These examples are provided as a quick start for your project.
In order to expedite sample delivery, examples will follow one of three standard patterns for defining and providing credentials for API access.
Pattern | Usage detail |
---|---|
Environment variables | Credentials are retrieved from named variables in the local environment of the machine the example is executed on. |
Runtime (command line arguments) | Credentials are consumed at runtime via command line parameters. Typically this is handled via the argparse module. |
Standardized "credential" file | This file is named config.json and is in JSON format. It is stored in plaintext (not encrypted) and is not suitable for production deployments. A sample of this file, config_sample.json, is provided within this folder. Rename this file to config.json and update its contents to reflect your current development API credentials. |
Please note: These are not the only methods for providing these values.
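The following is an added example (not one of the FalconPy samples) that resolves credentials using the three patterns above in a fixed order: command line first, then environment, then config.json. Because config.json holds the client secret in plaintext, the loader refuses a file that other local users can read. The variable names FALCON_CLIENT_ID / FALCON_CLIENT_SECRET, the config.json keys falcon_client_id / falcon_client_secret and the -k/-s switches are assumptions of this example.

```python
"""Resolve Falcon API credentials: argv, then environment, then config.json.

Added example, not a FalconPy sample. The variable names, config keys and
switches below are assumptions; adjust them to match your own samples.
"""
import argparse
import json
import os
import stat
import sys
import tempfile
from typing import Optional

ENV_ID = "FALCON_CLIENT_ID"          # assumed environment variable names
ENV_SECRET = "FALCON_CLIENT_SECRET"
CFG_ID = "falcon_client_id"          # assumed config.json keys
CFG_SECRET = "falcon_client_secret"


def config_file_is_private(path: str) -> bool:
    """True when no group/other permission bits are set (POSIX only)."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_config_file(path: str, require_private: bool = True) -> Optional[dict]:
    """Read config.json. It holds the secret in plaintext, so refuse a file
    that other local users can read unless the caller explicitly opts out."""
    if not os.path.isfile(path):
        return None
    if require_private and os.name == "posix" and not config_file_is_private(path):
        raise PermissionError(f"{path} is readable by other users; run: chmod 600 {path}")
    with open(path, encoding="utf-8") as handle:
        data = json.load(handle)
    if CFG_ID not in data or CFG_SECRET not in data:
        raise ValueError(f"{path} must contain {CFG_ID} and {CFG_SECRET}")
    return data


def resolve_credentials(argv, environ=None, config_path: str = "config.json") -> dict:
    """Return client_id, client_secret and which pattern supplied them."""
    environ = os.environ if environ is None else environ
    parser = argparse.ArgumentParser(description="Falcon API credential resolver")
    parser.add_argument("-k", "--client_id", help="Falcon API client ID")
    parser.add_argument("-s", "--client_secret", help="Falcon API client secret")
    args = parser.parse_args(argv)
    if args.client_id and args.client_secret:
        return {"client_id": args.client_id, "client_secret": args.client_secret, "source": "argv"}
    if environ.get(ENV_ID) and environ.get(ENV_SECRET):
        return {"client_id": environ[ENV_ID], "client_secret": environ[ENV_SECRET], "source": "env"}
    cfg = load_config_file(config_path)
    if cfg:
        return {"client_id": cfg[CFG_ID], "client_secret": cfg[CFG_SECRET], "source": "config.json"}
    raise SystemExit("No credentials found: pass -k/-s, set the environment variables, or create config.json")


def demo() -> dict:
    """Exercise all three patterns against constructed inputs; returns what each resolved to."""
    out = {
        "argv": resolve_credentials(["-k", "id-from-argv", "-s", "secret-from-argv"], environ={}),
        "env": resolve_credentials([], environ={ENV_ID: "id-from-env", ENV_SECRET: "secret-from-env"},
                                   config_path="/nonexistent/config.json"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as handle:
            json.dump({CFG_ID: "id-from-file", CFG_SECRET: "secret-from-file"}, handle)
        os.chmod(path, 0o600)                     # owner-only: accepted
        out["file"] = resolve_credentials([], environ={}, config_path=path)
        os.chmod(path, 0o644)                     # world-readable: rejected
        try:
            resolve_credentials([], environ={}, config_path=path)
            out["loose_perms_rejected"] = False
        except PermissionError:
            out["loose_perms_rejected"] = True
    return out


if __name__ == "__main__":
    creds = resolve_credentials(sys.argv[1:])
    print(f"using credentials from {creds['source']} for client ID {creds['client_id'][:4]}...")
```

The permission check is mode-based rather than access-based on purpose: a root-owned 0644 file is still a leak to every other account on the box, which is the failure mode the config.json caveat above is warning about.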
The following samples are categorized by CrowdStrike product, and further categorized by Falcon API service collection. Some samples have specific FalconPy version requirements; check the documentation maintained within the source or the sample README.md for more details.
Topic | Samples |
---|---|
Authentication | AES Authentication, AES File Crypt, Token Authentication |
Topic | Samples |
---|---|
Hosts, Host Groups | List sensors by hostname, Manage duplicate sensors, CUSSED (Manage stale sensors), Default Groups, Get Host Groups, Hosts Report, Host Search, Host Search Advanced, Host Tagger, Policy Check, RFM Report, Serial Search, Match usernames to hosts, Offset vs. Token, Prune Hosts by Hostname or AID, Quarantine a host, Quarantine a host (updated version) |
Report Executions | Retrieve all report results |
Sensor Download | Download the CrowdStrike sensor |
Sensor Update Policies | Clone Update Policy, Create Host Group and attach Update Policy, Policy Wonk |
Installation Tokens | Token Dispenser |
Quarantine | Get Quarantined Files |
User Management | Bulk user administration, Find Users, Get user grants |
Event Streams | Send detections to AWS Security Hub |
Flight Control (MSSP) | Find child CID, Get Child Prevention Policies, Host Group Duplicator, Execute a command on hosts across multiple children |
Topic | Samples |
---|---|
Custom IOA | Custom IOA Cloner |
IOA Exclusions | IOA Exclusion Audit |
Detects | Detects Advisor |
IOC | Create indicators, IOC Audit, IOC Restore |
ML Exclusions | ML Exclusion Audit |
Prevention Policies | Clone Prevention Policy, Create Host Group and attach Prevention Policies, Prevention Policy Hawk |
Incidents | CrowdScore QuickChart, Incident Triage |
Real Time Response | Bulk execute a command, Bulk execute a command (queued), Get file from multiple hosts, Get host uptime, Get RTR result, Dump memory for a running process, My Little RTR, Remotely restart a sensor while taking a capture, RTR Script Manager |
Sensor Visibility Exclusions | Sensor Visibility Exclusion Audit |
Firewall Management | Export Firewall events to a file |
Topic | Samples |
---|---|
Cloud Workload Protection | Manage Discover accounts (AWS) |
CSPM Registration | Get CSPM policies |
Topic | Samples |
---|---|
Identity Protection | GraphQL Pagination |
Topic | Samples |
---|---|
Asset Management (Discover) | List discovered hosts, Spyglass |
Vulnerability Management (Spotlight) | Find vulnerable hosts by CVE ID, CISA DHS Known Exploited Vulnerabilities, Spotlight Quick Report |
Topic | Samples |
---|---|
Workflows | Workflow Manager (terminal), Workflows Manager (GUI) |
Topic | Samples |
---|---|
Falcon Intelligence (includes MalQuery) | Intel Search, MISP Import, Malqueryinator |
Falcon Intelligence Sandbox (includes QuickScan) | Manage sandbox uploads, Falcon Intelligence sandbox scan, Get all artifacts, Quick Scan a target, Quick Scan quota check, S3 Bucket Protection |
Falcon Intelligence Recon | Create monitoring rules for an email list |
Provided examples are additionally labeled by the type of class used to interact with the CrowdStrike API and whether the solution supports MSSP usage scenarios.
This group of samples discusses different variations of authentication to CrowdStrike's OAuth2 API.
The AES authentication example demonstrates the technical aspects of implementing a cryptographic solution for storing and retrieving credentials from the file system. Upon successful decryption, a simple API connectivity test is performed.
This sample leverages the Hosts API to perform a connectivity test.
Operation | Description |
---|---|
QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). |
The AES file crypt example builds on the code developed for the AES Authentication example to encrypt arbitrary files.
This sample does not communicate with the CrowdStrike API.
This sample demonstrates Token Authentication (also known as Legacy Authentication): an OAuth2 access token is requested once and then passed to seven different Service Classes, each of which performs a connectivity test.
Service Class | Operation | Description |
---|---|---|
CloudConnectAWS | QueryAWSAccounts | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria. |
Detects | QueryDetects | Search for detection IDs that match a given query. |
Hosts | QueryDevicesByFilter (using the query_devices alias) | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). |
Incidents | QueryIncidents | Search for incidents by providing a FQL filter, sorting, and paging details. |
Intel | QueryIntelActorEntities | Get info about actors that match provided FQL filters. |
IOC | indicator_combined_v1 | Get combined details for indicators. |
OAuth2 | token | Generate an OAuth2 access token. |
The samples collected in this section demonstrate leveraging CrowdStrike's Hosts and Host Group API service collections to secure your endpoints.
- List sensors by hostname
- CUSSED (Stale sensor detector)
- Default Groups
- Get Host Groups
- Hosts Report
- Host Search
- Host Search Advanced
- Host Tagger
- Match usernames to hosts
- Offset vs. Token
- Policy Check
- Quarantine a host
- Quarantine a host (updated)
- RFM Report
- Serial Search
This example will demonstrate how to retrieve a list of sensors by hostname.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilter operation, the Falcon console or the Streaming API. |
QueryDevicesByFilter | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
Identify and optionally remove duplicate sensors using this example.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilter operation, the Falcon console or the Streaming API. |
PerformActionV2 | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. |
QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). |
Identify and optionally remove stale sensors using this example.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilter operation, the Falcon console or the Streaming API. |
PerformActionV2 | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. |
QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). |
This example will demonstrate how to create several host groups within a CID.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
createHostGroups | Create Host Groups by specifying details about the group to create. |
This sample demonstrates the following CrowdStrike Flight Control API operations:
Operation | Description |
---|---|
getChildren | Get child customer detail by child CID(s). |
queryChildren | Query for customers linked as children. |
This example will demonstrate how to list all host groups within a CID.
This sample demonstrates the following CrowdStrike Host Groups API operations:
Operation | Description |
---|---|
queryCombinedHostGroups | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria. |
This sample demonstrates the following CrowdStrike Flight Control API operations:
Operation | Description |
---|---|
getChildren | Get child customer detail by child CID(s). |
queryChildren | Query for customers linked as children. |
This example will demonstrate how to export hosts listed in the Falcon Console to a CSV file.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilter operation, the Falcon console or the Streaming API. |
QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). |
This example will demonstrate how to search for host details by hostname.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilter operation, the Falcon console or the Streaming API. |
QueryDevicesByFilter | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
This example will demonstrate how to search for host details by hostname.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilter operation, the Falcon console or the Streaming API. |
QueryDevicesByFilter | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
This example will demonstrate how to tag or untag multiple hosts in batch.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
UpdateDeviceTags | Append or remove one or more Falcon Grouping Tags on one or more hosts. |
QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). |
Submitted by @micgoetz, the Match Username to Host sample demonstrates mapping usernames to hosts with Falcon Grouping tags.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilter operation, the Falcon console or the Streaming API. |
QueryDevicesByFilter | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
QueryDeviceLoginHistory | Retrieve details about recent login sessions for a set of devices. |
UpdateDeviceTags | Append or remove one or more Falcon Grouping Tags on one or more hosts. |
This demonstration discusses the pagination differences when using QueryDevicesByFilter versus QueryDevicesByFilterScroll.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
QueryDevicesByFilter | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). |
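As an added example (not the Offset vs. Token sample itself), the two pagination loops below are written against a constructed stand-in for falconpy.Hosts. FakeHosts reproduces the FalconPy response shape (status_code, body.meta.pagination, body.resources, body.errors) and the two behaviours the table describes: the scroll token in meta.pagination.offset is single-use and expires after 2 minutes of inactivity, while the integer offset stops at an upper bound (the 10,000 cap is an assumption of the fake, chosen to show why the scroll variant exists for large tenants).

```python
"""Offset pagination (QueryDevicesByFilter) versus scroll pagination
(QueryDevicesByFilterScroll). Added example; FakeHosts is constructed."""
import time


class FakeHosts:
    """Stand-in for falconpy.Hosts; holds a constructed list of AIDs."""

    def __init__(self, aids, offset_cap=10_000, token_ttl=120.0, clock=time.monotonic):
        self._aids = list(aids)
        self._cap = offset_cap          # assumed upper bound on integer offsets
        self._ttl = token_ttl           # scroll token lifetime in seconds
        self._clock = clock
        self._tokens = {}               # scroll token -> (next position, issued at)

    def _ok(self, chunk, offset_value):
        meta = {"pagination": {"offset": offset_value, "total": len(self._aids)}}
        return {"status_code": 200, "body": {"meta": meta, "resources": chunk, "errors": []}}

    @staticmethod
    def _err(message):
        return {"status_code": 400, "body": {"meta": {}, "resources": [],
                                             "errors": [{"code": 400, "message": message}]}}

    def query_devices_by_filter(self, offset=0, limit=100, filter=None):
        """Integer offset: simple, but capped."""
        if offset >= self._cap:
            return self._err(f"offset {offset} exceeds the maximum of {self._cap}")
        chunk = self._aids[offset:offset + limit]
        return self._ok(chunk, offset + len(chunk))

    def query_devices_by_filter_scroll(self, offset=None, limit=100, filter=None):
        """Opaque token: uncapped, single-use, expires after token_ttl seconds idle."""
        now = self._clock()
        if offset is None:
            start = 0
        else:
            entry = self._tokens.pop(offset, None)
            if entry is None or now - entry[1] > self._ttl:
                return self._err("scroll token unknown or expired")
            start = entry[0]
        chunk = self._aids[start:start + limit]
        nxt = start + len(chunk)
        token = ""                      # empty token means no further pages
        if nxt < len(self._aids):
            token = f"tok-{nxt}-{now:.3f}"   # opaque to the caller
            self._tokens[token] = (nxt, now)
        return self._ok(chunk, token)


def all_aids_by_offset(hosts, limit=100):
    """Walk every page with an integer offset; raises once the cap is hit."""
    found, offset = [], 0
    while True:
        resp = hosts.query_devices_by_filter(offset=offset, limit=limit)
        if resp["status_code"] != 200:
            raise RuntimeError(f"offset pagination failed: {resp['body']['errors'][0]['message']}")
        page = resp["body"]["resources"]
        found.extend(page)
        offset += len(page)
        if not page or offset >= resp["body"]["meta"]["pagination"]["total"]:
            return found


def all_aids_by_scroll(hosts, limit=100):
    """Walk every page by handing back the token from meta.pagination.offset."""
    found, token = [], None
    while True:
        resp = hosts.query_devices_by_filter_scroll(offset=token, limit=limit)
        if resp["status_code"] != 200:
            raise RuntimeError(f"scroll pagination failed: {resp['body']['errors'][0]['message']}")
        body = resp["body"]
        found.extend(body["resources"])
        token = body["meta"]["pagination"]["offset"]
        if not token or len(found) >= body["meta"]["pagination"]["total"]:
            return found


def demo() -> dict:
    """Run both loops over constructed tenants of 250 and 10,300 hosts."""
    small = FakeHosts([f"aid-{i:05d}" for i in range(250)])
    big = FakeHosts([f"aid-{i:05d}" for i in range(10_300)])
    out = {"small_offset": len(all_aids_by_offset(small)),
           "small_scroll": len(all_aids_by_scroll(small)),
           "big_scroll": len(all_aids_by_scroll(big, limit=1000))}
    try:
        all_aids_by_offset(big, limit=1000)
        out["big_offset_error"] = None
    except RuntimeError as err:
        out["big_offset_error"] = str(err)
    # Token expiry: drive the fake with a manual clock instead of sleeping.
    clock = [0.0]
    stale = FakeHosts([f"aid-{i}" for i in range(5)], clock=lambda: clock[0])
    first = stale.query_devices_by_filter_scroll(limit=2)
    clock[0] = 121.0                                  # more than 120 s idle
    second = stale.query_devices_by_filter_scroll(
        offset=first["body"]["meta"]["pagination"]["offset"], limit=2)
    out["expired_token_status"] = second["status_code"]
    return out
```

The practical consequence: any per-page processing in a scroll loop (GetDeviceDetails lookups, actions, slow writes) has to finish within the token lifetime, or the loop must be restarted from scratch, so keep the work inside the loop small and batch the heavy lifting afterwards.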
This example will demonstrate how to confirm a host group is attached to a specific prevention policy.
This sample demonstrates the following CrowdStrike Host Groups API operations:
Operation | Description |
---|---|
queryCombinedHostGroups | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria. |
This sample demonstrates the following CrowdStrike Flight Control API operations:
Operation | Description |
---|---|
getChildren | Get child customer detail by child CID(s). |
queryChildren | Query for customers linked as children. |
This sample demonstrates the following CrowdStrike Prevention Policy API operations:
Operation | Description |
---|---|
getPreventionPolicies | Retrieve a set of Prevention Policies by specifying their IDs. |
This sample demonstrates removing and restoring hosts by hostname or AID.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
PerformActionV2 | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. |
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilter operation, the Falcon console or the Streaming API. |
QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). |
Developed by one of our maintainers @soggysec, this example demonstrates how to quarantine target hosts.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
PerformActionV2 | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. |
QueryDevicesByFilter | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
This is the same solution, but updated to demonstrate Direct Authentication, Body Payload Abstraction and Parameter Abstraction.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
PerformActionV2 | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. |
QueryDevicesByFilter | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
This example will demonstrate how to produce a report of hosts that are in Reduced Functionality Mode.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilter operation, the Falcon console or the Streaming API. |
QueryDevicesByFilter | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
This sample demonstrates the following CrowdStrike Flight Control API operations:
Operation | Description |
---|---|
queryChildren | Query for customers linked as children. |
This example will demonstrate how to search for host details by host serial number.
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilter operation, the Falcon console or the Streaming API. |
QueryDevicesByFilter | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
These samples focus on CrowdStrike's Falcon Report Executions API service collection.
This sample accepts a scheduled report ID and downloads all results for every successful execution of the report.
This sample demonstrates the following CrowdStrike Report Executions API operations:
Operation | Description |
---|---|
report_executions_download_get | Get report entity download. |
report_executions_get | Retrieve report details for the provided report IDs. |
report_executions_query | Find all report execution IDs matching the query with filter. |
The samples in this section focus on the CrowdStrike Sensor Download API service collection.
Use the Uber Class to list or download versions of the CrowdStrike sensor.
This sample demonstrates the following CrowdStrike Sensor Download API operations:
Operation | Description |
---|---|
DownloadSensorInstallerById | Download sensor installer by SHA256 ID. |
GetCombinedSensorInstallersByQuery | Get sensor installer details by providing a query. |
This section has samples that focus on the CrowdStrike Sensor Update Policies API service collection.
This example will demonstrate how to clone sensor update policies from one CID to another.
This sample demonstrates the following CrowdStrike Sensor Update Policy API operations:
Operation | Description |
---|---|
createSensorUpdatePoliciesV2 | Create Sensor Update Policies by specifying details about the policy to create. |
queryCombinedSensorUpdatePoliciesV2 | Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria. |
This example will demonstrate how to create a host group and attach it to sensor update policies.
This sample demonstrates the following CrowdStrike Host Groups API operations:
Operation | Description |
---|---|
createHostGroups | Create Host Groups by specifying details about the group to create. |
This sample demonstrates the following CrowdStrike Sensor Update Policy API operations:
Operation | Description |
---|---|
performSensorUpdatePoliciesAction | Perform the specified action on the Sensor Update Policies specified in the request. |
Manage your sensor update policies with our Policy Wonk sample.
This sample demonstrates the following CrowdStrike Sensor Update Policies API operations:
Operation | Description |
---|---|
createSensorUpdatePoliciesV2 | Create Sensor Update Policies by specifying details about the policy to create. |
deleteSensorUpdatePolicies | Delete a set of Sensor Update Policies by specifying their IDs. |
performSensorUpdatePoliciesAction | Perform the specified action on the Sensor Update Policies specified in the request. |
queryCombinedSensorUpdateBuilds | Retrieve available builds for use with Sensor Update Policies. |
queryCombinedSensorUpdateKernels | Retrieve kernel compatibility info for Sensor Update Builds. |
queryCombinedSensorUpdatePolicyMembers | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria. |
queryCombinedSensorUpdatePoliciesV2 | Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria. |
revealUninstallToken | Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token, pass the value MAINTENANCE as the device_id. |
setSensorUpdatePoliciesPrecedence | Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence. |
updateSensorUpdatePoliciesV2 | Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection. |
This category is dedicated to demonstrating the functionality provided by the CrowdStrike Installation Tokens API service collection.
Easily manage installation tokens within your tenant or across child tenants with the Token Dispenser.
This sample demonstrates the following CrowdStrike Installation Tokens API operations:
Operation | Description |
---|---|
tokens_create | Creates a token. |
tokens_delete | Deletes a token immediately. To revoke a token, use tokens_update instead. |
tokens_read | Get the details of one or more tokens by ID. |
tokens_update | Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore. |
This sample demonstrates the following CrowdStrike Flight Control API operations:
Operation | Description |
---|---|
queryChildren | Query for customers linked as children. |
This sample demonstrates the following CrowdStrike Sensor Download API operations:
Operation | Description |
---|---|
GetSensorInstallersCCIDByQuery | Get CCID to use with sensor installers. |
This category provides samples that demonstrate the CrowdStrike Falcon Quarantine API service collection.
Contributed by @tsullivan06, this sample leverages the Quarantine and Sample Upload APIs to retrieve all quarantined files within your environment and then stores them to a subfolder.
Files can be downloaded raw or placed in a password-protected archive (password: infected).
This sample demonstrates the following CrowdStrike Quarantine and Sample Uploads API operations:
Operation | Description |
---|---|
GetQuarantineFiles | Get quarantine file metadata for specified ids. |
QueryQuarantineFiles | Get quarantine file ids that match the provided filter criteria. |
GetSampleV3 | Retrieves the file associated with the given ID (SHA256). |
This sample category is focused on examples that leverage CrowdStrike's User Management API service collection.
This sample demonstrates adding, updating and removing users in bulk using the User Management Service Class.
This sample demonstrates the following CrowdStrike User Management API operations:
Operation | Description |
---|---|
CreateUser | Create a new user. After creating a user, assign one or more roles with GrantUserRoleIds. |
DeleteUser | Delete a user permanently. |
GetAvailableRoleIds | Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to GetRoles. |
GetUserRoleIds | Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to GetRoles. |
GrantUserRoleIds | Assign one or more roles to a user. |
RetrieveUser | Get info about a user. |
RetrieveUserUUID | Get a user's ID by providing a username (usually an email address). |
RetrieveUserUUIDsByCID | List user IDs for all users in your customer account. For more information on each user, provide the user ID to RetrieveUser. |
RevokeUserRoleIds | Revoke one or more roles from a user. |
This example will demonstrate how to search for and list users in a CID or a child CID.
This sample demonstrates the following CrowdStrike User Management API operations:
Operation | Description |
---|---|
RetrieveUserUUID | Get a user's ID by providing a username (usually an email address). |
RetrieveUserUUIDsByCID | List user IDs for all users in your customer account. For more information on each user, provide the user ID to RetrieveUser. |
This sample demonstrates the following CrowdStrike Flight Control API operations:
Operation | Description |
---|---|
getChildren | Get child customer detail by child CID(s). |
queryChildren | Query for customers linked as children. |
This sample demonstrates the following CrowdStrike Sensor Download API operations:
Operation | Description |
---|---|
GetSensorInstallersCCIDByQuery | Get CCID to use with sensor installers. |
This sample demonstrates retrieving a list of all user grants asynchronously using the User Management Service Class.
This sample demonstrates the following CrowdStrike User Management API operations:
Operation | Description |
---|---|
queryUserV1 | List user IDs for all users in your customer account. |
combinedUserRolesV1 | Get User Grant(s). This operation lists both direct as well as flight control grants between a user and a customer. |
retrieveUsersGETV1 | Get information about users including their name, UID, and CID by providing user UUIDs. |
This category is focused on the CrowdStrike Event Streams API service collection.
This example demonstrates publishing detections received from the CrowdStrike Falcon Event Streams API as AWS Security Hub findings.
This sample demonstrates the following CrowdStrike Event Streams API operations:
Operation | Description |
---|---|
listAvailableStreamsOAuth2 | Discover all event streams in your environment. |
refreshActiveStreamSession | Refresh an active event stream. Use the URL shown in a listAvailableStreamsOAuth2 response. |
The samples in this category demonstrate functionality for MSSP scenarios using the Falcon Flight Control API service collection.
This example demonstrates retrieving a child CID using the CrowdStrike Falcon Flight Control API.
This sample demonstrates the following CrowdStrike Flight Control API operations:
Operation | Description |
---|---|
QueryChildren | Query for customers linked as children. |
This example uses the Flight Control and Prevention Policies APIs to demonstrate retrieving prevention policies for some or all child tenants.
This sample demonstrates the following CrowdStrike Flight Control and Prevention Policies API operations:
Operation | Description |
---|---|
QueryChildren | Query for customers linked as children. |
queryCombinedPreventionPolicies | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria. |
This example uses the Flight Control and Host Group APIs to demonstrate duplicating a Host Group from a Parent to all Children.
This sample demonstrates the following CrowdStrike Flight Control and Host Group API operations:
Operation | Description |
---|---|
QueryChildren | Query for customers linked as children. |
createHostGroups | Create Host Groups by specifying details about the group to create. |
queryCombinedHostGroups | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria. |
Execute a single RTR command across multiple hosts within multiple child tenants. This demonstration leverages operations from the Hosts, Flight Control, Real Time Response and Real Time Response Admin APIs.
This sample demonstrates the following CrowdStrike Flight Control, Hosts, Real Time Response and Real Time Response Admin API operations:
Operation | Description |
---|---|
QueryChildren | Query for customers linked as children. |
BatchInitSessions | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. |
RTR_DeleteSession | Delete a RTR session. |
BatchAdminCmd | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. |
RTR_CheckAdminCommandStatus | Get status of an executed RTR administrator command on a single host. |
QueryDevicesByFilter | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
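The sequence the table above describes, as an added example (not the page's sample): enumerate children, then for each child find hosts, open a batch of RTR sessions, run one administrator command, poll RTR_CheckAdminCommandStatus until every host reports completion, and delete the sessions in a finally block so a failure part-way through does not leave sessions open on a child tenant. FakeTenant is a constructed stand-in for one set of FalconPy service classes created with member_cid=&lt;child&gt;; its snake_case method names follow FalconPy's aliases and the response shapes (body.batch_id, body.resources, body.combined.resources) follow the Falcon API, but every CID, host, session and result below is invented.

```python
"""One RTR admin command across every host in every child CID, with session cleanup.

Added example; FakeTenant and TENANTS are constructed stand-ins."""
TENANTS = {  # constructed: child CID -> AIDs found by QueryDevicesByFilter
    "child-cid-aaaa": ["aid-a1", "aid-a2"],
    "child-cid-bbbb": ["aid-b1"],
}


class FakeTenant:
    """Stand-in for FlightControl / Hosts / RealTimeResponse / RealTimeResponseAdmin."""

    def __init__(self, member_cid, slow_hosts=()):
        self.member_cid = member_cid
        self.slow = set(slow_hosts)     # hosts whose command needs two status polls
        self.sessions = {}              # open sessions: session_id -> aid
        self.pending = {}               # cloud_request_id -> polls left before completion
        self.deleted = []
        self.status_checks = 0

    def query_children(self):           # FlightControl.query_children (parent tenant)
        return {"status_code": 200, "body": {"resources": list(TENANTS)}}

    def query_devices_by_filter(self, filter=None, limit=5000):   # Hosts.query_devices_by_filter
        return {"status_code": 200, "body": {"resources": list(TENANTS[self.member_cid])}}

    def batch_init_sessions(self, host_ids):                      # RealTimeResponse.batch_init_sessions
        res = {}
        for aid in host_ids:
            sid = f"sess-{aid}"
            self.sessions[sid] = aid
            res[aid] = {"session_id": sid, "complete": True, "errors": []}
        return {"status_code": 201, "body": {"batch_id": f"batch-{self.member_cid}", "resources": res}}

    def batch_admin_command(self, batch_id, base_command, command_string):  # RealTimeResponseAdmin
        res = {}
        for sid, aid in self.sessions.items():
            crid = f"req-{aid}"
            self.pending[crid] = 2 if aid in self.slow else 0
            done = self.pending[crid] == 0
            res[aid] = {"session_id": sid, "task_id": crid, "complete": done,
                        "stdout": f"{command_string}: finished" if done else "", "stderr": "", "errors": []}
        return {"status_code": 201, "body": {"combined": {"resources": res}}}

    def check_admin_command_status(self, cloud_request_id, sequence_id=0):
        self.status_checks += 1
        self.pending[cloud_request_id] = max(0, self.pending[cloud_request_id] - 1)
        done = self.pending[cloud_request_id] == 0
        return {"status_code": 200, "body": {"resources": [{"complete": done, "stderr": "",
                "stdout": "finished" if done else "", "sequence_id": sequence_id + 1}]}}

    def delete_session(self, session_id):                         # RealTimeResponse.delete_session
        self.deleted.append(session_id)
        self.sessions.pop(session_id)
        return {"status_code": 204, "body": {}}


def wait_for_result(client, result, max_polls=10, sleep=lambda seconds: None):
    """Poll RTR_CheckAdminCommandStatus until the command completes or max_polls is spent."""
    polls, seq = 0, 0
    while not result["complete"]:
        if polls >= max_polls:
            return {"complete": False, "stdout": result["stdout"], "stderr": "gave up waiting for the command"}
        sleep(2)
        status = client.check_admin_command_status(cloud_request_id=result["task_id"], sequence_id=seq)
        status = status["body"]["resources"][0]
        seq, polls = status["sequence_id"], polls + 1
        result = {**result, "complete": status["complete"],
                  "stdout": status["stdout"] or result["stdout"], "stderr": status["stderr"]}
    return {"complete": True, "stdout": result["stdout"], "stderr": result["stderr"]}


def run_across_children(make_client, base_command, command_string, max_polls=10, sleep=lambda seconds: None):
    """queryChildren, then per child: QueryDevicesByFilter, BatchInitSessions, BatchAdminCmd, poll, RTR_DeleteSession."""
    parent = make_client(None)
    results = {}
    for cid in parent.query_children()["body"]["resources"]:
        client = make_client(cid)        # falconpy: ServiceClass(client_id=..., client_secret=..., member_cid=cid)
        aids = client.query_devices_by_filter()["body"]["resources"]
        if not aids:
            continue
        init = client.batch_init_sessions(host_ids=aids)["body"]
        session_ids = [r["session_id"] for r in init["resources"].values() if r.get("session_id")]
        try:
            cmd = client.batch_admin_command(batch_id=init["batch_id"], base_command=base_command,
                                             command_string=command_string)
            for aid, res in cmd["body"]["combined"]["resources"].items():
                results[(cid, aid)] = wait_for_result(client, res, max_polls, sleep)
        finally:                         # never leave RTR sessions open on a child tenant
            for sid in session_ids:
                client.delete_session(session_id=sid)
    return results


def demo() -> dict:
    """Run the command over the constructed tenants; aid-b1 needs two status polls."""
    clients = {}

    def make_client(cid):
        clients[cid] = FakeTenant(cid or "parent", slow_hosts={"aid-b1"})
        return clients[cid]

    results = run_across_children(make_client, "ls", "ls /tmp")
    return {"results": results,
            "open_sessions": sum(len(c.sessions) for c in clients.values()),
            "deleted": sorted(s for c in clients.values() for s in c.deleted),
            "status_checks": sum(c.status_checks for c in clients.values())}
```

Two design points carry over to the real API: the poll loop is bounded (an RTR command on an offline or reduced-functionality host never reports completion, so an unbounded loop hangs the whole MSSP run), and session deletion is unconditional, because each open session counts against the tenant's RTR limits until it expires.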
These samples demonstrate using CrowdStrike's Custom IOA service collection.
The Custom IOA Cloner demonstrates displaying, deleting and cloning Custom IOA rule groups.
This sample demonstrates the following CrowdStrike Custom IOA API operations:
Operation | Description |
---|---|
create_rule | Create a rule within a rule group. Returns the rule. |
create_rule_groupMixin0 | Create a rule group for a platform with a name and an optional description. Returns the rule group. |
delete_rule_groupsMixin0 | Delete rule groups by ID. |
query_rule_groups_full | Find all rule groups matching the query with optional filter. |
These samples demonstrate using CrowdStrike's IOA Exclusions service collection.
The IOA Exclusion Audit sample demonstrates how to audit existing IOA exclusions within your tenant or child tenants.
This sample demonstrates the following CrowdStrike IOA Exclusions API operations:
Operation | Description |
---|---|
queryIOAExclusionsV1 | Search for IOA exclusions. |
getIOAExclusionsV1 | Get a set of IOA exclusions by specifying their IDs. |
This sample demonstrates the following CrowdStrike Flight Control API operations:
Operation | Description |
---|---|
getChildren | Get child customer detail by child CID(s). |
queryChildren | Query for customers linked as children. |
This sample demonstrates the following CrowdStrike Sensor Download API operations:
Operation | Description |
---|---|
GetSensorInstallersCCIDByQuery | Get CCID to use with sensor installers. |
The CrowdStrike Detects API service collection is the sole focus of these samples.
Detects Advisor is an example application for triaging inbound detections in your CrowdStrike Falcon tenant.
This sample demonstrates the following CrowdStrike Detects API operations:
Operation | Description |
---|---|
GetDetectSummaries | View information about detections. |
QueryDetects | Search for detection IDs that match a given query. |
UpdateDetectsByIdsV2 | Modify the state, assignee, and visibility of detections. |
The samples in this section focus on the CrowdStrike IOC API service collection.
Use this example to create an Indicator of Compromise (IOC). This example demonstrates the same operation using both the Service Class and the Uber Class. The Uber Class solution does not make use of Body Payload Abstraction.
This sample demonstrates the following CrowdStrike IOC API operations:
Operation | Description |
---|---|
indicator_create_v1 | Create indicators. |
The IOC Audit sample demonstrates how to audit existing IOCs within your tenant or child tenants.
This sample demonstrates the following CrowdStrike IOC API operations:
Operation | Description |
---|---|
indicator_combined_v1 | Get combined details for indicators. |
This sample demonstrates the following CrowdStrike Flight Control API operations:
Operation | Description |
---|---|
getChildren | Get child customer detail by child CID(s). |
queryChildren | Query for customers linked as children. |
This sample demonstrates the following CrowdStrike Sensor Download API operations:
Operation | Description |
---|---|
GetSensorInstallersCCIDByQuery | Get CCID to use with sensor installers. |
The IOC Restore sample demonstrates how to restore deleted IOCs within your tenant.
This sample demonstrates the following CrowdStrike IOC API operations:
Operation | Description |
---|---|
indicator_combined_v1 | Get combined details for Indicators. |
indicator_create_v1 | Create Indicators. |
indicator_get_v1 | Get Indicators by IDs. |
indicator_search_v1 | Search for Indicators. |
indicator_update_v1 | Update Indicators. |
This sample demonstrates the following CrowdStrike Host Group API operations:
Operation | Description |
---|---|
getHostGroups | Retrieve a set of Host Groups by specifying their IDs. |
queryHostGroups | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria. |
These samples demonstrate using CrowdStrike's ML Exclusions service collection.
The MLE Audit sample demonstrates how to audit existing ML exclusions within your tenant or child tenants.
This sample demonstrates the following CrowdStrike ML Exclusions API operations:
Operation | Description |
---|---|
queryMLExclusionsV1 | Search for ML exclusions. |
getMLExclusionsV1 | Get a set of ML exclusions by specifying their IDs. |
This sample demonstrates the following CrowdStrike Flight Control API operations:
Operation | Description |
---|---|
getChildren | Get child customer detail by child CID(s). |
queryChildren | Query for customers linked as children. |
This sample demonstrates the following CrowdStrike Sensor Download API operations:
Operation | Description |
---|---|
GetSensorInstallersCCIDByQuery | Get CCID to use with sensor installers. |
The samples in this section demonstrate using CrowdStrike's Prevention Policy API service collection.
The Clone Prevention Policy sample demonstrates how to clone a prevention policy from one CID to another CID.
This sample demonstrates the following CrowdStrike Prevention Policy API operations:
Operation | Description |
---|---|
createPreventionPolicies | Create Prevention Policies by specifying details about the policy to create. |
queryCombinedPreventionPolicies | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria. |
This example will demonstrate how to create a host group and attach it to prevention policies.
This sample demonstrates the following CrowdStrike Host Groups API operations:
Operation | Description |
---|---|
createHostGroups | Create Host Groups by specifying details about the group to create. |
This sample demonstrates the following CrowdStrike Prevention Policy API operations:
Operation | Description |
---|---|
performPreventionPoliciesAction | Perform the specified action on the Prevention Policies specified in the request. |
Manage your CrowdStrike prevention policy settings using the Prevention Policy Hawk sample.
This sample demonstrates the following CrowdStrike Prevention Policy API operations:
Operation | Description |
---|---|
deletePreventionPolicies | Delete a set of Prevention Policies by specifying their IDs. |
performPreventionPoliciesAction | Perform the specified action on the Prevention Policies specified in the request. |
queryCombinedPreventionPolicies | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria. |
getPreventionPolicies | Retrieve a set of Prevention Policies by specifying their IDs. |
queryPreventionPolicies | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria. |
updatePreventionPolicies | Update Prevention Policies by specifying the ID of the policy and details to update. |
This category is dedicated to demonstrating the functionality provided by the CrowdStrike Incidents API service collection.
Quickly chart your past 24 hours of CrowdScore results with the CrowdScore QuickChart sample.
This sample demonstrates the following CrowdStrike Incidents API operations:
Operation | Description |
---|---|
CrowdScore | Query environment wide CrowdScore and return the entity data. |
This example demonstrates triaging incidents. Using the Incident Triage utility you can assign or unassign responders, add or remove tags, and change the name, description, and status of an incident.
This sample demonstrates the following CrowdStrike Incidents API operations:
Operation | Description |
---|---|
PerformIncidentAction | Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description. |
GetIncidents | Get details on incidents by providing incident IDs. |
QueryIncidents | Search for incidents by providing a FQL filter, sorting, and paging details. |
These samples focus on CrowdStrike's Real Time Response and Real Time Response Admin API service collections.
- Bulk execute a command
- Bulk execute a command (queued)
- Get file from multiple hosts
- Get RTR result
- Dump memory for a running process
- My Little RTR
- Remotely restart a sensor while taking a capture
- Script Manager
Using this demonstration, you can execute a command on multiple hosts that have a hostname matching a search string you provide.
This sample demonstrates the following CrowdStrike Real Time Response and Real Time Response Admin API operations:
Operation | Description |
---|---|
BatchAdminCmd | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. |
BatchInitSessions | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. |
RTR_DeleteSession | Delete a session. |
Building on the previous demonstration, this sample also executes a command on multiple hosts that have a hostname matching a search string, with the addition of queuing the commands for later processing should the host be offline.
This sample demonstrates the following CrowdStrike Real Time Response and Real Time Response Admin API operations:
Operation | Description |
---|---|
BatchAdminCmd | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. |
BatchInitSessions | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. |
RTR_CheckAdminCommandStatus | Get status of an executed RTR administrator command on a single host. |
RTR_DeleteSession | Delete a session. |
RTR_ListQueuedSessions | Get queued session metadata by session ID. |
Use the `runscript` command to retrieve host uptime.
This sample demonstrates the following CrowdStrike Hosts, Real Time Response and Real Time Response Admin API operations:
Operation | Description |
---|---|
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilterScroll operation, the Falcon console or the Streaming API. |
QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). |
RTR_CheckAdminCommandStatus | Get status of an executed RTR administrator command on a single host. |
RTR_DeleteSession | Delete a session. |
RTR_ExecuteAdminCommand | Execute a RTR administrator command on a single host. |
RTR_InitSession | Initialize a new session with the RTR cloud. |
This sample will retrieve a file of the same name from multiple hosts.
This sample demonstrates the following CrowdStrike Real Time Response and Real Time Response Admin API operations:
Operation | Description |
---|---|
RTR_GetExtractedFileContents | Get RTR extracted file contents for specified session and sha256. |
RTR_DeleteSession | Delete a session. |
RTR_ListFilesV2 | Get a list of files for the specified RTR session. |
RTR_DeleteFileV2 | Delete a RTR session file. |
BatchInitSessions | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. |
BatchGetCmd | Batch execute a GET command across hosts to retrieve files. After this call is made, BatchGetCmdStatus can be used to query for the results. |
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). |
Retrieve the results for previously executed RTR commands.
This sample demonstrates the following CrowdStrike Real Time Response Admin API operations:
Operation | Description |
---|---|
RTR_CheckAdminCommandStatus | Get status of an executed RTR administrator command on a single host. |
This example demonstrates using the CrowdStrike Real Time Response API to dump the memory contents of a specific process on the target host using the PID.
This sample demonstrates the following CrowdStrike Real Time Response and Real Time Response Admin API operations:
Operation | Description |
---|---|
RTR_CheckAdminCommandStatus | Get status of an executed RTR administrator command on a single host. |
RTR_CreatePut_Files | Upload a new put-file to use for the RTR put command. |
RTR_CreateScripts | Upload a new custom-script to use for the RTR runscript command. |
RTR_DeletePut_Files | Delete a put-file based on the ID given. Can only delete one file at a time. |
RTR_DeleteScripts | Delete a custom-script based on the ID given. Can only delete one script at a time. |
RTR_DeleteSession | Delete a session. |
RTR_ExecuteAdminCommand | Execute a RTR administrator command on a single host. |
RTR_GetExtractedFileContents | Get RTR extracted file contents for specified session and sha256. |
RTR_InitSession | Initialize a new session with the RTR cloud. |
RTR_ListPut_Files | Get a list of put-file IDs that are available to the user for the put command. |
RTR_ListScripts | Get a list of custom-script IDs that are available to the user for the runscript command. |
This demonstration leverages the ASCII-Pony open source project to retrieve basic system information from a target host (and draw My Little Ponies).
This sample demonstrates the following CrowdStrike Real Time Response and Real Time Response Admin API operations:
Operation | Description |
---|---|
RTR_CreateScripts | Upload a new custom-script to use for the RTR runscript command. |
RTR_CheckAdminCommandStatus | Get status of an executed RTR administrator command on a single host. |
RTR_DeleteSession | Delete a session. |
RTR_DeleteScripts | Delete a custom-script based on the ID given. Can only delete one script at a time. |
RTR_ExecuteAdminCommand | Execute a RTR administrator command on a single host. |
RTR_InitSession | Initialize a new session with the RTR cloud. |
RTR_ListScripts | Get a list of custom-script IDs that are available to the user for the runscript command. |
This sample will start a TCP capture, restart the sensor, and then retrieve the capture result.
This sample demonstrates the following CrowdStrike Real Time Response and Real Time Response Admin API operations:
Operation | Description |
---|---|
RTR_CreateScripts | Upload a new custom-script to use for the RTR runscript command. |
RTR_CheckAdminCommandStatus | Get status of an executed RTR administrator command on a single host. |
RTR_ExecuteAdminCommand | Execute a RTR administrator command on a single host. |
RTR_InitSession | Initialize a new session with the RTR cloud. |
RTR_ListScripts | Get a list of custom-script IDs that are available to the user for the runscript command. |
RTR_GetExtractedFileContents | Get RTR extracted file contents for specified session and sha256. |
RTR_ListFiles | Get a list of files for the specified RTR session. |
RTR_DeleteSession | Delete a session. |
This sample demonstrates the following CrowdStrike Hosts API operations:
Operation | Description |
---|---|
QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). |
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilterScroll operation, the Falcon console or the Streaming API. |
This sample demonstrates the following CrowdStrike Sensor Download API operations:
Operation | Description |
---|---|
GetSensorInstallersCCIDByQuery | Get CCID to use with sensor installers. |
This example demonstrates RTR script management within a CID.
This sample demonstrates the following CrowdStrike Real Time Response API operations:
Operation | Description |
---|---|
RTR_CreateScripts | Upload a new custom-script to use for the RTR runscript command. |
RTR_DeleteScripts | Delete a custom-script based on the ID given. Can only delete one script at a time. |
RTR_ListScripts | Get a list of custom-script IDs that are available to the user for the runscript command. |
RTR_GetScripts | Get custom-scripts based on the IDs given. These are used for the RTR runscript command. |
This sample demonstrates the following CrowdStrike Flight Control API operations:
Operation | Description |
---|---|
getChildren | Get child customer detail by child CID(s). |
queryChildren | Query for customers linked as children. |
These samples demonstrate using CrowdStrike's Sensor Visibility Exclusions service collection.
The SVE Audit sample demonstrates how to audit existing sensor visibility exclusions within your tenant or child tenants.
This sample demonstrates the following CrowdStrike Sensor Visibility Exclusions API operations:
Operation | Description |
---|---|
querySensorVisibilityExclusionsV1 | Search for Sensor Visibility exclusions. |
getSensorVisibilityExclusionsV1 | Get a set of Sensor Visibility exclusions by specifying their IDs. |
This sample demonstrates the following CrowdStrike Flight Control API operations:
Operation | Description |
---|---|
getChildren | Get child customer detail by child CID(s). |
queryChildren | Query for customers linked as children. |
This sample demonstrates the following CrowdStrike Sensor Download API operations:
Operation | Description |
---|---|
GetSensorInstallersCCIDByQuery | Get CCID to use with sensor installers. |
The CrowdStrike Falcon Firewall Management and Firewall Policies APIs are the focus of this section.
Developed by @wozboz, this example demonstrates exporting Firewall events using the Firewall Management Service Class. This sample also provides an example of tokenized pagination leveraging the `after` return parameter found in the `meta` branch. More details regarding this style of pagination can be found here.
This sample demonstrates the following CrowdStrike Firewall Management API operations:
Operation | Description |
---|---|
get_events | Get events entities by ID and optionally version. |
query_events | Find all event IDs matching the query with filter. |
This section discusses Falcon Discover for Cloud and Containers, and the two API service collections, Cloud Connect AWS and D4C Registration.
This example demonstrates using FalconPy to register and remove accounts managed by CrowdStrike Falcon Discover for Cloud (AWS). Both Service Class and Uber Class examples are provided.
These samples demonstrate the following CrowdStrike Cloud Connect AWS (Discover for Cloud and Containers) API operations:
Operation | Description |
---|---|
DeleteAWSAccounts | Delete a set of AWS Accounts by specifying their IDs. |
ProvisionAWSAccounts | Provision AWS Accounts by specifying details about the accounts to provision. |
QueryAWSAccounts | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria. |
UpdateAWSAccounts | Update AWS Accounts by specifying the ID of the account and details to update. |
VerifyAWSAccountAccess | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria. |
These samples focus on CrowdStrike Falcon Horizon and the available API operations within the CSPM Registration service collection.
Submitted by @mccbryan3, this example uses FalconPy to report on, or export to CSV, all or selected Falcon Horizon CSPM policies.
This sample demonstrates the following CrowdStrike CSPM Registration (Horizon) API operations:
Operation | Description |
---|---|
GetCSPMPolicySettings | Returns information about current policy settings. |
This category is dedicated to demonstrating the functionality provided by the CrowdStrike Identity Protection API service collection.
This sample demonstrates pagination using GraphQL within the Identity Protection service collection.
This sample demonstrates the following CrowdStrike Identity Protection API operations:
Operation | Description |
---|---|
api_preempt_proxy_post_graphql | Identity Protection GraphQL API. Allows for retrieving entities, timeline activities, identity-based incidents and security assessment. Allows for performing actions on entities and identity-based incidents. |
The samples in this section focus on the CrowdStrike Falcon Discover API service collection.
In this example, we demonstrate listing up to the first 100 hosts identified by Falcon Discover.
This sample demonstrates the following CrowdStrike Discover API operations:
Operation | Description |
---|---|
get_hosts | Get details on assets by providing one or more IDs. |
query_hosts | Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
In this example, we demonstrate running a full Falcon Discover audit report (accounts, applications, hosts and logins).
This sample demonstrates the following CrowdStrike Discover API operations:
Operation | Description |
---|---|
get_accounts | Get details on accounts by providing one or more IDs. |
get_applications | Get details on applications by providing one or more IDs. |
get_hosts | Get details on assets by providing one or more IDs. |
get_logins | Get details on logins by providing one or more IDs. |
query_accounts | Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of account IDs which match the filter criteria. |
query_applications | Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria. |
query_hosts | Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
query_logins | Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of login IDs which match the filter criteria. |
These samples discuss leveraging the CrowdStrike Spotlight Evaluation Logic and Spotlight Vulnerabilities API service collections.
In this example we demonstrate searching Falcon Spotlight for vulnerable hosts based upon CVE ID.
This sample demonstrates the following CrowdStrike Spotlight Vulnerability API operations:
Operation | Description |
---|---|
getRemediationsV2 | Get details on remediation by providing one or more IDs. |
getVulnerabilities | Get details on vulnerabilities by providing one or more IDs. |
queryVulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria. |
Developed and submitted by @ciberesponce, this solution provides simple CSV formatted output, sorted by DHS CISA's Due Date field, to allow for prioritization of mitigation actions across hosts. This is particularly useful for Departments and agencies (D/a) that are subject to CISA's due dates.
This sample demonstrates the following CrowdStrike Spotlight Vulnerability API operations:
Operation | Description |
---|---|
queryVulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria. |
In this example we demonstrate generating a report of CVE matches within a Falcon tenant using the Spotlight and Hosts service collections.
This sample demonstrates the following CrowdStrike Spotlight Vulnerability API and Hosts API operations:
Operation | Description |
---|---|
combinedQueryVulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria. |
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the QueryDevicesByFilterScroll operation, the Falcon console or the Streaming API. |
QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit). |
The samples in this section focus on the CrowdStrike Falcon Workflows API service collection.
This sample demonstrates how to leverage the Workflows API to provide the following functionality:
- List all workflows
- Execute a workflow
- List all executions for a workflow
- Print the results of a workflow execution
- Import a workflow
- Export a workflow
This sample demonstrates the following CrowdStrike Workflows API operations:
Operation | Description |
---|---|
WorkflowDefinitionsCombined | Search workflow definitions based on the provided filter. |
WorkflowDefinitionsExport | Export a workflow definition for the given definition ID. |
WorkflowDefinitionsImport | Import a workflow definition from a file. |
WorkflowExecute | Execute an on-demand workflow. The response will contain the execution ID. |
WorkflowExecutionsCombined | Search workflow executions based on the provided filter. |
WorkflowExecutionsResults | Get execution result of a given execution. |
Like the sample above, this sample demonstrates how to leverage the Workflows API to provide the following functionality:
- List all workflows
- Execute a workflow
- List all executions for a workflow
- Print the results of a workflow execution
- Import a workflow
- Export a workflow
Additional functionality provided by this sample includes:
- Full GUI interface
- Activity logging (to a local file)
- Exporting list results to CSV
This sample demonstrates the following CrowdStrike Workflows API operations:
Operation | Description |
---|---|
WorkflowDefinitionsCombined | Search workflow definitions based on the provided filter. |
WorkflowDefinitionsExport | Export a workflow definition for the given definition ID. |
WorkflowDefinitionsImport | Import a workflow definition from a file. |
WorkflowExecute | Execute an on-demand workflow. The response will contain the execution ID. |
WorkflowExecutionsCombined | Search workflow executions based on the provided filter. |
WorkflowExecutionsResults | Get execution result of a given execution. |
This category is dedicated to Falcon Intelligence, and discusses the Falcon Intelligence and MalQuery API service collections.
Retrieve some or all available adversary MITRE ATT&CK reports.
This sample demonstrates the following CrowdStrike Intel API operations:
Operation | Description |
---|---|
GetIntelActorEntities | Retrieve specific actors using their actor IDs. |
GetMitreReport | Export Mitre ATT&CK information for a given actor. |
QueryMitreAttacks | Gets MITRE tactics and techniques for the given actor. |
Quickly search CrowdStrike Falcon Intelligence data for string matches.
Displays lists of matches and extended details for individual records when only one result is returned.
When a value for output prefix (`-o`) is provided, results will also be written to individual files in CSV format.
This sample demonstrates the following CrowdStrike Intel API operations:
Operation | Description |
---|---|
QueryIntelActorEntities | Get info about actors that match provided FQL filters. |
QueryIntelIndicatorEntities | Get info about indicators that match provided FQL filters. |
QueryIntelReportEntities | Get info about reports that match provided FQL filters. |
GetIntelActorEntities | Retrieve specific actors using their actor IDs. |
GetIntelIndicatorEntities | Retrieve specific indicators using their indicator IDs. |
GetIntelReportEntities | Retrieve specific reports using their report IDs. |
This utility will import CrowdStrike Intel Threat indicators (Actors, Indicators and Reports) into your instance of MISP.
This sample demonstrates the following CrowdStrike Intel API operations:
Operation | Description |
---|---|
GetIntelActorEntities | Retrieve specific actors using their actor IDs. |
GetIntelIndicatorEntities | Retrieve specific indicators using their indicator IDs. |
GetIntelReportEntities | Retrieve specific reports using their report IDs. |
QueryIntelActorEntities | Get info about actors that match provided FQL filters. |
QueryIntelIndicatorEntities | Get info about indicators that match provided FQL filters. |
QueryIntelReportEntities | Get info about reports that match provided FQL filters. |
Coded by our Purveyor of Lint @jlangdev, Malqueryinator demonstrates how to use the CrowdStrike MalQuery API to search and download malware samples.
This sample has been used in other integrations! You can check out the related integration here.
This sample demonstrates the following CrowdStrike MalQuery API operations:
Operation | Description |
---|---|
GetMalQueryEntitiesSamplesFetchV1 | Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing. |
GetMalQueryRequestV1 | Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time. |
PostMalQueryEntitiesSamplesMultidownloadV1 | Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip. |
PostMalQueryFuzzySearchV1 | Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. |
These samples focus on CrowdStrike's Falcon Intelligence Sandbox API service collections.
- Manage sandbox uploads
- Falcon Intelligence Sandbox scan
- Get all artifacts
- Quick Scan a target
- S3 Bucket Protection
These samples use the CrowdStrike Sample Uploads API to upload, retrieve and delete files from Falcon Intelligence Sandbox. An example for using the Service Class and the Uber Class is provided.
These samples demonstrate the following CrowdStrike Sample Uploads API operations:
Operation | Description |
---|---|
GetSampleV3 | Retrieves the file associated with the given ID (SHA256). |
UploadSampleV3 | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. |
DeleteSampleV3 | Removes a sample, including file, meta and submissions from the collection. |
Analyze a single file for malware using the Falcon Intelligence Sandbox API with these examples. A sample using the Service Class and one using the Uber Class is provided.
These samples demonstrate the following CrowdStrike Falcon Intelligence Sandbox API operations:
Operation | Description |
---|---|
DeleteSampleV3 | Removes a sample, including file, meta and submissions from the collection. |
GetReports | Get a full sandbox report. |
GetSubmissions | Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
UploadSampleV3 | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. |
Submit | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
This example demonstrates retrieving all artifacts for all reports (in all supported formats).
This sample demonstrates the following CrowdStrike Falcon Intelligence Sandbox API operations:
Operation | Description |
---|---|
GetArtifacts | Download IOC packs, PCAP files, and other analysis artifacts. |
GetReports | Get a full sandbox report. |
QueryReports | Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria. |
This demonstration leverages the Falcon Quick Scan and Sample Uploads APIs to scan the contents of a target folder, either on the local filesystem or in an S3 bucket.
This sample demonstrates the following CrowdStrike Quick Scan and Sample Uploads API operations:
Operation | Description |
---|---|
DeleteSampleV3 | Removes a sample, including file, meta and submissions from the collection. |
GetScans | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. |
ScanSamples | Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. |
UploadSampleV3 | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. |
This demonstration will report your current scan quota.
This sample demonstrates the following CrowdStrike Quick Scan API operations:
Operation | Description |
---|---|
GetScans | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. |
Building on the previous example, this solution demonstrates a complete integration with AWS Lambda, AWS S3 and AWS Security Hub that scans files as they are uploaded to the bucket. Files that are found to be malicious are removed from the bucket and a finding is published to AWS Security Hub.
This sample demonstrates the following CrowdStrike Quick Scan and Sample Uploads API operations:
Operation | Description |
---|---|
DeleteSampleV3 | Removes a sample, including file, meta and submissions from the collection. |
GetScans | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. |
ScanSamples | Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute. |
UploadSampleV3 | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. |
These samples focus on CrowdStrike's Falcon Intelligence Recon API service collection.
Provided by @wozboz, this example demonstrates creating Falcon Intelligence Recon monitoring rules for a list of email addresses provided in CSV format.
This sample demonstrates the following CrowdStrike Recon API operations:
Operation | Description |
---|---|
CreateRulesV1 | Create monitoring rules. |
Do you have a suggestion for an example you'd like to see? Is one of the examples not working as expected? Let us know by posting a message to our discussion board.
Have an example you've developed yourself that you'd like to share? Excellent! Please review our contributing guidelines and then submit a pull request.