Installation Tokens - CrowdStrike/falconpy GitHub Wiki

CrowdStrike Falcon CrowdStrike Subreddit

Using the Installation Tokens service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation ID Description
audit_events_read
PEP 8 audit_events_read
Gets the details of one or more audit events by id.
customer_settings_read
PEP 8 customer_settings_read
Check current installation token settings.
customer_settings_update
PEP8 customer_settings_update
Update installation token settings.
tokens_read
PEP 8 tokens_read
Gets the details of one or more tokens by id.
tokens_create
PEP 8 tokens_create
Creates a token.
tokens_delete
PEP 8 tokens_delete
Deletes a token immediately. To revoke a token, use tokens_update instead.
tokens_update
PEP 8 tokens_update
Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.
audit_events_query
PEP 8 audit_events_query
Search for audit events by providing a FQL filter and paging details.
tokens_query
PEP 8 tokens_query
Search for tokens by providing a FQL filter and paging details.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

audit_events_read

Gets the details of one or more audit events by id.

PEP8 method name

audit_events_read

Endpoint

Method Route
GET /installation-tokens/entities/audit-events/v1

Required Scope

installation-tokens:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings ID(s) of the audit events to retrieve details for.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.audit_events_read(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("audit_events_read", ids=id_list)

print(response)

Back to Table of Contents

customer_settings_read

Check current installation token settings.

PEP8 method name

customer_settings_read

Endpoint

Method Route
GET /installation-tokens/entities/customer-settings/v1

Required Scope

installation-tokens:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

No keywords or arguments accepted.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.customer_settings_read()

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("customer_settings_read")

print(response)

Back to Table of Contents

customer_settings_update

Update installation token settings.

PEP8 method name

customer-settings-update

Endpoint

Method Route
PATCH /installation-tokens/entities/customer-settings/v1

Required Scope

installation-tokens-settings:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
max_active_tokens
Service Class Support

Uber Class Support
body integer Maximum number of active tokens.
tokens_required
Service Class Support

Uber Class Support
body boolean Flag indicating if tokens are required.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.customer_settings_update(max_active_tokens=integer,
                                           tokens_required=boolean
                                           )

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "max_active_tokens": integer,
    "tokens_required": boolean
}

response = falcon.command("customer_settings_update", body=BODY)

print(response)

Back to Table of Contents

tokens_read

Gets the details of one or more tokens by id.

PEP8 method name

tokens_read

Endpoint

Method Route
GET /installation-tokens/entities/tokens/v1

Required Scope

installation-tokens:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings ID(s) of the tokens to retrieve details for.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.tokens_read(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("tokens_read", ids=id_list)

print(response)

Back to Table of Contents

tokens_create

Creates a token.

PEP8 method name

tokens_create

Endpoint

Method Route
POST /installation-tokens/entities/tokens/v1

Required Scope

installation-tokens:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
expires_timestamp
Service Class Support

Uber Class Support
body string Expiration timestamp. UTC format.
label
Service Class Support

Uber Class Support
body string Installation token label.
revoked
Service Class Support

Uber Class Support
body boolean Flag indicating if the token is revoked.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.tokens_create(expires_timestamp="string",
                                label="string",
                                revoked=boolean
                                )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "expires_timestamp": "2021-09-22T02:28:11.762Z",
    "label": "string",
    "revoked": boolean
}

response = falcon.command("tokens_create", body=BODY)

print(response)

Back to Table of Contents

tokens_delete

Deletes a token immediately. To revoke a token, use tokens_update instead.

PEP8 method name

tokens_delete

Endpoint

Method Route
DELETE /installation-tokens/entities/tokens/v1

Required Scope

installation-tokens:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings ID(s) of the tokens to delete.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.tokens_delete(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("tokens_delete", ids=id_list)

print(response)

Back to Table of Contents

tokens_update

Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.

PEP8 method name

tokens_update

Endpoint

Method Route
PATCH /installation-tokens/entities/tokens/v1

Required Scope

installation-tokens:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
expires_timestamp
Service Class Support

Uber Class Support
body string Expiration timestamp. UTC format.
label
Service Class Support

Uber Class Support
body string Installation token label.
ids
Service Class Support

Uber Class Support
query string or list of strings ID(s) of the tokens to update.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
revoked
Service Class Support

Uber Class Support
body boolean Flag indicating if the token is revoked.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.tokens_update(expires_timestamp="string",
                                label="string",
                                ids=id_list,
                                revoked=boolean
                                )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "expires_timestamp": "2021-09-22T02:28:11.762Z",
    "label": "string",
    "revoked": boolean
}

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("tokens_update", body=BODY, ids=id_list)

print(response)

Back to Table of Contents

audit_events_query

Search for audit events by providing a FQL filter and paging details.

PEP8 method name

audit_events_query

Endpoint

Method Route
GET /installation-tokens/queries/audit-events/v1

Required Scope

installation-tokens:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL Syntax formatted string used to limit the results.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return.

(Max: 1000, Default: 10)
offset
Service Class Support

Uber Class Support
query integer Starting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: timestamp.desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.audit_events_query(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string"
                                     )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("audit_events_query",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )

print(response)

Back to Table of Contents

tokens_query

Search for tokens by providing a FQL filter and paging details.

PEP8 method name

tokens_query

Endpoint

Method Route
GET /installation-tokens/queries/tokens/v1

Required Scope

installation-tokens:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL Syntax formatted string used to limit the results.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return.

(Max: 1000, Default: 10)
offset
Service Class Support

Uber Class Support
query integer Starting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: created_timestamp.desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)
from falconpy import InstallationTokens

# Do not hardcode API credentials!
falcon = InstallationTokens(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.tokens_query(offset=integer,
                               limit=integer,
                               sort="string",
                               filter="string"
                               )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("tokens_query",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )

print(response)

Back to Table of Contents

⚠️ **GitHub.com Fallback** ⚠️