Exposure Management - CrowdStrike/falconpy GitHub Wiki
Operation ID | Description | ||||
---|---|---|---|---|---|
|
Returns external assets aggregates. | ||||
|
Download the entire contents of the blob. The relative link to this endpoint is returned in the GET /entities/external-assets/v1 request. | ||||
|
Download a preview of the blob. The relative link to this endpoint is returned in the GET /entities/external-assets/v1 request. | ||||
|
Get details on external assets by providing one or more IDs. | ||||
|
Update the details of external assets. | ||||
|
Get a list of external asset IDs that match the provided filter conditions. Use these IDs with the /entities/external-assets/v1 endpoints |
WARNING
client_id
andclient_secret
are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Returns external assets aggregates.
aggregate_assets
Method | Route |
---|---|
/fem/aggregates/external-assets/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | body | dictionary | Full body payload as a dictionary. Not required when using other keywords. | ||
date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: [ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ] |
||
exclude | body | string | Elements to exclude. | ||
field | body | string | The field on which to compute the aggregation. | ||
filter | body | string | FQL syntax formatted string to use to filter the results. | ||
from | body | integer | Starting position. | ||
include | body | string | Elements to include. | ||
interval | body | string | Time interval for date histogram aggregations. Valid values include:
|
||
max_doc_count | body | integer | Only return buckets if values are less than or equal to the value here. | ||
min_doc_count | body | integer | Only return buckets if values are greater than or equal to the value here. | ||
missing | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. | ||
name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. | ||
q | body | string | Full text search across all metadata fields. | ||
ranges | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ] |
||
size | body | integer | The max number of term buckets to be returned. | ||
sub_aggregates | body | list of dictionaries | A nested aggregation, such as: [ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ] There is a maximum of 3 nested aggregations per request. |
||
sort | body | string |
FQL syntax string to sort bucket results.
asc and desc using | format. Example: _count|desc
|
||
time_zone | body | string | Time zone for bucket results. | ||
type | body | string | Type of aggregation. Valid values include:
|
from falconpy import ExposureManagement
falcon = ExposureManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.aggregate_assets(date_ranges=[date_range],
exclude="string",
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)
from falconpy import ExposureManagement
falcon = ExposureManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.aggregate_external_assets(date_ranges=[date_range],
exclude="string",
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = [{
"date_ranges": [
{
"from": "string",
"to": "string"
}
],
"exclude": "string",
"field": "string",
"filter": "string",
"from": integer,
"include": "string",
"interval": "string",
"max_doc_count": integer,
"min_doc_count": integer,
"missing": "string",
"name": "string",
"q": "string",
"ranges": [
{
"From": integer,
"To": integer
}
],
"size": integer,
"sort": "string",
"sub_aggregates": []
"time_zone": "string",
"type": "string"
}]
response = falcon.command("aggregate_external_assets", body=body_payload)
print(response)
Back to Table of Contents
Download the entire contents of the blob. The relative link to this endpoint is returned in the get_external_assets
request.
download_assets
Method | Route |
---|---|
/fem/entities/blobs-download/v1 |
- Produces: application/octet-stream
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
assetId | query | string | The Asset ID | ||
hash | query | string | The File Hash | ||
parameters | query | dictionary | Full query string parameters payload as a dictionary. Not required when using other keywords. |
from falconpy import ExposureManagement
falcon = ExposureManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("some_file.ext", "wb") as save_file:
save_file.write(falcon.download_assets(assetId="string", hash="string"))
from falconpy import ExposureManagement
falcon = ExposureManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("some_file.ext", "wb") as save_file:
save_file.write(falcon.download_assets(assetId="string", hash="string"))
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("some_file.ext", "wb") as save_file:
save_file.write(falcon.command("blob_download_external_assets", assetId="string", hash="string"))
Back to Table of Contents
Download a preview of the blob. The relative link to this endpoint is returned in the get_external_assets
request.
preview_assets
Method | Route |
---|---|
/fem/entities/blobs-preview/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
assetId | query | string | The Asset ID | ||
hash | query | string | The File Hash | ||
parameters | query | dictionary | Full query string parameters payload as a dictionary. Not required when using other keywords. |
from falconpy import ExposureManagement
falcon = ExposureManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.preview_assets(assetId="string", hash="string")
print(response)
from falconpy import ExposureManagement
falcon = ExposureManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.blob_preview_external_assets(assetId="string", hash="string")
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("blob_preview_external_assets", assetId="string", hash="string")
print(response)
Back to Table of Contents
Get details on external assets by providing one or more IDs.
