Discover

Using the Discover service collection

Uber class support Service class support Documentation Version Page Updated

This service collection has code examples posted to the repository.

from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_accounts", ids=id_list)
print(response)

get_hosts

Get details on assets by providing one or more IDs.

PEP8 method name

get_hosts

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	One or more asset IDs. (Max: 100) Find asset IDs with `query_hosts`.
parameters			query	string	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

falcon = Discover(client_id="API_CLIENT_ID_HERE",
                  client_secret="API_CLIENT_SECRET_HERE"
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_hosts(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_hosts", ids=id_list)
print(response)

get_logins

Get details on assets by providing one or more IDs.

PEP8 method name

get_logins

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	One or more login IDs. (Max: 100) Find login IDs with `query_logins`.
parameters			query	string	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

falcon = Discover(client_id="API_CLIENT_ID_HERE",
                  client_secret="API_CLIENT_SECRET_HERE"
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_logins(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_logins", ids=id_list)
print(response)

query_accounts

Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_accounts

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
filter	query	string	Filter accounts using a FQL query. A complete list of available filters can be found here.
limit	query	integer	The number of account IDs to return in this response (Max: 100, Default: 100). Use with the `offset` parameter to manage pagination of results.
offset	query	string	An offset used with the `limit` parameter to manage pagination of results. On your first request, don’t provide an `offset`. On subsequent requests, provide the `offset` from the previous response to continue from that place in the results.
parameters	query	string	Full query string parameters payload in JSON format.
sort	query	string	Sort accounts by their properties. A single sort field is allowed. Common sort options include: `username\|asc` `last_failed_login_timestamp\|desc`

Available FQL Filters

Common filters include:

account_type:'Local'
admin_privileges:'Yes'
first_seen_timestamp:<'now-7d'
last_successful_login_type:'Terminal server'

The following table lists acceptable values for the filter keyword described above.


id	last_successful_login_timestamp
cid	last_successful_login_hostname
user_sid	last_successful_login_remote_ip
login_domain	last_successful_login_host_country
account_name	last_successful_login_host_city
username	last_failed_login_type
account_type	last_failed_login_timestamp
admin_privileges	last_failed_login_hostname
first_seen_timestamp	password_last_set_timestamp
last_successful_login_type

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

falcon = Discover(client_id="API_CLIENT_ID_HERE",
                  client_secret="API_CLIENT_SECRET_HERE"
                  )

response = falcon.query_accounts(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)

Uber class example

from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("query_accounts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_hosts

Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_hosts

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
filter	query	string	Filter assets using a FQL query. A complete list of available filters can be found here.
limit	query	integer	The number of asset IDs to return in this response (Max: 100, Default: 100). Use with the `offset` parameter to manage pagination of results.
offset	query	string	An offset used with the `limit` parameter to manage pagination of results. On your first request, don’t provide an `offset`. On subsequent requests, provide the `offset` from the previous response to continue from that place in the results.
parameters	query	string	Full query string parameters payload in JSON format.
sort	query	string	Sort assets by their properties. A single sort field is allowed. Common sort options include: hostname\|asc product_type_desc\|desc

Available FQL Filters

The following table lists acceptable values for the filter keyword described above.


agent_version	kernel_version
aid	last_discoverer_aid
bios_manufacturer	last_seen_timestamp
bios_version	local_ips_count
cid	machine_domain
city	network_interfaces
confidence	network_interfaces.interface_alias
country	network_interfaces.interface_description
current_local_ip	network_interfaces.local_ip
discoverer_aids	network_interfaces.mac_address
discoverer_count	network_interfaces.network_prefix
discoverer_platform_names	os_version
discoverer_product_type_descs	ou
discoverer_tags	platform_name
entity_type	product_type
external_ip	product_type_desc
first_discoverer_aid	site_name
first_discoverer_ip	system_manufacturer
first_seen_timestamp	system_product_name
groups	system_serial_number
hostname	tags
id

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

falcon = Discover(client_id="API_CLIENT_ID_HERE",
                  client_secret="API_CLIENT_SECRET_HERE"
                  )

response = falcon.query_hosts(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)

Uber class example

from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("query_hosts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_logins

Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_logins

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
filter	query	string	Filter logins using a FQL query. A complete list of available filters can be found here.
limit	query	integer	The number of login IDs to return in this response (Max: 100, Default: 100). Use with the `offset` parameter to manage pagination of results.
offset	query	string	An offset used with the `limit` parameter to manage pagination of results. On your first request, don’t provide an `offset`. On subsequent requests, provide the `offset` from the previous response to continue from that place in the results.
parameters	query	string	Full query string parameters payload in JSON format.
sort	query	string	Sort logins by their properties. A single sort field is allowed. Common sort options include: `account_name\|asc` `login_timestamp\|desc`

Available FQL Filters

Common filters include:

account_type:'Local'
login_type:'Interactive'
first_seen_timestamp:<'now-7d'
admin_privileges:'No'

The following table lists acceptable values for the filter keyword described above.


id	login_timestamp
cid	login_domain
login_status	admin_privileges
account_id	local_ip
host_id	remote_ip
user_sid	host_country
aid	host_city
account_name	is_suspicious
username	failure_description
hostname	login_event_count
account_type	aggregation_time_interval
login_type

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

falcon = Discover(client_id="API_CLIENT_ID_HERE",
                  client_secret="API_CLIENT_SECRET_HERE"
                  )

response = falcon.query_logins(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)

Uber class example

from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("query_logins",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

Home
Discussions Board
Glossary of Terms
Installation, Upgrades and Removal
Samples Collection
Using FalconPy
API Operations
Service Collections
Documentation Support
- Report broken link
- Report documentation error
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust

CrowdStrike Falcon

Discover

Using the Discover service collection

Table of Contents

get_accounts

PEP8 method name

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 / Operation ID syntax)

Uber class example

get_hosts

PEP8 method name

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 / Operation ID syntax)

Uber class example

get_logins

PEP8 method name

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 / Operation ID syntax)

Uber class example

query_accounts

PEP8 method name

Content-Type

Keyword Arguments

Available FQL Filters

Usage

Service class example (PEP8 / Operation ID syntax)

Uber class example

query_hosts

PEP8 method name

Content-Type

Keyword Arguments

Available FQL Filters

Usage

Service class example (PEP8 / Operation ID syntax)

Uber class example

query_logins

PEP8 method name

Content-Type

Keyword Arguments

Available FQL Filters

Usage

Service class example (PEP8 / Operation ID syntax)

Uber class example

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!