FileVantage
| Operation ID | Description | ||||
|---|---|---|---|---|---|
|
Retrieves the processing results for one or more actions. | ||||
|
Initiates the specified action on the provided change IDs. | ||||
|
Retrieves the content captured for the provided change ID. | ||||
|
Retrieve information on changes | ||||
|
Manage host groups assigned to a policy. | ||||
|
Updates the policy precedence for all policies of a specific type. | ||||
|
Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy. | ||||
|
Retrieves the configuration for 1 or more policies. | ||||
|
Creates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type. | ||||
|
Deletes 1 or more policies. | ||||
|
Updates the general information of the provided policy. | ||||
|
Retrieves the configuration of 1 or more scheduled exclusions from the provided policy id. | ||||
|
Creates a new scheduled exclusion configuration for the provided policy id. | ||||
|
Deletes 1 or more scheduled exclusions from the provided policy id. | ||||
|
Updates the provided scheduled exclusion configuration within the provided policy. | ||||
|
Updates the rule precedence for all rules in the identified rule group. | ||||
|
Retrieves the configuration for 1 or more rules. | ||||
|
Creates a new rule configuration within the specified rule group. | ||||
|
Deletes 1 or more rules from the specified rule group. | ||||
|
Updates the provided rule configuration within the specified rule group. | ||||
|
Retrieves the rule group details for 1 or more rule groups. | ||||
|
Creates a new rule group of the specified type. | ||||
|
Deletes 1 or more rule groups | ||||
|
Updates the provided rule group. | ||||
|
Initiates a workflow for the provided change IDs. | ||||
|
Returns 1 or more action ids | ||||
|
Returns 1 or more change ids | ||||
|
Returns 1 or more change ids | ||||
|
Retrieve the ids of all policies that are assigned the provided policy type. | ||||
|
Retrieve the ids of all scheduled exclusions contained within the provided policy id. | ||||
|
Retrieve the ids of all rule groups that are of the provided rule group type. | ||||
WARNING
client_idandclient_secretare keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Retrieves the processing results for one or more actions
get_actions
| Method | Route |
|---|---|
 |
/filevantage/entities/actions/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
 |
|
query | string or list of strings | One or more change ids. The maximum number of ids that can be requested at once is 500. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_actions(ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.getActionsMixin0(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("getActionsMixin0", ids=id_list)
print(response)Initiates the specified action on the provided change IDs.
start_actions
| Method | Route |
|---|---|
 |
/filevantage/entities/actions/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
 |
body | list of dictionaries | Full body payload in JSON format. |
| change_ids |
|
 |
body | string or list of strings | The IDs of the changes the operation will perform. Maximum of 100 IDs per action. |
| comment |
|
|
body | string | Optional comment to describe reason for action. |
| operation |
|
|
body | string | Operation to perform. Must be one of:
|
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
change_id_list = "ID1,ID2,ID3" # Can also pass a list here ["ID1", "ID2", "ID3"]
response = falcon.start_actions(change_ids=change_id_list,
comment="string",
operation="string"
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
change_id_list = "ID1,ID2,ID3" # Can also pass a list here ["ID1", "ID2", "ID3"]
response = falcon.startActions(change_ids=change_id_list,
comment="string",
operation="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
change_id_list = "ID1,ID2,ID3" # Can also pass a list here ["ID1", "ID2", "ID3"]
body_payload = {
"change_ids": change_id_list,
"comment": "string",
"operation": "string"
}
response = falcon.command("startActions", body=body_payload)
print(response)Retrieves the content captured for the provided change ID.
get_contents
| Method | Route |
|---|---|
|
/filevantage/entities/change-content/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| compress |
|
|
query | boolean | Compress the response using gzip. Defaults to False. |
| id |
|
|
query | string | ID of the change. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_contents(compress=boolean, id="string")
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.getContents(compress=boolean, id="string")
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("getActionsMixin0", compress=boolean, ids="string")
print(response)Retrieve information on changes
get_changes
| Method | Route |
|---|---|
|
/filevantage/entities/changes/v2 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | One or more change ids. The maximum number of ids that can be requested at once is 500. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_changes(ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.getChanges(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("getChanges", ids=id_list)
print(response)Manage host groups assigned to a policy.
update_policy_host_groups
| Method | Route |
|---|---|
 |
/filevantage/entities/policies-host-groups/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| policy_id |
|
|
query | string | The id of the policy for which to perform the action. |
| action |
|
|
query | string | The action to perform with the provided ids, must be one of: assign or unassign. |
| ids |
|
|
query | string or list of strings | One or more host group ids. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.update_policy_host_groups(policy_id="string", action="string", ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.updatePolicyHostGroups(policy_id="string", action="string", ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("updatePolicyHostGroups",
policy_id="string",
action="string",
ids=id_list
)
print(response)Updates the policy precedence for all policies of a specific type.
