Passing credentials
WARNING
client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)
CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
queryCombinedRTResponsePolicyMembers
Search for members of a Response policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.
PEP8 method name
query_combined_policy_members
Endpoint
Method
Route
/policy/combined/response-members/v1
Required Scope
Content-Type
Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
| :--- | :--- | :--- | :--- |
| id | query | string | The ID of the Response policy to search for members of. |
| filter | query | string | The filter expression that should be used to limit the results. |
| offset | query | integer | The offset to start retrieving records from. |
| limit | query | integer | The maximum records to return. [1-5000] |
| sort | query | string | The property to sort by. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
response = falcon.query_combined_policy_members(id="string",
                                                filter="string",
                                                offset=integer,
                                                limit=integer,
                                                sort="string"
                                                )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
response = falcon.queryCombinedRTResponsePolicyMembers(id="string",
                                                       filter="string",
                                                       offset=integer,
                                                       limit=integer,
                                                       sort="string"
                                                       )
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
response = falcon.command("queryCombinedRTResponsePolicyMembers",
                          id="string",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string"
                          )
print(response)
queryCombinedRTResponsePolicies
Search for Response Policies in your environment by providing an FQL filter and paging details. Returns a set of Response Policies which match the filter criteria.
PEP8 method name
query_combined_policies
Endpoint
Method
Route
/policy/combined/response/v1
Required Scope
Content-Type
Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
| :--- | :--- | :--- | :--- |
| filter | query | string | The filter expression that should be used to limit the results. |
| offset | query | integer | The offset to start retrieving records from. |
| limit | query | integer | The maximum records to return. [1-5000] |
| sort | query | string | The property to sort by. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
response = falcon.query_combined_policies(filter="string",
                                          offset=integer,
                                          limit=integer,
                                          sort="string"
                                          )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
response = falcon.queryCombinedRTResponsePolicies(filter="string",
                                                  offset=integer,
                                                  limit=integer,
                                                  sort="string"
                                                  )
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
# The query string can also be supplied as a dictionary using the parameters keyword
PARAMS = {
    "filter": "string",
    "offset": integer,
    "limit": integer,
    "sort": "string"
}
response = falcon.command("queryCombinedRTResponsePolicies",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string"
                          )
print(response)
performRTResponsePoliciesAction
Perform the specified action on the Response Policies specified in the request
PEP8 method name
perform_policies_action
Endpoint
Method
Route
/policy/entities/response-actions/v1
Required Scope
Content-Type
Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
| :--- | :--- | :--- | :--- |
| action_name | query | string | The action to perform. Allowed values: add-host-group, add-rule-group, disable, enable, remove-host-group, remove-rule-group |
| action_parameters | body | list of dictionaries | List of name / value pairs in JSON format. |
| body | body | dictionary | Full body payload in JSON format. |
| group_id | body action_parameters | string | Host Group ID to apply the policy to. String. Overridden if action_parameters is specified. |
| ids | body | string or list of strings | Response Policy ID(s) to perform actions against. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
response = falcon.perform_policies_action(action_name="string",
                                          group_id="HOST_GROUP_ID",
                                          ids="ID_TO_UPDATE"
                                          )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
# Can also be provided using the keyword `group_id`
act_params = [{
    "name": "group_id",
    "value": "HOST_GROUP_ID"
}]
response = falcon.performRTResponsePoliciesAction(action_name="string",
                                                  action_parameters=act_params,
                                                  ids="ID_TO_UPDATE"
                                                  )
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
PARAMS = {
    "action_name": "string"  # Can also pass action_name using a keyword
}
act_params = [{
    "name": "group_id",
    "value": "HOST_GROUP_ID"
}]
# Only one ID may be updated at a time
BODY = {
    "action_parameters": act_params,
    "ids": ["ID_TO_UPDATE"]
}
response = falcon.command("performRTResponsePoliciesAction", parameters=PARAMS, body=BODY)
print(response)
setRTResponsePoliciesPrecedence
Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
PEP8 method name
set_policies_precedence
Endpoint
Method
Route
/policy/entities/response-precedence/v1
Required Scope
Content-Type
Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
| :--- | :--- | :--- | :--- |
| body | body | dictionary | Full body payload in JSON format. |
| ids | body | string or list of strings | Response Policy ID(s) to adjust precedence. |
| platform_name | body | string | OS platform name. (Linux, Mac, Windows) |
Usage
Service class example (PEP8 syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
id_list = "ID1,ID2,ID3"  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.set_policies_precedence(ids=id_list, platform_name="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
id_list = "ID1,ID2,ID3"  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.setRTResponsePoliciesPrecedence(ids=id_list, platform_name="string")
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
id_list = ['ID1', 'ID2', 'ID3']
BODY = {
    "ids": id_list,
    "platform_name": "string"
}
response = falcon.command("setRTResponsePoliciesPrecedence", body=BODY)
print(response)
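
Added example, not part of the FalconPy documentation: because a precedence update must list every non-Default policy for the platform, this sketch pages through query_combined_policies with offset and limit, then builds the complete ordered ID list with one policy moved to the top. The stub client, the sample records, the `meta.pagination.total` field, the FQL property `platform_name`, the sort key `precedence.asc` and the "Default" name check are assumptions made for illustration.

```python
def fetch_all(query, page_size=5000, **kwargs):
    """Collect every record from a paged query by walking offset/limit."""
    if not 1 <= page_size <= 5000:
        raise ValueError("limit must be within the documented range [1-5000]")
    records, offset = [], 0
    while True:
        resp = query(offset=offset, limit=page_size, **kwargs)
        body = resp.get("body", {})
        if resp.get("status_code") != 200:
            raise RuntimeError(f"query failed: {body.get('errors')}")
        page = body.get("resources") or []
        records.extend(page)
        offset += len(page)
        # Assumption: body.meta.pagination.total reports the total match count.
        total = body.get("meta", {}).get("pagination", {}).get("total", 0)
        if not page or offset >= total:
            return records

def precedence_with_first(policies, first_id, is_default):
    """Return the full ordered ID list with first_id at highest precedence."""
    ids = [p["id"] for p in policies if not is_default(p)]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate policy IDs in query results")
    if first_id not in ids:
        raise ValueError(f"{first_id} is not a non-Default policy for this platform")
    return [first_id] + [i for i in ids if i != first_id]

class StubPolicies:
    """Constructed stand-in for ResponsePolicies; filter and sort are ignored."""
    def __init__(self, policies):
        self._policies = policies

    def query_combined_policies(self, filter=None, offset=0, limit=100, sort=None):
        page = self._policies[offset:offset + limit]
        meta = {"pagination": {"offset": offset, "limit": limit,
                               "total": len(self._policies)}}
        return {"status_code": 200,
                "body": {"meta": meta, "resources": page, "errors": []}}

# Constructed sample records; names and IDs are placeholders.
SAMPLE = [{"id": f"pol{n}", "name": name, "platform_name": "Windows"}
          for n, name in enumerate(["IR team", "Servers", "Workstations", "Default"], 1)]

def demo():
    falcon = StubPolicies(SAMPLE)  # live use: ResponsePolicies(client_id=..., client_secret=...)
    # Assumed FQL property and sort key; confirm them against your tenant.
    found = fetch_all(falcon.query_combined_policies, page_size=2,
                      filter="platform_name:'Windows'", sort="precedence.asc")
    ids = precedence_with_first(found, "pol3", lambda p: p["name"] == "Default")
    # Live use would follow with:
    # falcon.set_policies_precedence(ids=ids, platform_name="Windows")
    return ids

print(demo())
```

Reviewing the returned list before submitting it keeps an incomplete ID set from being sent as a precedence update.
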
getRTResponsePolicies
Retrieve a set of Response Policies by specifying their IDs
PEP8 method name
get_policies
Endpoint
Method
Route
/policy/entities/response/v1
Required Scope
Content-Type
Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
| :--- | :--- | :--- | :--- |
| ids | query | string or list of strings | The ID(s) of the Response Policies to return. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_policies(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.getRTResponsePolicies(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("getRTResponsePolicies", ids=id_list)
print(response)
createRTResponsePolicies
Create Response Policies by specifying details about the policy to create
PEP8 method name
create_policies
Endpoint
Method
Route
/policy/entities/response/v1
Required Scope
Content-Type
Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
| :--- | :--- | :--- | :--- |
| body | body | dictionary | Full body payload in JSON format. |
| clone_id | body | string | Response Policy ID to clone. |
| description | body | string | Response Policy description. |
| name | body | string | Response Policy name. |
| platform_name | body | string | Operating system platform name. |
| settings | body | list of dictionaries | List of policy-specific settings to apply to the newly created policy. Multiple settings can be applied by passing a list containing multiple entries. |
Usage
Service class example (PEP8 syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
policy_settings = {
    "id": "string",
    "value": {}
}
response = falcon.create_policies(clone_id="string",
                                  description="string",
                                  name="string",
                                  platform_name="string",
                                  settings=policy_settings
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
policy_settings = {
    "id": "string",
    "value": {}
}
response = falcon.createRTResponsePolicies(clone_id="string",
                                           description="string",
                                           name="string",
                                           platform_name="string",
                                           settings=policy_settings
                                           )
print(response)
deleteRTResponsePolicies
Delete a set of Response Policies by specifying their IDs
PEP8 method name
delete_policies
Endpoint
Method
Route
/policy/entities/response/v1
Required Scope
Content-Type
Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
| :--- | :--- | :--- | :--- |
| ids | query | string or list of strings | The ID(s) of the Response Policies to delete. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_policies(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.deleteRTResponsePolicies(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("deleteRTResponsePolicies", ids=id_list)
print(response)
updateRTResponsePolicies
Update Response Policies by specifying the ID of the policy and details to update
PEP8 method name
update_policies
Endpoint
Method
Route
/policy/entities/response/v1
Required Scope
Content-Type
Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
| :--- | :--- | :--- | :--- |
| body | body | dictionary | Full body payload in JSON format. |
| description | body | string | Prevention Policy description. |
| id | body | string | Prevention Policy ID to update. |
| name | body | string | Prevention Policy name. |
| settings | body | list of dictionaries | List of policy-specific settings to apply to the newly created policy. Multiple settings can be applied by passing a list containing multiple entries. |
Usage
Service class example (PEP8 syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
policy_settings = {
    "id": "string",
    "value": "string"
}
response = falcon.update_policies(id="string",
                                  description="string",
                                  name="string",
                                  settings=policy_settings
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
policy_settings = {
    "id": "string",
    "value": "string"
}
response = falcon.updateRTResponsePolicies(id="string",
                                           description="string",
                                           name="string",
                                           settings=policy_settings
                                           )
print(response)
queryRTResponsePolicyMembers
Search for members of a Response policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
PEP8 method name
query_policy_members
Endpoint
Method
Route
/policy/queries/response-members/v1
Required Scope
Content-Type
Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
| :--- | :--- | :--- | :--- |
| filter | query | string | FQL query expression that should be used to limit the results. |
| limit | query | integer | Maximum number of records to return. Max: 5000. |
| offset | query | string | Starting index of overall result set from which to return ids. |
| id | query | string | The ID of the Response Policy to search for members of. |
| sort | query | string | The property to sort by. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
response = falcon.query_policy_members(id="string",
                                       filter="string",
                                       offset=integer,
                                       limit=integer,
                                       sort="string"
                                       )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
response = falcon.queryRTResponsePolicyMembers(id="string",
                                               filter="string",
                                               offset=integer,
                                               limit=integer,
                                               sort="string"
                                               )
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
response = falcon.command("queryRTResponsePolicyMembers",
                          id="string",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string"
                          )
print(response)
queryRTResponsePolicies
Search for Response Policies in your environment by providing an FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.
PEP8 method name
query_policies
Endpoint
Method
Route
/policy/queries/response/v1
Required Scope
Content-Type
Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
| :--- | :--- | :--- | :--- |
| filter | query | string | FQL query expression that should be used to limit the results. |
| limit | query | integer | Maximum number of records to return. Max: 5000. |
| offset | query | string | Starting index of overall result set from which to return ids. |
| sort | query | string | The property to sort by. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
response = falcon.query_policies(filter="string",
                                 offset=integer,
                                 limit=integer,
                                 sort="string"
                                 )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies
# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )
response = falcon.queryRTResponsePolicies(filter="string",
                                          offset=integer,
                                          limit=integer,
                                          sort="string"
                                          )
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
response = falcon.command("queryRTResponsePolicies",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string"
                          )
print(response)