Real Time Response Audit - CrowdStrike/falconpy GitHub Wiki


Using the Real Time Response Audit service collection


Table of Contents

Operation ID        PEP8 method name    Description
RTRAuditSessions    audit_sessions      Get all the RTR sessions created for a customer in a specified duration

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

RTRAuditSessions

Get all the RTR sessions created for a customer in a specified duration

PEP8 method name

audit_sessions

Endpoint

Method Route
GET /real-time-response-audit/combined/sessions/v1

Required Scope

real-time-response-audit:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name                Service class support   Uber class support   Type    Data type    Description
filter              Yes                     Yes                  query   string       Optional filter criteria in FQL format.
sort                Yes                     Yes                  query   string       Sort order in FQL format.
limit               Yes                     Yes                  query   string       Maximum number of sessions to be returned.
offset              Yes                     Yes                  query   string       Offset value to be used for paginating results.
parameters          Yes                     Yes                  query   dictionary   Full query string parameters payload in JSON format.
with_command_info   Yes                     Yes                  query   boolean      Retrieve sessions with command info included. By default sessions are returned without command information, which comprises the cloud_request_ids and logs fields.

Usage

Service class example (PEP8 syntax)

from falconpy import RealTimeResponseAudit

# Do not hardcode API credentials! CLIENT_ID and CLIENT_SECRET are expected to
# be loaded from your environment or a secrets store before this point.
falcon = RealTimeResponseAudit(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

# filter, sort, limit and offset are passed as strings (FQL or numeric values);
# with_command_info is a boolean flag.
response = falcon.audit_sessions(filter="string",
                                 sort="string",
                                 limit="string",
                                 offset="string",
                                 with_command_info=True
                                 )
print(response)
Service class example (Operation ID syntax)

from falconpy import RealTimeResponseAudit

# Do not hardcode API credentials! CLIENT_ID and CLIENT_SECRET are expected to
# be loaded from your environment or a secrets store before this point.
falcon = RealTimeResponseAudit(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

# Same call as audit_sessions, addressed by its Operation ID.
response = falcon.RTRAuditSessions(filter="string",
                                   sort="string",
                                   limit="string",
                                   offset="string",
                                   with_command_info=True
                                   )
print(response)
Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials! CLIENT_ID and CLIENT_SECRET are expected to
# be loaded from your environment or a secrets store before this point.
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

# The Uber class dispatches on the Operation ID; keyword arguments are the same.
response = falcon.command("RTRAuditSessions",
                          filter="string",
                          sort="string",
                          limit="string",
                          offset="string",
                          with_command_info=True
                          )
print(response)
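As an added example (not code from the falconpy project), here is how an RTR usage review might drive audit_sessions: page through every session in a time window with limit/offset, fail loudly on a non-200 status, and count sessions per operator and host. The FQL field names created_at, user_id and aid and the meta.pagination.total response field are assumptions to verify against the API reference; FakeAuditClient is a constructed stand-in for the real RealTimeResponseAudit client so the code runs offline.

```python
from collections import Counter

# Assumed FQL field names (created_at, user_id, aid): confirm them against the
# API reference before relying on this filter in production.
def session_filter(start_iso, end_iso, user_id=None):
    """Build an FQL filter for sessions created inside [start_iso, end_iso]."""
    clauses = [f"created_at:>='{start_iso}'", f"created_at:<='{end_iso}'"]
    if user_id:
        clauses.append(f"user_id:'{user_id}'")
    return "+".join(clauses)

def fetch_all_sessions(client, fql, page_size=100, with_command_info=False):
    """Walk offset/limit pages until meta.pagination.total is exhausted."""
    sessions, offset = [], 0
    while True:
        resp = client.audit_sessions(filter=fql, limit=str(page_size),
                                     offset=str(offset),
                                     with_command_info=with_command_info)
        if resp["status_code"] != 200:
            raise RuntimeError(f"RTRAuditSessions failed: {resp['body'].get('errors')}")
        body = resp["body"]
        page = body.get("resources") or []
        sessions.extend(page)
        offset += len(page)
        total = body.get("meta", {}).get("pagination", {}).get("total", 0)
        if not page or offset >= total:
            return sessions

def sessions_per_operator_host(sessions):
    """Count sessions per (user_id, aid) pair: the first cut of an RTR usage review."""
    return Counter((s.get("user_id"), s.get("aid")) for s in sessions)

class FakeAuditClient:
    """Constructed stand-in serving canned pages in falconpy's response shape."""
    def __init__(self, records):
        self.records, self.calls = records, 0
    def audit_sessions(self, filter, limit="100", offset="0", with_command_info=False):
        self.calls += 1
        lim, off = int(limit), int(offset)
        return {"status_code": 200, "headers": {},
                "body": {"meta": {"pagination": {"offset": off, "limit": lim,
                                                 "total": len(self.records)}},
                         "resources": self.records[off:off + lim], "errors": []}}

# Constructed sample data: five sessions across two analysts and two hosts.
SAMPLE = [{"session_id": f"sess-{i}", "user_id": u, "aid": a}
          for i, (u, a) in enumerate([("alice", "host-a"), ("alice", "host-a"),
                                      ("bob", "host-a"), ("bob", "host-b"),
                                      ("alice", "host-b")])]
```

Swap FakeAuditClient for a RealTimeResponseAudit instance and the same fetch_all_sessions call works unchanged, since the service class returns the same status_code/body dictionary.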