update_policy_precedence
| Method | Route |
|---|---|
|
/filevantage/entities/policies-precedence/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | Precedence of the policies for the provided type. Precedence is determined by element position within the provided list. |
| type |
|
|
query | string | The policy type for which to set the precedence order, must be one of Windows, Linux or Mac. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.update_policy_precedence(type="string", ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.updatePolicyPrecedence(type="string", ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("updatePolicyPrecedence", type="string", ids=id_list)
print(response)Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy.
update_policy_rule_groups
| Method | Route |
|---|---|
|
/filevantage/entities/policies-rule-groups/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| policy_id |
|
|
query | string | The id of the policy for which to perform the action. |
| action |
|
|
query | string | The action to perform with the provided ids, must be one of: assign, unassign, or precedence. |
| ids |
|
|
query | string or list of strings | One or more rule group ids. Note, for the precedence action, precedence is controlled by the order of the ids as they are specified in the request. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.update_policy_rule_groups(policy_id="string", action="string", ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.updatePolicyRuleGroups(policy_id="string", action="string", ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("updatePolicyRuleGroups",
policy_id="string",
action="string",
ids=id_list
)
print(response)Retrieves the configuration for 1 or more policies.
get_policies
| Method | Route |
|---|---|
|
/filevantage/entities/policies/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | One or more (up to 500) policy IDs. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_policies(ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.getPolicies(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("getPolicies", ids=id_list)
print(response)Creates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type.
create_policy
| Method | Route |
|---|---|
|
/filevantage/entities/policies/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | list of dictionaries | Full body payload in JSON format. |
| description |
|
|
body | string | The policy description (Max: 500 characters) |
| name |
|
|
body | string | Name of the policy (Max: 100 characters) |
| platform |
|
|
body | string | Policy platform. Must be one of:
|
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.create_policy(description="string",
name="string",
platform="string"
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.createPolicies(description="string",
name="string",
platform="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"description": "string",
"name": "string",
"platform": "string"
}
response = falcon.command("createPolicies", body=body_payload)
print(response)Deletes 1 or more policies.
delete_policies
| Method | Route |
|---|---|
 |
/filevantage/entities/policies/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | One or more (up to 500) policy IDs. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_policies(ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.deletePolicies(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("deletePolicies", ids=id_list)
print(response)Updates the general information of the provided policy.
update_policies
| Method | Route |
|---|---|
|
/filevantage/entities/policies/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | list of dictionaries | Full body payload in JSON format. |
| description |
|
|
body | string | The policy description (Max: 500 characters) |
| id |
|
|
body | string | The ID of the policy to be updated |
| name |
|
|
body | string | Name of the policy (Max: 100 characters) |
| enabled |
|
|
body | boolean | Policy enablement status. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_policies(description="string",
id="string",
name="string",
enabled=boolean
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.updatePolicies(description="string",
id="string",
name="string",
enabled=boolean
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"description": "string",
"id": "string",
"name": "string",
"enabled": boolean
}
response = falcon.command("updatePolicies", body=body_payload)
print(response)Retrieves the configuration of 1 or more scheduled exclusions from the provided policy id.
get_scheduled_exclusions
| Method | Route |
|---|---|
|
/filevantage/entities/policy-scheduled-exclusions/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| policy_id |
|
|
query | string | The id of the policy to retrieve the scheduled exclusion configurations. |
| ids |
|
|
query | string or list of strings | One or more (up to 500) scheduled exclusion IDs. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_scheduled_exclusions(policy_id="string", ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.getScheduledExclusions(policy_id="string", ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("getScheduledExclusions", policy_id="string", ids=id_list)
print(response)Creates a new scheduled exclusion configuration for the provided policy id.
create_scheduled_exclusions
| Method | Route |
|---|---|
|
/filevantage/entities/policy-scheduled-exclusions/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | list of dictionaries | Full body payload in JSON format. |
| description |
|
|
body | string | The scheduled exclusion description (Max: 500 characters) |
| name |
|
|
body | string | Name of the scheduled exclusion (Max: 100 characters) |
| policy_id |
|
|
body | string | ID of the policy the schedule exclusion is assigned. |
| users |
|
|
body | string | Comma-delimited list of users to not monitor changes. (Max: 500 characters). Example: admin* excludes changes made by all usernames that begin with admin.Supports Falcon GLOB syntax |
| processes |
|
|
body | string | Comma-delimited list of processes to not monitor changes. (Max: 500 characters). Example: **\RunMe.exe or **/RunMe.sh excludes changes made by RunMe.exe or RunMe.sh in any location. |
| schedule_start |
|
|
body | string | Indicates the start of the schedule. (RFC3339 format) |
| schedule_end |
|
|
body | string | Indicates the end of the schedule. (RFC3339 format) |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.create_scheduled_exclusions(description="string",
name="string",
policy_id="string",
users="string",
processes="string",
schedule_start="string",
schedule_end="string"
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.createScheduledExclusions(description="string",
name="string",
policy_id="string",
users="string",
processes="string",
schedule_start="string",
schedule_end="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"description": "string",
"name": "string",
"policy_id": "string",
"processes": "string",
"schedule_end": "string",
"schedule_start": "string",
"users": "string"
}
response = falcon.command("createScheduledExclusions", body=body_payload)
print(response)Deletes 1 or more scheduled exclusions from the provided policy id.
