities/cert-based-exclusions/v1

Required Scope

ml-exclusions:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
applied_globally Service Class Support Uber Class Support body boolean Boolean flag indicating if this exclusion is applied globally.
body Service Class Support Uber Class Support body dictionary Full body payload in JSON format.
certificate Service Class Support Uber Class Support body dictionary Dictionary describing the certificate.
children_cids Service Class Support Uber Class Support body string or list of strings List of child CIDs to apply this exclusion to.
comment Service Class Support Uber Class Support body string Exclusion comment.
created_by Service Class Support Uber Class Support body string Exclusion created by.
created_on Service Class Support Uber Class Support body string Exclusion creation date. UTC date formatted string.
description Service Class Support Uber Class Support body string Exclusion description.
host_groups Service Class Support Uber Class Support body string or list of strings List of host groups to apply this exclusion to.
issuer Service Class Support Uber Class Support body string Certificate issuer. Overwritten if certificate keyword is provided.
modified_by Service Class Support Uber Class Support body string Exclusion modified by.
modified_on Service Class Support Uber Class Support body string Exclusion last modification date. UTC date formatted string.
name Service Class Support Uber Class Support body string Exclusion name.
serial Service Class Support Uber Class Support body string Certificate serial. Overwritten if certificate keyword is provided.
status Service Class Support Uber Class Support body string Exclusion status.
subject Service Class Support Uber Class Support body string Certificate subject. Overwritten if certificate keyword is provided.
thumbprint Service Class Support Uber Class Support body string Certificate thumbprint. Overwritten if certificate keyword is provided.
valid_from Service Class Support Uber Class Support body string Certificate valid from date. UTC date formatted string. Overwritten if certificate keyword is provided.
valid_to Service Class Support Uber Class Support body string Certificate valid to date. UTC date formatted string. Overwritten if certificate keyword is provided.

Usage

Service class example (PEP8 syntax)
from falconpy import CertificateBasedExclusions

falcon = CertificateBasedExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

child_ids = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']
host_group_ids = 'HGID1,HGID2,HGID3'  # Can also pass a list here: ['HGID1', 'HGID2', 'HGID3']

response = falcon.create_exclusions(applied_globally=boolean,
                                    children_cids=child_ids,
                                    comment="string",
                                    created_by="string",
                                    created_on="string",
                                    description="string",
                                    host_groups=host_group_ids,
                                    issuer="string",
                                    modified_by="string",
                                    modified_on="string",
                                    name="string",
                                    serial="string",
                                    status="string",
                                    subject="string",
                                    thumbprint="string",
                                    valid_from="string",
                                    valid_to="string"
                                    )
print(response)
Service class example (Operation ID syntax)
from falconpy import CertificateBasedExclusions

falcon = CertificateBasedExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

child_ids = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']
host_group_ids = 'HGID1,HGID2,HGID3'  # Can also pass a list here: ['HGID1', 'HGID2', 'HGID3']

response = falcon.cb_exclusions_create_v1(applied_globally=boolean,
                                          children_cids=child_ids,
                                          comment="string",
                                          created_by="string",
                                          created_on="string",
                                          description="string",
                                          host_groups=host_group_ids,
                                          issuer="string",
                                          modified_by="string",
                                          modified_on="string",
                                          name="string",
                                          serial="string",
                                          status="string",
                                          subject="string",
                                          thumbprint="string",
                                          valid_from="string",
                                          valid_to="string"
                                          )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

child_ids = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']
host_group_ids = 'HGID1,HGID2,HGID3'  # Can also pass a list here: ['HGID1', 'HGID2', 'HGID3']

body_payload = {
  "exclusions": [
    {
      "applied_globally": boolean,
      "certificate": {
        "issuer": "string",
        "serial": "string",
        "subject": "string",
        "thumbprint": "string",
        "valid_from": "UTC string",
        "valid_to": "UTC string"
      },
      "children_cids": [
        "string"
      ],
      "comment": "string",
      "created_by": "string",
      "created_on": "UTC string",
      "description": "string",
      "host_groups": [
        "string"
      ],
      "modified_by": "string",
      "modified_on": "UTC string",
      "name": "string",
      "status": "string"
    }
  ]
}

response = falcon.command("cb_exclusions_create_v1", body=body_payload)
print(response)

Back to Table of Contents

cb_exclusions_delete_v1

Delete the exclusions by ID.

PEP8 method name

delete_exclusions

Endpoint

Method Route
DELETE /exclusions/entities/cert-based-exclusions/v1

Required Scope

ml-exclusions:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids Service Class Support Uber Class Support query string or list of strings The IDs of the exclusions to delete.
comment Service Class Support Uber Class Support query string The comment why these exclusions were deleted.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format. Not required when using other keywords.

Usage

Service class example (PEP8 syntax)
from falconpy import CertificateBasedExclusions

falcon = CertificateBasedExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_exclusions(comment="string", ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CertificateBasedExclusions

falcon = CertificateBasedExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.cb_exclusions_delete_v1(comment="string", ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

PARAMS = {
    "comment": "string"
}

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("cb_exclusions_delete_v1", parameters=PARAMS, ids=id_list)
print(response)

Back to Table of Contents

cb_exclusions_update_v1

Updates existing Certificate Based Exclusions.