get_assets
Method | Route |
---|---|
/fem/entities/external-assets/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | query | string or list of strings | One or more asset IDs (max: 100). Find asset IDs with query_external_assets . |
||
parameters | query | dictionary | Full query string parameters payload as a dictionary. Not required when using other keywords. |
from falconpy import ExposureManagement
falcon = ExposureManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_assets(ids=id_list)
print(response)
from falconpy import ExposureManagement
falcon = ExposureManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_external_assets(ids=id_list)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_external_assets", ids=id_list)
print(response)
Back to Table of Contents
Update the details of external assets.
update_assets
Method | Route |
---|---|
/fem/entities/external-assets/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
action | body | string | The asset triage action. | ||
assigned_to | body | string | The user assigned to triage the asset. | ||
body | body | dictionary | Full body payload as a dictionary. Not required when using other keywords. | ||
cid | body | string | Asset customer ID. | ||
criticality | body | string | The criticality level manually assigned to this asset. | ||
criticality_description | body | string | The criticality description manually assigned to this asset. | ||
description | body | string | The asset triage description | ||
id | body | string | The unique ID of the asset. | ||
status | body | string | The asset triage status. |
from falconpy import ExposureManagement
falcon = ExposureManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_assets(action="string",
assigned_to="string",
cid="string",
criticality="string",
criticality_description="string",
description="string",
id="string",
status="string"
)
print(response)
from falconpy import ExposureManagement
falcon = ExposureManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.patch_external_assets(action="string",
assigned_to="string",
cid="string",
criticality="string",
criticality_description="string",
description="string",
id="string",
status="string"
)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"assets": [
{
"cid": "string",
"criticality": "string",
"criticality_description": "string",
"id": "string",
"triage": {
"action": "string",
"assigned_to": "string",
"description": "string",
"status": "string"
}
}
]
}
response = falcon.command("patch_external_assets", body=body_payload)
print(response)
Back to Table of Contents
Get a list of external asset IDs that match the provided filter conditions. Use these IDs with the GET and PATCH endpoints.
query_assets
Method | Route |
---|---|
/fem/queries/external-assets/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | query | string | Filter assets using an FQL query. Common filter options include:
! ). |
||
limit | query | integer | Number of IDs to return. | ||
offset | query | string | Starting index of result set from which to return IDs. | ||
sort | query | string | Order by fields. | ||
parameters | query | dictionary | Full query string parameters payload as a dictionary. Not required when using other keywords. |
asset_id |
asset_type |
confidence |
connectivity_status |
criticality |
criticality_description |
criticality_timestamp |
criticality_username |
data_providers |
discovered_by |
dns_domain.fqdn |
dns_domain.isps |
dns_domain.parent_domain |
dns_domain.resolved_ips |
dns_domain.services.applications.category |
dns_domain.services.applications.cpe |
dns_domain.services.applications.name |
dns_domain.services.applications.vendor |
dns_domain.services.applications.version |
dns_domain.services.cloud_provider |
dns_domain.services.cpes |
dns_domain.services.hosting_provider |
dns_domain.services.last_seen |
dns_domain.services.platform_name |
dns_domain.services.port |
dns_domain.services.protocol |
dns_domain.services.protocol_port |
dns_domain.services.status |
dns_domain.services.status_code |
dns_domain.services.transport |
dns_domain.type |
first_seen |
id |
internet_exposure |
ip.asn |
ip.cloud_vm.description |
ip.cloud_vm.instance_id |
ip.cloud_vm.lifecycle |
ip.cloud_vm.mac_address |
ip.cloud_vm.owner_id |
ip.cloud_vm.platform |
ip.cloud_vm.private_ip |
ip.cloud_vm.public_ip |
ip.cloud_vm.region |
ip.cloud_vm.security_groups |
ip.cloud_vm.source |
ip.cloud_vm.status |
ip.fqdns |
ip.ip_address |
ip.isp |
ip.location.area_code |
ip.location.city |
ip.location.country_code |
ip.location.country_name |
ip.location.postal_code |
ip.location.region_code |
ip.location.region_name |
ip.location.timezone |
ip.ptr |
ip.aid |
ip.services.applications.category |
ip.services.applications.cpe |
ip.services.applications.name |
ip.services.applications.vendor |
ip.services.applications.version |
ip.services.cloud_provider |
ip.services.cpes |
ip.services.first_seen |