delete_scheduled_exclusions
| Method | Route |
|---|---|
|
/filevantage/entities/policy-scheduled-exclusions/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| policy_id |
|
|
query | string | ID of the policy to delete the scheduled exclusions from. |
| ids |
|
|
query | string or list of strings | One or more (up to 500) scheduled exclusion IDs. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_scheduled_exclusions(policy_id="string", ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.deleteScheduledExclusions(policy_id="string", ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("deleteScheduledExclusions", policy_id="string", ids=id_list)
print(response)Updates the provided scheduled exclusion configuration within the provided policy.
update_scheduled_exclusions
| Method | Route |
|---|---|
|
/filevantage/entities/policy-scheduled-exclusions/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | list of dictionaries | Full body payload in JSON format. |
| description |
|
|
body | string | The scheduled exclusion description (Max: 500 characters) |
| id |
|
|
body | string | ID of the scheduled exclusion to update. |
| name |
|
|
body | string | Name of the scheduled exclusion (Max: 100 characters) |
| policy_id |
|
|
body | string | ID of the policy the schedule exclusion is assigned. |
| users |
|
|
body | string | Comma-delimited list of users to not monitor changes. (Max: 500 characters). Example: admin* excludes changes made by all usernames that begin with admin.Supports Falcon GLOB syntax |
| processes |
|
|
body | string | Comma-delimited list of processes to not monitor changes. (Max: 500 characters). Example: **\RunMe.exe or **/RunMe.sh excludes changes made by RunMe.exe or RunMe.sh in any location. |
| schedule_start |
|
|
body | string | Indicates the start of the schedule. (RFC3339 format) |
| schedule_end |
|
|
body | string | Indicates the end of the schedule. (RFC3339 format) |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_scheduled_exclusions(description="string",
name="string",
id="string",
policy_id="string",
users="string",
processes="string",
schedule_start="string",
schedule_end="string"
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.updateScheduledExclusions(description="string",
name="string",
id="string",
policy_id="string",
users="string",
processes="string",
schedule_start="string",
schedule_end="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"description": "string",
"id": "string",
"name": "string",
"policy_id": "string",
"processes": "string",
"schedule_end": "string",
"schedule_start": "string",
"users": "string"
}
response = falcon.command("updateScheduledExclusions", body=body_payload)
print(response)Updates the rule precedence for all rules in the identified rule group.
update_rule_group_precedence
| Method | Route |
|---|---|
|
/filevantage/entities/rule-groups-rule-precedence/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| rule_group_id |
|
|
query | string | Rule group from which to set the precedence. |
| ids |
|
|
query | string or list of strings | One or more (up to 500) rule group IDs. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.update_rule_group_precedence(rule_group_id="string", ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.updateRuleGroupPrecedence(rule_group_id="string", ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("updateRuleGroupPrecedence", rule_group_id="string", ids=id_list)
print(response)Retrieves the configuration for 1 or more rules.
get_rules
| Method | Route |
|---|---|
|
/filevantage/entities/rule-groups-rules/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| rule_group_id |
|
|
query | string | Rule group from which to retrieve the rule configuration. |
| ids |
|
|
query | string or list of strings | One or more (up to 500) rule IDs. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rules(rule_group_id="string", ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.getRules(rule_group_id="string", ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("getRules", rule_group_id="string", ids=id_list)
print(response)Creates a new rule configuration within the specified rule group.
