Response Policies - CrowdStrike/falconpy GitHub Wiki

CrowdStrike Falcon CrowdStrike Subreddit

Using the Response Policies service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation ID Description
queryCombinedRTResponsePolicyMembers
PEP 8 query_combined_policy_members
Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedRTResponsePolicies
PEP 8 query_combined_policies
Search for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria
performRTResponsePoliciesAction
PEP 8 perform_policies_action
Perform the specified action on the Response Policies specified in the request
setRTResponsePoliciesPrecedence
PEP 8 set_policies_precedence
Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getRTResponsePolicies
PEP 8 get_policies
Retrieve a set of Response Policies by specifying their IDs
createRTResponsePolicies
PEP 8 create_policies
Create Response Policies by specifying details about the policy to create
deleteRTResponsePolicies
PEP 8 delete_policies
Delete a set of Response Policies by specifying their IDs
updateRTResponsePolicies
PEP 8 update_policies
Update Response Policies by specifying the ID of the policy and details to update
queryRTResponsePolicyMembers
PEP 8 query_policy_members
Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryRTResponsePolicies
PEP 8 query_policies
Search for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

queryCombinedRTResponsePolicyMembers

Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria

PEP8 method name

query_combined_policy_members

Endpoint

Method Route
GET /policy/combined/response-members/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
id
Service Class Support

Uber Class Support
query string The ID of the Response policy to search for members of.
filter
Service Class Support

Uber Class Support
query string The filter expression that should be used to limit the results.
offset
Service Class Support

Uber Class Support
query integer The offset to start retrieving records from.
limit
Service Class Support

Uber Class Support
query integer The maximum records to return. [1-5000]
sort
Service Class Support

Uber Class Support
query string The property to sort by.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_combined_policy_members(id="string",
                                                filter="string",
                                                offset=integer,
                                                limit=integer,
                                                sort="string"
                                                )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queryCombinedRTResponsePolicyMembers(id="string",
                                                       filter="string",
                                                       offset=integer,
                                                       limit=integer,
                                                       sort="string"
                                                       )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queryCombinedRTResponsePolicyMembers",
                          id="string",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string"
                          )
print(response)

queryCombinedRTResponsePolicies

Search for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria

PEP8 method name

query_combined_policies

Endpoint

Method Route
GET /policy/combined/response/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string The filter expression that should be used to limit the results.
offset
Service Class Support

Uber Class Support
query integer The offset to start retrieving records from.
limit
Service Class Support

Uber Class Support
query integer The maximum records to return. [1-5000]
sort
Service Class Support

Uber Class Support
query string The property to sort by.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_combined_policies(filter="string",
                                          offset=integer,
                                          limit=integer,
                                          sort="string"
                                          )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queryCombinedRTResponsePolicies(filter="string",
                                                  offset=integer,
                                                  limit=integer,
                                                  sort="string"
                                                  )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

PARAMS = {
    "filter": "string",
    "offset": integer,
    "limit": integer,
    "sort": "string"
}

response = falcon.command("queryCombinedRTResponsePolicies",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string"
                          )
print(response)

performRTResponsePoliciesAction

Perform the specified action on the Response Policies specified in the request

PEP8 method name

perform_policies_action

Endpoint

Method Route
POST /policy/entities/response-actions/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
action_name
Service Class Support

Uber Class Support
query string The action to perform. Allowed values:
  • add-host-group
  • add-rule-group
  • disable
  • enable
  • remove-host-group
  • remove-rule-group
action_parameters
Service Class Support

Uber Class Support
body list of dictionaries List of name / value pairs in JSON format.
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
group_id
Service Class Support

Uber Class Support
body
action_parameters
string Host Group ID to apply the policy to. String. Overridden if action_parameters is specified.
ids
Service Class Support

Uber Class Support
body string or list of strings Response Policy ID(s) to perform actions against.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.perform_policies_action(action_name="string",
                                          group_id="HOST_GROUP_ID",
                                          ids="ID_TO_UPDATE"
                                          )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

# Can also be provided using the keyword `group_id`
act_params = [{
    "name": "group_id",
    "value": "HOST_GROUP_ID"
}]

response = falcon.performRTResponsePoliciesAction(action_name="string",
                                                  action_parameters=act_params,
                                                  ids="ID_TO_UPDATE"
                                                  )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

PARAMS = {
    "action_name": "string"  # Can also pass action_name using a keyword
}

act_params = [{
    "name": "group_id",
    "value": "HOST_GROUP_ID"
}]

# Only one ID may be updated at a time
BODY = {
    "action_parameters": act_params,
    "ids": ["ID_TO_UPDATE"]
}

response = falcon.command("performRTResponsePoliciesAction", parameters=PARAMS, body=BODY)
print(response)

setRTResponsePoliciesPrecedence

Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence

PEP8 method name

set_policies_precedence

Endpoint

Method Route
POST /policy/entities/response-precedence/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
ids
Service Class Support

Uber Class Support
body string or list of strings Response Policy ID(s) to adjust precedence.
platform_name
Service Class Support

Uber Class Support
body string OS platform name. (Linux, Mac, Windows)

