Firewall Management
Operation ID | Description
---|---
`aggregate_events` | Aggregate events for customer
`aggregate_policy_rules` | Aggregate rules within a policy for customer
`aggregate_rule_groups` | Aggregate rule groups for customer
`aggregate_rules` | Aggregate rules for customer
`get_events` | Get events entities by ID and optionally version
`get_firewall_fields` | Get the firewall field specifications by ID
`get_platforms` | Get platforms by ID, e.g., windows or mac or droid
`get_policy_containers` | Get policy container entities by policy ID
`update_policy_container` | Update an identified policy container
`get_rule_groups` | Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order.
`create_rule_group` | Create new rule group on a platform for a customer with a name and description, and return the ID
`delete_rule_groups` | Delete rule group entities by ID
`update_rule_group` | Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
`get_rules` | Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
`query_events` | Find all event IDs matching the query with filter
`query_firewall_fields` | Get the firewall field specification IDs for the provided platform
`query_platforms` | Get the list of platform names
`query_policy_rules` | Find all firewall rule IDs matching the query with filter, and return them in precedence order
`query_rule_groups` | Find all rule group IDs matching the query with filter
`query_rules` | Find all rule IDs matching the query with filter
Aggregate events for customer
aggregate_events
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`body` | body | string | Full body payload in JSON format.
`date_ranges` | body | list of dictionaries | Applies to `date_range` aggregations. Example: `[ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ]`
`field` | body | string | The field on which to compute the aggregation.
`filter` | body | string | FQL syntax formatted string to use to filter the results.
`interval` | body | string | Time interval for date histogram aggregations. Valid values include:
`min_doc_count` | body | integer | Only return buckets whose document count is greater than or equal to this value.
`missing` | body | string | Value to use when the aggregation field is missing from the object. By default, documents without a value for the field are ignored; setting `missing` treats them as if they had this value.
`name` | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
`q` | body | string | Full text search across all metadata fields.
`ranges` | body | list of dictionaries | Applies to `range` aggregations. Range values depend on the field. For example, if `max_severity` is used, ranges might look like: `[ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ]`
`size` | body | integer | The maximum number of term buckets to be returned.
`sub_aggregates` | body | list of dictionaries | A nested aggregation, such as: `[ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ]`. There is a maximum of 3 nested aggregations per request.
`sort` | body | string | FQL syntax string to sort bucket results. Direction is `asc` or `desc`, joined to the field with `\|`. Example: `_count\|desc`
`time_zone` | body | string | Time zone for bucket results.
`type` | body | string | Type of aggregation. Valid values include:
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_events(date_ranges=date_ranges,
                                   field="string",
                                   filter="string",
                                   interval="string",
                                   min_doc_count=0,
                                   missing="string",
                                   name="string",
                                   q="string",
                                   ranges=ranges,
                                   size=0,
                                   sort="string",
                                   time_zone="string",
                                   type="string"
                                   )
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

# The body is a list: one dictionary per aggregate query.
BODY = [{
    "date_ranges": date_ranges,
    "field": "string",
    "filter": "string",
    "interval": "string",
    "min_doc_count": 0,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": 0,
    "sort": "string",
    "sub_aggregates": [],  # up to 3 nested aggregations, each with "name", "type" and "field"
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_events", body=BODY)
print(response)
```
Aggregate rules within a policy for customer
aggregate_policy_rules
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`body` | body | string | Full body payload in JSON format.
`date_ranges` | body | list of dictionaries | Applies to `date_range` aggregations. Example: `[ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ]`
`field` | body | string | The field on which to compute the aggregation.
`filter` | body | string | FQL syntax formatted string to use to filter the results.
`interval` | body | string | Time interval for date histogram aggregations. Valid values include:
`min_doc_count` | body | integer | Only return buckets whose document count is greater than or equal to this value.
`missing` | body | string | Value to use when the aggregation field is missing from the object. By default, documents without a value for the field are ignored; setting `missing` treats them as if they had this value.
`name` | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
`q` | body | string | Full text search across all metadata fields.
`ranges` | body | list of dictionaries | Applies to `range` aggregations. Range values depend on the field. For example, if `max_severity` is used, ranges might look like: `[ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ]`
`size` | body | integer | The maximum number of term buckets to be returned.
`sub_aggregates` | body | list of dictionaries | A nested aggregation, such as: `[ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ]`. There is a maximum of 3 nested aggregations per request.
`sort` | body | string | FQL syntax string to sort bucket results. Direction is `asc` or `desc`, joined to the field with `\|`. Example: `_count\|desc`
`time_zone` | body | string | Time zone for bucket results.
`type` | body | string | Type of aggregation. Valid values include:
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_policy_rules(date_ranges=date_ranges,
                                         field="string",
                                         filter="string",
                                         interval="string",
                                         min_doc_count=0,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=ranges,
                                         size=0,
                                         sort="string",
                                         time_zone="string",
                                         type="string"
                                         )
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

# The body is a list: one dictionary per aggregate query.
BODY = [{
    "date_ranges": date_ranges,
    "field": "string",
    "filter": "string",
    "interval": "string",
    "min_doc_count": 0,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": 0,
    "sort": "string",
    "sub_aggregates": [],  # up to 3 nested aggregations, each with "name", "type" and "field"
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_policy_rules", body=BODY)
print(response)
```
Aggregate rule groups for customer
aggregate_rule_groups
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`body` | body | string | Full body payload in JSON format.
`date_ranges` | body | list of dictionaries | Applies to `date_range` aggregations. Example: `[ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ]`
`field` | body | string | The field on which to compute the aggregation.
`filter` | body | string | FQL syntax formatted string to use to filter the results.
`interval` | body | string | Time interval for date histogram aggregations. Valid values include:
`min_doc_count` | body | integer | Only return buckets whose document count is greater than or equal to this value.
`missing` | body | string | Value to use when the aggregation field is missing from the object. By default, documents without a value for the field are ignored; setting `missing` treats them as if they had this value.
`name` | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
`q` | body | string | Full text search across all metadata fields.
`ranges` | body | list of dictionaries | Applies to `range` aggregations. Range values depend on the field. For example, if `max_severity` is used, ranges might look like: `[ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ]`
`size` | body | integer | The maximum number of term buckets to be returned.
`sub_aggregates` | body | list of dictionaries | A nested aggregation, such as: `[ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ]`. There is a maximum of 3 nested aggregations per request.
`sort` | body | string | FQL syntax string to sort bucket results. Direction is `asc` or `desc`, joined to the field with `\|`. Example: `_count\|desc`
`time_zone` | body | string | Time zone for bucket results.
`type` | body | string | Type of aggregation. Valid values include:
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_rule_groups(date_ranges=date_ranges,
                                        field="string",
                                        filter="string",
                                        interval="string",
                                        min_doc_count=0,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=ranges,
                                        size=0,
                                        sort="string",
                                        time_zone="string",
                                        type="string"
                                        )
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

# The body is a list: one dictionary per aggregate query.
BODY = [{
    "date_ranges": date_ranges,
    "field": "string",
    "filter": "string",
    "interval": "string",
    "min_doc_count": 0,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": 0,
    "sort": "string",
    "sub_aggregates": [],  # up to 3 nested aggregations, each with "name", "type" and "field"
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_rule_groups", body=BODY)
print(response)
```
Aggregate rules for customer
aggregate_rules
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`body` | body | string | Full body payload in JSON format.
`date_ranges` | body | list of dictionaries | Applies to `date_range` aggregations. Example: `[ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ]`
`field` | body | string | The field on which to compute the aggregation.
`filter` | body | string | FQL syntax formatted string to use to filter the results.
`interval` | body | string | Time interval for date histogram aggregations. Valid values include:
`min_doc_count` | body | integer | Only return buckets whose document count is greater than or equal to this value.
`missing` | body | string | Value to use when the aggregation field is missing from the object. By default, documents without a value for the field are ignored; setting `missing` treats them as if they had this value.
`name` | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
`q` | body | string | Full text search across all metadata fields.
`ranges` | body | list of dictionaries | Applies to `range` aggregations. Range values depend on the field. For example, if `max_severity` is used, ranges might look like: `[ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ]`
`size` | body | integer | The maximum number of term buckets to be returned.
`sub_aggregates` | body | list of dictionaries | A nested aggregation, such as: `[ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ]`. There is a maximum of 3 nested aggregations per request.
`sort` | body | string | FQL syntax string to sort bucket results. Direction is `asc` or `desc`, joined to the field with `\|`. Example: `_count\|desc`
`time_zone` | body | string | Time zone for bucket results.
`type` | body | string | Type of aggregation. Valid values include:
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_rules(date_ranges=date_ranges,
                                  field="string",
                                  filter="string",
                                  interval="string",
                                  min_doc_count=0,
                                  missing="string",
                                  name="string",
                                  q="string",
                                  ranges=ranges,
                                  size=0,
                                  sort="string",
                                  time_zone="string",
                                  type="string"
                                  )
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

# The body is a list: one dictionary per aggregate query.
BODY = [{
    "date_ranges": date_ranges,
    "field": "string",
    "filter": "string",
    "interval": "string",
    "min_doc_count": 0,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": 0,
    "sort": "string",
    "sub_aggregates": [],  # up to 3 nested aggregations, each with "name", "type" and "field"
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_rules", body=BODY)
print(response)
```
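The four aggregate operations above (`aggregate_events`, `aggregate_policy_rules`, `aggregate_rule_groups`, `aggregate_rules`) take the same body, and the parameter tables state several constraints that the placeholder examples do not exercise: `date_ranges` and `ranges` have specific shapes and only apply to `date_range` and `range` aggregations, `sort` is `<field>|asc` or `<field>|desc`, and at most three `sub_aggregates` are allowed per request. The following is an added example, not FalconPy's own code, that builds a query while checking those constraints locally and dispatches it to whichever aggregate operation is wanted. The `rule_name` and `timestamp` field names and the FQL filter in the `__main__` block are assumptions about the event schema; `run_aggregate` accepts any object exposing the four `aggregate_*` methods, so a real `FirewallManagement` instance or a test double can be passed in.

```python
"""Build, validate and dispatch firewall aggregation queries (added example, not FalconPy code)."""
import re
from datetime import datetime, timezone

MAX_SUB_AGGREGATES = 3                            # stated in the sub_aggregates description
SORT_RE = re.compile(r"^[A-Za-z0-9_.]+\|(asc|desc)$")              # e.g. "_count|desc"
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?Z$")
AGGREGATE_METHODS = {                             # operation IDs documented on this page
    "events": "aggregate_events",
    "rules": "aggregate_rules",
    "rule_groups": "aggregate_rule_groups",
    "policy_rules": "aggregate_policy_rules",
}


def parse_timestamp(value: str) -> datetime:
    """Parse the RFC 3339 UTC form used in the examples, keeping up to 6 fractional digits."""
    match = TIMESTAMP_RE.match(value)
    if not match:
        raise ValueError(f"not an RFC 3339 UTC timestamp: {value!r}")
    base, fraction = match.groups()
    micros = int(((fraction or ".")[1:] + "000000")[:6])
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        tzinfo=timezone.utc, microsecond=micros)


def date_range(start: str, end: str) -> dict:
    """One entry for date_ranges; rejects reversed or malformed windows."""
    if parse_timestamp(start) >= parse_timestamp(end):
        raise ValueError("date_range 'from' must be earlier than 'to'")
    return {"from": start, "to": end}


def numeric_range(low: float, high: float) -> dict:
    """One entry for ranges; note the capitalised keys this API uses."""
    if low >= high:
        raise ValueError("range 'From' must be lower than 'To'")
    return {"From": low, "To": high}


def aggregation(name: str, agg_type: str, field: str, **options) -> dict:
    """Assemble a single aggregate query and check the documented constraints."""
    if not name or not agg_type or not field:
        raise ValueError("name, type and field are required")
    allowed = {"filter", "q", "size", "min_doc_count", "missing", "sort",
               "interval", "time_zone", "date_ranges", "ranges", "sub_aggregates"}
    unknown = set(options) - allowed
    if unknown:
        raise ValueError(f"unknown aggregate option(s): {sorted(unknown)}")
    subs = options.get("sub_aggregates") or []
    if len(subs) > MAX_SUB_AGGREGATES:
        raise ValueError(f"at most {MAX_SUB_AGGREGATES} sub_aggregates per request")
    for sub in subs:
        if not {"name", "type", "field"} <= set(sub):
            raise ValueError(f"sub-aggregation needs name, type and field: {sub!r}")
    sort = options.get("sort")
    if sort is not None and not SORT_RE.match(sort):
        raise ValueError("sort must look like '<field>|asc' or '<field>|desc'")
    for key in ("size", "min_doc_count"):
        if key in options and (not isinstance(options[key], int) or options[key] < 0):
            raise ValueError(f"{key} must be a non-negative integer")
    if options.get("date_ranges") and agg_type != "date_range":
        raise ValueError("date_ranges only applies to date_range aggregations")
    if options.get("ranges") and agg_type != "range":
        raise ValueError("ranges only applies to range aggregations")
    query = {"name": name, "type": agg_type, "field": field}
    query.update({k: v for k, v in options.items() if v is not None})
    return query


def run_aggregate(client, target: str, *queries: dict) -> dict:
    """Send one or more queries as the body array of the chosen aggregate_* operation."""
    method = getattr(client, AGGREGATE_METHODS[target])
    return method(body=list(queries))


if __name__ == "__main__":
    from falconpy import FirewallManagement      # only needed for the live call
    falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                                client_secret="API_CLIENT_SECRET_HERE")
    # "rule_name", "timestamp" and the filter are assumed names; check your event schema.
    by_rule = aggregation("hits_by_rule", "terms", "rule_name",
                          filter="status:'DENY'", size=20, min_doc_count=1,
                          sort="_count|desc")
    per_window = aggregation("hits_per_window", "date_range", "timestamp",
                             date_ranges=[date_range("2021-05-15T00:00:00Z",
                                                     "2021-05-17T00:00:00Z")])
    print(run_aggregate(falcon, "events", by_rule, per_window))
```

Validating before sending is worth the few lines: the aggregate endpoints accept a list of queries in one request, so a single malformed `sort` or a fourth sub-aggregation can fail the whole batch rather than one query.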
Get events entities by ID and optionally version
get_events
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`ids` | query | string or list of strings | The events to retrieve, identified by ID.
`parameters` | query | string | Full query string parameters payload in JSON format.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_events(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_events", ids=id_list)
print(response)
```
Get the firewall field specifications by ID
get_firewall_fields
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`ids` | query | string or list of strings | The firewall field specifications to retrieve, identified by ID.
`parameters` | query | string | Full query string parameters payload in JSON format.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_firewall_fields(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_firewall_fields", ids=id_list)
print(response)
```
Get platforms by ID, e.g., windows or mac or droid
get_platforms
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`ids` | query | string or list of strings | The platforms to retrieve, identified by ID.
`parameters` | query | string | Full query string parameters payload in JSON format.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_platforms(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_platforms", ids=id_list)
print(response)
```
Get policy container entities by policy ID
get_policy_containers
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`ids` | query | string or list of strings | The policy container(s) to retrieve, identified by policy ID.
`parameters` | query | string | Full query string parameters payload in JSON format.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_policy_containers(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_policy_containers", ids=id_list)
print(response)
```
Update an identified policy container
update_policy_container
- Consumes: application/json
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`body` | body | string | Full body payload in JSON format.
`default_inbound` | body | string | Default inbound action.
`default_outbound` | body | string | Default outbound action.
`enforce` | body | boolean | Flag indicating whether the policy is enforced.
`is_default_policy` | body | boolean | Flag indicating whether this is the default policy.
`platform_id` | body | string | ID of the platform for this policy container.
`policy_id` | body | string | Policy ID to apply to this container.
`rule_group_ids` | body | string or list of strings | Rule group IDs to include in this container.
`test_mode` | body | boolean | Flag indicating whether this container is in test mode.
`tracking` | body | string | Tracking.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

rule_groups = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.update_policy_container(default_inbound="string",
                                          default_outbound="string",
                                          enforce=True,
                                          is_default_policy=True,
                                          platform_id="string",
                                          policy_id="string",
                                          rule_group_ids=rule_groups,
                                          test_mode=True,
                                          tracking="string"
                                          )
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

rule_groups = ['ID1', 'ID2', 'ID3']

BODY = {
    "default_inbound": "string",
    "default_outbound": "string",
    "enforce": True,
    "is_default_policy": True,
    "platform_id": "string",
    "policy_id": "string",
    "rule_group_ids": rule_groups,
    "test_mode": True,
    "tracking": "string"
}

response = falcon.command("update_policy_container", body=BODY)
print(response)
```
Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order.
get_rule_groups
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`ids` | query | string or list of strings | The ID(s) of the rule group(s) to retrieve.
`parameters` | query | string | Full query string parameters payload in JSON format.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_groups(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rule_groups", ids=id_list)
print(response)
```
Create new rule group on a platform for a customer with a name and description, and return the ID
create_rule_group
- Consumes: application/json
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`body` | body | string | Full body payload in JSON format.
`clone_id` | query | string | A rule group ID from which to copy rules. If this is provided, the `rules` property of the body is ignored.
`comment` | query | string | Audit log comment for this rule group.
`description` | body | string | Rule group description.
`enabled` | body | boolean | Flag indicating whether the rule group is enabled.
`library` | query | string | If set to `true`, the rules are cloned from `clone_id` in the CrowdStrike Firewall Rule Groups Library rather than from one of your own rule groups.
`name` | body | string | Rule group name.
`parameters` | query | string | Full query string parameters payload in JSON format.
`rules` | body | dictionary or list of dictionaries | Rule(s) in JSON format.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

new_rule = {
    "action": "string",
    "address_family": "string",
    "description": "string",
    "direction": "string",
    "enabled": True,
    "fields": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                "string"
            ]
        }
    ],
    "icmp": {
        "icmp_code": "string",
        "icmp_type": "string"
    },
    "local_address": [
        {
            "address": "string",
            "netmask": 0
        }
    ],
    "local_port": [
        {
            "end": 0,
            "start": 0
        }
    ],
    "log": True,
    "monitor": {
        "count": "string",
        "period_ms": "string"
    },
    "name": "string",
    "platform_ids": [
        "string"
    ],
    "protocol": "string",
    "remote_address": [
        {
            "address": "string",
            "netmask": 0
        }
    ],
    "remote_port": [
        {
            "end": 0,
            "start": 0
        }
    ],
    "temp_id": "string"
}

# When clone_id is supplied, the rules argument is ignored (see the parameter table).
response = falcon.create_rule_group(clone_id="string",
                                    library="string",
                                    comment="string",
                                    description="string",
                                    enabled=True,
                                    name="string",
                                    rules=new_rule
                                    )
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

new_rule = {
    "action": "string",
    "address_family": "string",
    "description": "string",
    "direction": "string",
    "enabled": True,
    "fields": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                "string"
            ]
        }
    ],
    "icmp": {
        "icmp_code": "string",
        "icmp_type": "string"
    },
    "local_address": [
        {
            "address": "string",
            "netmask": 0
        }
    ],
    "local_port": [
        {
            "end": 0,
            "start": 0
        }
    ],
    "log": True,
    "monitor": {
        "count": "string",
        "period_ms": "string"
    },
    "name": "string",
    "platform_ids": [
        "string"
    ],
    "protocol": "string",
    "remote_address": [
        {
            "address": "string",
            "netmask": 0
        }
    ],
    "remote_port": [
        {
            "end": 0,
            "start": 0
        }
    ],
    "temp_id": "string"
}

BODY = {
    "description": "string",
    "enabled": True,
    "name": "string",
    "rules": [new_rule]
}

# clone_id, library and comment are query string parameters, not part of the body.
response = falcon.command("create_rule_group",
                          body=BODY,
                          clone_id="string",
                          library="string",
                          comment="string"
                          )
print(response)
```
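The placeholder rule above shows every key the rule object accepts but nothing about what a consistent rule looks like, and a rule group is evaluated in the order its rules are listed (the `get_rule_groups` description above notes that groups hold rule IDs in precedence order). The following is an added example, not CrowdStrike's or FalconPy's own code, that assembles two rules in the documented shape, checks them for internal consistency (netmask within the address family's prefix range, addresses matching the family, ports only on TCP/UDP, ICMP settings only on ICMP, unique `temp_id`s), and builds the `create_rule_group` body with the narrow allow ahead of the catch-all deny. The enum values (`ALLOW`/`DENY`, `IN`/`OUT`/`BOTH`, `IP4`/`IP6`, IANA protocol numbers as strings, `*` for any protocol) and the reading of `temp_id` as a caller-chosen placeholder within the request are assumptions about the Falcon Firewall API; confirm them against your tenant's rule editor before relying on them.

```python
"""Construct and sanity-check rules for create_rule_group (added example, not FalconPy code)."""
import ipaddress

ACTIONS = {"ALLOW", "DENY"}                     # assumed enum
DIRECTIONS = {"IN", "OUT", "BOTH"}              # assumed enum
FAMILIES = {"IP4": 4, "IP6": 6}                 # assumed enum, mapped to IP version
PROTO_TCP, PROTO_UDP, PROTO_ICMP, PROTO_ICMPV6, PROTO_ANY = "6", "17", "1", "58", "*"
PORT_PROTOCOLS = {PROTO_TCP, PROTO_UDP}
ICMP_PROTOCOLS = {PROTO_ICMP, PROTO_ICMPV6}


def address(cidr: str) -> dict:
    """Turn '10.20.0.0/24' into the {"address", "netmask"} shape the rule object uses."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {"address": str(net.network_address), "netmask": net.prefixlen}


def port_range(start: int, end: int = None) -> dict:
    """A single port or an inclusive range; end defaults to start."""
    return {"start": start, "end": start if end is None else end}


def firewall_rule(name, action, direction, protocol, *, address_family="IP4",
                  local_address=(), remote_address=(), local_port=(), remote_port=(),
                  description="", enabled=True, log=False, platform_ids=(),
                  temp_id=None) -> dict:
    """Assemble one rule dict; run validate_rule() on it before sending."""
    return {
        "name": name, "description": description, "action": action,
        "direction": direction, "protocol": protocol, "address_family": address_family,
        "local_address": list(local_address), "remote_address": list(remote_address),
        "local_port": list(local_port), "remote_port": list(remote_port),
        "enabled": enabled, "log": log, "platform_ids": list(platform_ids),
        "temp_id": temp_id or name.lower().replace(" ", "_"),   # assumed: request-local ID
    }


def validate_rule(rule: dict) -> list:
    """Return a list of problems; empty when the rule is internally consistent."""
    problems = []
    if not rule.get("name"):
        problems.append("name is required")
    if rule.get("action") not in ACTIONS:
        problems.append(f"action must be one of {sorted(ACTIONS)}")
    if rule.get("direction") not in DIRECTIONS:
        problems.append(f"direction must be one of {sorted(DIRECTIONS)}")
    version = FAMILIES.get(rule.get("address_family"))
    if version is None:
        problems.append(f"address_family must be one of {sorted(FAMILIES)}")
    max_prefix = 32 if version == 4 else 128
    for side in ("local_address", "remote_address"):
        for entry in rule.get(side, []):
            netmask = entry.get("netmask")
            if not isinstance(netmask, int) or not 0 <= netmask <= max_prefix:
                problems.append(f"{side}: netmask {netmask!r} outside 0..{max_prefix}")
            try:
                if version and ipaddress.ip_address(entry.get("address")).version != version:
                    problems.append(f"{side}: {entry['address']} is not an IPv{version} address")
            except ValueError:
                problems.append(f"{side}: {entry.get('address')!r} is not an IP address")
    protocol = rule.get("protocol")
    if (rule.get("local_port") or rule.get("remote_port")) and protocol not in PORT_PROTOCOLS:
        problems.append("ports are only meaningful for TCP (6) or UDP (17)")
    for side in ("local_port", "remote_port"):
        for entry in rule.get(side, []):
            start, end = entry.get("start"), entry.get("end")
            if not all(isinstance(v, int) and 0 <= v <= 65535 for v in (start, end)):
                problems.append(f"{side}: ports must be integers in 0..65535")
            elif start > end:
                problems.append(f"{side}: start {start} is above end {end}")
    if rule.get("icmp") and protocol not in ICMP_PROTOCOLS:
        problems.append("icmp settings require protocol 1 (ICMP) or 58 (ICMPv6)")
    return problems


def rule_group_body(name: str, description: str, rules: list, enabled: bool = True) -> dict:
    """Body for create_rule_group; rules keep the order given, which is their precedence."""
    errors = {r.get("name"): validate_rule(r) for r in rules}
    errors = {n: p for n, p in errors.items() if p}
    if errors:
        raise ValueError(f"invalid rules: {errors}")
    temp_ids = [r["temp_id"] for r in rules]
    if len(set(temp_ids)) != len(temp_ids):
        raise ValueError("temp_id values must be unique within one request")
    return {"name": name, "description": description, "enabled": enabled, "rules": rules}


# Precedence matters: the narrow ALLOW is listed above the catch-all DENY.
MGMT_SSH = firewall_rule("Allow SSH from mgmt", "ALLOW", "IN", PROTO_TCP,
                         remote_address=[address("10.20.0.0/24")],
                         local_port=[port_range(22)], log=True)
DENY_INBOUND = firewall_rule("Deny all other inbound", "DENY", "IN", PROTO_ANY,
                             remote_address=[address("0.0.0.0/0")], log=True)

if __name__ == "__main__":
    from falconpy import FirewallManagement
    falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                                client_secret="API_CLIENT_SECRET_HERE")
    body = rule_group_body("Linux baseline", "SSH from mgmt only", [MGMT_SSH, DENY_INBOUND])
    print(falcon.create_rule_group(body=body, comment="baseline created via API"))
```

The `comment` query parameter is the audit-log entry for the change; passing something meaningful there costs nothing and is what an incident responder will read later when asking who opened a port.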
Delete rule group entities by ID
delete_rule_groups
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`comment` | query | string or list of strings | Audit log comment for this operation.
`ids` | query | string or list of strings | The rule groups to delete, identified by ID.
`parameters` | query | string | Full query string parameters payload in JSON format.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_groups(comment="string", ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_rule_groups", comment="string", ids=id_list)
print(response)
```
Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
update_rule_group
- Consumes: application/json
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`body` | body | string | Full body payload in JSON format.
`comment` | query | string | Audit log comment for this action.
`diff_operations` | body | dictionary or list of dictionaries | Differential operations to perform against the rule group.
`diff_type` | body | string | Type of diff to apply.
`id` | body | string | ID of the rule group to update.
`parameters` | query | string | Full query string parameters payload in JSON format.
`rule_ids` | body | list of strings | Rule ID(s) to add to the rule group.
`rule_versions` | body | list of integers | Rule version(s).
`tracking` | body | string | Tracking.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]

diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

response = falcon.update_rule_group(comment="string",
                                    diff_operations=diffs,
                                    diff_type="string",
                                    id="string",
                                    rule_ids=rules,
                                    rule_versions=versions,
                                    tracking="string"
                                    )
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]

diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

BODY = {
    "diff_operations": [diffs],
    "diff_type": "string",
    "id": "string",
    "rule_ids": rules,
    "rule_versions": versions,
    "tracking": "string"
}

# The query string parameter is named "comment" (singular).
response = falcon.command("update_rule_group",
                          comment="string",
                          body=BODY
                          )
print(response)
```
Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
get_rules
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`ids` | query | string or list of strings | The rules to retrieve, identified by ID.
`parameters` | query | string | Full query string parameters payload in JSON format.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rules", ids=id_list)
print(response)
```
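`get_rules` is the one operation on this page that accepts two differently shaped identifiers: a rule ID (a 64-bit unsigned integer as a decimal string) or a family ID (a 32-character hexadecimal string). IDs copied from logs or spreadsheets are often truncated, padded or the wrong kind, and a single bad value can fail the whole batch. The following is an added example, not FalconPy's own code, that classifies each identifier against those two forms before any API call is made, accepts both the comma-separated string and list forms used in the examples above, and fetches the accepted IDs in chunks. The chunk size is an assumption, not a documented limit; the response envelope (`status_code`, `body.resources`, `body.errors`) is FalconPy's usual shape.

```python
"""Validate identifiers before calling get_rules (added example, not FalconPy code)."""
import re

UINT64_MAX = 2 ** 64 - 1
FAMILY_ID_RE = re.compile(r"^[0-9a-fA-F]{32}$")   # 32-character hexadecimal string
RULE_ID_RE = re.compile(r"^[0-9]{1,20}$")          # 2**64-1 has 20 decimal digits


def normalise_ids(ids) -> list:
    """Accept 'ID1,ID2' or ['ID1', 'ID2'], the two forms the examples use."""
    if isinstance(ids, str):
        ids = ids.split(",")
    return [str(i).strip() for i in ids if str(i).strip()]


def classify_rule_id(value: str) -> str:
    """Return 'family_id' or 'rule_id'; raise ValueError for anything else.

    A 32-digit all-decimal string is necessarily a family ID: it is valid hex and
    exceeds the 64-bit range, so it cannot be a rule ID.
    """
    if FAMILY_ID_RE.match(value):
        return "family_id"
    if RULE_ID_RE.match(value) and int(value) <= UINT64_MAX:
        return "rule_id"
    raise ValueError(f"not a rule ID or family ID: {value!r}")


def partition_ids(ids) -> dict:
    """Split input into {'rule_id': [...], 'family_id': [...], 'rejected': [...]}."""
    out = {"rule_id": [], "family_id": [], "rejected": []}
    for value in normalise_ids(ids):
        try:
            out[classify_rule_id(value)].append(value)
        except ValueError:
            out["rejected"].append(value)
    return out


def fetch_rules(client, ids, chunk_size: int = 100) -> list:
    """Call client.get_rules in chunks, refusing to send anything if an ID is malformed."""
    parts = partition_ids(ids)
    if parts["rejected"]:
        raise ValueError(f"malformed identifiers: {parts['rejected']}")
    accepted = parts["rule_id"] + parts["family_id"]
    resources = []
    for start in range(0, len(accepted), chunk_size):   # chunk size is an assumption
        response = client.get_rules(ids=accepted[start:start + chunk_size])
        if response["status_code"] != 200:
            raise RuntimeError(f"get_rules failed: {response['body'].get('errors')}")
        resources.extend(response["body"].get("resources", []))
    return resources


if __name__ == "__main__":
    from falconpy import FirewallManagement
    falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                                client_secret="API_CLIENT_SECRET_HERE")
    for rule in fetch_rules(falcon, "ID1,ID2,ID3"):   # replace with real identifiers
        print(rule)
```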
Find all event IDs matching the query with filter
query_events
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`after` | query | string | A pagination token used with the `limit` parameter to manage pagination of results. On your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from the previous response to continue from that place in the results. To access more than 10k results, use `after` instead of `offset`.
`filter` | query | string | FQL syntax formatted filter that should be used to limit the results.
`limit` | query | integer | Maximum number of results to return.
`offset` | query | integer | The offset to start retrieving records from. `offset` and `after` are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k results, use `after` instead of `offset`.
`parameters` | query | string | Full query string parameters payload in JSON format.
`q` | query | string | Free text search across all indexed fields.
`sort` | query | string | FQL syntax formatted sort filter.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

# offset and after are mutually exclusive; pass one or the other, not both.
response = falcon.query_events(sort="string",
                               filter="string",
                               q="string",
                               offset=0,
                               after="string",
                               limit=0
                               )
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

# offset and after are mutually exclusive; pass one or the other, not both.
response = falcon.command("query_events",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=0,
                          after="string",
                          limit=0
                          )
print(response)
```
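The parameter table above makes two points that the placeholder call glosses over: `offset` and `after` are mutually exclusive, and only `after` gets past the 10k-result ceiling. The following is an added example, not FalconPy's own code, that walks `query_events` with the `after` token (never sending `offset`), stops cleanly when a page is empty or carries no next token, and then hydrates the collected IDs with `get_events` in chunks. It assumes FalconPy's usual response envelope (`status_code` at top level, `body.resources`, `body.meta.pagination.after`); the page size, the `get_events` chunk size and the `timestamp` field used in the `__main__` filter are assumptions rather than documented values. The client argument is duck-typed so a `FirewallManagement` instance or a test double works.

```python
"""Page query_events with the after token and hydrate IDs via get_events (added example, not FalconPy code)."""


def iter_event_ids(client, fql_filter: str, page_size: int = 500, sort: str = None):
    """Yield event IDs across pages; stop when a page is empty or has no next token."""
    after = None
    seen = set()
    while True:
        params = {"filter": fql_filter, "limit": page_size}   # page_size is an assumption
        if sort:
            params["sort"] = sort
        if after:
            params["after"] = after        # never combined with offset (mutually exclusive)
        response = client.query_events(**params)
        if response["status_code"] != 200:
            raise RuntimeError(f"query_events failed: {response['body'].get('errors')}")
        body = response["body"]
        ids = body.get("resources") or []
        for event_id in ids:
            if event_id not in seen:       # tolerate an ID repeated across a page edge
                seen.add(event_id)
                yield event_id
        next_after = (body.get("meta") or {}).get("pagination", {}).get("after")
        if not ids or not next_after or next_after == after:
            return
        after = next_after


def collect_events(client, fql_filter: str, page_size: int = 500, chunk_size: int = 100) -> list:
    """Return full event records: page the IDs, then fetch them in chunks with get_events."""
    ids = list(iter_event_ids(client, fql_filter, page_size=page_size))
    events = []
    for start in range(0, len(ids), chunk_size):              # chunk_size is an assumption
        response = client.get_events(ids=ids[start:start + chunk_size])
        if response["status_code"] != 200:
            raise RuntimeError(f"get_events failed: {response['body'].get('errors')}")
        events.extend(response["body"].get("resources", []))
    return events


if __name__ == "__main__":
    from falconpy import FirewallManagement
    falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                                client_secret="API_CLIENT_SECRET_HERE")
    # The field name in the filter is an assumption; adjust it to your event schema.
    for event in collect_events(falcon, "timestamp:>'2021-05-15T00:00:00Z'"):
        print(event)
```

The `seen` set and the `next_after == after` guard are cheap insurance against a backend that hands back the same token twice; without them a paging loop can spin indefinitely against a rate-limited API.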
Get the firewall field specification IDs for the provided platform
query_firewall_fields
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`limit` | query | integer | Maximum number of results to return.
`offset` | query | integer | The offset to start retrieving records from. `offset` and `after` are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k results, use `after` instead of `offset`.
`parameters` | query | string | Full query string parameters payload in JSON format.
`platform_id` | query | string | Return field configurations specific to this platform.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

response = falcon.query_firewall_fields(platform_id="string",
                                        offset=0,
                                        limit=0
                                        )
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("query_firewall_fields",
                          platform_id="string",
                          limit=0,
                          offset=0
                          )
print(response)
```
Get the list of platform names
query_platforms
- Produces: application/json
Name | Type | Data type | Description
---|---|---|---
`limit` | query | integer | Maximum number of results to return.
`offset` | query | integer | The offset to start retrieving records from. `offset` and `after` are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k results, use `after` instead of `offset`.
`parameters` | query | string | Full query string parameters payload in JSON format.
```python
# Service class example (PEP 8 syntax)
from falconpy import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )

response = falcon.query_platforms(offset=0, limit=0)
print(response)
```

```python
# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("query_platforms", limit=0, offset=0)
print(response)
```
Find all firewall rule IDs matching the query with filter, and return them in precedence order
query_policy_rules
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
after | | | query | string | Pagination token used together with `limit`. Omit it on the first request; on each subsequent request pass the `after` value from the previous response to continue from that point. To page past 10,000 results, use `after` rather than `offset`. |
filter | | | query | string | FQL syntax formatted filter used to limit the results. |
id | | | query | string | The ID of the policy container within which to query. |
limit | | | query | integer | Maximum number of results to return. |
offset | | | query | integer | The offset to start retrieving records from. `offset` and `after` are mutually exclusive; if neither is provided, results are returned from the beginning. `offset` cannot reach past the first 10,000 results; use `after` for deeper pagination. |
parameters | | | query | string | Full query string parameters payload in JSON format. |
q | | | query | string | Free text search across all indexed fields. |
sort | | | query | string | FQL syntax formatted sort filter. |
```python
from falconpy import FirewallManagement
falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
response = falcon.query_policy_rules(id="string",
                                     sort="string",
                                     filter="string",
                                     q="string",
                                     offset=integer,
                                     limit=integer,
                                     after="string"
                                     )
print(response)
```
```python
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
response = falcon.command("query_policy_rules",
                          id="string",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,
                          limit=integer,
                          after="string"
                          )
print(response)
```
Find all rule group IDs matching the query with filter
query_rule_groups
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
after | | | query | string | Pagination token used together with `limit`. Omit it on the first request; on each subsequent request pass the `after` value from the previous response to continue from that point. To page past 10,000 results, use `after` rather than `offset`. |
filter | | | query | string | FQL syntax formatted filter used to limit the results. |
limit | | | query | integer | Maximum number of results to return. |
offset | | | query | integer | The offset to start retrieving records from. `offset` and `after` are mutually exclusive; if neither is provided, results are returned from the beginning. `offset` cannot reach past the first 10,000 results; use `after` for deeper pagination. |
parameters | | | query | string | Full query string parameters payload in JSON format. |
q | | | query | string | Free text search across all indexed fields. |
sort | | | query | string | FQL syntax formatted sort filter. |
```python
from falconpy import FirewallManagement
falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
# offset is an integer (see the parameter table above), not a string
response = falcon.query_rule_groups(sort="string",
                                    filter="string",
                                    q="string",
                                    offset=integer,
                                    after="string",
                                    limit=integer
                                    )
print(response)
```
```python
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
response = falcon.command("query_rule_groups",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,
                          after="string",
                          limit=integer
                          )
print(response)
```
Find all rule IDs matching the query with filter
query_rules
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
after | | | query | string | Pagination token used together with `limit`. Omit it on the first request; on each subsequent request pass the `after` value from the previous response to continue from that point. To page past 10,000 results, use `after` rather than `offset`. |
filter | | | query | string | FQL syntax formatted filter used to limit the results. |
limit | | | query | integer | Maximum number of results to return. |
offset | | | query | integer | The offset to start retrieving records from. `offset` and `after` are mutually exclusive; if neither is provided, results are returned from the beginning. `offset` cannot reach past the first 10,000 results; use `after` for deeper pagination. |
parameters | | | query | string | Full query string parameters payload in JSON format. |
q | | | query | string | Free text search across all indexed fields. |
sort | | | query | string | FQL syntax formatted sort filter. |
```python
from falconpy import FirewallManagement
falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
response = falcon.query_rules(sort="string",
                              filter="string",
                              q="string",
                              offset=integer,
                              after="string",
                              limit=integer
                              )
print(response)
```
```python
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
response = falcon.command("query_rules",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,
                          after="string",
                          limit=integer
                          )
print(response)
```
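The three query operations above (`query_policy_rules`, `query_rule_groups` and `query_rules`) share the same paging contract: `offset` and `after` are mutually exclusive, and only the `after` cursor can reach past the first 10,000 results. The helper below walks a whole result set with the cursor and stops on a missing cursor, an empty page, a non-200 status or a repeated cursor. It is an added example, not FalconPy's own code. It assumes the usual FalconPy response dictionary (`status_code`, `body.resources`, `body.errors`) with the next cursor at `body.meta.pagination.after`; verify that location against a live response. `FakeFirewallManagement` is a constructed stand-in so the example runs offline, and the FQL filter string is illustrative only.

```python
"""Cursor (after-token) pagination for FalconPy firewall query operations.

Added example, not part of FalconPy. Assumptions: FalconPy response shape
(status_code, body.resources, body.errors) and the next cursor located at
body.meta.pagination.after. FakeFirewallManagement is a constructed stand-in
for falconpy.FirewallManagement so the code runs without credentials.
"""
from typing import Any, Callable, Dict, Iterator, List, Optional, Set

Response = Dict[str, Any]
QueryFn = Callable[..., Response]  # e.g. falcon.query_rule_groups


def page_ids(query: QueryFn, limit: int = 500, **params: Any) -> Iterator[str]:
    """Yield every ID returned by a FalconPy query_* method, following the
    `after` cursor until the API stops returning one.

    `offset` is deliberately never sent: it is mutually exclusive with `after`
    and cannot reach past the first 10,000 results, so the cursor is the only
    way to enumerate a large tenant completely.
    """
    after: Optional[str] = None
    seen: Set[str] = set()
    while True:
        kwargs = dict(params, limit=limit)
        if after:
            kwargs["after"] = after
        resp = query(**kwargs)
        if resp.get("status_code") != 200:
            errors = (resp.get("body") or {}).get("errors")
            raise RuntimeError(f"query failed: HTTP {resp.get('status_code')} {errors}")
        body = resp.get("body") or {}
        resources = body.get("resources") or []
        yield from resources
        pagination = (body.get("meta") or {}).get("pagination") or {}
        after = pagination.get("after")  # assumed cursor location
        if not after or not resources:
            return  # last page reached
        if after in seen:
            # A cursor the server keeps echoing would loop forever; fail loudly.
            raise RuntimeError("pagination cursor repeated; aborting")
        seen.add(after)


class FakeFirewallManagement:
    """Constructed stand-in for falconpy.FirewallManagement. Serves `ids` in
    pages of `limit` with an opaque `after` cursor, or a fixed error status
    when `status_code` is not 200. The real client is a drop-in replacement."""

    def __init__(self, ids: List[str], status_code: int = 200) -> None:
        self._ids = ids
        self._status = status_code
        self.calls = 0  # number of API round trips made

    def query_rule_groups(self, limit: int, after: Optional[str] = None,
                          **_: Any) -> Response:
        self.calls += 1
        if self._status != 200:
            return {"status_code": self._status, "headers": {},
                    "body": {"meta": {}, "resources": [],
                             "errors": [{"code": self._status, "message": "denied"}]}}
        start = int(after.split(":", 1)[1]) if after else 0
        page = self._ids[start:start + limit]
        pagination: Dict[str, Any] = {"limit": limit, "total": len(self._ids)}
        if start + limit < len(self._ids):
            pagination["after"] = f"cursor:{start + limit}"  # constructed cursor
        return {"status_code": 200, "headers": {},
                "body": {"meta": {"pagination": pagination},
                         "resources": page, "errors": []}}


def collect_rule_group_ids(client: Any, fql_filter: str, limit: int = 500) -> List[str]:
    """Return every rule group ID matching `fql_filter`, across all pages."""
    return list(page_ids(client.query_rule_groups, limit=limit, filter=fql_filter))


if __name__ == "__main__":
    # Offline demo: seven constructed IDs, three per page -> three round trips.
    fake = FakeFirewallManagement([f"rg-{i:02d}" for i in range(7)])
    print(collect_rule_group_ids(fake, "enabled:true", limit=3), fake.calls)
```

With a real client, `collect_rule_group_ids(FirewallManagement(client_id=..., client_secret=...), "...")` works unchanged; the returned IDs are what `get_rule_groups` expects. Keep `limit` at the API maximum in production to minimise round trips, and treat a `RuntimeError` from a repeated cursor as a signal to inspect the raw response rather than retry blindly.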