create_rule
| Method | Route |
|---|---|
|
/filevantage/entities/rule-groups-rules/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | list of dictionaries | Full body payload in JSON format. |
| description |
|
|
body | string | The rule description (Max: 500 characters) |
| rule_group_id |
|
|
body | string | Group ID containing the group configuration. |
| path |
|
|
body | string | The file system or registry path to monitor. (Max: 250 characters) All paths must end with the path separator, e.g. \ (Windows) or / (Linux/MacOS) |
| severity |
|
|
body | string | To categorize change events produced by this rule. Allowed values:
|
| depth |
|
|
body | string | Recursion levels below the base path to monitor (1 - 5, or ANY). |
| precedence |
|
|
body | integer | The order in which rules will be evaluated starting with 1. Specifying a precedence value that is already set for another rule in the group will result in this rule being placed before the existing rule. |
| include |
|
|
body | string | The files, directories, registry keys, or registry values that will be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to. Falcon GLOB syntax is supported |
| exclude |
|
|
body | string | The files, directories, registry keys, or registry values that will not be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to. Falcon GLOB syntax is supported |
| include_users |
|
|
body | string | The changes performed by these specific users will be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to. Falcon GLOB syntax is supported MacOS is not supported at this time |
| exclude_users |
|
|
body | string | The changes performed by these specific users will not be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to. Falcon GLOB syntax is supported MacOS is not supported at this time |
| include_processes |
|
|
body | string | The changes performed by these specific processes will be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to. Falcon GLOB syntax is supported MacOS is not supported at this time |
| exclude_processes |
|
|
body | string | The changes performed by these specific processes will not be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to. Falcon GLOB syntax is supported MacOS is not supported at this time |
| content_files |
|
|
body | string | The files whose content will be monitored. Listed files must match the file include pattern and not match the file exclude pattern. |
| content_registry_values |
|
|
body | string | The registry values whose content will be monitored. Listed registry values must match the registry include pattern and not match the registry exclude pattern. |
| enable_content_capture |
|
|
body | boolean | Enable content capturing. |
| enable_hash_capture |
|
|
body | boolean | Enable hash capturing. |
| watch_create_directory_changes |
|
|
body | boolean | File system directory monitoring. |
| watch_delete_directory_changes |
|
|
body | boolean | File system directory monitoring. |
| watch_rename_directory_changes |
|
|
body | boolean | File system directory monitoring. |
| watch_attributes_directory_changes |
|
|
body | boolean | File system directory monitoring. MacOS is not supported at this time |
| watch_permissions_directory_changes |
|
|
body | boolean | File system directory monitoring. MacOS is not supported at this time |
| watch_create_file_changes |
|
|
body | boolean | File system file monitoring. |
| watch_delete_file_changes |
|
|
body | boolean | File system file monitoring. |
| watch_write_file_changes |
|
|
body | boolean | File system file monitoring. |
| watch_rename_file_changes |
|
|
body | boolean | File system file monitoring. |
| watch_attributes_file_changes |
|
|
body | boolean | File system file monitoring. MacOS is not supported at this time |
| watch_permissions_file_changes |
|
|
body | boolean | File system file monitoring. MacOS is not supported at this time |
| watch_create_key_changes |
|
|
body | boolean | Windows registry key and value monitoring. |
| watch_delete_key_changes |
|
|
body | boolean | Windows registry key and value monitoring. |
| watch_permissions_key_changes |
|
|
body | boolean | Windows registry key and value permissions monitoring. |
| watch_set_value_changes |
|
|
body | boolean | Windows registry key and value monitoring. |
| watch_delete_value_changes |
|
|
body | boolean | Windows registry key and value monitoring. |
| watch_rename_key_changes |
|
|
body | boolean | Windows registry key and value monitoring. |
| watch_create_file_changes |
|
|
body | boolean | Windows registry key and value monitoring. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.create_rule(depth="string",
description="string",
exclude="string",
exclude_processes="string",
exclude_users="string",
include="string",
include_processes="string",
include_users="string",
path="string",
precedence=integer,
rule_group_id="string",
severity="string",
content_files="string",
content_registry_values="string",
enable_content_capture=boolean,
enable_hash_capture=boolean,
watch_attributes_directory_changes=boolean,
watch_attributes_file_changes=boolean,
watch_create_directory_changes=boolean,
watch_create_file_changes=boolean,
watch_create_key_changes=boolean,
watch_delete_directory_changes=boolean,
watch_delete_file_changes=boolean,
watch_delete_key_changes=boolean,
watch_delete_value_changes=boolean,
watch_permissions_directory_changes=boolean,
watch_permissions_file_changes=boolean,
watch_rename_directory_changes=boolean,
watch_rename_file_changes=boolean,
watch_rename_key_changes=boolean,
watch_set_value_changes=boolean,
watch_write_file_changes=boolean
