Discover

Using the Discover service collection

This service collection has code examples posted to the repository.

Table of Contents

Operation ID	Description
get_accounts PEP8 get_accounts	Get details on accounts by providing one or more IDs.
get_applications PEP8 get_applications	Get details on applications by providing one or more IDs.
get_hosts PEP8 get_hosts	Get details on assets by providing one or more IDs.
get_iot_hosts PEP8 get_iot_hosts	Get details on IoT assets by providing one or more IDs.
get_logins PEP8 get_logins	Get details on logins by providing one or more IDs.
query_accounts PEP8 query_accounts	Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_applications PEP8 query_applications	Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria.
query_hosts PEP8 query_hosts	Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts PEP8 query_iot_hosts	Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_logins PEP8 query_logins	Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

get_accounts

Get details on assets by providing one or more IDs.

PEP8 method name

get_accounts

Endpoint

Method	Route
	/discover/entities/accounts/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	One or more account IDs. (Max: 100) Find account IDs with query_accounts.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_accounts(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_accounts", ids=id_list)
print(response)

get_applications

Get details on applications by providing one or more IDs.

PEP8 method name

get_applications

Endpoint

Method	Route
	/discover/entities/applications/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	One or more account IDs. (Max: 100) Find account IDs with query_accounts.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_applications(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_applications", ids=id_list)
print(response)

get_hosts

Get details on assets by providing one or more IDs.

PEP8 method name

get_hosts

Endpoint

Method	Route
	/discover/entities/hosts/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	One or more asset IDs. (Max: 100) Find asset IDs with query_hosts.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_hosts(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_hosts", ids=id_list)
print(response)

get_iot_hosts

Get details on assets by providing one or more IDs.

PEP8 method name

get_iot_hosts

Endpoint

Method	Route
	/discover/entities/iot-hosts/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	One or more IoT asset IDs. (Max: 100) Find asset IDs with query_iot_hosts.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_iot_hosts(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_iot_hosts", ids=id_list)

print(response)

get_logins

Get details on assets by providing one or more IDs.

PEP8 method name

get_logins

Endpoint

Method	Route
	/discover/entities/logins/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	One or more login IDs. (Max: 100) Find login IDs with query_logins.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_logins(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_logins", ids=id_list)
print(response)

query_accounts

Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_accounts

Endpoint

Method	Route
	/discover/queries/accounts/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	Filter accounts using a FQL query. A complete list of available filters can be found here.
limit			query	integer	The number of account IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results.
offset			query	string	An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters			query	dictionary	Full query string parameters payload in JSON format.
sort			query	string	Sort accounts by their properties. A single sort field is allowed. Common sort options include: username|asc last_failed_login_timestamp|desc

Available FQL Filters

Common filters include:

• account_type:'Local'
• admin_privileges:'Yes'
• first_seen_timestamp:<'now-7d'
• last_successful_login_type:'Terminal server'

The following table lists acceptable values for the filter keyword described above.

id	last_successful_login_timestamp
cid	last_successful_login_hostname
user_sid	last_successful_login_remote_ip
login_domain	last_successful_login_host_country
account_name	last_successful_login_host_city
username	last_failed_login_type
account_type	last_failed_login_timestamp
admin_privileges	last_failed_login_hostname
first_seen_timestamp	password_last_set_timestamp
last_successful_login_type

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_accounts(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("query_accounts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_applications

Search for applications in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria.

PEP8 method name

query_applications

Endpoint

Method	Route
	/discover/queries/applications/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	Filter applications using a FQL query.
limit			query	integer	The number of account IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results.
offset			query	string	An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters			query	dictionary	Full query string parameters payload in JSON format.
sort			query	string	Sort accounts by their properties. A single sort field is allowed. Common sort options include: username|asc last_failed_login_timestamp|desc

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_applications(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string"
                                     )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("query_applications",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_hosts

Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_hosts

Endpoint

Method	Route
	/discover/queries/hosts/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	Filter assets using a FQL query. A complete list of available filters can be found here.
limit			query	integer	The number of asset IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results.
offset			query	string	An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters			query	dictionary	Full query string parameters payload in JSON format.
sort			query	string	Sort assets by their properties. A single sort field is allowed. Common sort options include: hostname|asc product_type_desc|desc

