Real Time Response - CrowdStrike/falconpy GitHub Wiki
This service collection has code examples posted to the repository.
Operation ID | Description |
---|---|
RTR_AggregateSessions | Get aggregates on session data. |
BatchActiveResponderCmd | Batch executes a RTR active-responder command across the hosts mapped to the given batch ID. |
BatchCmd | Batch executes a RTR read-only command across the hosts mapped to the given batch ID. |
BatchGetCmdStatus | Retrieves the status of the specified batch get command. Will return successful files when they are finished processing. |
BatchGetCmd | Batch executes get command across hosts to retrieve files. After this call is made BatchGetCmdStatus is used to query for the results. |
BatchInitSessions | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. |
BatchRefreshSessions | Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 5 minutes unless refreshed. |
RTR_CheckActiveResponderCommandStatus | Get status of an executed active-responder command on a single host. |
RTR_ExecuteActiveResponderCommand | Execute an active responder command on a single host. |
RTR_CheckCommandStatus | Get status of an executed command on a single host. |
RTR_ExecuteCommand | Execute a command on a single host. |
RTR_GetExtractedFileContents | Get RTR extracted file contents for specified session and sha256. |
RTR_ListFiles | Get a list of files for the specified RTR session. |
RTR_ListFilesV2 | Get a list of files for the specified RTR session. (Expanded output detail.) |
RTR_DeleteFile | Delete a RTR session file. |
RTR_DeleteFileV2 | Delete a RTR session file. (Expanded output detail, use with RTR_ListFilesV2.) |
RTR_ListQueuedSessions | Get queued session metadata by session ID. |
RTR_DeleteQueuedSession | Delete a queued session command. |
RTR_PulseSession | Refresh a session timeout on a single host. |
RTR_ListSessions | Get session metadata by session id. |
RTR_InitSession | Initialize a new session with the RTR cloud. |
RTR_DeleteSession | Delete a session. |
RTR_ListAllSessions | Get a list of session_ids. |
WARNING: client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.) CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Get aggregates on session data.
aggregate_sessions
Method | Route |
---|---|
POST | /real-time-response/aggregates/sessions/GET/v1 |
- Produces: application/json
Name | Type | Data type | Description |
---|---|---|---|
body | body | list of dictionaries | Full body payload in JSON format. |
date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: [ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ] |
exclude | body | string | Elements to exclude. |
field | body | string | The field on which to compute the aggregation. |
filter | body | string | FQL syntax formatted string to use to filter the results. |
from | body | integer | Starting position. |
include | body | string | Elements to include. |
interval | body | string | Time interval for date histogram aggregations. Valid values include: |
max_doc_count | body | integer | Only return buckets if values are less than or equal to the value here. |
min_doc_count | body | integer | Only return buckets if values are greater than or equal to the value here. |
missing | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
q | body | string | Full text search across all metadata fields. |
ranges | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ] |
size | body | integer | The max number of term buckets to be returned. |
sub_aggregates | body | list of dictionaries | A nested aggregation, such as: [ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ] There is a maximum of 3 nested aggregations per request. |
sort | body | string | FQL syntax string to sort bucket results. asc and desc using \| format. Example: _count\|desc |
time_zone | body | string | Time zone for bucket results. |
type | body | string | Type of aggregation. Valid values include: |
Service class example (PEP8 syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_sessions(date_ranges=date_ranges,
                                     exclude="string",
                                     field="string",
                                     filter="string",
                                     include="string",
                                     interval="string",
                                     max_doc_count=integer,
                                     min_doc_count=integer,
                                     missing="string",
                                     name="string",
                                     q="string",
                                     ranges=ranges,
                                     size=integer,
                                     sort="string",
                                     time_zone="string",
                                     type="string",
                                     # "from" is a Python keyword, so it cannot be
                                     # written as from=integer; unpack it instead.
                                     **{"from": integer}
                                     )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.RTR_AggregateSessions(date_ranges=date_ranges,
                                        exclude="string",
                                        field="string",
                                        filter="string",
                                        include="string",
                                        interval="string",
                                        max_doc_count=integer,
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=ranges,
                                        size=integer,
                                        sort="string",
                                        time_zone="string",
                                        type="string",
                                        # "from" is a Python keyword, so it cannot be
                                        # written as from=integer; unpack it instead.
                                        **{"from": integer}
                                        )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = {
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [],  # list of nested aggregation dictionaries (maximum of 3)
    "time_zone": "string",
    "type": "string"
}

response = falcon.command("RTR_AggregateSessions", body=BODY)
print(response)
```
Batch executes a RTR active-responder command across the hosts mapped to the given batch ID.
batch_active_responder_command
Method | Route |
---|---|
POST | /real-time-response/combined/batch-active-responder-command/v1 |
- Produces: application/json
Name | Type | Data type | Description |
---|---|---|---|
body | body | dictionary | Full body payload in JSON format. |
base_command | body | string | Active Responder base command to perform. For example: get or cp. Refer to the command table below for a complete listing of available commands. |
batch_id | body | string | RTR Batch ID to execute the command against. Received from batch_init_sessions. |
command_string | body | string | Full command line of the command to execute. Example: get some_file.txt. |
host_timeout_duration | query | string | Timeout duration for how long a host has time to complete processing. Default value is a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is < 5 minutes. Example, 10s. Valid units: ns, us, ms, s, m, h. |
optional_hosts | body | string or list of strings | List of the subset of hosts we want to impact by this command. Allows for filtering of hosts from execution within the same batch. |
persist_all | body | boolean | Flag indicating if this command should be executed when the host returns to service. |
timeout | query | integer | Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes. |
timeout_duration | query | string | Timeout duration for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes. |
parameters | query | dictionary | Full query string parameters payload in JSON format. |

Command | Description |
---|---|
cat | View file contents |
cd | Change directory |
clear | Clear the screen |
cp | Copy a file |
encrypt | Encrypt a file |
env | Display environment variables |
eventlog | Inspect the event log (has subcommands). eventlog backup is the recommended solution as opposed to eventlog export, as this method is faster and follows industry-standard file format. |
filehash | Calculate a file hash (MD5 or SHA256) |
get | Retrieve a file |
getsid | Retrieve the current SID |
help | Access help for a specific command or sub-command |
history | Review command history for the current user |
ipconfig | Review TCP configuration |
kill | Kill a running process |
ls | List the contents of a directory |
map | Map a UNC (SMB) path to a drive letter |
memdump | Dump memory of a running process |
mkdir | Create a directory |
mount | Mount a file system (MacOS, Linux) or list available drives (Windows) |
mv | Move a file |
netstat | Retrieve network connection detail |
ps | List running processes |
reg | Registry operations (has subcommands) |
restart | Restart the system |
rm | Remove a file |
runscript | Run a script |
shutdown | Shutdown the system |
unmap | Unmap a UNC (SMB) path from a drive letter |
update | Install patches through Windows Update (has subcommands) |
xmemdump | Dump complete memory (kernel) for the system |
zip | Create a zip archive |
Service class example (PEP8 syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.batch_active_responder_command(base_command="string",
                                                 batch_id="string",
                                                 command_string="string",
                                                 optional_hosts=target_hosts,
                                                 persist_all=boolean,
                                                 timeout=integer,
                                                 timeout_duration="string"
                                                 )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.BatchActiveResponderCmd(base_command="string",
                                          batch_id="string",
                                          command_string="string",
                                          optional_hosts=target_hosts,
                                          persist_all=boolean,
                                          timeout=integer,
                                          timeout_duration="string"
                                          )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

target_hosts = ["ID1", "ID2", "ID3"]

BODY = {
    "base_command": "string",
    "batch_id": "string",
    "command_string": "string",
    "optional_hosts": target_hosts,
    "persist_all": boolean
}

response = falcon.command("BatchActiveResponderCmd",
                          timeout=integer,
                          timeout_duration="string",
                          body=BODY
                          )
print(response)
```
Batch executes a RTR read-only command across the hosts mapped to the given batch ID.
batch_command
Method | Route |
---|---|
POST | /real-time-response/combined/batch-command/v1 |
- Produces: application/json
Name | Type | Data type | Description |
---|---|---|---|
body | body | dictionary | Full body payload in JSON format. |
base_command | body | string | Read-only base command to perform. For example: ls or ps. Refer to the command table below for a complete listing of available commands. |
batch_id | body | string | RTR Batch ID to execute the command against. Received from batch_init_sessions. |
command_string | body | string | Full command line of the command to execute. Example: cat some_file.txt. |
host_timeout_duration | query | string | Timeout duration for how long a host has time to complete processing. Default value is a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is < 5 minutes. Example, 10s. Valid units: ns, us, ms, s, m, h. |
optional_hosts | body | string or list of strings | List of the subset of hosts we want to impact by this command. Allows for filtering of hosts from execution within the same batch. |
persist_all | body | boolean | Flag indicating if this command should be executed when the host returns to service. |
timeout | query | integer | Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes. |
timeout_duration | query | string | Timeout duration for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes. |
parameters | query | dictionary | Full query string parameters payload in JSON format. |

Command | Description |
---|---|
cat | View file contents |
cd | Change directory |
clear | Clear the screen |
csrutil | Get system integrity protection status |
env | Display environment variables |
eventlog | Inspect the event log (has subcommands) |
filehash | Calculate a file hash (MD5 or SHA256) |
getsid | Retrieve the current SID |
help | Access help for a specific command or sub-command |
history | Review command history for the current user |
ipconfig | Review TCP configuration |
ls | List the contents of a directory |
mount | Mount a file system (MacOS, Linux) or list available drives (Windows) |
netstat | Retrieve network connection detail |
ps | List running processes |
reg | Registry operations (has subcommands) |
Service class example (PEP8 syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.batch_command(base_command="string",
                                batch_id="string",
                                command_string="string",
                                optional_hosts=target_hosts,
                                persist_all=boolean,
                                timeout=integer,
                                timeout_duration="string"
                                )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.BatchCmd(base_command="string",
                           batch_id="string",
                           command_string="string",
                           optional_hosts=target_hosts,
                           persist_all=boolean,
                           timeout=integer,
                           timeout_duration="string"
                           )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

target_hosts = ["ID1", "ID2", "ID3"]

BODY = {
    "base_command": "string",
    "batch_id": "string",
    "command_string": "string",
    "optional_hosts": target_hosts,
    "persist_all": boolean
}

response = falcon.command("BatchCmd",
                          timeout=integer,
                          timeout_duration="string",
                          body=BODY
                          )
print(response)
```
Retrieves the status of the specified batch get command. Will return successful files when they are finished processing.
batch_get_command_status
Method | Route |
---|---|
GET | /real-time-response/combined/batch-get-command/v1 |
- Produces: application/json
Name | Type | Data type | Description |
---|---|---|---|
batch_get_cmd_req_id | query | string | Batch Get Command Request ID (usually retrieved when making a call to BatchGetCmd). |
parameters | query | dictionary | Full query string parameters payload in JSON format. |
timeout | query | integer | Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes. |
timeout_duration | query | string | Timeout duration for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes. |
Service class example (PEP8 syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.batch_get_command_status(timeout=integer,
                                           timeout_duration="string",
                                           batch_get_cmd_req_id="string"
                                           )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.BatchGetCmdStatus(timeout=integer,
                                    timeout_duration="string",
                                    batch_get_cmd_req_id="string"
                                    )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("BatchGetCmdStatus",
                          timeout=integer,
                          timeout_duration="string",
                          batch_get_cmd_req_id="string"
                          )
print(response)
```
Batch executes a get command across hosts to retrieve files. After this call is made, BatchGetCmdStatus is used to query for the results.
batch_get_command
Method | Route |
---|---|
POST | /real-time-response/combined/batch-get-command/v1 |
- Produces: application/json
Name | Type | Data type | Description |
---|---|---|---|
body | body | dictionary | Full body payload in JSON format. |
batch_id | body | string | RTR Batch ID to execute the get command against. Received from batch_init_sessions. |
file_path | body | string | Full path to the file that is to be retrieved from each host in the batch. |
host_timeout_duration | query | string | Timeout duration for how long a host has time to complete processing. Default value is a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is < 5 minutes. Example, 10s. Valid units: ns, us, ms, s, m, h. |
optional_hosts | body | string or list of strings | List of the subset of hosts we want to impact by this command. Allows for filtering of hosts from execution within the same batch. |
parameters | query | dictionary | Full query string parameters payload in JSON format. |
timeout | query | integer | Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes. |
timeout_duration | query | string | Timeout duration for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes. |
Service class example (PEP8 syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.batch_get_command(batch_id="string",
                                    file_path="string",
                                    optional_hosts=target_hosts,
                                    timeout=integer,
                                    timeout_duration="string"
                                    )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.BatchGetCmd(batch_id="string",
                              file_path="string",
                              optional_hosts=target_hosts,
                              timeout=integer,
                              timeout_duration="string"
                              )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

target_hosts = ["ID1", "ID2", "ID3"]

BODY = {
    "batch_id": "string",
    "file_path": "string",
    "optional_hosts": target_hosts
}

response = falcon.command("BatchGetCmd",
                          timeout=integer,
                          timeout_duration="string",
                          body=BODY
                          )
print(response)
```
Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.
batch_init_sessions
Method | Route |
---|---|
POST | /real-time-response/combined/batch-init-session/v1 |
- Produces: application/json
Name | Type | Data type | Description |
---|---|---|---|
body | body | dictionary | Full body payload in JSON format. |
existing_batch_id | body | string | Optional existing RTR batch ID. Use this to initialize new hosts and add them to the existing batch. |
host_ids | body | string or list of strings | List of host agent IDs to initialize a RTR session on. |
host_timeout_duration | query | string | Timeout duration for how long a host has time to complete processing. Default value is a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is < 5 minutes. Example, 10s. Valid units: ns, us, ms, s, m, h. |
parameters | query | dictionary | Full query string parameters payload in JSON format. |
queue_offline | body | boolean | Flag indicating if the command should be queued for execution when the host returns to service. |
timeout | query | integer | Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes. |
timeout_duration | query | string | Timeout duration for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes. |
Service class example (PEP8 syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.batch_init_sessions(existing_batch_id="string",
                                      host_ids=target_hosts,
                                      queue_offline=boolean,
                                      timeout=integer,
                                      timeout_duration="string"
                                      )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.BatchInitSessions(existing_batch_id="string",
                                    host_ids=target_hosts,
                                    queue_offline=boolean,
                                    timeout=integer,
                                    timeout_duration="string"
                                    )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

target_hosts = ["ID1", "ID2", "ID3"]

BODY = {
    "existing_batch_id": "string",
    "host_ids": target_hosts,
    "queue_offline": boolean
}

response = falcon.command("BatchInitSessions",
                          timeout=integer,
                          timeout_duration="string",
                          body=BODY
                          )
print(response)
```
Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 5 minutes unless refreshed.
batch_refresh_sessions
Method | Route |
---|---|
POST | /real-time-response/combined/batch-refresh-session/v1 |
- Produces: application/json
Name | Type | Data type | Description |
---|---|---|---|
body | body | dictionary | Full body payload in JSON format. |
batch_id | body | string | Existing RTR batch ID to refresh. |
hosts_to_remove | body | string or list of strings | List of host agent IDs to remove from the batch. |
parameters | query | dictionary | Full query string parameters payload in JSON format. |
timeout | query | integer | Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes. |
timeout_duration | query | string | Timeout duration for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes. |
Service class example (PEP8 syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

remove_hosts = ["ID1", "ID2", "ID3"]

response = falcon.batch_refresh_sessions(batch_id="string",
                                         hosts_to_remove=remove_hosts,
                                         timeout=integer,
                                         timeout_duration="string"
                                         )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

remove_hosts = ["ID1", "ID2", "ID3"]

response = falcon.BatchRefreshSessions(batch_id="string",
                                       hosts_to_remove=remove_hosts,
                                       timeout=integer,
                                       timeout_duration="string"
                                       )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

remove_hosts = ["ID1", "ID2", "ID3"]

BODY = {
    "batch_id": "string",
    "hosts_to_remove": remove_hosts
}

response = falcon.command("BatchRefreshSessions",
                          timeout=integer,
                          timeout_duration="string",
                          body=BODY
                          )
print(response)
```
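The batch operations above form one workflow: initialize a batch, run commands against it, and refresh it before the 5-minute session expiry. The following is an added example, not code from this wiki or from the falconpy project, that wires those three calls together through any client object exposing `batch_init_sessions`, `batch_command` and `batch_refresh_sessions`; the response shapes it reads (`body["batch_id"]`, `body["resources"]`, `body["combined"]["resources"]`, per-host `session_id`/`complete`/`stdout`/`stderr`/`errors`) and the refresh margin are assumptions, not stated on this page.

```python
import time

# Added example; it is not code from the falconpy wiki or the falconpy project.
# It drives the batch workflow this page documents (batch_init_sessions ->
# batch_command -> batch_refresh_sessions) through any object that exposes those
# three methods, so it can also be exercised offline with a fake client.
# Assumed response shapes (not stated on this page): each call returns a dict with
# "status_code" and "body"; batch_init_sessions puts the batch ID at
# body["batch_id"] and per-host results at body["resources"][aid]; batch_command
# puts per-host results at body["combined"]["resources"][aid]; each per-host
# entry carries "session_id", "complete", "stdout", "stderr" and "errors".

SESSION_TTL = 300      # this page: RTR sessions expire after 5 minutes unless refreshed
REFRESH_MARGIN = 60    # refresh this many seconds before expiry (assumption)


def _body(response):
    """Unwrap a falconpy-style response dict, raising on an HTTP error status."""
    code = response.get("status_code", 0)
    if code >= 400:
        errors = response.get("body", {}).get("errors")
        raise RuntimeError(f"RTR call failed (HTTP {code}): {errors}")
    return response.get("body", {})


class BatchSession:
    """One RTR batch: tracks which hosts connected and keeps the batch alive."""

    def __init__(self, falcon, host_ids, queue_offline=False, clock=time.monotonic):
        self.falcon = falcon
        self.clock = clock
        body = _body(falcon.batch_init_sessions(host_ids=list(host_ids),
                                                queue_offline=queue_offline))
        self.batch_id = body.get("batch_id")
        if not self.batch_id:
            raise RuntimeError("batch_init_sessions returned no batch_id")
        # Hosts that did not get a session (offline, wrong AID, ...) are kept
        # separately so the caller can report them instead of silently skipping.
        self.connected, self.failed = [], {}
        for aid, res in body.get("resources", {}).items():
            if res.get("session_id") and not res.get("errors"):
                self.connected.append(aid)
            else:
                self.failed[aid] = res.get("errors") or ["no session established"]
        self.connected.sort()
        self.last_refresh = clock()

    def refresh_if_needed(self, hosts_to_remove=None):
        """Call batch_refresh_sessions before the 5-minute expiry, or whenever hosts
        must be dropped from the batch. Returns True when the API was called."""
        due = self.clock() - self.last_refresh >= SESSION_TTL - REFRESH_MARGIN
        if not due and not hosts_to_remove:
            return False
        _body(self.falcon.batch_refresh_sessions(batch_id=self.batch_id,
                                                 hosts_to_remove=hosts_to_remove or []))
        for aid in hosts_to_remove or []:
            if aid in self.connected:
                self.connected.remove(aid)
        self.last_refresh = self.clock()
        return True

    def run_read_only(self, base_command, command_string, hosts=None):
        """Run a read-only command (ls, ps, netstat, ...) across the connected hosts
        and return {aid: {"ok", "stdout", "stderr", "errors"}}."""
        self.refresh_if_needed()
        body = _body(self.falcon.batch_command(base_command=base_command,
                                               command_string=command_string,
                                               batch_id=self.batch_id,
                                               optional_hosts=hosts or self.connected))
        results = {}
        for aid, res in body.get("combined", {}).get("resources", {}).items():
            errors = res.get("errors") or []
            results[aid] = {
                "ok": bool(res.get("complete")) and not errors and not res.get("stderr"),
                "stdout": res.get("stdout") or "",
                "stderr": res.get("stderr") or "",
                "errors": errors,
            }
        return results
```

With a real `RealTimeResponse` instance, `BatchSession(falcon, host_ids).run_read_only("ps", "ps")` collects process listings from every host that connected while `sess.failed` lists the ones that did not.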
Get status of an executed active-responder command on a single host.
check_active_responder_command_status
Method | Route |
---|---|
GET | /real-time-response/entities/active-responder-command/v1 |
- Produces: application/json
Name | Type | Data type | Description |
---|---|---|---|
cloud_request_id | query | string | Cloud Request ID of the executed command to query. |
parameters | query | dictionary | Full query string parameters payload in JSON format. |
sequence_id | query | integer | Sequence ID that we want to retrieve. Command responses are chunked across sequences. |
Service class example (PEP8 syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.check_active_responder_command_status(cloud_request_id="string",
                                                        sequence_id=integer
                                                        )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_CheckActiveResponderCommandStatus(cloud_request_id="string",
                                                        sequence_id=integer
                                                        )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_CheckActiveResponderCommandStatus",
                          cloud_request_id="string",
                          sequence_id=integer
                          )
print(response)
```
Execute an active responder command on a single host.
execute_active_responder_command
Method | Route |
---|---|
POST | /real-time-response/entities/active-responder-command/v1 |
- Produces: application/json
Name | Type | Data type | Description |
---|---|---|---|
body | body | dictionary | Full body payload in JSON format. |
base_command | body | string | Active Responder base command to perform. For example: get or cp. Refer to the command table below for a complete listing of available commands. |
command_string | body | string | Full command line of the command to execute. Example: get some_file.txt. |
persist | body | boolean | Flag indicating if this command should be executed when the host returns to service. Unused. |
session_id | body | string | RTR Session ID. |

Command | Description |
---|---|
cat | View file contents |
cd | Change directory |
clear | Clear the screen |
cp | Copy a file |
encrypt | Encrypt a file |
env | Display environment variables |
eventlog | Inspect the event log (has subcommands). eventlog backup is the recommended solution as opposed to eventlog export, as this method is faster and follows industry-standard file format. |
filehash | Calculate a file hash (MD5 or SHA256) |
get | Retrieve a file |
getsid | Retrieve the current SID |
help | Access help for a specific command or sub-command |
history | Review command history for the current user |
ipconfig | Review TCP configuration |
kill | Kill a running process |
ls | List the contents of a directory |
map | Map a UNC (SMB) path to a drive letter |
memdump | Dump memory of a running process |
mkdir | Create a directory |
mount | Mount a file system (MacOS, Linux) or list available drives (Windows) |
mv | Move a file |
netstat | Retrieve network connection detail |
ps | List running processes |
reg | Registry operations (has subcommands) |
restart | Restart the system |
rm | Remove a file |
runscript | Run a script |
shutdown | Shutdown the system |
unmap | Unmap a UNC (SMB) path from a drive letter |
update | Install patches through Windows Update (has subcommands) |
xmemdump | Dump complete memory (kernel) for the system |
zip | Create a zip archive |
Service class example (PEP8 syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.execute_active_responder_command(base_command="string",
                                                   command_string="string",
                                                   persist=boolean,
                                                   session_id="string",
                                                   timeout=integer,
                                                   timeout_duration="string"
                                                   )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_ExecuteActiveResponderCommand(base_command="string",
                                                    command_string="string",
                                                    persist=boolean,
                                                    session_id="string",
                                                    timeout=integer,
                                                    timeout_duration="string"
                                                    )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "base_command": "string",
    "command_string": "string",
    "persist": boolean,
    "session_id": "string"
}

response = falcon.command("RTR_ExecuteActiveResponderCommand",
                          timeout=integer,
                          timeout_duration="string",
                          body=BODY
                          )
print(response)
```
Get status of an executed command on a single host.
check_command_status
Method | Route |
---|---|
GET | /real-time-response/entities/command/v1 |
- Produces: application/json
Name | Type | Data type | Description |
---|---|---|---|
cloud_request_id | query | string | Cloud Request ID of the executed command to query. |
parameters | query | dictionary | Full query string parameters payload in JSON format. |
sequence_id | query | integer | Sequence ID that we want to retrieve. Command responses are chunked across sequences. |
Service class example (PEP8 syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.check_command_status(cloud_request_id="string", sequence_id=integer)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_CheckCommandStatus(cloud_request_id="string", sequence_id=integer)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_CheckCommandStatus",
                          cloud_request_id="string",
                          sequence_id=integer
                          )
print(response)
```
Execute a command on a single host.
execute_command
Method | Route |
---|---|
POST | /real-time-response/entities/command/v1 |
- Produces: application/json
Name | Type | Data type | Description |
---|---|---|---|
body | body | dictionary | Full body payload in JSON format. |
base_command | body | string | Read-only base command to perform. For example: ls or ps. Refer to the command table below for a complete listing of available commands. |
command_string | body | string | Full command line of the command to execute. Example: cat some_file.txt. |
persist | body | boolean | Flag indicating if this command should be executed when the host returns to service. |
session_id | body | string | RTR Session ID to execute the command against. |

Command | Description |
---|---|
cat | View file contents |
cd | Change directory |
clear | Clear the screen |
csrutil | Get system integrity protection status |
env | Display environment variables |
eventlog | Inspect the event log (has subcommands) |
filehash | Calculate a file hash (MD5 or SHA256) |
getsid | Retrieve the current SID |
help | Access help for a specific command or sub-command |
history | Review command history for the current user |
ipconfig | Review TCP configuration |
ls | List the contents of a directory |
mount | Mount a file system (MacOS, Linux) or list available drives (Windows) |
netstat | Retrieve network connection detail |
ps | List running processes |
reg | Registry operations (has subcommands) |
Service class example (PEP8 syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.execute_command(base_command="string",
                                  command_string="string",
                                  persist=boolean,
                                  session_id="string"
                                  )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_ExecuteCommand(base_command="string",
                                     command_string="string",
                                     persist=boolean,
                                     session_id="string"
                                     )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "base_command": "string",
    "command_string": "string",
    "persist": boolean,
    "session_id": "string"
}

response = falcon.command("RTR_ExecuteCommand", body=BODY)
print(response)
```
Get RTR extracted file contents for specified session and sha256.

PEP8 method name: `get_extracted_file_contents`

Method | Route
---|---
GET | `/real-time-response/entities/extracted-file-contents/v1`

- Produces: application/x-7z-compressed

Name | Type | Data type | Description
---|---|---|---
parameters | query | dictionary | Full query string parameters payload in JSON format.
filename | query | string | Filename to use for the archive name and the file within the archive.
session_id | query | string | RTR Session ID.
sha256 | query | string | Extracted SHA256.
Service class example (PEP8 syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

save_file = "some_file.7z"

response = falcon.get_extracted_file_contents(session_id="string",
                                              sha256="string",
                                              filename="string"
                                              )
with open(save_file, "wb") as save:
    save.write(response)
```

Service class example (Operation ID syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

save_file = "some_file.7z"

response = falcon.RTR_GetExtractedFileContents(session_id="string",
                                               sha256="string",
                                               filename="string"
                                               )
with open(save_file, "wb") as save:
    save.write(response)
```

Uber class example:

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

save_file = "some_file.7z"

response = falcon.command("RTR_GetExtractedFileContents",
                          session_id="string",
                          sha256="string",
                          filename="string"
                          )
with open(save_file, "wb") as save:
    save.write(response)
```
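The examples above write `response` straight to disk. In practice the call returns the raw 7z bytes on success but a status dictionary (`status_code`, `body.errors`) on failure, so a blind write produces a useless file or an exception. The helper below is an added example, not falconpy's own code: it separates the two cases, checks the 7z signature, writes through a temporary `.part` name so an interrupted download never looks complete, and returns the SHA256 of the archive so it can be recorded with the evidence (note that this is the hash of the container, not the `sha256` of the extracted file you requested). It assumes the bytes-on-success, dict-on-error behaviour described here; the inputs in `demo()` are constructed.

```python
"""Added example (not falconpy's own code): persist the archive returned by
get_extracted_file_contents safely, distinguishing bytes (success) from the
falconpy error dictionary, and hash what was written."""
import hashlib
import os
import tempfile
from typing import Any, Dict, Tuple

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # first six bytes of every 7z archive


def save_extracted_archive(response: Any, dest_path: str) -> Tuple[bool, str]:
    """Write the 7z payload to dest_path.

    Returns (True, sha256_of_archive) on success, or (False, reason) when the
    response is an API error dictionary, empty, or not a 7z archive.
    """
    if isinstance(response, dict):   # assumed falconpy error shape: status_code + body.errors
        errors = response.get("body", {}).get("errors", []) or []
        reason = "; ".join(str(e.get("message", e)) for e in errors)
        return False, reason or f"HTTP {response.get('status_code')}"
    if not isinstance(response, (bytes, bytearray)) or not response:
        return False, "empty or non-binary payload"
    if bytes(response[:6]) != SEVEN_ZIP_MAGIC:
        return False, "payload is not a 7z archive"

    part_path = dest_path + ".part"
    with open(part_path, "wb") as fh:    # write fully, then rename atomically
        fh.write(response)
    os.replace(part_path, dest_path)
    return True, hashlib.sha256(response).hexdigest()


def demo() -> Dict[str, Any]:
    """Round trip with constructed inputs inside a temporary directory."""
    # constructed: a valid 7z signature followed by filler, not a real archive body
    good = SEVEN_ZIP_MAGIC + b"\x00" * 32
    # constructed: what falconpy hands back when the sha256/session pair is unknown
    error = {"status_code": 404,
             "body": {"errors": [{"code": 404, "message": "file not found"}]}}
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "evidence.7z")
        ok, digest = save_extracted_archive(good, path)
        size = os.path.getsize(path) if ok else -1
        leftover = os.path.exists(path + ".part")
        err_ok, err_reason = save_extracted_archive(error, path)
        bad_ok, bad_reason = save_extracted_archive(b"not an archive", path)
    return {"ok": ok, "sha256": digest, "size": size, "leftover_part": leftover,
            "error_ok": err_ok, "error": err_reason,
            "bad_ok": bad_ok, "bad": bad_reason}
```

Pass the return value of `get_extracted_file_contents` (or the Uber `command` call) to `save_extracted_archive` in place of the bare `open(...).write(...)` line.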
Get a list of files for the specified RTR session.

PEP8 method name: `list_files`

Method | Route
---|---
GET | `/real-time-response/entities/file/v1`

- Produces: application/json

Name | Type | Data type | Description
---|---|---|---
parameters | query | dictionary | Full query string parameters payload in JSON format.
session_id | query | string | RTR Session ID.
Service class example (PEP8 syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.list_files(session_id="string")
print(response)
```

Service class example (Operation ID syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_ListFiles(session_id="string")
print(response)
```

Uber class example:

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_ListFiles", session_id="string")
print(response)
```
Get a list of files for the specified RTR session.

PEP8 method name: `list_files_v2`

Method | Route
---|---
GET | `/real-time-response/entities/file/v2`

- Produces: application/json

Name | Type | Data type | Description
---|---|---|---
parameters | query | dictionary | Full query string parameters payload in JSON format.
session_id | query | string | RTR Session ID.
Service class example (PEP8 syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.list_files_v2(session_id="string")
print(response)
```

Service class example (Operation ID syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_ListFilesV2(session_id="string")
print(response)
```

Uber class example:

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_ListFilesV2", session_id="string")
print(response)
```
Delete a RTR session file.

PEP8 method name: `delete_file`

Method | Route
---|---
DELETE | `/real-time-response/entities/file/v1`

- Produces: application/json

Name | Type | Data type | Description
---|---|---|---
parameters | query | dictionary | Full query string parameters payload in JSON format.
ids | query | string | RTR Session file ID (SHA256).
session_id | query | string | RTR Session ID.
Service class example (PEP8 syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.delete_file(session_id="string", ids="string")
print(response)
```

Service class example (Operation ID syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_DeleteFile(session_id="string", ids="string")
print(response)
```

Uber class example:

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_DeleteFile", session_id="string", ids="string")
print(response)
```
Delete a RTR session file.

PEP8 method name: `delete_file_v2`

Method | Route
---|---
DELETE | `/real-time-response/entities/file/v2`

- Produces: application/json

Name | Type | Data type | Description
---|---|---|---
parameters | query | dictionary | Full query string parameters payload in JSON format.
ids | query | string | RTR Session file ID (SHA256).
session_id | query | string | RTR Session ID.
Service class example (PEP8 syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.delete_file_v2(session_id="string", ids="string")
print(response)
```

Service class example (Operation ID syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_DeleteFileV2(session_id="string", ids="string")
print(response)
```

Uber class example:

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_DeleteFileV2", session_id="string", ids="string")
print(response)
```
Get queued session metadata by session ID.

PEP8 method name: `list_queued_sessions`

Method | Route
---|---
POST | `/real-time-response/entities/queued-sessions/GET/v1`

- Produces: application/json

Name | Type | Data type | Description
---|---|---|---
body | body | dictionary | Full body payload in JSON format.
ids | body | string or list of strings | List of RTR sessions to retrieve. Will only return sessions created by the calling user.
Service class example (PEP8 syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = "ID1,ID2,ID3"  # Can also use a list here ['ID1','ID2','ID3']

response = falcon.list_queued_sessions(ids=id_list)
print(response)
```

Service class example (Operation ID syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = "ID1,ID2,ID3"  # Can also use a list here ['ID1','ID2','ID3']

response = falcon.RTR_ListQueuedSessions(ids=id_list)
print(response)
```

Uber class example:

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("RTR_ListQueuedSessions", body=BODY)
print(response)
```
Delete a queued session command.

PEP8 method name: `delete_queued_session`

Method | Route
---|---
DELETE | `/real-time-response/entities/queued-sessions/command/v1`

- Produces: application/json

Name | Type | Data type | Description
---|---|---|---
cloud_request_id | query | string | Cloud Request ID of the executed command to query.
parameters | query | dictionary | Full query string parameters payload in JSON format.
session_id | query | string | RTR Session ID.
Service class example (PEP8 syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.delete_queued_session(session_id="string", cloud_request_id="string")
print(response)
```

Service class example (Operation ID syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_DeleteQueuedSession(session_id="string", cloud_request_id="string")
print(response)
```

Uber class example:

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_DeleteQueuedSession",
                          session_id="string",
                          cloud_request_id="string"
                          )
print(response)
```
Refresh a session timeout on a single host.

PEP8 method name: `pulse_session`

Method | Route
---|---
POST | `/real-time-response/entities/refresh-session/v1`

- Produces: application/json

Name | Type | Data type | Description
---|---|---|---
body | body | dictionary | Full body payload in JSON format.
device_id | body | string | The host agent ID to refresh the RTR session on. RTR will retrieve an existing session for the calling user on this host.
origin | body | string | Origin of the request.
queue_offline | body | boolean | Flag indicating if this should be queued to pulse after the host returns to service.
Service class example (PEP8 syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.pulse_session(device_id="string",
                                origin="string",
                                queue_offline=boolean
                                )
print(response)
```

Service class example (Operation ID syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_PulseSession(device_id="string",
                                   origin="string",
                                   queue_offline=boolean
                                   )
print(response)
```

Uber class example:

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "device_id": "string",
    "origin": "string",
    "queue_offline": boolean
}

response = falcon.command("RTR_PulseSession", body=BODY)
print(response)
```
Get session metadata by session id.

PEP8 method name: `list_sessions`

Method | Route
---|---
POST | `/real-time-response/entities/sessions/GET/v1`

- Produces: application/json

Name | Type | Data type | Description
---|---|---|---
body | body | dictionary | Full body payload in JSON format.
ids | body | string or list of strings | List of RTR sessions to retrieve. Will only return sessions created by the calling user.
Service class example (PEP8 syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = "ID1,ID2,ID3"  # Can also use a list here ['ID1','ID2','ID3']

response = falcon.list_sessions(ids=id_list)
print(response)
```

Service class example (Operation ID syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = "ID1,ID2,ID3"  # Can also use a list here ['ID1','ID2','ID3']

response = falcon.RTR_ListSessions(ids=id_list)
print(response)
```

Uber class example:

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("RTR_ListSessions", body=BODY)
print(response)
```
Initialize a new session with the RTR cloud.

PEP8 method name: `init_session`

Method | Route
---|---
POST | `/real-time-response/entities/sessions/v1`

- Produces: application/json

Name | Type | Data type | Description
---|---|---|---
body | body | dictionary | Full body payload in JSON format.
device_id | body | string | The host agent ID to initialize the RTR session on. RTR will retrieve an existing session for the calling user on this host.
origin | body | string | Origin of the request.
queue_offline | body | boolean | Flag indicating if this should be queued to pulse after the host returns to service.
timeout | body | integer | Timeout for how long to wait for the request in seconds. Default: 30. Maximum: 600.
timeout_duration | body | string | Timeout duration for how long to wait for the request in duration syntax. Example: `10s`. Valid units: `ns`, `us`, `ms`, `s`, `m`, `h`. Maximum timeout is 5 minutes.
Service class example (PEP8 syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.init_session(device_id="string",
                               origin="string",
                               queue_offline=boolean,
                               timeout=integer,
                               timeout_duration="string"
                               )
print(response)
```

Service class example (Operation ID syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_InitSession(device_id="string",
                                  origin="string",
                                  queue_offline=boolean,
                                  timeout=integer,
                                  timeout_duration="string"
                                  )
print(response)
```

Uber class example:

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "device_id": "string",
    "origin": "string",
    "queue_offline": boolean,
    "timeout": integer,
    "timeout_duration": "string"
}

response = falcon.command("RTR_InitSession", body=BODY)
print(response)
```
Delete a session.

PEP8 method name: `delete_session`

Method | Route
---|---
DELETE | `/real-time-response/entities/sessions/v1`

- Produces: application/json

Name | Type | Data type | Description
---|---|---|---
parameters | query | dictionary | Full query string parameters payload in JSON format.
session_id | query | string | RTR Session ID.
Service class example (PEP8 syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.delete_session(session_id="string")
print(response)
```

Service class example (Operation ID syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_DeleteSession(session_id="string")
print(response)
```

Uber class example:

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_DeleteSession", session_id="string")
print(response)
```
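The operations documented above (`init_session`, `execute_command`, `check_command_status`, `pulse_session`, `delete_session`) are normally used together: a session is opened on one host, a command is executed, its status is polled until `complete`, and the session is closed. The block below is an added example, not falconpy's own code, that wires them into one function which always tears the session down and refreshes it before the 5-minute expiry noted for `pulse_session`. `FakeRTRClient` is a constructed stand-in with the same method names and keyword arguments as the page documents and canned responses in the `status_code` / `body.resources` / `body.errors` shape the service classes return, so the flow runs offline; the `PULSE_MARGIN_SECONDS` policy and the `demo()` inputs are assumptions. For a real run, pass a `RealTimeResponse(client_id=..., client_secret=...)` instance instead.

```python
"""Added example (not falconpy's own code): run one RTR command end to end
against a constructed fake client, closing the session on every exit path."""
import time
from typing import Any, Callable, Dict, List

SESSION_TTL_SECONDS = 300    # RTR sessions expire after 5 minutes unless refreshed
PULSE_MARGIN_SECONDS = 60    # assumed policy: pulse once within a minute of expiry


def _ok(resources: List[Dict[str, Any]], status: int = 200) -> Dict[str, Any]:
    """Response shape returned by falconpy service classes."""
    return {"status_code": status, "body": {"resources": resources, "errors": []}}


def first_resource(resp: Dict[str, Any]) -> Dict[str, Any]:
    """Unwrap body.resources[0], or raise with the API's error list."""
    body = resp.get("body", {})
    if resp.get("status_code", 500) >= 400 or not body.get("resources"):
        raise RuntimeError(f"RTR API error {resp.get('status_code')}: {body.get('errors')}")
    return body["resources"][0]


class FakeRTRClient:
    """Constructed stand-in for RealTimeResponse: canned replies plus a call log."""

    def __init__(self) -> None:
        self.calls: List[str] = []
        self._polls = 0

    def init_session(self, device_id, queue_offline=False, **_):
        self.calls.append("init_session")
        return _ok([{"session_id": "sess-constructed", "aid": device_id}], 201)

    def execute_command(self, base_command, command_string, session_id, persist=False, **_):
        self.calls.append("execute_command")
        return _ok([{"session_id": session_id, "cloud_request_id": "req-constructed"}], 201)

    def check_command_status(self, cloud_request_id, sequence_id=0, **_):
        self.calls.append("check_command_status")
        self._polls += 1
        done = self._polls >= 2          # first poll: still running; second: finished
        stdout = "PID  NAME\n42   example.exe\n" if done else ""   # constructed output
        return _ok([{"complete": done, "stdout": stdout, "stderr": "", "sequence_id": sequence_id}])

    def pulse_session(self, device_id, **_):
        self.calls.append("pulse_session")
        return _ok([{"session_id": "sess-constructed"}], 201)

    def delete_session(self, session_id, **_):
        self.calls.append("delete_session")
        return {"status_code": 204, "body": {"resources": [], "errors": []}}


def run_rtr_command(client: Any, device_id: str, base_command: str, command_string: str,
                    poll_interval: float = 2.0, max_wait: float = 120.0,
                    sleep: Callable[[float], None] = time.sleep,
                    clock: Callable[[], float] = time.monotonic) -> Dict[str, Any]:
    """Open a session, run one command, poll until complete, always close the session."""
    session_id = first_resource(client.init_session(device_id=device_id,
                                                    queue_offline=False))["session_id"]
    session_started = clock()
    deadline = clock() + max_wait
    try:
        request_id = first_resource(client.execute_command(
            base_command=base_command, command_string=command_string,
            session_id=session_id, persist=False))["cloud_request_id"]
        while True:
            # Refresh the session if polling is about to outlive its TTL.
            if clock() - session_started > SESSION_TTL_SECONDS - PULSE_MARGIN_SECONDS:
                first_resource(client.pulse_session(device_id=device_id))
                session_started = clock()
            status = first_resource(client.check_command_status(
                cloud_request_id=request_id, sequence_id=0))
            if status.get("complete"):
                return {"stdout": status.get("stdout", ""), "stderr": status.get("stderr", "")}
            if clock() > deadline:
                raise TimeoutError(f"command {request_id} still running after {max_wait}s")
            sleep(poll_interval)
    finally:
        client.delete_session(session_id=session_id)   # never leave a live session behind


def demo() -> Dict[str, Any]:
    """Offline run; the fake clock jumps 250s per sleep so the pulse path is exercised."""
    now = [0.0]

    def fake_clock() -> float:
        return now[0]

    def fake_sleep(_seconds: float) -> None:
        now[0] += 250.0

    client = FakeRTRClient()
    out = run_rtr_command(client, "aid-constructed", "ps", "ps", max_wait=600.0,
                          sleep=fake_sleep, clock=fake_clock)
    return {"stdout": out["stdout"], "calls": client.calls}
```

Because the cleanup sits in a `finally` block, a timeout or an API error on the status call still ends with `delete_session`, which is what keeps abandoned sessions from accumulating against the calling credentials.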
Get a list of session_ids.

You will only be able to retrieve sessions that were created using the same API credentials.

PEP8 method name: `list_all_sessions`

Method | Route
---|---
GET | `/real-time-response/queries/sessions/v1`

- Produces: application/json

Name | Type | Data type | Description
---|---|---|---
filter | query | string | FQL query expression that should be used to limit the results. Available filters: `user_id` can accept a special value `@me` which will restrict results to records with the current user's ID.
limit | query | integer | Maximum number of records to return. Max: 5000.
offset | query | string | Starting index of overall result set from which to return ids.
sort | query | string | The property to sort by.
parameters | query | dictionary | Full query string parameters payload in JSON format.
Service class example (PEP8 syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.list_all_sessions(offset="string",
                                    limit=integer,
                                    sort="string",
                                    filter="string"
                                    )
print(response)
```

Service class example (Operation ID syntax):

```python
from falconpy import RealTimeResponse

# Do not hardcode API credentials!
falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.RTR_ListAllSessions(offset="string",
                                      limit=integer,
                                      sort="string",
                                      filter="string"
                                      )
print(response)
```

Uber class example:

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_ListAllSessions",
                          offset="string",
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
```
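The examples above fetch a single page. Since `limit` is capped at 5000 and `offset` is a string index into the overall result set, an inventory of every session visible to the credentials (for example, to audit what is still open) has to walk the pages. The block below is an added example, not falconpy's own code: it pages through `list_all_sessions` with the documented `offset`, `limit`, `filter` and `sort` arguments, stops on the first short page, and raises on an error response. `FakeRTRClient` is a constructed stand-in serving 1,150 made-up session ids so the paging runs offline; the `user_id:'@me'` filter uses the special value documented in the table, and `sort` is only sent when the caller supplies one.

```python
"""Added example (not falconpy's own code): walk every page of
list_all_sessions, against a constructed fake client."""
from typing import Any, Dict, Iterator, List, Optional

MAX_LIMIT = 5000   # documented cap on limit for this endpoint


class FakeRTRClient:
    """Constructed stand-in for RealTimeResponse.list_all_sessions."""

    def __init__(self, total: int = 1150) -> None:
        self._ids = [f"sess-{i:04d}" for i in range(total)]   # constructed ids
        self.requests: List[Dict[str, Any]] = []

    def list_all_sessions(self, offset: str = "0", limit: int = 100, **kwargs: Any) -> Dict[str, Any]:
        self.requests.append({"offset": offset, "limit": limit, **kwargs})
        start = int(offset)
        page = self._ids[start:start + limit]
        return {"status_code": 200, "body": {"resources": page, "errors": []}}


def iter_session_ids(client: Any, fql_filter: str = "user_id:'@me'",
                     page_size: int = 500, sort: Optional[str] = None) -> Iterator[str]:
    """Yield session ids page by page; a page shorter than page_size ends the walk."""
    if not 1 <= page_size <= MAX_LIMIT:
        raise ValueError(f"page_size must be between 1 and {MAX_LIMIT}")
    offset = 0
    while True:
        kwargs: Dict[str, Any] = {"offset": str(offset), "limit": page_size, "filter": fql_filter}
        if sort:
            kwargs["sort"] = sort
        resp = client.list_all_sessions(**kwargs)
        body = resp.get("body", {})
        if resp.get("status_code", 500) >= 400:
            raise RuntimeError(f"list_all_sessions failed: {body.get('errors')}")
        page = body.get("resources") or []
        yield from page
        if len(page) < page_size:
            return
        offset += len(page)


def demo() -> Dict[str, Any]:
    """Offline walk over the fake client's 1,150 ids in pages of 500."""
    client = FakeRTRClient()
    ids = list(iter_session_ids(client))
    return {"count": len(ids), "unique": len(set(ids)),
            "offsets": [r["offset"] for r in client.requests],
            "filter": client.requests[0]["filter"],
            "sort_sent": "sort" in client.requests[0]}
```

The ids collected this way are the input for `list_sessions` (metadata in batches) or `delete_session` (closing what should no longer be open).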