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.createRules(depth="string",
description="string",
exclude="string",
exclude_processes="string",
exclude_users="string",
include="string",
include_processes="string",
include_users="string",
path="string",
precedence=integer,
rule_group_id="string",
severity="string",
content_files="string",
content_registry_values="string",
enable_content_capture=boolean,
enable_hash_capture=boolean,
watch_attributes_directory_changes=boolean,
watch_attributes_file_changes=boolean,
watch_create_directory_changes=boolean,
watch_create_file_changes=boolean,
watch_create_key_changes=boolean,
watch_delete_directory_changes=boolean,
watch_delete_file_changes=boolean,
watch_delete_key_changes=boolean,
watch_delete_value_changes=boolean,
watch_permissions_directory_changes=boolean,
watch_permissions_file_changes=boolean,
watch_rename_directory_changes=boolean,
watch_rename_file_changes=boolean,
watch_rename_key_changes=boolean,
watch_set_value_changes=boolean,
watch_write_file_changes=boolean
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"depth": "string",
"description": "string",
"exclude": "string",
"exclude_processes": "string",
"exclude_users": "string",
"include": "string",
"include_processes": "string",
"include_users": "string",
"path": "string",
"precedence": 0,
"rule_group_id": "string",
"severity": "string",
"content_files": "string",
"content_registry_values": "string",
"enable_content_capture": boolean,
"enable_hash_capture": boolean,
"watch_attributes_directory_changes": boolean,
"watch_attributes_file_changes": boolean,
"watch_create_directory_changes": boolean,
"watch_create_file_changes": boolean,
"watch_create_key_changes": boolean,
"watch_delete_directory_changes": boolean,
"watch_delete_file_changes": boolean,
"watch_delete_key_changes": boolean,
"watch_delete_value_changes": boolean,
"watch_permissions_directory_changes": boolean,
"watch_permissions_file_changes": boolean,
"watch_rename_directory_changes": boolean,
"watch_rename_file_changes": boolean,
"watch_rename_key_changes": boolean,
"watch_set_value_changes": boolean,
"watch_write_file_changes": boolean
}
response = falcon.command("createRules", body=body_payload)
print(response)Deletes 1 or more rules from the specified rule group.
delete_rules
| Method | Route |
|---|---|
|
/filevantage/entities/rule-groups-rules/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| rule_group_id |
|
|
query | string | The id of the rule group from which the rules will be deleted. |
| ids |
|
|
query | string or list of strings | One or more (up to 500) rule IDs. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_rules(rule_group_id="string", ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.deleteRules(rule_group_id="string", ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
PARAMS = {
"rule_group_id": "string"
}
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("deleteRules", parameters=PARAMS, ids=id_list)
print(response)Updates the provided rule configuration within the specified rule group.
update_rule
| Method | Route |
|---|---|
|
/filevantage/entities/rule-groups-rules/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | list of dictionaries | Full body payload in JSON format. |
| description |
|
|
body | string | The rule description (Max: 500 characters) |
| rule_group_id |
|
|
body | string | Group ID containing the group configuration. |
| path |
|
|
body | string | The file system or registry path to monitor. (Max: 250 characters) All paths must end with the path separator, e.g. \ (Windows) or / (Linux/MacOS) |
| severity |
|
|
body | string | To categorize change events produced by this rule. Allowed values:
|
| depth |
|
|
body | string | Recursion levels below the base path to monitor (1 - 5, or ANY). |
| precedence |
|
|
body | integer | The order in which rules will be evaluated starting with 1. Specifying a precedence value that is already set for another rule in the group will result in this rule being placed before the existing rule. |
| include |
|
|
body | string | The files, directories, registry keys, or registry values that will be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to. Falcon GLOB syntax is supported |
| exclude |
|
|
body | string | The files, directories, registry keys, or registry values that will not be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to. Falcon GLOB syntax is supported |
| include_users |
|
|
body | string | The changes performed by these specific users will be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to. Falcon GLOB syntax is supported MacOS is not supported at this time |
| exclude_users |
|
|
body | string | The changes performed by these specific users will not be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to. Falcon GLOB syntax is supported MacOS is not supported at this time |
| include_processes |
|
|
body | string | The changes performed by these specific processes will be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to. Falcon GLOB syntax is supported MacOS is not supported at this time |
| exclude_processes |
|
|
body | string | The changes performed by these specific processes will not be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to. Falcon GLOB syntax is supported MacOS is not supported at this time |
| content_files |
|
|
body | string | The files whose content will be monitored. Listed files must match the file include pattern and not match the file exclude pattern. |
| content_registry_values |
|
|
body | string | The registry values whose content will be monitored. Listed registry values must match the registry include pattern and not match the registry exclude pattern. |
