samples

CrowdStrike FalconPy

FalconPy Sample Library

These examples are provided as a quick start for your project.

Authentication for these Examples

In order to expedite sample delivery, examples will follow one of three standard patterns for defining and providing credentials for API access.

Pattern
Usage detail

Environment variables

Credentials are retrieved from the local environment of the machine the example is executed on. These values are named:

  • FALCON_CLIENT_ID

  • FALCON_CLIENT_SECRET

Runtime (Command line arguments)

Credentials are consumed at runtime via command line parameters. Typically this is handled via the argparse module.

Standardized "credential" file

This file is named config.json, and is in JSON format. This file is not encrypted and may not be suitable for production deployments. A sample of this file, config_sample.json, is provided within this folder. Rename this file to config.json, and then update its contents to reflect your current development API credentials.

Please note: These are not the only methods for providing these values.

Samples by API service collection

The following samples are categorized by CrowdStrike product, and further categorized by Falcon API service collection. Some samples have specific FalconPy version requirements; check the documentation maintained within the source or the sample README.md for more details.

Table of Contents

Topic
Samples

AES Authentication; AES File Crypt; Token Authentication

Topic
Samples

List sensors by hostname; Manage duplicate sensors; CUSSED (Manage stale sensors); Default Groups; Get Host Groups; Hosts Report; Host Search; Host Search Advanced; Host Tagger; Policy Check; RFM Report; Serial Search; Match usernames to hosts; Offset vs. Token; Prune Hosts by Hostname or AID; Quarantine a host; Quarantine a host (updated version)

Retrieve all report results

Download the CrowdStrike sensor

Clone Update Policy; Create Host Group and attach Update Policy; Policy Wonk

Token Dispenser

Get Quarantined Files

Bulk user administration; Find Users; Get user grants

Send detections to AWS Security Hub

Find child CID; Get Child Prevention Policies; Host Group Duplicator; Execute a command on hosts across multiple children

Topic
Samples

Custom IOA Cloner

IOA Exclusion Audit

Detects Advisor

Create indicators; IOC Audit; IOC Restore

ML Exclusion Audit

Clone Prevention Policy; Create Host Group and attach Prevention Policies; Prevention Policy Hawk

CrowdScore QuickChart; Incident Triage

Bulk execute a command; Bulk execute a command (queued); Get file from multiple hosts; Get host uptime; Get RTR result; Dump memory for a running process; My Little RTR; Remotely restart a sensor while taking a capture; RTR Script Manager; Stream file download

Sensor Visibility Exclusion Audit

Export Firewall events to a file

Topic
Samples

Manage Discover accounts (AWS)

Get CSPM policies

Topic
Samples

GraphQL Pagination

Topic
Samples

List discovered hosts; Spyglass

Find vulnerable hosts by CVE ID; CISA DHS Known Exploited Vulnerabilities; Spotlight Quick Report

Topic
Samples

Workflow Manager (terminal); Workflows Manager (GUI)

Topic
Samples

Detection as Code

Topic
Samples

Intel Search; MISP Import; Malqueryinator

Manage sandbox uploads; Falcon Intelligence sandbox scan; Get all artifacts; Quick Scan a target; Quick Scan quota check; S3 Bucket Protection

Create monitoring rules for an email list

Class type legend

Provided examples are additionally labeled by the type of class used to interact with the CrowdStrike API and if the solution supports MSSP usage scenarios.

Indicator
Detail

These samples leverage Service Classes to perform the example task.

These samples make use of the Uber Class to perform the example task.

These samples support MSSP usage scenarios.

These samples were submitted by a member of the community.

General
Deployment and Management
Endpoint Security
Cloud Security
Identity Protection
Exposure Management
Fusion and Foundry
Next-Gen SIEM


Suggestions

Do you have a suggestion for an example you'd like to see? Is one of the examples not working as expected? Let us know by posting a message to our discussion board.

Have an example you've developed yourself that you'd like to share? Excellent! Please review our contributing guidelines and then submit a pull request.