Available FQL Filters

The following table lists acceptable values for the filter keyword described above.

agent_version	kernel_version
aid	last_discoverer_aid
bios_manufacturer	last_seen_timestamp
bios_version	local_ips_count
cid	machine_domain
city	network_interfaces
confidence	network_interfaces.interface_alias
country	network_interfaces.interface_description
current_local_ip	network_interfaces.local_ip
discoverer_aids	network_interfaces.mac_address
discoverer_count	network_interfaces.network_prefix
discoverer_platform_names	os_version
discoverer_product_type_descs	ou
discoverer_tags	platform_name
entity_type	product_type
external_ip	product_type_desc
first_discoverer_aid	site_name
first_discoverer_ip	system_manufacturer
first_seen_timestamp	system_product_name
groups	system_serial_number
hostname	tags
id

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_hosts(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("query_hosts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

query_iot_hosts

Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_iot_hosts

Endpoint

Method	Route
	/discover/queries/iot-hosts/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	Filter assets using a FQL query. A complete list of available filters can be found here.
limit			query	integer	The number of IoT asset IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results.
offset			query	string	An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters			query	dictionary	Full query string parameters payload in JSON format.
sort			query	string	Sort IoT assets by their properties. A single sort field is allowed. Common sort options include: hostname|asc product_type_desc|desc

Available FQL Filters

The following table lists acceptable values for the filter keyword described above.

agent_version	local_ips_count
aid	mac_addresses
bios_manufacturer	machine_domain
bios_version	network_id
business_criticality	network_interfaces
cid	network_interfaces.interface_alias
city	network_interfaces.interface_description
claroty_id	network_interfaces.local_ip
confidence	network_interfaces.mac_address
country	network_interfaces.network_prefix
current_local_ip	number_of_disk_drives
data_providers	os_is_eol
data_providers_count	os_version
device_class	ou
device_family	physical_core_count
device_type	platform_name
discoverer_count	processor_package_count
discoverer_product_type_descs	product_type_desc
discoverer_tags	protocols
entity_type	purdue_level
external_ip	reduced_functionality_mode
first_seen_timestamp	site_name
groups	subnet
hostname	system_manufacturer
ics_id	system_product_name
id	system_serial_number
internet_exposure	tags
kernel_version	virtual_zone
last_seen_timestamp	vlan
local_ip_addresses

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_iot_hosts(offset=integer,
                                  limit=integer,
                                  sort="string",
                                  filter="string"
                                  )

print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("query_iot_hosts",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )

print(response)

query_logins

Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

PEP8 method name

query_logins

Endpoint

Method	Route
	/discover/queries/logins/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	Filter logins using a FQL query. A complete list of available filters can be found here.
limit			query	integer	The number of login IDs to return in this response (Max: 100, Default: 100). Use with the offset parameter to manage pagination of results.
offset			query	string	An offset used with the limit parameter to manage pagination of results. On your first request, don’t provide an offset. On subsequent requests, provide the offset from the previous response to continue from that place in the results.
parameters			query	dictionary	Full query string parameters payload in JSON format.
sort			query	string	Sort logins by their properties. A single sort field is allowed. Common sort options include: account_name|asc login_timestamp|desc

Available FQL Filters

Common filters include:

• account_type:'Local'
• login_type:'Interactive'
• first_seen_timestamp:<'now-7d'
• admin_privileges:'No'

The following table lists acceptable values for the filter keyword described above.

id	login_timestamp
cid	login_domain
login_status	admin_privileges
account_id	local_ip
host_id	remote_ip
user_sid	host_country
aid	host_city
account_name	is_suspicious
username	failure_description
hostname	login_event_count
account_type	aggregation_time_interval
login_type

Usage

Service class example (PEP8 / Operation ID syntax)

from falconpy import Discover

# Do not hardcode API credentials!
falcon = Discover(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

response = falcon.query_logins(offset=integer,
                              limit=integer,
                              sort="string",
                              filter="string"
                              )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("query_logins",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string"
                          )
print(response)