| enable_content_capture |
|
|
body | boolean | Enable content capturing. |
| enable_hash_capture |
|
|
body | boolean | Enable hash capturing. |
| watch_create_directory_changes |
|
|
body | boolean | File system directory monitoring. |
| watch_delete_directory_changes |
|
|
body | boolean | File system directory monitoring. |
| watch_rename_directory_changes |
|
|
body | boolean | File system directory monitoring. |
| watch_attributes_directory_changes |
|
|
body | boolean | File system directory monitoring. MacOS is not supported at this time |
| watch_permissions_directory_changes |
|
|
body | boolean | File system directory monitoring. MacOS is not supported at this time |
| watch_create_file_changes |
|
|
body | boolean | File system file monitoring. |
| watch_delete_file_changes |
|
|
body | boolean | File system file monitoring. |
| watch_write_file_changes |
|
|
body | boolean | File system file monitoring. |
| watch_rename_file_changes |
|
|
body | boolean | File system file monitoring. |
| watch_attributes_file_changes |
|
|
body | boolean | File system file monitoring. MacOS is not supported at this time |
| watch_permissions_file_changes |
|
|
body | boolean | File system file monitoring. MacOS is not supported at this time |
| watch_create_key_changes |
|
|
body | boolean | Windows registry key and value monitoring. |
| watch_delete_key_changes |
|
|
body | boolean | Windows registry key and value monitoring. |
| watch_set_value_changes |
|
|
body | boolean | Windows registry key and value monitoring. |
| watch_delete_value_changes |
|
|
body | boolean | Windows registry key and value monitoring. |
| watch_rename_key_changes |
|
|
body | boolean | Windows registry key and value monitoring. |
| watch_create_file_changes |
|
|
body | boolean | Windows registry key and value monitoring. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_rule(depth="string",
description="string",
exclude="string",
exclude_processes="string",
exclude_users="string",
id="string",
include="string",
include_processes="string",
include_users="string",
path="string",
precedence=integer,
rule_group_id="string",
severity="string",
content_files="string",
content_registry_values="string",
enable_content_capture=boolean,
enable_hash_capture=boolean,
watch_attributes_directory_changes=boolean,
watch_attributes_file_changes=boolean,
watch_create_directory_changes=boolean,
watch_create_file_changes=boolean,
watch_create_key_changes=boolean,
watch_delete_directory_changes=boolean,
watch_delete_file_changes=boolean,
watch_delete_key_changes=boolean,
watch_delete_value_changes=boolean,
watch_permissions_directory_changes=boolean,
watch_permissions_file_changes=boolean,
watch_rename_directory_changes=boolean,
watch_rename_file_changes=boolean,
watch_rename_key_changes=boolean,
watch_set_value_changes=boolean,
watch_write_file_changes=boolean
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.updateRules(depth="string",
description="string",
exclude="string",
exclude_processes="string",
exclude_users="string",
id="string",
include="string",
include_processes="string",
include_users="string",
path="string",
precedence=integer,
rule_group_id="string",
severity="string",
content_files="string",
content_registry_values="string",
enable_content_capture=boolean,
enable_hash_capture=boolean,
watch_attributes_directory_changes=boolean,
watch_attributes_file_changes=boolean,
watch_create_directory_changes=boolean,
watch_create_file_changes=boolean,
watch_create_key_changes=boolean,
watch_delete_directory_changes=boolean,
watch_delete_file_changes=boolean,
watch_delete_key_changes=boolean,
watch_delete_value_changes=boolean,
watch_permissions_directory_changes=boolean,
watch_permissions_file_changes=boolean,
watch_rename_directory_changes=boolean,
watch_rename_file_changes=boolean,
watch_rename_key_changes=boolean,
watch_set_value_changes=boolean,
watch_write_file_changes=boolean
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"depth": "string",
"description": "string",
"exclude": "string",
"exclude_processes": "string",
"exclude_users": "string",
"id": "string",
"include": "string",
"include_processes": "string",
"include_users": "string",
"path": "string",
"precedence": 0,
"rule_group_id": "string",
"severity": "string",
"content_files": "string",
"content_registry_values": "string",
"enable_content_capture": boolean,
"enable_hash_capture": boolean,
"watch_attributes_directory_changes": boolean,
"watch_attributes_file_changes": boolean,
"watch_create_directory_changes": boolean,
"watch_create_file_changes": boolean,
"watch_create_key_changes": boolean,
"watch_delete_directory_changes": boolean,
"watch_delete_file_changes": boolean,
"watch_delete_key_changes": boolean,
"watch_delete_value_changes": boolean,
"watch_permissions_directory_changes": boolean,
"watch_permissions_file_changes": boolean,
"watch_rename_directory_changes": boolean,
"watch_rename_file_changes": boolean,
"watch_rename_key_changes": boolean,
"watch_set_value_changes": boolean,
"watch_write_file_changes": boolean
}
response = falcon.command("updateRules", body=body_payload)
print(response)Retrieves the rule group details for 1 or more rule groups.
get_rule_groups
| Method | Route |
|---|---|
|
/filevantage/entities/rule-groups/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | One or more (up to 500) rule group ids. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rule_groups(ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.getRuleGroups(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("getRuleGroups", ids=id_list)
print(response)Creates a new rule group of the specified type.
