Basic Uber Class usage
To make use of the Uber Class, you will need to import it, provide API credentials for authentication and specify any additional configuration options required by your environment.
The Uber Class leverages two authentication methods, Direct Authentication and Credential Authentication. These methods abstract token administration and allow developers to skip the initial authentication step if desired.
You will not authenticate until your first request to the API is made. If you check your authentication status, your token or your token_expiration before doing so, the results will be False.
Direct Authentication allows you to pass your credentials to the class as keywords when you create it.
```python
from falconpy import APIHarness

# Create the Uber Class instance; no request is sent to the API yet
falcon = APIHarness(client_id="CLIENT_ID_HERE",
                    client_secret="CLIENT_SECRET_HERE"
                    )

PARAMS = {"limit": 100}

account_list = falcon.command(action="QueryAWSAccounts", parameters=PARAMS)
print(account_list)

# Only de-auth when you are done interacting with the API
falcon.deauthenticate()
```
Credential Authentication allows you to pass your credentials as a dictionary to the class when you create it.
```python
from falconpy import APIHarness

falcon = APIHarness(creds={
    "client_id": "CLIENT_ID_HERE",
    "client_secret": "CLIENT_SECRET_HERE"
})

PARAMS = {"limit": 100}

account_list = falcon.command(action="QueryAWSAccounts", parameters=PARAMS)
print(account_list)

# Only de-auth when you are done interacting with the API
falcon.deauthenticate()
```
Authorization status and the token are still available as constants.
```python
from falconpy import APIHarness

falcon = APIHarness(client_id="CLIENT_ID_HERE",
                    client_secret="CLIENT_SECRET_HERE"
                    )

falcon.authenticate()
if falcon.authenticated:
    print(falcon.token)
```

```
$ eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzph...really long token string
```
The Uber Class supports custom environment configuration similar to Service Classes and provides full support for all environment configuration keywords.
The Uber Class leverages a single method to make calls to the CrowdStrike API. This method is called `command`, and handles all the same payload types that Service Classes handle.
The `command` method accepts only one positional argument, which is assumed to be the `action` keyword and must contain the requested Operation ID. Either this argument or the `action` keyword must be specified in order to use the `command` method.
Keyword | Description |
---|---|
action | Operation ID to perform. Can be omitted if passed as the first argument to the method. |
action_name | Name of the operation-specific action to perform. Only has effect on operations that require it. |
parameters | JSON formatted query string payload. |
body | JSON or binary formatted body payload. |
content_type | Forces the Content-Type header for the request being performed. |
data | JSON or binary formatted form data payload. |
files | File array formatted file data payload. |
file_name | Name of the file represented within a form or file data payload. |
headers | Dictionary of additional headers to add to request performed. |
ids | Comma-delimited string or list of strings containing the IDs necessary for the requested operation. |
partition | Number of the stream partition to refresh. Specific to the Event Streams API service collection. |
override | String representation of the operation to perform when the Operation ID is unknown. Should be provided in METHOD,ENDPOINT format. Endpoint should not contain the base URL. |
Most API response results will be in the form of a JSON formatted dictionary.
Review the Content-Type section within the operation details of the Service Collection pages to identify operations that produce binary results, which must be saved to a file.
```json
{
    "status_code": 200,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "699",
        "Content-Type": "application/json",
        "Date": "Thu, 12 Nov 2020 22:34:47 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5954"
    },
    "body": {
        "meta": {
            "query_time": 0.0030413,
            "pagination": {
                "offset": 3,
                "limit": 100,
                "total": 3
            },
            "powered_by": "cloud-connect-manager",
            "trace_id": "7c182b49-fe3c-4704-9042-12345678e8d3"
        },
        "errors": [],
        "resources": [
            {
                "cid": "123456-redacted-cid",
                "id": "987654321098",
                "iam_role_arn": "arn:aws:iam::987654321098:role/FalconDiscover",
                "external_id": "IwXe54tosfaSDfsE32dS",
                "policy_version": "1",
                "cloudtrail_bucket_owner_id": "987654321098",
                "cloudtrail_bucket_region": "eu-west-1",
                "created_timestamp": "2020-11-12T20:18:28Z",
                "last_modified_timestamp": "2020-11-12T20:18:28Z",
                "last_scanned_timestamp": "2020-11-12T20:18:28Z",
                "provisioning_state": "registered"
            },
            {
                "cid": "123456-redacted-cid",
                "id": "2109876543210",
                "iam_role_arn": "arn:aws:iam::2109876543210:role/CrowdStrikeFalcon",
                "external_id": "AnotherExternalID",
                "policy_version": "1",
                "cloudtrail_bucket_owner_id": "2109876543210",
                "cloudtrail_bucket_region": "eu-west-1",
                "created_timestamp": "2020-10-08T12:44:49Z",
                "last_modified_timestamp": "2020-10-08T12:44:49Z",
                "last_scanned_timestamp": "2020-11-01T00:14:13Z",
                "provisioning_state": "registered",
                "access_health": {
                    "api": {
                        "valid": true,
                        "last_checked": "2020-11-12T22:34:00Z"
                    }
                }
            },
            {
                "cid": "123456-redacted-cid",
                "id": "0123456789012",
                "iam_role_arn": "arn:aws:iam::0123456789012:role/FalconDiscover",
                "external_id": "CrossAccountExternalID",
                "policy_version": "1",
                "cloudtrail_bucket_owner_id": "0123456789012",
                "cloudtrail_bucket_region": "us-east-1",
                "created_timestamp": "2020-08-12T12:43:16Z",
                "last_modified_timestamp": "2020-10-07T09:44:00Z",
                "last_scanned_timestamp": "2020-11-01T00:13:12Z",
                "provisioning_state": "registered",
                "access_health": {
                    "api": {
                        "valid": false,
                        "last_checked": "2020-11-12T22:34:00Z",
                        "reason": "Assume role failed. IAM role arn and/or external is invalid."
                    }
                }
            }
        ]
    }
}
```
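Added example, not part of the FalconPy documentation: a helper that triages the dictionary `command` returns for `QueryAWSAccounts`, rejecting failed or non-JSON results and listing the accounts whose `access_health` check is invalid. The names `triage_accounts` and `min_remaining` and the trimmed `SAMPLE` are constructed for illustration and assume the response layout shown above.

```python
# Constructed sample, trimmed from the response format shown above.
SAMPLE = {
    "status_code": 200,
    "headers": {"X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5954"},
    "body": {
        "errors": [],
        "resources": [
            {"id": "987654321098", "provisioning_state": "registered"},
            {"id": "2109876543210", "provisioning_state": "registered",
             "access_health": {"api": {"valid": True}}},
            {"id": "0123456789012", "provisioning_state": "registered",
             "access_health": {"api": {
                 "valid": False,
                 "reason": "Assume role failed. IAM role arn and/or external is invalid."}}},
        ],
    },
}


def triage_accounts(response, min_remaining=100):
    """Summarize access health from a QueryAWSAccounts command() result."""
    if not isinstance(response, dict):
        raise TypeError("non-JSON (binary) result: save it to a file instead")
    body = response.get("body") or {}
    errors = body.get("errors") or []
    if response.get("status_code") != 200 or errors:
        raise RuntimeError(f"API call failed: {response.get('status_code')} {errors}")
    failing, unchecked = {}, []
    for acct in body.get("resources") or []:
        api = (acct.get("access_health") or {}).get("api")
        if api is None:
            unchecked.append(acct["id"])  # no access_health entry in the record
        elif not api.get("valid"):
            failing[acct["id"]] = api.get("reason", "unknown")
    # Rate-limit headers arrive as strings; a missing header means "unknown".
    remaining = (response.get("headers") or {}).get("X-Ratelimit-Remaining")
    return {
        "failing": failing,
        "unchecked": unchecked,
        "throttle": remaining is not None and int(remaining) < min_remaining,
    }


if __name__ == "__main__":
    print(triage_accounts(SAMPLE))
```

Pass the value returned by `falcon.command(action="QueryAWSAccounts", parameters=PARAMS)` in place of `SAMPLE` to run the same check against live data.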