ip.services.last_seen |
ip.services.platform_name |
ip.services.port |
ip.services.protocol |
ip.services.protocol_port |
ip.services.status |
ip.services.status_code |
ip.services.transport |
last_seen |
manual |
perimeter |
subsidiaries.id |
subsidiaries.name |
triage.action |
triage.assigned_to |
triage.status |
triage.updated_by |
triage.updated_timestamp |
asset_id |
asset_type |
confidence |
connectivity_status |
criticality |
criticality_username |
data_providers |
discovered_by |
dns_domain.fqdn |
dns_domain.isps |
dns_domain.parent_domain |
dns_domain.resolved_ips |
dns_domain.services.applications.category |
dns_domain.services.applications.cpe |
dns_domain.services.applications.name |
dns_domain.services.applications.vendor |
dns_domain.services.applications.version |
dns_domain.services.cloud_provider |
dns_domain.services.cpes |
dns_domain.services.hosting_provider |
dns_domain.services.id |
dns_domain.services.platform_name |
dns_domain.services.port |
dns_domain.services.protocol |
dns_domain.services.protocol_port |
dns_domain.services.status |
dns_domain.services.status_code |
dns_domain.services.transport |
dns_domain.type |
id |
internet_exposure |
ip.asn |
ip.cloud_vm.instance_id |
ip.cloud_vm.lifecycle |
ip.cloud_vm.mac_address |
ip.cloud_vm.owner_id |
ip.cloud_vm.platform |
ip.cloud_vm.private_ip |
ip.cloud_vm.public_ip |
ip.cloud_vm.region |
ip.cloud_vm.security_groups |
ip.cloud_vm.source |
ip.cloud_vm.status |
ip.fqdns |
ip.ip_address |
ip.isp |
ip.location.area_code |
ip.location.city |
ip.location.country_code |
ip.location.country_name |
ip.location.postal_code |
ip.location.region_code |
ip.location.region_name |
ip.location.timezone |
ip.ptr |
ip.aid |
ip.services.applications.category |
ip.services.applications.cpe |
ip.services.applications.name |
ip.services.applications.vendor |
ip.services.applications.version |
ip.services.cloud_provider |
ip.services.cpes |
ip.services.platform_name |
ip.services.port |
ip.services.protocol |
ip.services.protocol_port |
ip.services.status |
ip.services.status_code |
ip.services.transport |
manual |
perimeter |
subsidiaries.id |
subsidiaries.name |
triage.action |
triage.assigned_to |
triage.status |
triage.updated_by |
asset_id |
asset_type |
confidence |
connectivity_status |
criticality |
criticality_username |
data_providers |
discovered_by |
dns_domain.fqdn |
dns_domain.isps |
dns_domain.parent_domain |
dns_domain.services.applications.category |
dns_domain.services.applications.cpe |
dns_domain.services.applications.name |
dns_domain.services.applications.vendor |
dns_domain.services.applications.version |
dns_domain.services.cloud_provider |
dns_domain.services.cpes |
dns_domain.services.id |
dns_domain.services.platform_name |
dns_domain.services.port |
dns_domain.services.protocol |
dns_domain.services.protocol_port |
dns_domain.services.status |
dns_domain.services.status_code |
dns_domain.services.transport |
dns_domain.type |
id |
internet_exposure |
ip.asn |
ip.cloud_vm.instance_id |
ip.cloud_vm.lifecycle |
ip.cloud_vm.mac_address |
ip.cloud_vm.owner_id |
ip.cloud_vm.platform |
ip.cloud_vm.region |
ip.cloud_vm.security_groups |
ip.cloud_vm.source |
ip.cloud_vm.status |
ip.fqdns |
ip.isp |
ip.location.area_code |
ip.location.city |
ip.location.country_code |
ip.location.country_name |
ip.location.postal_code |
ip.location.region_code |
ip.location.region_name |
ip.location.timezone |
ip.ptr |
ip.aid |
ip.services.applications.category |
ip.services.applications.cpe |
ip.services.applications.name |
ip.services.applications.vendor |
ip.services.applications.version |
ip.services.cloud_provider |
ip.services.cpes |
ip.services.platform_name |
ip.services.port |
ip.services.protocol |
ip.services.protocol_port |
ip.services.status |
ip.services.status_code |
ip.services.transport |
manual |
perimeter |
subsidiaries.id |
subsidiaries.name |
triage.action |
triage.assigned_to |
triage.status |
triage.updated_by |
criticality_timestamp |
dns_domain.resolved_ips |
dns_domain.services.first_seen |
dns_domain.services.last_seen |
dns_domain.services.port |
dns_domain.services.status_code |
first_seen |
ip.cloud_vm.private_ip |
ip.cloud_vm.public_ip |
ip.ip_address |
ip.services.first_seen |
ip.services.last_seen |
ip.services.port |
ip.services.status_code |
last_seen |
triage.updated_timestamp |
from falconpy import ExposureManagement
falcon = ExposureManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_assets(offset="string",
limit=integer,
sort="string",
filter="string"
)
print(response)
from falconpy import ExposureManagement
falcon = ExposureManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_external_assets(offset="string",
limit=integer,
sort="string",
filter="string"
)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_external_assets",
offset="string",
limit=integer,
sort="string",
filter="string"
)
print(response)
Back to Table of Contents