create_rule_group
| Method | Route |
|---|---|
|
/filevantage/entities/rule-groups/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | list of dictionaries | Full body payload in JSON format. |
| description |
|
|
body | string | The policy description (Max: 500 characters) |
| name |
|
|
body | string | Name of the policy (Max: 100 characters) |
| type |
|
|
body | string | Rule group type. Must be one of:
|
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.create_rule_group(description="string",
name="string",
type="string"
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.createRuleGroups(description="string",
name="string",
type="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"description": "string",
"name": "string",
"type": "string"
}
response = falcon.command("createRuleGroups", body=body_payload)
print(response)Deletes 1 or more rule groups
delete_rule_groups
| Method | Route |
|---|---|
|
/filevantage/entities/rule-groups/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | One or more (up to 500) rule group ids. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_rule_groups(ids=id_list)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.deleteRuleGroups(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("deleteRuleGroups", ids=id_list)
print(response)Updates the provided rule group.
update_rule_group
| Method | Route |
|---|---|
|
/filevantage/entities/rule-groups/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | list of dictionaries | Full body payload in JSON format. |
| description |
|
|
body | string | The policy description (Max: 500 characters) |
| name |
|
|
body | string | Name of the policy (Max: 100 characters) |
| id |
|
|
body | string | Rule group ID to update. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_rule_group(description="string",
name="string",
id="string"
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.updateRuleGroups(description="string",
name="string",
id="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"description": "string",
"name": "string",
"id": "string"
}
response = falcon.command("updateRuleGroups", body=body_payload)
print(response)Initiates workflows for the provided change IDs.
signal_changes
| Method | Route |
|---|---|
|
/filevantage/entities/workflow/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | dictionary | Full body payload in JSON format. |
| ids |
|
|
body | string or list of strings | Change IDs to initiate the workflows, limited to 100 IDs per request. |
from falconpy import Hosts
# Do not hardcode API credentials!
falcon = Hosts(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.signal_changes(ids=id_list)
print(response)from falconpy import Hosts
# Do not hardcode API credentials!
falcon = Hosts(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.signalChangesExternal(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("signalChangesExternal", ids=id_list)
print(response)Returns one or more action IDs.
query_actions
| Method | Route |
|---|---|
|
/filevantage/queries/actions/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| offset |
|
|
query | integer | The offset to start retrieving records from. Defaults to 0 if not specified. |
| limit |
|
|
query | integer | The maximum number of ids to return. Defaults to 100 if not specified. The maximum number of results that can be returned in a single call is 500. |
| sort |
|
|
query | string | Sort results using options like: - created_date (timestamp of the change occurrence) Sort either asc (ascending) or desc (descending). For example: created_date|asc. The full list of allowed sorting options can be reviewed in our API documentation. |
| filter |
|
|
query | string | Filter changes using a query in Falcon Query Language (FQL). Common filter options include: - status - operation_type The full list of allowed filter parameters can be reviewed in our API documentation. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_actions(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.queryActionsMixin0(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("queryActionsMixin0",
offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)Returns 1 or more change ids
query_changes
| Method | Route |
|---|---|
|
/filevantage/queries/changes/v2 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| offset |
|
|
query | integer | The offset to start retrieving records from. Defaults to 0 if not specified. |
| limit |
|
|
query | integer | The maximum number of ids to return. Defaults to 100 if not specified. The maximum number of results that can be returned in a single call is 500. |
| sort |
|
|
query | string | Sort results using options like: - action_timestamp (timestamp of the change occurrence) Sort either asc (ascending) or desc (descending). For example: action_timestamp|asc. The full list of allowed sorting options can be reviewed in our API documentation. |
| filter |
|
|
query | string | Filter changes using a query in Falcon Query Language (FQL). Common filter options include: - host.name - action_timestamp The full list of allowed filter parameters can be reviewed in our API documentation. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_changes(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.queryChanges(offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("queryChanges",
offset=integer,
limit=integer,
sort="string",
filter="string"
)
print(response)Returns 1 or more change ids
query_changes_scroll
| Method | Route |
|---|---|
|
/filevantage/queries/changes/v3 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| after |
|
|
query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request don't provide a value for the after token. On subsequent requests provide the after token value from the previous response to continue pagination from where you left. If the response returns an empty after token it means there are no more results to return. |
| limit |
|
|
query | integer | The maximum number of ids to return. Defaults to 100 if not specified. The maximum number of results that can be returned in a single call is 5000. |
| sort |
|
|
query | string | Sort results using options like: - action_timestamp (timestamp of the change occurrence) Sort either asc (ascending) or desc (descending). For example: action_timestamp|asc. Defaults to action_timestamp|desc no value is specified. The full list of allowed sorting options can be reviewed in our API documentation. |
| filter |
|
|
query | string | Filter changes using a query in Falcon Query Language (FQL). Common filter options include: - host.name - action_timestamp The full list of allowed filter parameters can be reviewed in our API documentation. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_changes_scroll(after="string",
limit=integer,
sort="string",
filter="string"
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.highVolumeQueryChanges(after="string",
limit=integer,
sort="string",
filter="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("highVolumeQueryChanges",
after="string",
limit=integer,
sort="string",
filter="string"
)
print(response)Retrieve the ids of all policies that are assigned the provided policy type.