Usage

Service class example (PEP8 syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = "ID1,ID2,ID3"  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.set_policies_precedence(ids=id_list, platform_name="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = "ID1,ID2,ID3"  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.setRTResponsePoliciesPrecedence(ids=id_list, platform_name="string")
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list,
    "platform_name": "string"
}

response = falcon.command("setRTResponsePoliciesPrecedence", body=BODY)
print(response)

getRTResponsePolicies

Retrieve a set of Response Policies by specifying their IDs

PEP8 method name

get_policies

Endpoint

Method Route
GET /policy/entities/response/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings The ID(s) of the Response Policies to return.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_policies(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.getRTResponsePolicies(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("getRTResponsePolicies", ids=id_list)
print(response)

createRTResponsePolicies

Create Response Policies by specifying details about the policy to create

PEP8 method name

create_policies

Endpoint

Method Route
POST /policy/entities/response/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
clone_id
Service Class Support

Uber Class Support
body string Response Policy ID to clone.
description
Service Class Support

Uber Class Support
body string Response Policy description.
name
Service Class Support

Uber Class Support
body string Response Policy name.
platform_name
Service Class Support

Uber Class Support
body string Operating system platform name.
settings
Service Class Support

Uber Class Support
body list of dictionaries List of policy-specific settings to apply to the newly created policy. Multiple settings can be applied by passing a list containing multiple entries.

Usage

Service class example (PEP8 syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

policy_settings = {
    "id": "string",
    "value": {}
}

response = falcon.create_policies(clone_id="string",
                                  description="string",
                                  name="string",
                                  platform_name="string",
                                  settings=policy_settings
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

policy_settings = {
    "id": "string",
    "value": {}
}

response = falcon.createRTResponsePolicies(clone_id="string",
                                           description="string",
                                           name="string",
                                           platform_name="string",
                                           settings=policy_settings
                                           )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "resources": [
        {
            "clone_id": "string",
            "description": "string",
            "name": "string",
            "platform_name": "Windows",
            "settings": [
                {
                    "id": "string",
                    "value": {}
                }
            ]
        }
    ]
}

response = falcon.command("createRTResponsePolicies", body=BODY)
print(response)

deleteRTResponsePolicies

Delete a set of Response Policies by specifying their IDs

PEP8 method name

delete_policies

Endpoint

Method Route
DELETE /policy/entities/response/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings The ID(s) of the Response Policies to delete.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_policies(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.deleteRTResponsePolicies(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("deleteRTResponsePolicies", ids=id_list)
print(response)

updateRTResponsePolicies

Update Response Policies by specifying the ID of the policy and details to update

PEP8 method name

update_policies

Endpoint

Method Route
PATCH /policy/entities/response/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
description
Service Class Support

Uber Class Support
body string Prevention Policy description.
id
Service Class Support

Uber Class Support
body string Prevention Policy ID to update.
name
Service Class Support

Uber Class Support
body string Prevention Policy name.
settings
Service Class Support

Uber Class Support
body list of dictionaries List of policy-specific settings to apply to the newly created policy. Multiple settings can be applied by passing a list containing multiple entries.

Usage

Service class example (PEP8 syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

policy_settings = {
    "id": "string",
    "value": "string"
}

response = falcon.update_policies(id="string",
                                  description="string",
                                  name="string",
                                  settings=policy_settings
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

policy_settings = {
    "id": "string",
    "value": "string"
}

response = falcon.updateRTResponsePolicies(id="string",
                                           description="string",
                                           name="string",
                                           settings=policy_settings
                                           )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "resources": [
        {
            "description": "string",
            "id": "string",
            "name": "string",
            "settings": [
                {
                    "id": "string",
                    "value": {}
                }
            ]
        }
    ]
}

response = falcon.command("updateRTResponsePolicies", body=BODY)
print(response)

queryRTResponsePolicyMembers

Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria

PEP8 method name

query_policy_members

Endpoint

Method Route
GET /policy/queries/response-members/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL query expression that should be used to limit the results.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return. Max: 5000.
offset
Service Class Support

Uber Class Support
query string Starting index of overall result set from which to return ids.
id
Service Class Support

Uber Class Support
query string The ID of the Response Policy to search for members of.
sort
Service Class Support

Uber Class Support
query string The property to sort by.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_policy_members(id="string",
                                       filter="string",
                                       offset=integer,
                                       limit=integer,
                                       sort="string"
                                       )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queryRTResponsePolicyMembers(id="string",
                                               filter="string",
                                               offset=integer,
                                               limit=integer,
                                               sort="string"
                                               )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queryRTResponsePolicyMembers", 
                          id="string",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string"
                          )
print(response)

queryRTResponsePolicies

Search for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.

PEP8 method name

query_policies

Endpoint

Method Route
GET /policy/queries/response/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL query expression that should be used to limit the results.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return. Max: 5000.
offset
Service Class Support

Uber Class Support
query string Starting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
query string The property to sort by.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_policies(filter="string",
                                 offset=integer,
                                 limit=integer,
                                 sort="string"
                                 )
print(response)
Service class example (Operation ID syntax)
from falconpy import ResponsePolicies

# Do not hardcode API credentials!
falcon = ResponsePolicies(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queryRTResponsePolicies(filter="string",
                                          offset=integer,
                                          limit=integer,
                                          sort="string"
                                          )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queryRTResponsePolicies",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string"
                          )
print(response)
⚠️ **GitHub.com Fallback** ⚠️