# Detects

Joshua Hiller edited this page Jan 19, 2022 · 30 revisions
| Operation ID | Description |
|---|---|
| GetAggregateDetects | Get detect aggregates as specified via json in request body. |
| UpdateDetectsByIdsV2 | Modify the state, assignee, and visibility of detections |
| GetDetectSummaries | View information about detections |
| QueryDetects | Search for detection IDs that match a given query |
## get_aggregate_detects

Get detect aggregates as specified via json in request body.

- Operation ID: GetAggregateDetects
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | ✓ | ✓ | body | string | Full body payload in JSON format. |
| date_ranges | ✓ | ✓ | body | list of dictionaries | Applies to date_range aggregations. Example: `[ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ]` |
| field | ✓ | ✓ | body | string | The field on which to compute the aggregation. |
| filter | ✓ | ✓ | body | string | FQL syntax formatted string to use to filter the results. |
| interval | ✓ | ✓ | body | string | Time interval for date histogram aggregations. Valid values include: `year`, `month`, `week`, `day`, `hour`, `minute`. |
| min_doc_count | ✓ | ✓ | body | integer | Only return buckets whose document count is greater than or equal to this value. |
| missing | ✓ | ✓ | body | string | The value to use when the aggregation field is missing from a document. By default such documents are ignored; setting `missing` treats them as if they carried this value. |
| name | ✓ | ✓ | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | ✓ | ✓ | body | string | Full text search across all metadata fields. |
| ranges | ✓ | ✓ | body | list of dictionaries | Applies to range aggregations. Range values depend on the field. For example, if `max_severity` is used, ranges might look like: `[ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ]` |
| size | ✓ | ✓ | body | integer | The max number of term buckets to be returned. |
| sub_aggregates | ✓ | ✓ | body | list of dictionaries | A nested aggregation, such as: `[ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ]`. There is a maximum of 3 nested aggregations per request. |
| sort | ✓ | ✓ | body | string | FQL syntax string to sort bucket results. Use `asc` or `desc` separated from the field by `\|`. Example: `_count\|desc` |
| time_zone | ✓ | ✓ | body | string | Time zone for bucket results. |
| type | ✓ | ✓ | body | string | Type of aggregation. Valid values include: `date_range`, `date_histogram`, `range`, `terms`, `cardinality`, `max`. |
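As an added example (not code from this wiki or from the FalconPy project), the block below builds an aggregate query from the parameters in the table above and reads the buckets back out of a response. The request keys are the documented ones; the response bucket layout (`resources[].name`, `resources[].buckets[].key`/`count`), the `SAMPLE_RESPONSE`, and the `falcon.get_aggregate_detects(body=...)` usage noted in the comment are assumptions made for the example.

```python
# Assembling GetAggregateDetects requests and reading the buckets back.
# Added example, not FalconPy or wiki code. Request keys follow the parameter table;
# the response bucket layout used by bucket_counts() is an assumption, not documented here.
from typing import Any, Dict, List, Optional

MAX_SUB_AGGREGATES = 3  # documented limit: at most 3 nested aggregations per request


def build_aggregate(name: str, agg_type: str, field: str, *,
                    fql_filter: Optional[str] = None,
                    interval: Optional[str] = None,
                    ranges: Optional[List[Dict[str, int]]] = None,
                    date_ranges: Optional[List[Dict[str, str]]] = None,
                    sub_aggregates: Optional[List[Dict[str, str]]] = None,
                    size: Optional[int] = None,
                    sort: Optional[str] = None,
                    min_doc_count: Optional[int] = None) -> Dict[str, Any]:
    """Build one aggregate query (GetAggregateDetects consumes a list of these).

    The constraints the table states or implies are checked locally, so a malformed
    query fails here instead of as an opaque 400 from the API.
    """
    if agg_type == "date_histogram" and not interval:
        raise ValueError("date_histogram aggregations need an interval")
    if agg_type == "range" and not ranges:
        raise ValueError("range aggregations need ranges")
    if agg_type == "date_range" and not date_ranges:
        raise ValueError("date_range aggregations need date_ranges")
    if sub_aggregates and len(sub_aggregates) > MAX_SUB_AGGREGATES:
        raise ValueError(f"at most {MAX_SUB_AGGREGATES} nested aggregations per request")
    query: Dict[str, Any] = {"name": name, "type": agg_type, "field": field}
    optional = {"filter": fql_filter, "interval": interval, "ranges": ranges,
                "date_ranges": date_ranges, "sub_aggregates": sub_aggregates,
                "size": size, "sort": sort, "min_doc_count": min_doc_count}
    query.update({key: value for key, value in optional.items() if value is not None})
    return query


def severity_bands_request(fql_filter: str) -> List[Dict[str, Any]]:
    """Bucket matching detections into low/medium/high max_severity bands and record
    the newest last_behavior in each band via a nested max aggregation."""
    return [build_aggregate("severity_bands", "range", "max_severity", fql_filter=fql_filter,
                            ranges=[{"From": 0, "To": 40}, {"From": 40, "To": 70},
                                    {"From": 70, "To": 101}],
                            sub_aggregates=[{"name": "latest", "type": "max",
                                             "field": "last_behavior"}])]


def bucket_counts(response: Dict[str, Any], name: str) -> Dict[str, int]:
    """Return key -> count for the aggregate we named, refusing to read an error response.

    Assumed layout (not on this page): body.resources[] entries carry the 'name' we
    supplied and a 'buckets' list of {'key': ..., 'count': ...}.
    """
    body = response.get("body") or {}
    status = response.get("status_code", 0)
    if not 200 <= status < 300 or body.get("errors"):
        raise RuntimeError(f"GetAggregateDetects failed: {status} {body.get('errors')}")
    for resource in body.get("resources", []):
        if resource.get("name") == name:
            return {str(bucket["key"]): int(bucket["count"])
                    for bucket in resource.get("buckets", [])}
    raise KeyError(f"no aggregate named {name!r} in response")


# Constructed sample in the assumed shape. Against a live tenant the call would be
# response = falcon.get_aggregate_detects(body=severity_bands_request("status:'new'"))
SAMPLE_RESPONSE = {
    "status_code": 200, "headers": {},
    "body": {"errors": [], "resources": [{
        "name": "severity_bands",
        "buckets": [{"key": "0.0-40.0", "count": 12},
                    {"key": "40.0-70.0", "count": 5},
                    {"key": "70.0-101.0", "count": 2}],
    }]},
}

if __name__ == "__main__":
    print(severity_bands_request("status:'new'"))
    print(bucket_counts(SAMPLE_RESPONSE, "severity_bands"))
```

The validation in `build_aggregate` mirrors the table: `date_histogram` needs `interval`, `range` needs `ranges`, `date_range` needs `date_ranges`, and `sub_aggregates` is capped at three. Checking the response status and `errors` before touching `resources` matters because a scope or filter error otherwise reads as "zero detections".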
**Service class example (PEP8 syntax)**

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

date_range = {
    "from": "string",
    "to": "string"
}

search_range = {
    "From": integer,
    "To": integer
}

response = falcon.get_aggregate_detects(date_ranges=[date_range],
                                        field="string",
                                        filter="string",
                                        interval="string",
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=[search_range],
                                        size=integer,
                                        sort="string",
                                        time_zone="string",
                                        type="string"
                                        )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

date_range = {
    "from": "string",
    "to": "string"
}

search_range = {
    "From": integer,
    "To": integer
}

response = falcon.GetAggregateDetects(date_ranges=[date_range],
                                      field="string",
                                      filter="string",
                                      interval="string",
                                      min_doc_count=integer,
                                      missing="string",
                                      name="string",
                                      q="string",
                                      ranges=[search_range],
                                      size=integer,
                                      sort="string",
                                      time_zone="string",
                                      type="string"
                                      )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

# The aggregates endpoint consumes a list of aggregate queries
BODY = [
    {
        "date_ranges": [
            {
                "from": "string",
                "to": "string"
            }
        ],
        "field": "string",
        "filter": "string",
        "interval": "string",
        "min_doc_count": integer,
        "missing": "string",
        "name": "string",
        "q": "string",
        "ranges": [
            {
                "From": integer,
                "To": integer
            }
        ],
        "size": integer,
        "sort": "string",
        "time_zone": "string",
        "type": "string"
    }
]

response = falcon.command("GetAggregateDetects", body=BODY)
print(response)
```

## update_detects_by_ids

Modify the state, assignee, and visibility of detections. You can update one or more attributes of one or more detections with a single request.

- Operation ID: UpdateDetectsByIdsV2
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| assigned_to_uuid | ✓ | ✓ | body | string | A user ID (Ex: user@somewhere.com) to assign the detection to. |
| body | ✓ | ✓ | body | string | Full body payload in JSON format. |
| comment | ✓ | ✓ | body | string | Optional comment to add to the detection. Comments are displayed with the detection in Falcon and are usually used to provide context or notes for other Falcon users. A detection can have multiple comments over time. |
| ids | ✓ | ✓ | body | string or list of strings | ID(s) of the detection to update, which you can find with the QueryDetects operation, the Falcon console, or the Streaming API. |
| show_in_ui | ✓ | ✓ | body | boolean | Boolean determining if this detection is displayed in the Falcon console. |
| status | ✓ | ✓ | body | string | Current status of the detection. Allowed values: `new`, `in_progress`, `true_positive`, `false_positive`, `ignored`, `closed`, `reopened`. |
**Service class example (PEP8 syntax)**

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.update_detects_by_ids(assigned_to_uuid="string",
                                        comment="string",
                                        ids=id_list,
                                        show_in_ui=boolean,
                                        status="string"
                                        )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.UpdateDetectsByIdsV2(assigned_to_uuid="string",
                                       comment="string",
                                       ids=id_list,
                                       show_in_ui=boolean,
                                       status="string"
                                       )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "assigned_to_uuid": "string",
    "comment": "string",
    "ids": id_list,
    "show_in_ui": boolean,
    "status": "string"
}

response = falcon.command("UpdateDetectsByIdsV2", body=BODY)
print(response)
```

## get_detect_summaries

View information about detections

- Operation ID: GetDetectSummaries
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | ✓ | ✓ | body | string | Full body payload in JSON format. |
| ids | ✓ | ✓ | body | string or list of strings | ID(s) of the detections to retrieve. View key attributes of detections, including the associated host, disposition, objective/tactic/technique, adversary, and more. Specify one or more detection IDs (max 1000 per request). Find detection IDs with the QueryDetects operation, the Falcon console, or the Streaming API. |
In order to use this method, either a body keyword or the ids keyword must be provided.
**Service class example (PEP8 syntax)**

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_detect_summaries(ids=id_list)
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetDetectSummaries(ids=id_list)
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("GetDetectSummaries", body=BODY)
print(response)
```

## query_detects

Search for detection IDs that match a given query

- Operation ID: QueryDetects
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | ✓ | ✓ | query | string | Filter detections using a query in Falcon Query Language (FQL). An asterisk wildcard `*` includes all results. The tables below list the available filter fields; more details regarding filters can be found in the documentation inside the Falcon console. |
| limit | ✓ | ✓ | query | integer | The maximum number of detections to return in this response (default: 9999; max: 9999). Use with the `offset` parameter to manage pagination of results. |
| offset | ✓ | ✓ | query | integer | The first detection to return, where 0 is the latest detection. Use with the `limit` parameter to manage pagination of results. |
| parameters | ✓ | ✓ | query | string | Full query string parameters payload in JSON format. |
| q | ✓ | ✓ | query | string | Search all detection metadata for the provided string. |
| sort | ✓ | ✓ | query | string | Sort detections by a field, `asc` (ascending) or `desc` (descending), separated by `\|`. For example: `last_behavior\|asc` |
The following tables detail acceptable values for the `filter` keyword described above. Filter options are broken out into four categories:

- General
- Behavioral
- Devices
- Miscellaneous

**General**

| | | | | |
|---|---|---|---|---|
| adversary_ids | date_updated | last_behavior | max_severity_displayname | status |
| assigned_to_name | detection_id | max_confidence | seconds_to_resolved | |
| cid | first_behavior | max_severity | seconds_to_triaged | |

**Behavioral** (prefix each field with `behaviors.`, for example `behaviors.ioc_type`)

| | | |
|---|---|---|
| alleged_filetype | md5 | sha256 |
| behavior_id | objective | tactic |
| cmdline | parent_details.parent_cmdline | technique |
| confidence | parent_details.parent_md5 | timestamp |
| control_graph_id | parent_details.parent_process_id | triggering_process_id |
| device_id | parent_details.parent_process_graph_id | triggering_process_graph_id |
| filename | parent_details.parent_sha256 | user_id |
| ioc_source | pattern_disposition | user_name |
| ioc_type | scenario | |
| ioc_value | severity | |

**Devices** (prefix each field with `device.`, for example `device.platform_name`)

| | | |
|---|---|---|
| agent_load_flags | first_seen | platform_name |
| agent_local_time | hostname | product_type |
| agent_version | last_seen | product_type_desc |
| bios_manufacturer | local_ip | release_group |
| bios_version | mac_address | reduced_functionality_mode |
| cid | machine_domain | serial_number |
| config_id_base | major_version | site_name |
| config_id_build | minor_version | status |
| config_id_platform | modified_timestamp | system_product_name |
| cpu_signature | os_version | system_manufacturer |
| device_id | ou | |
| external_ip | platform_id | |

**Miscellaneous**

| | | |
|---|---|---|
| hostinfo.domain | quarantined_files.id | quarantined_files.sha256 |
| hostinfo.active_directory_dn_display | quarantined_files.paths | quarantined_files.state |
**Service class example (PEP8 syntax)**

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

response = falcon.query_detects(offset=integer,
                                limit=integer,
                                sort="string",
                                filter="string",
                                q="string"
                                )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

response = falcon.QueryDetects(offset=integer,
                               limit=integer,
                               sort="string",
                               filter="string",
                               q="string"
                               )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

PARAMS = {
    "offset": integer,
    "limit": integer,
    "sort": "string",
    "filter": "string",
    "q": "string"
}

# Query string parameters are passed to the Uber class as a single dictionary
response = falcon.command("QueryDetects", parameters=PARAMS)
print(response)
```
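The three operations above (QueryDetects, GetDetectSummaries and UpdateDetectsByIdsV2) are normally chained: search for IDs, page through them, pull summaries in batches of at most 1000, then act on the subset that matters. The block below is an added example of that workflow, not code from this wiki or from the FalconPy project. It calls the Service Class method names on a duck-typed client, so the `FakeDetects` stub with its constructed detections stands in for `falconpy.Detects` offline; the 1000-per-call batch size for updates is an assumption (the page states no limit for that operation), and the `ldt:<aid>:<n>` ID shape and severity values in `make_sample_detections` are constructed.

```python
# Detection triage: QueryDetects -> GetDetectSummaries -> UpdateDetectsByIdsV2.
# Added example, not FalconPy or wiki code. It uses the Service Class method names on a
# duck-typed client so the FakeDetects stub (constructed data) can stand in for falconpy.Detects.
from typing import Any, Dict, Iterable, Iterator, List

QUERY_PAGE_MAX = 9999      # documented maximum for the QueryDetects limit parameter
SUMMARY_BATCH_MAX = 1000   # documented maximum IDs per GetDetectSummaries request
UPDATE_BATCH = 1000        # assumption: the page states no limit for updates, so batch conservatively
ALLOWED_STATUS = {"new", "in_progress", "true_positive", "false_positive",
                  "ignored", "closed", "reopened"}


def response_ok(response: Dict[str, Any]) -> bool:
    """FalconPy returns {"status_code", "headers", "body"}; success is 2xx with no error entries."""
    code = response.get("status_code", 0)
    errors = (response.get("body") or {}).get("errors") or []
    return 200 <= code < 300 and not errors


def _body(response: Dict[str, Any], operation: str) -> Dict[str, Any]:
    # Fail loudly on an API error rather than treating it as "no detections matched".
    if not response_ok(response):
        raise RuntimeError(f"{operation} failed: {response.get('status_code')} "
                           f"{(response.get('body') or {}).get('errors')}")
    return response["body"]


def chunked(items: List[Any], size: int) -> Iterator[List[Any]]:
    for start in range(0, len(items), size):
        yield items[start:start + size]


def query_all_detection_ids(falcon, fql_filter: str, page_size: int = QUERY_PAGE_MAX) -> List[str]:
    """Walk offset/limit pages until a short page comes back. Offset 0 is the *latest* detection,
    so detections arriving mid-walk shift the window; bound the filter by time if that matters."""
    ids: List[str] = []
    offset = 0
    while True:
        body = _body(falcon.query_detects(filter=fql_filter, offset=offset, limit=page_size),
                     "QueryDetects")
        page = body.get("resources", [])
        ids.extend(page)
        if len(page) < page_size:
            return ids
        offset += len(page)


def get_summaries(falcon, ids: Iterable[str]) -> List[Dict[str, Any]]:
    """GetDetectSummaries takes at most 1000 IDs per call, so batch the list."""
    summaries: List[Dict[str, Any]] = []
    for batch in chunked(list(ids), SUMMARY_BATCH_MAX):
        body = _body(falcon.get_detect_summaries(ids=batch), "GetDetectSummaries")
        summaries.extend(body.get("resources", []))
    return summaries


def triage(falcon, fql_filter: str, min_severity: int, assignee: str, status: str,
           comment: str, page_size: int = QUERY_PAGE_MAX) -> List[str]:
    """Assign and re-status every matching detection whose max_severity >= min_severity."""
    if status not in ALLOWED_STATUS:
        raise ValueError(f"status must be one of {sorted(ALLOWED_STATUS)}")
    ids = query_all_detection_ids(falcon, fql_filter, page_size)
    targets = [d["detection_id"] for d in get_summaries(falcon, ids)
               if d.get("max_severity", 0) >= min_severity]
    for batch in chunked(targets, UPDATE_BATCH):  # no update call at all when nothing matched
        _body(falcon.update_detects_by_ids(ids=batch, assigned_to_uuid=assignee, status=status,
                                           comment=comment, show_in_ui=True),
              "UpdateDetectsByIdsV2")
    return targets


class FakeDetects:
    """Offline stand-in for falconpy.Detects over constructed data; the FQL filter is not parsed."""

    def __init__(self, detections: Dict[str, Dict[str, Any]]):
        self.detections = detections
        self.calls: Dict[str, int] = {}

    def _ok(self, operation: str, resources: List[Any]) -> Dict[str, Any]:
        self.calls[operation] = self.calls.get(operation, 0) + 1
        return {"status_code": 200, "headers": {}, "body": {"errors": [], "resources": resources}}

    def query_detects(self, filter: str = "", offset: int = 0, limit: int = QUERY_PAGE_MAX, **_):
        newest_first = sorted(self.detections, key=lambda i: self.detections[i]["first_behavior"],
                              reverse=True)
        return self._ok("QueryDetects", newest_first[offset:offset + limit])

    def get_detect_summaries(self, ids: List[str], **_):
        if len(ids) > SUMMARY_BATCH_MAX:
            return {"status_code": 400, "headers": {}, "body": {"errors": [{"message": "too many ids"}]}}
        return self._ok("GetDetectSummaries", [self.detections[i] for i in ids])

    def update_detects_by_ids(self, ids: List[str], **fields):
        for i in ids:
            self.detections[i].update({k: v for k, v in fields.items() if k in ("status", "assigned_to_uuid")})
        return self._ok("UpdateDetectsByIdsV2", [])


def make_sample_detections(count: int) -> Dict[str, Dict[str, Any]]:
    """Constructed detections with the ldt:<aid>:<n> ID shape; severity cycles 0..99."""
    return {f"ldt:{'0' * 32}:{n}": {"detection_id": f"ldt:{'0' * 32}:{n}", "max_severity": n % 100,
                                    "status": "new", "first_behavior": n} for n in range(count)}
```

Swap `FakeDetects` for `Detects(client_id=..., client_secret=...)` and a real FQL filter such as `status:'new'` to run it against a tenant. Two details are deliberate: every response is checked for a 2xx code and an empty `errors` list before its `resources` are used, because an authorization or filter error otherwise looks like an empty result set, and the update is skipped entirely when no detection qualifies rather than sending an empty `ids` list.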