query_policies
| Method | Route |
|---|---|
|
/filevantage/queries/policies/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| offset |
|
|
query | integer | The offset to start retrieving records from. Defaults to 0 if not specified. |
| limit |
|
|
query | integer | The maximum number of ids to return. Defaults to 100 if not specified. The maximum number of results that can be returned in a single call is 500. |
| sort |
|
|
query | string | Sort the returned ids based on one of the following properties: precedence, created_timestamp or modified_timestamp Sort either asc (ascending) or desc (descending); for example: precedence|asc. |
| type |
|
|
query | string | The types of policies to retrieve. Allowed values are: Windows, Linux or Mac. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_policies(offset=integer,
limit=integer,
sort="string",
type="string"
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.queryPolicies(offset=integer,
limit=integer,
sort="string",
type="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("queryPolicies",
offset=integer,
limit=integer,
sort="string",
type="string"
)
print(response)Retrieve the ids of all scheduled exclusions contained within the provided policy id.
query_scheduled_exclusions
| Method | Route |
|---|---|
|
/filevantage/queries/policy-scheduled-exclusions/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| policy_id |
|
|
query | string | The id of the policy from which to retrieve the scheduled exclusion ids. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_scheduled_exclusions(policy_id="string")
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.queryScheduledExclusions(policy_id="string")
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("queryScheduledExclusions", policy_id="string")
print(response)Retrieve the ids of all rule groups that are of the provided rule group type.
query_rule_groups
| Method | Route |
|---|---|
|
/filevantage/queries/rule-groups/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| offset |
|
|
query | integer | The offset to start retrieving records from. Defaults to 0 if not specified. |
| limit |
|
|
query | integer | The maximum number of ids to return. Defaults to 100 if not specified. The maximum number of results that can be returned in a single call is 500. |
| sort |
|
|
query | string | Sort the returned ids based on one of the following properties: created_timestamp or modified_timestamp Sort either asc (ascending) or desc (descending); for example: created_timestamp|asc. |
| type |
|
|
query | string | The rule group type to retrieve the ids of. Allowed values are: WindowsFiles, WindowsRegistry, LinuxFiles or MacFiles. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_rule_groups(offset=integer,
limit=integer,
sort="string",
type="string"
)
print(response)from falconpy import FileVantage
# Do not hardcode API credentials!
falcon = FileVantage(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.queryRuleGroups(offset=integer,
limit=integer,
sort="string",
type="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("queryRuleGroups",
offset=integer,
limit=integer,
sort="string",
type="string"
)
print(response)
- Home
- Discussions Board
- Glossary of Terms
- Installation, Upgrades and Removal
- Samples Collection
- Using FalconPy
- API Operations
-
Service Collections
- Alerts
- API Integrations
- Cloud Connect AWS (deprecated)
- Cloud Snapshots
- Configuration Assessment
- Configuration Assessment Evaluation Logic
- Container Alerts
- Container Detections
- Container Images
- Container Packages
- Container Vulnerabilities
- CSPM Registration
- Custom IOAs
- Custom Storage
- D4C Registration (deprecated)
- Detects
- Device Control Policies
- Discover
- Drift Indicators
- Event Streams
- Exposure Management
- Falcon Complete Dashboard
- Falcon Container
- Falcon Intelligence Sandbox
- FDR
- FileVantage
- Firewall Management
- Firewall Policies
- Foundry LogScale
- Host Group
- Hosts
- Identity Protection
- Image Assessment Policies
- Incidents
- Installation Tokens
- Intel
- IOA Exclusions
- IOC
- IOCs (deprecated)
- Kubernetes Protection
- MalQuery
- Message Center
- ML Exclusions
- Mobile Enrollment
- MSSP (Flight Control)
- OAuth2
- ODS (On Demand Scan)
- Overwatch Dashboard
- Prevention Policy
- Quarantine
- Quick Scan
- Real Time Response
- Real Time Response Admin
- Real Time Response Audit
- Recon
- Report Executions
- Response Policies
- Sample Uploads
- Scheduled Reports
- Sensor Download
- Sensor Update Policy
- Sensor Visibility Exclusions
- Spotlight Evaluation Logic
- Spotlight Vulnerabilities
- Tailored Intelligence
- ThreatGraph
- Unidentified Containers
- User Management
- Workflows
- Zero Trust Assessment
- Documentation Support
-
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust
