FDR - CrowdStrike/falconpy GitHub Wiki

CrowdStrike Falcon CrowdStrike Subreddit

Using the Falcon Data Replicator (FDR) service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation ID Description
fdrschema_combined_event_get
PEP 8 get_event_combined
Fetches the combined schema.
fdrschema_entities_event_get
PEP 8 get_event_entities
Fetch event schema by ID.
fdrschema_queries_event_get
PEP 8 query_event_entities
Get list of event IDs given a particular query.
fdrschema_entities_field_get
PEP 8 get_field_entities
Fetch field schema by ID.
fdrschema_queries_field_get
PEP 8 query_field_entities
Get list of field IDs given a particular query.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

fdrschema_combined_event_get

Fetch the combined schema.

PEP8 method name

get_event_combined

Endpoint

Method Route
GET /fdr/combined/schema-members/v1

Required Scope

falcon-data-replicator:read

Content-Type

  • Produces: application/json

Keyword Arguments

No keywords or arguments accepted.

Usage

Service class example (PEP8 syntax)
from falconpy import FDR

# Do not hardcode API credentials!
falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.get_event_combined()

print(response)
Service class example (Operation ID syntax)
from falconpy import FDR

# Do not hardcode API credentials!
falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.fdrschema_combined_event_get()

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("fdrschema_combined_event_get")

print(response)

Back to Table of Contents

fdrschema_entities_event_get

Fetch event schema by ID.

PEP8 method name

get_event_entities

Endpoint

Method Route
GET /fdr/entities/schema-events/v1

Required Scope

falcon-data-replicator:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support
Uber Class Support
 query string or list of strings Feed IDs to fetch.
parameters
Service Class Support
Uber Class Support
 query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FDR

# Do not hardcode API credentials!
falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_event_entities(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import FDR

# Do not hardcode API credentials!
falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.fdrschema_entities_event_get(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("fdrschema_entities_event_get", ids=id_list)

print(response)

Back to Table of Contents

fdrschema_queries_event_get

Get a list of event IDs given a particular query.

PEP8 method name

query_event_entities

Endpoint

Method Route
GET /fdr/queries/schema-events/v1

Required Scope

falcon-data-replicator:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
offset
Service Class Support
Uber Class Support
 query integer The offset to start retrieving records from.
parameters
Service Class Support
Uber Class Support
 query dictionary Full query string parameters payload in JSON format.
limit
Service Class Support
Uber Class Support
 query integer The maximum records to return.
sort
Service Class Support
Uber Class Support
 query string FQL formatted sort directive.
filter
Service Class Support
Uber Class Support
 query string The FQL filter expression that should be used to limit the results.

Usage

Service class example (PEP8 syntax)
from falconpy import FDR

# Do not hardcode API credentials!
falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.query_event_entities(filter="string",
                                       limit=integer,
                                       offset=integer,
                                       sort="string"
                                       )

print(response)
Service class example (Operation ID syntax)
from falconpy import FDR

# Do not hardcode API credentials!
falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.fdrschema_queries_event_get(filter="string",
                                               limit=integer,
                                               offset=integer,
                                               sort="string"
                                               )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("fdrschema_queries_event_get",
                          filter="string",
                          limit=integer,
                          offset=integer,
                          sort="string"
                          )

print(response)

Back to Table of Contents

fdrschema_entities_field_get

Fetch field schema by ID.

PEP8 method name

get_field_entities

Endpoint

Method Route
GET /fdr/entities/schema-fields/v1

Required Scope

falcon-data-replicator:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support
Uber Class Support
 query string or list of strings Feed IDs to fetch.
parameters
Service Class Support
Uber Class Support
 query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FDR

# Do not hardcode API credentials!
falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_field_entities(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import FDR

# Do not hardcode API credentials!
falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.fdrschema_fields_event_get(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("fdrschema_fields_event_get", ids=id_list)

print(response)

Back to Table of Contents

fdrschema_queries_field_get

Get a list of field IDs given a particular query.

PEP8 method name

query_field_entities

Endpoint

Method Route
GET ​/fdr​/queries​/schema-fields​/v1

Required Scope

falcon-data-replicator:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
offset
Service Class Support
Uber Class Support
 query integer The offset to start retrieving records from.
parameters
Service Class Support
Uber Class Support
 query dictionary Full query string parameters payload in JSON format.
limit
Service Class Support
Uber Class Support
 query integer The maximum records to return.
sort
Service Class Support
Uber Class Support
 query string FQL formatted sort directive.
filter
Service Class Support
Uber Class Support
 query string The FQL filter expression that should be used to limit the results.

Usage

Service class example (PEP8 syntax)
from falconpy import FDR

# Do not hardcode API credentials!
falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.query_field_entities(filter="string",
                                       limit=integer,
                                       offset=integer,
                                       sort="string"
                                       )

print(response)
Service class example (Operation ID syntax)
from falconpy import FDR

# Do not hardcode API credentials!
falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.fdrschema_queries_field_get(filter="string",
                                              limit=integer,
                                              offset=integer,
                                              sort="string"
                                              )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("fdrschema_queries_field_get",
                          filter="string",
                          limit=integer,
                          offset=integer,
                          sort="string"
                          )

print(response)

Back to Table of Contents

⚠️ **GitHub.com Fallback** ⚠️