Discover - CrowdStrike/falconpy GitHub Wiki
This service collection has code examples posted to the repository.
Operation ID | Description |
---|---|
query_combined_applications | Search for applications in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns details on applications which match the filter criteria. |
query_combined_hosts | Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns details on assets which match the filter criteria. |
get_accounts | Get details on accounts by providing one or more IDs. |
get_applications | Get details on applications by providing one or more IDs. |
get_hosts | Get details on assets by providing one or more IDs. |
get_iot_hosts | Get details on IoT assets by providing one or more IDs. |
get_logins | Get details on logins by providing one or more IDs. |
query_accounts | Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of account IDs which match the filter criteria. |
query_applications | Search for applications in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria. |
query_hosts | Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
query_iot_hosts | Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
query_iot_hostsv2 | Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
query_logins | Search for logins in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of login IDs which match the filter criteria. |
WARNING: `client_id` and `client_secret` are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.) CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Search for applications in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns details on applications which match the filter criteria.

query_combined_applications

Method | Route |
---|---|
GET | /discover/combined/applications/v1 |

- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | ✓ | ✓ | query | string | Filter applications using an FQL query. A list of available filters can be found here. |
limit | ✓ | ✓ | query | integer | The number of application records to return in this response (Max: 1000, Default: 100). Use with the after parameter to manage pagination of results. |
after | ✓ | ✓ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
sort | ✓ | ✓ | query | string | Sort applications by their properties. A single sort field is allowed. |
The following properties can be used for filtering and sorting.

Name | Description |
---|---|
id | Unique ID of the application. Each application ID represents a particular instance of an application on a particular asset. |
cid | The application's customer ID. |
name | Name of the application. Example: name:'Chrome' |
vendor | Name of the application vendor. |
version | Application version. |
name_vendor | The application name and vendor name shared by all application IDs with this application name; this field can be used to group results by application. |
name_vendor_version | The application name, vendor name and version shared by all application IDs with this application name; this field can be used to group results by application version. |
versioning_scheme | Versioning scheme of the application. Example: versioning_scheme:'semver' |
groups | All application groups the application is assigned to. For more info, see Create application groups. Example: groups:'ExampleAppGroup' |
category | Category the application is in. For more info, see Understanding applications. |
architectures | Application architecture. |
installation_paths | File paths of the application or executable file to the folder on the asset. |
installation_timestamp | Date and time the application was installed, if available. Example: installation_timestamp:'2023-01-11T00:00:00.000Z' |
first_seen_timestamp | Date and time the application was first seen. Example: first_seen_timestamp:'2022-12-22T12:41:47.417Z' |
last_updated_timestamp | Date and time the installation fields of the application instance most recently changed. Example: last_updated_timestamp:'2022-12-22T12:41:47.417Z' |
last_used_user_sid | For Windows and macOS: Security identifier of the account that most recently used the application. Example: last_used_user_sid:'S-1-x-x-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx1' |
last_used_user_name | For Windows and macOS: Username of the account that most recently used the application. |
last_used_file_name | For Windows and macOS: Most recent file name used for the application. |
last_used_file_hash | For Windows and macOS: Most recent file hash used for the application. Example: last_used_file_hash:'0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa' |
last_used_timestamp | For Windows and macOS: Date and time the application was most recently used. Example: last_used_timestamp:'2023-01-10T23:00:00.000Z' |
is_normalized | For Windows: Whether the application name is normalized (true or false). Applications can have different naming variations that result in different records for each variation, for example Acrobat Reader, Adobe Acrobat Reader and Acrobat. To avoid this duplication, the most common applications are listed under a single normalized application name, for example Acrobat. Example: is_normalized:true |
is_suspicious | Whether the application is suspicious based on how often it's been seen in a detection on that asset (true or false). Examples: is_suspicious:true or is_suspicious:!false |
host.id | Unique ID of the asset the application is on. Example: host.id:'a89xxxxxxxxxxxxxxxxxxxxxxxxx08e_137xxxxxxxxxxxx191' |
host.aid | ID of the Falcon sensor installed on the asset the application is on. Example: host.aid:'14xxxxxxxxxxxxxxxxxxxxxxxxxxxx2f' |
host.country | Name of the country where the asset the application is on is located. Examples: host.country:'United States Of America' or host.country:!'Germany' |
host.platform_name | The platform name of the asset the application is on (Windows, Mac, Linux). Examples: host.platform_name:'Windows' or host.platform_name:!'Linux' |
host.os_version | OS version of the asset the application is on. |
host.kernel_version | For Linux and Mac: the major, minor and patch version of the kernel of the asset the application is on. For Windows: the build number of the asset the application is on. |
host.product_type_desc | The product type of the asset the application is on (Workstation, Domain Controller, Server). |
host.tags | Sensor and cloud tags of the asset the application is on. |
host.groups | Host management groups that the asset the application is on is part of. |
host.agent_version | Version of the Falcon sensor that's installed on the asset the application is on. |
host.system_manufacturer | System manufacturer of the asset the application is on. |
host.ou | Organizational unit of the asset the application is on. Examples: host.ou:'Endpoints' or host.ou:!'Endpoints' |
host.machine_domain | Domain name that the asset the application is on is currently joined to. |
host.site_name | Site name of the domain that the asset the application is on is joined to (applies only to Windows hosts). |
host.external_ip | External IPv4 address of the asset the application is on. |
host.hostname | Hostname of the asset the application is on. Examples: host.hostname:'ABC-123-DEF-456' or host.hostname:!'ABC-123-DEF-456' |
host.current_network_prefix | Most recent network prefix of the asset the application is on. Examples: host.network_prefix:'192.0' or host.network_prefix:!'192.0' |
host.internet_exposure | Whether the asset the application is on is exposed to the internet (Yes or Unknown). Examples: host.internet_exposure:'Yes' or host.internet_exposure:!'Unknown' |
host.current_mac_address | Most recent MAC address of the asset the application is on. |
Service class example (PEP8 syntax)

```python
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_combined_applications(after="string",
                                              limit=integer,
                                              sort="string",
                                              filter="string"
                                              )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.combined_applications(after="string",
                                        limit=integer,
                                        sort="string",
                                        filter="string"
                                        )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_applications",
                          after="string",
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
```
Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns details on assets which match the filter criteria.

query_combined_hosts

Method | Route |
---|---|
GET | /discover/combined/hosts/v1 |

- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | ✓ | ✓ | query | string | Filter assets using an FQL query. A complete list of available filters can be found here. |
limit | ✓ | ✓ | query | integer | The number of asset records to return in this response (Max: 1000, Default: 100). Use with the after parameter to manage pagination of results. |
after | ✓ | ✓ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
sort | ✓ | ✓ | query | string | Sort assets by their properties. A single sort field is allowed. |

Available filter fields that support exact match: id, aid, entity_type, country, city, platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, machine_domain, site_name, external_ip, hostname, local_ips_count, network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.interface_alias, network_interfaces.interface_description, network_interfaces.network_prefix, last_discoverer_aid, discoverer_count, discoverer_aids, discoverer_tags, discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, data_providers, data_providers_count, mac_addresses, local_ip_addresses, reduced_functionality_mode, number_of_disk_drives, processor_package_count, physical_core_count, logical_core_count, total_disk_space, disk_sizes.disk_name, disk_sizes.disk_space, cpu_processor_name, total_memory, encryption_status, encrypted_drives, encrypted_drives_count, unencrypted_drives, unencrypted_drives_count, os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, os_security.iommu_protection_status, os_security.secure_boot_enabled_status, os_security.uefi_memory_protection_status, os_security.virtualization_based_security_status, os_security.kernel_dma_protection_status, total_bios_files, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, bios_id, average_processor_usage, average_memory_usage, average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, available_disk_space, available_disk_space_pct, mount_storage_info.mount_path, mount_storage_info.used_space, mount_storage_info.available_space, form_factor, servicenow_id, owned_by, managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, ad_user_account_control, account_enabled, creation_timestamp, email, os_service_pack, location, state, cpu_manufacturer, discovering_by

Available filter fields that support wildcard (*): id, aid, entity_type, country, city, platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, machine_domain, site_name, external_ip, hostname, network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.interface_alias, network_interfaces.interface_description, network_interfaces.network_prefix, last_discoverer_aid, discoverer_aids, discoverer_tags, discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, disk_sizes.disk_name, cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, os_security.iommu_protection_status, os_security.secure_boot_enabled_status, os_security.uefi_memory_protection_status, os_security.virtualization_based_security_status, os_security.kernel_dma_protection_status, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, bios_id, mount_storage_info.mount_path, form_factor, servicenow_id, owned_by, managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, account_enabled, email, os_service_pack, location, state, cpu_manufacturer, discovering_by

Available filter fields that support range comparisons (>, <, >=, <=): first_seen_timestamp, last_seen_timestamp, local_ips_count, discoverer_count, confidence, number_of_disk_drives, processor_package_count, physical_core_count, data_providers_count, logical_core_count, total_disk_space, disk_sizes.disk_space, total_memory, encrypted_drives_count, unencrypted_drives_count, total_bios_files, average_processor_usage, average_memory_usage, average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, available_disk_space, available_disk_space_pct, mount_storage_info.used_space, mount_storage_info.available_space, ad_user_account_control, creation_timestamp

All filter fields and operations support negation (!).
Service class example (PEP8 syntax)

```python
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_combined_hosts(after="string",
                                       limit=integer,
                                       sort="string",
                                       filter="string"
                                       )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.combined_hosts(after="string",
                                 limit=integer,
                                 sort="string",
                                 filter="string"
                                 )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_hosts",
                          after="string",
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
```
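The two combined operations above (query_combined_applications and query_combined_hosts) page with an opaque after token rather than an offset, and accept up to 1000 records per call. The following is an added example, not code from the FalconPy project, that walks every page of either operation, stops on any non-200 status, and builds the FQL filter only from a validated hostname so that a caller-supplied value cannot close the quoted literal and append clauses of its own. It assumes the response layout falconpy returns (a status_code plus a body carrying resources, errors and meta.pagination.after), the environment variable names FALCON_CLIENT_ID and FALCON_CLIENT_SECRET, and make_fake_fetch and SAMPLE_HOSTS are constructed here so the paging logic can be exercised offline.

```python
import os
import re
from typing import Callable, Dict, Iterator, List, Optional

# Documented page-size ceiling for the /discover/combined/* operations.
MAX_LIMIT = 1000

# The hostname is interpolated into an FQL string literal. Restricting it to the
# characters a hostname or a '*' wildcard pattern can contain means a caller-
# supplied value cannot close the quote and append extra FQL clauses.
_SAFE_HOSTNAME = re.compile(r"^[A-Za-z0-9.\-_*]{1,253}$")


def hostname_filter(hostname: str, internet_exposed_only: bool = True) -> str:
    """Build an FQL filter over the documented hostname and internet_exposure fields."""
    if not _SAFE_HOSTNAME.match(hostname):
        raise ValueError(f"refusing to build FQL from unexpected value: {hostname!r}")
    clauses = [f"hostname:'{hostname}'"]
    if internet_exposed_only:
        clauses.append("internet_exposure:'Yes'")
    return "+".join(clauses)  # '+' joins FQL clauses with AND


def iter_combined(fetch: Callable[..., Dict], filter_str: str,
                  limit: int = MAX_LIMIT) -> Iterator[Dict]:
    """Yield every record matching filter_str from a combined operation.

    fetch is a bound falconpy method (falcon.query_combined_hosts or
    falcon.query_combined_applications). The after token found in
    body.meta.pagination is sent back until the API stops returning one.
    """
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    after: Optional[str] = None
    seen_tokens = set()
    while True:
        kwargs: Dict[str, object] = {"filter": filter_str, "limit": limit}
        if after:
            kwargs["after"] = after
        resp = fetch(**kwargs)
        if resp.get("status_code") != 200:
            errors = resp.get("body", {}).get("errors", [])
            raise RuntimeError(f"request failed with {resp.get('status_code')}: {errors}")
        body = resp.get("body", {})
        yield from body.get("resources", [])
        after = body.get("meta", {}).get("pagination", {}).get("after")
        if not after:
            return
        if after in seen_tokens:  # a re-issued token would loop forever
            raise RuntimeError("API re-issued a pagination token; aborting")
        seen_tokens.add(after)


def make_fake_fetch(records: List[Dict], page_size: int) -> Callable[..., Dict]:
    """Constructed stand-in for a falconpy method so the paging runs offline.

    It ignores the filter and serves records in pages, issuing an after token
    (here simply the next index) exactly where the real API would.
    """
    def fetch(**kwargs) -> Dict:
        start = int(kwargs.get("after") or 0)
        end = min(start + min(int(kwargs["limit"]), page_size), len(records))
        pagination: Dict[str, object] = {"total": len(records)}
        if end < len(records):
            pagination["after"] = str(end)
        return {"status_code": 200, "headers": {},
                "body": {"resources": records[start:end],
                         "meta": {"pagination": pagination}, "errors": []}}
    return fetch


# Constructed sample records shaped like query_combined_hosts resources.
SAMPLE_HOSTS = [
    {"hostname": f"web-{n:02d}", "external_ip": f"203.0.113.{n}", "internet_exposure": "Yes"}
    for n in range(1, 6)
]


def exposed_hosts(fetch: Callable[..., Dict], pattern: str = "web-*",
                  limit: int = MAX_LIMIT) -> List[str]:
    """Return the hostnames of every internet-exposed asset whose name matches pattern."""
    return [h["hostname"] for h in iter_combined(fetch, hostname_filter(pattern), limit=limit)]


if __name__ == "__main__":
    # Offline run over the constructed data: five records served two per page.
    print(exposed_hosts(make_fake_fetch(SAMPLE_HOSTS, page_size=2), limit=2))
    # Same loop against the real API; the variable names are this example's choice.
    if os.environ.get("FALCON_CLIENT_ID"):
        from falconpy import Discover
        falcon = Discover(client_id=os.environ["FALCON_CLIENT_ID"],
                          client_secret=os.environ["FALCON_CLIENT_SECRET"])
        print(exposed_hosts(falcon.query_combined_hosts))
```

Because the token is opaque, the end of the result set is the absence of meta.pagination.after, not a comparison of records received against meta.pagination.total; the repeated-token guard is there so a misbehaving response cannot turn the loop into an unbounded stream of API calls against a rate-limited credential.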
Get details on accounts by providing one or more IDs.

get_accounts

Method | Route |
---|---|
GET | /discover/entities/accounts/v1 |

- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | ✓ | ✓ | query | string or list of strings | One or more account IDs. (Max: 100) Find account IDs with query_accounts. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
Service class example (PEP8 syntax)

```python
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_accounts(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_accounts", ids=id_list)
print(response)
```
Get details on applications by providing one or more IDs.

get_applications

Method | Route |
---|---|
GET | /discover/entities/applications/v1 |

- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | ✓ | ✓ | query | string or list of strings | One or more application IDs. (Max: 100) Find application IDs with query_applications. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
Service class example (PEP8 syntax)

```python
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_applications(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_applications", ids=id_list)
print(response)
```
Get details on assets by providing one or more IDs.

get_hosts

Method | Route |
---|---|
GET | /discover/entities/hosts/v1 |

- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | ✓ | ✓ | query | string or list of strings | One or more asset IDs. (Max: 100) Find asset IDs with query_hosts. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
Service class example (PEP8 syntax)

```python
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_hosts(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_hosts", ids=id_list)
print(response)
```
Get details on IoT assets by providing one or more IDs.

get_iot_hosts

Method | Route |
---|---|
GET | /discover/entities/iot-hosts/v1 |

- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | ✓ | ✓ | query | string or list of strings | One or more IoT asset IDs. (Max: 100) Find IoT asset IDs with query_iot_hosts. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
Service class example (PEP8 syntax)

```python
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_iot_hosts(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_iot_hosts", ids=id_list)
print(response)
```
Get details on logins by providing one or more IDs.

get_logins

Method | Route |
---|---|
GET | /discover/entities/logins/v1 |

- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | ✓ | ✓ | query | string or list of strings | One or more login IDs. (Max: 100) Find login IDs with query_logins. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
Service class example (PEP8 syntax)

```python
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_logins(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_logins", ids=id_list)
print(response)
```
Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of account IDs which match the filter criteria.

query_accounts

Method | Route |
---|---|
GET | /discover/queries/accounts/v1 |

- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | ✓ | ✓ | query | string | Filter accounts using an FQL query. A complete list of available filters can be found here. |
limit | ✓ | ✓ | query | integer | The number of account IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
offset | ✓ | ✓ | query | integer | An offset used with the limit parameter to manage pagination of results. On your first request, don't provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
sort | ✓ | ✓ | query | string | Sort accounts by their properties. A single sort field is allowed. |

Common filters include:

- account_type:'Local'
- admin_privileges:'Yes'
- first_seen_timestamp:<'now-7d'
- last_successful_login_type:'Terminal server'

Acceptable values for the filter keyword described above: id, cid, user_sid, login_domain, account_name, username, account_type, admin_privileges, first_seen_timestamp, last_successful_login_type, last_successful_login_timestamp, last_successful_login_hostname, last_successful_login_remote_ip, last_successful_login_host_country, last_successful_login_host_city, last_failed_login_type, last_failed_login_timestamp, last_failed_login_hostname, password_last_set_timestamp.
Service class example (PEP8 syntax)

```python
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_accounts(offset=integer,
                                 limit=integer,
                                 sort="string",
                                 filter="string"
                                 )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_accounts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
```
Search for applications in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria.

query_applications

Method | Route |
---|---|
GET | /discover/queries/applications/v1 |

- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | ✓ | ✓ | query | string | Filter applications using an FQL query. A list of available filters can be found here. |
limit | ✓ | ✓ | query | integer | The number of application IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
offset | ✓ | ✓ | query | integer | An offset used with the limit parameter to manage pagination of results. On your first request, don't provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
sort | ✓ | ✓ | query | string | Sort applications by their properties. A single sort field is allowed. |
The following properties can be used for filtering and sorting.

Name | Description |
---|---|
id | Unique ID of the application. Each application ID represents a particular instance of an application on a particular asset. |
cid | The application's customer ID. |
name | Name of the application. Example: name:'Chrome' |
vendor | Name of the application vendor. |
version | Application version. |
name_vendor | The application name and vendor name shared by all application IDs with this application name; this field can be used to group results by application. |
name_vendor_version | The application name, vendor name and version shared by all application IDs with this application name; this field can be used to group results by application version. |
versioning_scheme | Versioning scheme of the application. Example: versioning_scheme:'semver' |
groups | All application groups the application is assigned to. For more info, see Create application groups. Example: groups:'ExampleAppGroup' |
category | Category the application is in. For more info, see Understanding applications. |
architectures | Application architecture. |
installation_paths | File paths of the application or executable file to the folder on the asset. |
installation_timestamp | Date and time the application was installed, if available. Example: installation_timestamp:'2023-01-11T00:00:00.000Z' |
first_seen_timestamp | Date and time the application was first seen. Example: first_seen_timestamp:'2022-12-22T12:41:47.417Z' |
last_updated_timestamp | Date and time the installation fields of the application instance most recently changed. Example: last_updated_timestamp:'2022-12-22T12:41:47.417Z' |
last_used_user_sid | For Windows and macOS: Security identifier of the account that most recently used the application. Example: last_used_user_sid:'S-1-x-x-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx1' |
last_used_user_name | For Windows and macOS: Username of the account that most recently used the application. |
last_used_file_name | For Windows and macOS: Most recent file name used for the application. |
last_used_file_hash | For Windows and macOS: Most recent file hash used for the application. Example: last_used_file_hash:'0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa' |
last_used_timestamp | For Windows and macOS: Date and time the application was most recently used. Example: last_used_timestamp:'2023-01-10T23:00:00.000Z' |
is_normalized | For Windows: Whether the application name is normalized (true or false). Applications can have different naming variations that result in different records for each variation, for example Acrobat Reader, Adobe Acrobat Reader and Acrobat. To avoid this duplication, the most common applications are listed under a single normalized application name, for example Acrobat. Example: is_normalized:true |
is_suspicious | Whether the application is suspicious based on how often it's been seen in a detection on that asset (true or false). Examples: is_suspicious:true or is_suspicious:!false |
host.id | Unique ID of the asset the application is on. Example: host.id:'a89xxxxxxxxxxxxxxxxxxxxxxxxx08e_137xxxxxxxxxxxx191' |
host.aid | ID of the Falcon sensor installed on the asset the application is on. Example: host.aid:'14xxxxxxxxxxxxxxxxxxxxxxxxxxxx2f' |
host.country | Name of the country where the asset the application is on is located. Examples: host.country:'United States Of America' or host.country:!'Germany' |
host.platform_name | The platform name of the asset the application is on (Windows, Mac, Linux). Examples: host.platform_name:'Windows' or host.platform_name:!'Linux' |
host.os_version | OS version of the asset the application is on. |
host.kernel_version | For Linux and Mac: the major, minor and patch version of the kernel of the asset the application is on. For Windows: the build number of the asset the application is on. |
host.product_type_desc | The product type of the asset the application is on (Workstation, Domain Controller, Server). |
host.tags | Sensor and cloud tags of the asset the application is on. |
host.groups | Host management groups that the asset the application is on is part of. |
host.agent_version | Version of the Falcon sensor that's installed on the asset the application is on. |
host.system_manufacturer | System manufacturer of the asset the application is on. |
host.ou | Organizational unit of the asset the application is on. Examples: host.ou:'Endpoints' or host.ou:!'Endpoints' |
host.machine_domain | Domain name that the asset the application is on is currently joined to. |
host.site_name | Site name of the domain that the asset the application is on is joined to (applies only to Windows hosts). |
host.external_ip | External IPv4 address of the asset the application is on. |
host.hostname | Hostname of the asset the application is on. Examples: host.hostname:'ABC-123-DEF-456' or host.hostname:!'ABC-123-DEF-456' |
host.current_network_prefix | Most recent network prefix of the asset the application is on. Examples: host.network_prefix:'192.0' or host.network_prefix:!'192.0' |
host.internet_exposure | Whether the asset the application is on is exposed to the internet (Yes or Unknown). Examples: host.internet_exposure:'Yes' or host.internet_exposure:!'Unknown' |
host.current_mac_address | Most recent MAC address of the asset the application is on. |
Service class example (PEP8 syntax)

```python
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_applications(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string"
                                     )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_applications",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
```
Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

query_hosts

Method | Route |
---|---|
GET | /discover/queries/hosts/v1 |

- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | ✓ | ✓ | query | string | Filter assets using an FQL query. A complete list of available filters can be found here. |
limit | ✓ | ✓ | query | integer | The number of asset IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
offset | ✓ | ✓ | query | integer | An offset used with the limit parameter to manage pagination of results. On your first request, don't provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
sort | ✓ | ✓ | query | string | Sort assets by their properties. A single sort field is allowed. |

Acceptable values for the filter keyword described above: agent_version, aid, bios_manufacturer, bios_version, cid, city, confidence, country, current_local_ip, discoverer_aids, discoverer_count, discoverer_platform_names, discoverer_product_type_descs, discoverer_tags, entity_type, external_ip, first_discoverer_aid, first_discoverer_ip, first_seen_timestamp, groups, hostname, id, kernel_version, last_discoverer_aid, last_seen_timestamp, local_ips_count, machine_domain, network_interfaces, network_interfaces.interface_alias, network_interfaces.interface_description, network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.network_prefix, os_version, ou, platform_name, product_type, product_type_desc, site_name, system_manufacturer, system_product_name, system_serial_number, tags.
```python
# Service class example (PEP8 syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_hosts(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_hosts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
```
Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts
Method | Route |
---|---|
| | /discover/queries/iot-hosts/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | | | query | string | Filter assets using a FQL query. A complete list of available filters can be found here. |
limit | | | query | integer | The number of IoT asset IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don't provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
sort | | | query | string | Sort IoT assets by their properties. A single sort field is allowed. Common sort options include: |
The following table lists acceptable values for the filter keyword described above.
agent_version | local_ips_count |
aid | mac_addresses |
bios_manufacturer | machine_domain |
bios_version | network_id |
business_criticality | network_interfaces |
cid | network_interfaces.interface_alias |
city | network_interfaces.interface_description |
claroty_id | network_interfaces.local_ip |
confidence | network_interfaces.mac_address |
country | network_interfaces.network_prefix |
current_local_ip | number_of_disk_drives |
data_providers | os_is_eol |
data_providers_count | os_version |
device_class | ou |
device_family | physical_core_count |
device_type | platform_name |
discoverer_count | processor_package_count |
discoverer_product_type_descs | product_type_desc |
discoverer_tags | protocols |
entity_type | purdue_level |
external_ip | reduced_functionality_mode |
first_seen_timestamp | site_name |
groups | subnet |
hostname | system_manufacturer |
ics_id | system_product_name |
id | system_serial_number |
internet_exposure | tags |
kernel_version | virtual_zone |
last_seen_timestamp | vlan |
local_ip_addresses |
```python
# Service class example (PEP8 syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_iot_hosts(offset=integer,
                                  limit=integer,
                                  sort="string",
                                  filter="string"
                                  )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_iot_hosts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
```
Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_logins
Method | Route |
---|---|
| | /discover/queries/logins/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | | | query | string | Filter logins using a FQL query. A complete list of available filters can be found here. |
limit | | | query | integer | The number of login IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don't provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
sort | | | query | string | Sort logins by their properties. A single sort field is allowed. Common sort options include: |
Common filters include:
- account_type:'Local'
- login_type:'Interactive'
- first_seen_timestamp:<'now-7d'
- admin_privileges:'No'
The following table lists acceptable values for the filter keyword described above.
id | login_timestamp |
cid | login_domain |
login_status | admin_privileges |
account_id | local_ip |
host_id | remote_ip |
user_sid | host_country |
aid | host_city |
account_name | is_suspicious |
username | failure_description |
hostname | login_event_count |
account_type | aggregation_time_interval |
login_type |
```python
# Service class example (PEP8 syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_logins(offset=integer,
                               limit=integer,
                               sort="string",
                               filter="string"
                               )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_logins",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
```
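The "common filters" listed for query_logins are single FQL conditions. In practice a login review combines several of them, and a mistyped field name does not error out but quietly matches nothing. The following is an added example, not code from the falconpy wiki or the falconpy project: it builds an AND-joined filter from (field, operator, value) triples, validating field names against the query_logins filter table above and refusing values that would break the single-quote delimiting. The `+` (AND) and `,` (OR) joins, the helper names and the `FALCON_CLIENT_ID`/`FALCON_CLIENT_SECRET` environment variable names are this example's own assumptions; `first_seen_timestamp` is accepted because the page's own common-filter list uses it.

```python
"""Compose an FQL filter string for the Discover query_logins operation.

Added example for this wiki page; it is not falconpy project code. It uses
only the FQL forms shown on this page (field:'value', field:!'value',
field:<'value') and joins conditions with '+' (AND) and ',' (OR), which is
this example's assumption about FQL syntax.
"""
import os
from typing import Iterable, Sequence, Tuple

# Filter fields accepted by query_logins, copied from the table on this page.
# first_seen_timestamp is added because the page's "common filters" use it.
LOGIN_FILTER_FIELDS = frozenset({
    "id", "cid", "login_status", "account_id", "host_id", "user_sid", "aid",
    "account_name", "username", "hostname", "account_type", "login_type",
    "login_timestamp", "login_domain", "admin_privileges", "local_ip",
    "remote_ip", "host_country", "host_city", "is_suspicious",
    "failure_description", "login_event_count", "aggregation_time_interval",
    "first_seen_timestamp",
})

# Comparison prefixes as they appear in this page's examples ("" is equality).
FQL_OPERATORS = frozenset({"", "!", "<", ">", "<=", ">="})


def fql_term(field: str, value: str, op: str = "") -> str:
    """Render one condition, e.g. fql_term("account_type", "Local") -> account_type:'Local'.

    Unknown field names raise here so a typo fails locally instead of
    producing a silently empty result set. Values containing a single quote
    are rejected because the quote delimits FQL values.
    """
    if field not in LOGIN_FILTER_FIELDS:
        raise ValueError(f"unknown query_logins filter field: {field}")
    if op not in FQL_OPERATORS:
        raise ValueError(f"unsupported FQL operator: {op!r}")
    if "'" in value:
        raise ValueError("single quotes are not allowed inside an FQL value")
    return f"{field}:{op}'{value}'"


def fql_and(terms: Iterable[str]) -> str:
    """Join conditions so that all must match ('+' is treated as FQL AND)."""
    return "+".join(terms)


def fql_or(terms: Iterable[str]) -> str:
    """Join conditions so that any may match (',' is treated as FQL OR)."""
    return ",".join(terms)


def build_filter(conditions: Sequence[Tuple[str, str, str]]) -> str:
    """Build an AND-joined filter from (field, operator, value) triples."""
    return fql_and(fql_term(field, value, op) for field, op, value in conditions)


def recent_local_interactive_logins() -> str:
    """The four common filters from this page, combined into one query string."""
    return build_filter([
        ("account_type", "", "Local"),
        ("login_type", "", "Interactive"),
        ("first_seen_timestamp", "<", "now-7d"),
        ("admin_privileges", "", "No"),
    ])


if __name__ == "__main__":
    # Live use needs the crowdstrike-falconpy package and API credentials read
    # from the environment (the variable names are this example's assumption).
    from falconpy import Discover

    falcon = Discover(client_id=os.environ["FALCON_CLIENT_ID"],
                      client_secret=os.environ["FALCON_CLIENT_SECRET"])
    response = falcon.query_logins(limit=100, filter=recent_local_interactive_logins())
    print(response["status_code"], response["body"].get("resources", []))
```

The field check is deliberately strict: an inventory query that returns zero logins because of a misspelled field looks identical to one that legitimately found none, so failing early is the safer behaviour for a review script.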
Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts_v2
Method | Route |
---|---|
| | /discover/queries/iot-hosts/v2 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | | | query | string | Filter assets using a FQL query. A complete list of available filters can be found here. |
limit | | | query | integer | The number of IoT asset IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results. |
offset | | | query | string | An offset used with the limit parameter to manage pagination of results. On your first request, don't provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
sort | | | query | string | Sort IoT assets by their properties. A single sort field is allowed. Common sort options include: |
The following table lists acceptable values for the filter keyword described above.
agent_version | local_ips_count |
aid | mac_addresses |
bios_manufacturer | machine_domain |
bios_version | network_id |
business_criticality | network_interfaces |
cid | network_interfaces.interface_alias |
city | network_interfaces.interface_description |
claroty_id | network_interfaces.local_ip |
confidence | network_interfaces.mac_address |
country | network_interfaces.network_prefix |
current_local_ip | number_of_disk_drives |
data_providers | os_is_eol |
data_providers_count | os_version |
device_class | ou |
device_family | physical_core_count |
device_type | platform_name |
discoverer_count | processor_package_count |
discoverer_product_type_descs | product_type_desc |
discoverer_tags | protocols |
entity_type | purdue_level |
external_ip | reduced_functionality_mode |
first_seen_timestamp | site_name |
groups | subnet |
hostname | system_manufacturer |
ics_id | system_product_name |
id | system_serial_number |
internet_exposure | tags |
kernel_version | virtual_zone |
last_seen_timestamp | vlan |
local_ip_addresses |
```python
# Service class example (PEP8 syntax)
from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_iot_hosts_v2(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string"
                                     )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_iot_hosts_v2",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
```
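Every query_* operation on this page (query_hosts, query_iot_hosts, query_logins and query_iot_hosts_v2) returns at most 100 IDs per call and documents the same paging rule: send no offset on the first request, then send back the offset from the previous response. The snippets above show a single call; an inventory script that stops after one page silently misses most of the estate. The following is an added example, not code from the falconpy wiki or the falconpy project, that pages any of these operations to completion and then feeds the IDs in batches of 100 to the matching get_* details call. It assumes the falconpy response dictionary shape (`status_code`, `body.meta.pagination.{offset,limit,total}`, `body.resources`, `body.errors`); `FakeDiscover`, its `aid-NNNN` sample IDs, the `platform_name:'Windows'` sample filter value and the `FALCON_CLIENT_ID`/`FALCON_CLIENT_SECRET` environment variable names are constructed for this example.

```python
"""Page a Discover query_* operation to completion and batch the IDs for get_*.

Added example for this wiki page; not falconpy project code. Assumes the
falconpy response shape {"status_code": int, "body": {"meta": {"pagination":
{"offset", "limit", "total"}}, "resources": [...], "errors": [...]}} and the
paging rule stated on this page. FakeDiscover is a constructed offline stand-in.
"""
import os
from typing import Callable, Dict, Iterator, List, Optional

MAX_PAGE = 100  # largest limit the Discover query_* operations accept


def page_ids(query: Callable[..., Dict], limit: int = MAX_PAGE, **kwargs) -> Iterator[str]:
    """Yield every ID matched by a query_* operation, following meta.pagination.

    `query` is a bound method such as falcon.query_hosts; kwargs carry
    filter/sort. A non-200 response raises instead of silently truncating the
    inventory, and a cursor that stops advancing ends the loop.
    """
    if not 1 <= limit <= MAX_PAGE:
        raise ValueError(f"limit must be between 1 and {MAX_PAGE}")
    offset: Optional[int] = None
    while True:
        params = dict(kwargs, limit=limit)
        if offset is not None:          # the first request carries no offset
            params["offset"] = offset
        response = query(**params)
        if response["status_code"] != 200:
            raise RuntimeError(f"query failed with HTTP {response['status_code']}: "
                               f"{response['body'].get('errors')}")
        body = response["body"]
        resources = body.get("resources") or []
        if not resources:
            return
        yield from resources
        pagination = body.get("meta", {}).get("pagination", {})
        next_offset, total = pagination.get("offset"), pagination.get("total")
        if next_offset is None or next_offset == offset:
            return                      # no cursor, or cursor did not advance
        if total is not None and next_offset >= total:
            return                      # last page consumed
        offset = next_offset


def chunked(items: List[str], size: int = MAX_PAGE) -> Iterator[List[str]]:
    """Split an ID list into batches sized for a get_* details call."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def collect_details(query: Callable[..., Dict], get_details: Callable[..., Dict],
                    **query_kwargs) -> List[Dict]:
    """Run a query_* operation to completion, then fetch details in batches."""
    details: List[Dict] = []
    for batch in chunked(list(page_ids(query, **query_kwargs))):
        response = get_details(ids=batch)
        if response["status_code"] != 200:
            raise RuntimeError(f"details lookup failed with HTTP {response['status_code']}: "
                               f"{response['body'].get('errors')}")
        details.extend(response["body"].get("resources") or [])
    return details


class FakeDiscover:
    """Constructed stand-in for falconpy.Discover that serves synthetic IDs offline."""

    def __init__(self, count: int):
        self._ids = [f"aid-{i:04d}" for i in range(count)]   # constructed sample IDs
        self.calls: List[tuple] = []

    def query_hosts(self, limit: int = MAX_PAGE, offset: int = 0, **_: str) -> Dict:
        self.calls.append((offset, limit))
        page = self._ids[offset:offset + limit]
        return {"status_code": 200,
                "body": {"meta": {"pagination": {"offset": offset + len(page),
                                                 "limit": limit,
                                                 "total": len(self._ids)}},
                         "resources": page, "errors": []}}

    def get_hosts(self, ids: List[str]) -> Dict:
        return {"status_code": 200,
                "body": {"resources": [{"id": i, "hostname": f"host-{i}"} for i in ids],
                         "errors": []}}


if __name__ == "__main__":
    # Live use: pip install crowdstrike-falconpy; credentials come from the
    # environment (the variable names are this example's assumption).
    from falconpy import Discover

    falcon = Discover(client_id=os.environ["FALCON_CLIENT_ID"],
                      client_secret=os.environ["FALCON_CLIENT_SECRET"])
    # platform_name is a filter field listed on this page; 'Windows' is a sample value.
    for host in collect_details(falcon.query_hosts, falcon.get_hosts,
                                filter="platform_name:'Windows'"):
        print(host.get("id"), host.get("hostname"))
```

The same `page_ids` call works for `falcon.query_logins` paired with `falcon.get_logins`, or `falcon.query_iot_hosts_v2` paired with `falcon.get_iot_hosts`, because only the bound methods change. Raising on a non-200 status matters for an inventory job: a 401 from an expired token or a 429 from rate limiting would otherwise look like an empty environment.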