firewall_management


Falcon Firewall Management samples
The examples within this folder focus on leveraging CrowdStrike's Falcon Firewall Management API.
Export firewall events
Exports CrowdStrike firewall events to a file.
Running the program
To run this demonstration, you will need CrowdStrike API keys with the following scopes:
Service Collection | Scope
Firewall Management | READ
Execution syntax
This sample leverages simple command-line arguments to implement functionality.
Basic usage
Export firewall events.
python3 get_firewall_events.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET
Limit the number of events returned with the -l argument.
python3 get_firewall_events.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -l 500
Change your CrowdStrike region using the -b argument. (Only required for GovCloud users.)
python3 get_firewall_events.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -b usgov1
Command-line help
Command-line help is available via the -h argument.
python3 get_firewall_events.py -h
usage: get_firewall_events.py [-h] -k FALCON_CLIENT_ID -s FALCON_CLIENT_SECRET [-b BASE_URL] [-l LIMIT]
Dump CrowdStrike Firewall events to a file.
_______ __ __ __
| _ |__.----.-----.--.--.--.---.-| | |
|. 1___| | _| -__| | | | _ | | |
|. __) |__|__| |_____|________|___._|__|__|
|: |
|::.| ___ ___ __
`---' | Y .---.-.-----.---.-.-----.-----.--------.-----.-----| |_
|. | _ | | _ | _ | -__| | -__| | _|
|. \_/ |___._|__|__|___._|___ |_____|__|__|__|_____|__|__|____|
|: | | |_____|
|::.|:. | FalconPy v1.0
`--- ---'
Creation: 05.13.2022, wozboz@CrowdStrike
optional arguments:
-h, --help show this help message and exit
-b BASE_URL, --base_url BASE_URL
CrowdStrike base URL (only required for GovCloud, pass usgov1)
-l LIMIT, --limit LIMIT
FQL filter to use to filter detections
required arguments:
-k FALCON_CLIENT_ID, --falcon_client_id FALCON_CLIENT_ID
CrowdStrike Falcon API Client ID
-s FALCON_CLIENT_SECRET, --falcon_client_secret FALCON_CLIENT_SECRET
CrowdStrike Falcon API Client Secret
Example source code
The source code for this example can be found here.
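An export of the kind described above, written as an added example; it is not the project's get_firewall_events.py. It assumes FalconPy's FirewallManagement service class with its query_events and get_events methods and the usual status_code/body/resources response layout, and it reads credentials from the environment. The function names, the FALCON_BASE_URL variable, the offset paging and the output file name are assumptions made for this example.

```python
import json
import os


def export_events(client, limit=100, page_size=50):
    """Collect up to `limit` events; `client` needs query_events/get_events."""
    events, offset = [], 0
    while len(events) < limit:
        want = min(page_size, limit - len(events))
        page = client.query_events(limit=want, offset=offset)
        if page["status_code"] != 200:
            raise RuntimeError(f"query_events: {page['body'].get('errors')}")
        ids = page["body"].get("resources") or []
        if not ids:
            break  # nothing more to fetch
        detail = client.get_events(ids=ids)
        if detail["status_code"] != 200:
            raise RuntimeError(f"get_events: {detail['body'].get('errors')}")
        events.extend(detail["body"].get("resources") or [])
        offset += len(ids)
        if len(ids) < want:
            break  # short page: result set exhausted
    return events


def write_events(events, path):
    """Write events as JSON, readable by the owner only; return the count."""
    # Firewall events can describe internal hosts and traffic, so keep 0o600.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        json.dump(events, handle, indent=2)
    return len(events)


def main():
    # Imported here so the functions above stay usable without FalconPy.
    from falconpy import FirewallManagement
    client = FirewallManagement(
        client_id=os.environ["FALCON_CLIENT_ID"],
        client_secret=os.environ["FALCON_CLIENT_SECRET"],
        # FALCON_BASE_URL is an assumed variable name; set usgov1 for GovCloud.
        base_url=os.environ.get("FALCON_BASE_URL", "us1"),
    )
    count = write_events(export_events(client, limit=500), "firewall_events.json")
    print(f"exported {count} firewall events")


if __name__ == "__main__":
    main()
```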