PEP8 method name

update_exclusions

Endpoint

Method Route
PATCH /exclusions/entities/cert-based-exclusions/v1

Required Scope

ml-exclusions:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
applied_globally Service Class Support Uber Class Support body boolean Boolean flag indicating if this exclusion is applied globally.
body Service Class Support Uber Class Support body dictionary Full body payload in JSON format.
certificate Service Class Support Uber Class Support body dictionary Dictionary describing the certificate.
children_cids Service Class Support Uber Class Support body string or list of strings List of child CIDs to apply this exclusion to.
comment Service Class Support Uber Class Support body string Exclusion comment.
created_by Service Class Support Uber Class Support body string Exclusion created by.
created_on Service Class Support Uber Class Support body string Exclusion creation date. UTC date formatted string.
description Service Class Support Uber Class Support body string Exclusion description.
host_groups Service Class Support Uber Class Support body string or list of strings List of host groups to apply this exclusion to.
issuer Service Class Support Uber Class Support body string Certificate issuer. Overwritten if certificate keyword is provided.
modified_by Service Class Support Uber Class Support body string Exclusion modified by.
modified_on Service Class Support Uber Class Support body string Exclusion last modification date. UTC date formatted string.
name Service Class Support Uber Class Support body string Exclusion name.
serial Service Class Support Uber Class Support body string Certificate serial. Overwritten if certificate keyword is provided.
status Service Class Support Uber Class Support body string Exclusion status.
subject Service Class Support Uber Class Support body string Certificate subject. Overwritten if certificate keyword is provided.
thumbprint Service Class Support Uber Class Support body string Certificate thumbprint. Overwritten if certificate keyword is provided.
valid_from Service Class Support Uber Class Support body string Certificate valid from date. UTC date formatted string. Overwritten if certificate keyword is provided.
valid_to Service Class Support Uber Class Support body string Certificate valid to date. UTC date formatted string. Overwritten if certificate keyword is provided.

Usage

Service class example (PEP8 syntax)
from falconpy import CertificateBasedExclusions

falcon = CertificateBasedExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

child_ids = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']
host_group_ids = 'HGID1,HGID2,HGID3'  # Can also pass a list here: ['HGID1', 'HGID2', 'HGID3']

response = falcon.update_exclusions(applied_globally=boolean,
                                    children_cids=child_ids,
                                    comment="string",
                                    created_by="string",
                                    created_on="string",
                                    description="string",
                                    host_groups=host_group_ids,
                                    issuer="string",
                                    modified_by="string",
                                    modified_on="string",
                                    name="string",
                                    serial="string",
                                    status="string",
                                    subject="string",
                                    thumbprint="string",
                                    valid_from="string",
                                    valid_to="string"
                                    )
print(response)
Service class example (Operation ID syntax)
from falconpy import CertificateBasedExclusions

falcon = CertificateBasedExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

child_ids = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']
host_group_ids = 'HGID1,HGID2,HGID3'  # Can also pass a list here: ['HGID1', 'HGID2', 'HGID3']

response = falcon.cb_exclusions_update_v1(applied_globally=boolean,
                                          children_cids=child_ids,
                                          comment="string",
                                          created_by="string",
                                          created_on="string",
                                          description="string",
                                          host_groups=host_group_ids,
                                          issuer="string",
                                          modified_by="string",
                                          modified_on="string",
                                          name="string",
                                          serial="string",
                                          status="string",
                                          subject="string",
                                          thumbprint="string",
                                          valid_from="string",
                                          valid_to="string"
                                          )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

child_ids = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']
host_group_ids = 'HGID1,HGID2,HGID3'  # Can also pass a list here: ['HGID1', 'HGID2', 'HGID3']

body_payload = {
    "resources": [
        {
            "applied_globally": boolean,
            "certificate": {
                "issuer": "string",
                "serial": "string",
                "subject": "string",
                "thumbprint": "string",
                "valid_from": "UTC string",
                "valid_to": "UTC string"
            },
            "children_cids": child_ids,
            "comment": "string",
            "created_by": "string",
            "created_on": "UTC string",
            "description": "string",
            "host_groups": host_group_ids,
            "modified_by": "string",
            "modified_on": "UTC string",
            "name": "string",
            "status": "string"
        }
    ]
}

response = falcon.command("cb_exclusions_update_v1", body=body_payload)
print(response)

Back to Table of Contents

certificates_get_v1

Retrieves certificate signing information for a file

PEP8 method name

get_certificates

Endpoint

Method Route
GET /exclusions/entities/certificates/v1

Required Scope

ml-exclusions:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids Service Class Support Uber Class Support query string The SHA256 hash of the file to retrieve certificate signing info for.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format. Not required when using other keywords.

Usage

Service class example (PEP8 syntax)
from falconpy import CertificateBasedExclusions

falcon = CertificateBasedExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_certificates(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CertificateBasedExclusions

falcon = CertificateBasedExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.certificates_get_v1(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("certificates_get_v1", ids=id_list)
print(response)

Back to Table of Contents

cb_exclusions_query_v1

Search for cert-based exclusions.

PEP8 method name

query_certificates

Endpoint

Method Route
GET /exclusions/queries/cert-based-exclusions/v1

Required Scope

ml-exclusions:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter Service Class Support Uber Class Support query string The filter expression that should be used to limit the results.
limit Service Class Support Uber Class Support query integer The maximum records to return. [1-100]
offset Service Class Support Uber Class Support query integer The offset to start retrieving records from
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format. Not required when using other keywords.
sort Service Class Support Uber Class Support query string The sort expression that should be used to sort the results.

Usage

Service class example (PEP8 syntax)
from falconpy import CertificateBasedExclusions

falcon = CertificateBasedExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

response = falcon.query_certificates(filter="string",
                                     offset=integer,
                                     limit=integer,
                                     sort="string"
                                     )
print(response)
Service class example (Operation ID syntax)
from falconpy import CertificateBasedExclusions

falcon = CertificateBasedExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

response = falcon.cb_exclusions_query_v1(filter="string",
                                         offset=integer,
                                         limit=integer,
                                         sort="string"
                                         )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("cb_exclusions_query_v1",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string"
                          )
print(response)

Back to Table of Contents

⚠️ **GitHub.com Fallback** ⚠️