Firewall Management
| Operation ID | Description |
|---|---|
| `aggregate_events` | Aggregate events for customer |
| `aggregate_policy_rules` | Aggregate rules within a policy for customer |
| `aggregate_rule_groups` | Aggregate rule groups for customer |
| `aggregate_rules` | Aggregate rules for customer |
| `get_events` | Get events entities by ID and optionally version |
| `get_firewall_fields` | Get the firewall field specifications by ID |
| `get_network_locations_details` | Get network locations entities by ID |
| `update_network_locations_metadata` | Updates the network locations metadata such as polling_intervals for the cid |
| `update_network_locations_precedence` | Updates the network locations precedence according to the list of ids provided. |
| `get_network_locations` | Get a summary of network locations entities by ID |
| `upsert_network_locations` | Update the network locations provided, and return the ID. |
| `create_network_locations` | Create new network locations provided, and return the ID. |
| | Delete network location entities by ID. |
| | Update the network locations provided, and return the ID. |
| | Get platforms by ID, e.g., windows or mac or droid |
| | Get policy container entities by policy ID |
| | Update an identified policy container |
| | Update an identified policy container |
| | Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order. |
| | Create new rule group on a platform for a customer with a name and description, and return the ID |
| | Delete rule group entities by ID |
| | Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
| | Validates the request of creating a new rule group on a platform for a customer with a name and description |
| | Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
| | Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string) |
| | Validates that the test pattern matches the executable filepath glob pattern. |
| | Find all event IDs matching the query with filter |
| | Get the firewall field specification IDs for the provided platform |
| | Get a list of network location IDs |
| | Get the list of platform names |
| | Find all firewall rule IDs matching the query with filter, and return them in precedence order |
| | Find all rule group IDs matching the query with filter |
| | Find all rule IDs matching the query with filter |
> **WARNING**: `client_id` and `client_secret` are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.) CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Aggregate events for customer
aggregate_events
| Method | Route |
|---|---|
| | `/fwmgr/aggregates/events/GET/v1` |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | list of dictionaries | Full body payload in JSON format. |
| date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: `[ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ]` |
| exclude | body | string | Elements to exclude. |
| field | body | string | The field on which to compute the aggregation. |
| filter | body | string | FQL syntax formatted string to use to filter the results. |
| from | body | integer | Starting position. |
| include | body | string | Elements to include. |
| interval | body | string | Time interval for date histogram aggregations. Valid values include: |
| max_doc_count | body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | body | string | Full text search across all metadata fields. |
| ranges | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: `[ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ]` |
| size | body | integer | The max number of term buckets to be returned. |
| sub_aggregates | body | list of dictionaries | A nested aggregation, such as: `[ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ]` There is a maximum of 3 nested aggregations per request. |
| sort | body | string | FQL syntax string to sort bucket results. `asc` and `desc` using `\|` format. Example: `_count\|desc` |
| time_zone | body | string | Time zone for bucket results. |
| type | body | string | Type of aggregation. Valid values include: |
```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_events(date_ranges=date_ranges,
                                   exclude="string",
                                   field="string",
                                   filter="string",
                                   include="string",
                                   interval="string",
                                   max_doc_count=integer,
                                   min_doc_count=integer,
                                   missing="string",
                                   name="string",
                                   q="string",
                                   ranges=ranges,
                                   size=integer,
                                   sort="string",
                                   time_zone="string",
                                   type="string",
                                   # "from" is a reserved word in Python and cannot be
                                   # written as from=...; pass it by dictionary unpacking.
                                   **{"from": integer}
                                   )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    # Each nested aggregation is a dictionary with name, type and field (maximum of 3).
    "sub_aggregates": [
        {
            "name": "string",
            "type": "string",
            "field": "string"
        }
    ],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_events", body=BODY)
print(response)
```
Aggregate rules within a policy for customer
aggregate_policy_rules
| Method | Route |
|---|---|
| | `/fwmgr/aggregates/policy-rules/GET/v1` |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | list of dictionaries | Full body payload in JSON format. |
| date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: `[ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ]` |
| exclude | body | string | Elements to exclude. |
| field | body | string | The field on which to compute the aggregation. |
| filter | body | string | FQL syntax formatted string to use to filter the results. |
| from | body | integer | Starting position. |
| include | body | string | Elements to include. |
| interval | body | string | Time interval for date histogram aggregations. Valid values include: |
| max_doc_count | body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | body | string | Full text search across all metadata fields. |
| ranges | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: `[ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ]` |
| size | body | integer | The max number of term buckets to be returned. |
| sub_aggregates | body | list of dictionaries | A nested aggregation, such as: `[ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ]` There is a maximum of 3 nested aggregations per request. |
| sort | body | string | FQL syntax string to sort bucket results. `asc` and `desc` using `\|` format. Example: `_count\|desc` |
| time_zone | body | string | Time zone for bucket results. |
| type | body | string | Type of aggregation. Valid values include: |
```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_policy_rules(date_ranges=date_ranges,
                                         exclude="string",
                                         field="string",
                                         filter="string",
                                         include="string",
                                         interval="string",
                                         max_doc_count=integer,
                                         min_doc_count=integer,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=ranges,
                                         size=integer,
                                         sort="string",
                                         time_zone="string",
                                         type="string",
                                         # "from" is a reserved word in Python and cannot be
                                         # written as from=...; pass it by dictionary unpacking.
                                         **{"from": integer}
                                         )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    # Each nested aggregation is a dictionary with name, type and field (maximum of 3).
    "sub_aggregates": [
        {
            "name": "string",
            "type": "string",
            "field": "string"
        }
    ],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_policy_rules", body=BODY)
print(response)
```
Aggregate rule groups for customer
aggregate_rule_groups
| Method | Route |
|---|---|
| | `/fwmgr/aggregates/rule-groups/GET/v1` |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | list of dictionaries | Full body payload in JSON format. |
| date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: `[ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ]` |
| exclude | body | string | Elements to exclude. |
| field | body | string | The field on which to compute the aggregation. |
| filter | body | string | FQL syntax formatted string to use to filter the results. |
| from | body | integer | Starting position. |
| include | body | string | Elements to include. |
| interval | body | string | Time interval for date histogram aggregations. Valid values include: |
| max_doc_count | body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | body | string | Full text search across all metadata fields. |
| ranges | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: `[ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ]` |
| size | body | integer | The max number of term buckets to be returned. |
| sub_aggregates | body | list of dictionaries | A nested aggregation, such as: `[ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ]` There is a maximum of 3 nested aggregations per request. |
| sort | body | string | FQL syntax string to sort bucket results. `asc` and `desc` using `\|` format. Example: `_count\|desc` |
| time_zone | body | string | Time zone for bucket results. |
| type | body | string | Type of aggregation. Valid values include: |
```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_rule_groups(date_ranges=date_ranges,
                                        exclude="string",
                                        field="string",
                                        filter="string",
                                        include="string",
                                        interval="string",
                                        max_doc_count=integer,
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=ranges,
                                        size=integer,
                                        sort="string",
                                        time_zone="string",
                                        type="string",
                                        # "from" is a reserved word in Python and cannot be
                                        # written as from=...; pass it by dictionary unpacking.
                                        **{"from": integer}
                                        )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    # Each nested aggregation is a dictionary with name, type and field (maximum of 3).
    "sub_aggregates": [
        {
            "name": "string",
            "type": "string",
            "field": "string"
        }
    ],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_rule_groups", body=BODY)
print(response)
```
Aggregate rules for customer
aggregate_rules
| Method | Route |
|---|---|
| | `/fwmgr/aggregates/rules/GET/v1` |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | list of dictionaries | Full body payload in JSON format. |
| date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: `[ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ]` |
| exclude | body | string | Elements to exclude. |
| field | body | string | The field on which to compute the aggregation. |
| filter | body | string | FQL syntax formatted string to use to filter the results. |
| from | body | integer | Starting position. |
| include | body | string | Elements to include. |
| interval | body | string | Time interval for date histogram aggregations. Valid values include: |
| max_doc_count | body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | body | string | Full text search across all metadata fields. |
| ranges | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: `[ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ]` |
| size | body | integer | The max number of term buckets to be returned. |
| sub_aggregates | body | list of dictionaries | A nested aggregation, such as: `[ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ]` There is a maximum of 3 nested aggregations per request. |
| sort | body | string | FQL syntax string to sort bucket results. `asc` and `desc` using `\|` format. Example: `_count\|desc` |
| time_zone | body | string | Time zone for bucket results. |
| type | body | string | Type of aggregation. Valid values include: |
```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_rules(date_ranges=date_ranges,
                                  exclude="string",
                                  field="string",
                                  filter="string",
                                  include="string",
                                  interval="string",
                                  max_doc_count=integer,
                                  min_doc_count=integer,
                                  missing="string",
                                  name="string",
                                  q="string",
                                  ranges=ranges,
                                  size=integer,
                                  sort="string",
                                  time_zone="string",
                                  type="string",
                                  # "from" is a reserved word in Python and cannot be
                                  # written as from=...; pass it by dictionary unpacking.
                                  **{"from": integer}
                                  )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = [{
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    # Each nested aggregation is a dictionary with name, type and field (maximum of 3).
    "sub_aggregates": [
        {
            "name": "string",
            "type": "string",
            "field": "string"
        }
    ],
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("aggregate_rules", body=BODY)
print(response)
```
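The four aggregate operations above (aggregate_events, aggregate_policy_rules, aggregate_rule_groups and aggregate_rules) all take the same list-of-one-dictionary body. The following is an added example, not FalconPy's own code: it builds that body offline and rejects requests that the documented constraints would refuse (more than 3 nested aggregations, a sort string not in `field|asc` or `field|desc` form, a date range that ends before it starts), and shows how the `from` key is supplied despite being a reserved word in Python. The field names `rule_name` and `max_severity` in the sample request are assumptions, not documented values.

```python
"""Build and sanity-check a body for the fwmgr aggregate operations (added example)."""
from datetime import datetime, timezone
import json
import re

MAX_SUB_AGGREGATES = 3                                  # documented limit per request
SORT_RE = re.compile(r"^[A-Za-z0-9_.]+\|(asc|desc)$")   # e.g. _count|desc
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def _parse_ts(value: str) -> datetime:
    """Parse the UTC RFC 3339 timestamps used in date_ranges; nanosecond
    fractions (as in the examples above) are truncated to microseconds."""
    if not TIMESTAMP_RE.match(value):
        raise ValueError(f"timestamp must be UTC RFC 3339 with trailing Z: {value!r}")
    head, _, frac = value[:-1].partition(".")
    base = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return base.replace(microsecond=int((frac + "000000")[:6])) if frac else base


def build_aggregate_body(name: str, agg_type: str, field: str, *,
                         start: int = 0, size: int = 100, fql_filter: str = "",
                         sort: str = "_count|desc", date_ranges=None, ranges=None,
                         sub_aggregates=None, **extra) -> list:
    """Return the [ {...} ] body expected by the aggregate operations.

    `start` is emitted under the API key "from", which cannot be written as a
    Python keyword argument. Any other documented key (interval, time_zone,
    min_doc_count, ...) can be passed through **extra.
    """
    if not SORT_RE.match(sort):
        raise ValueError(f"sort must be '<field>|asc' or '<field>|desc', got {sort!r}")
    subs = list(sub_aggregates or [])
    if len(subs) > MAX_SUB_AGGREGATES:
        raise ValueError(f"at most {MAX_SUB_AGGREGATES} nested aggregations, got {len(subs)}")
    for sub in subs:
        missing = {"name", "type", "field"} - set(sub)
        if missing:
            raise ValueError(f"nested aggregation is missing keys: {sorted(missing)}")
    for dr in date_ranges or []:
        if _parse_ts(dr["from"]) >= _parse_ts(dr["to"]):
            raise ValueError(f"date range ends before it starts: {dr}")
    for rg in ranges or []:
        if rg["From"] >= rg["To"]:
            raise ValueError(f"range ends before it starts: {rg}")

    body = {"name": name, "type": agg_type, "field": field,
            "from": start, "size": size, "sort": sort}
    if fql_filter:
        body["filter"] = fql_filter
    if date_ranges:
        body["date_ranges"] = date_ranges
    if ranges:
        body["ranges"] = ranges
    if subs:
        body["sub_aggregates"] = subs
    body.update(extra)
    return [body]


def count_events_by_rule(window_from: str, window_to: str) -> list:
    """Sample request: bucket firewall events by the rule that matched them
    inside one time window, busiest buckets first, with the worst severity
    seen in each bucket as a nested aggregation. "rule_name" and
    "max_severity" are assumed field names for this sample."""
    return build_aggregate_body(
        name="events_by_rule", agg_type="terms", field="rule_name",
        date_ranges=[{"from": window_from, "to": window_to}],
        sub_aggregates=[{"name": "worst_severity", "type": "max",
                         "field": "max_severity"}],
        min_doc_count=1,
    )


if __name__ == "__main__":
    # The result is what goes into body=... for falcon.command("aggregate_events", ...).
    body = count_events_by_rule("2021-05-15T14:55:21.892315096Z",
                                "2021-05-17T13:42:16.493180643Z")
    print(json.dumps(body, indent=2))
```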
Get events entities by ID and optionally version
get_events
| Method | Route |
|---|---|
| | `/fwmgr/entities/events/v1` |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | The events to retrieve, identified by ID. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_events(ids=id_list)
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_events", ids=id_list)
print(response)
```
Get the firewall field specifications by ID
get_firewall_fields
| Method | Route |
|---|---|
| | `/fwmgr/entities/firewall-fields/v1` |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | The rule types to retrieve, identified by ID. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_firewall_fields(ids=id_list)
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_firewall_fields", ids=id_list)
print(response)
```
Get network locations entities by ID
get_network_locations_details
| Method | Route |
|---|---|
| | `/fwmgr/entities/network-locations-details/v1` |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | The ID of the network location to retrieve. |
| parameters | query | dictionary | Full query string parameters payload in JSON format, not required if using ids keyword. |

```python
from falconpy.firewall_management import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_network_locations_details(ids=id_list)
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_network_locations_details", ids=id_list)
print(response)
```
Updates the network locations metadata such as polling_intervals for the cid
update_network_locations_metadata
| Method | Route |
|---|---|
| | `/fwmgr/entities/network-locations-metadata/v1` |

- Consumes: application/json
- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| cid | body | string | CID for the location. |
| comment | query | string | Audit log comment for this action. |
| dns_resolution_targets_polling_interval | body | integer | Change the DNS resolution target polling interval. |
| https_reachable_hosts_polling_interval | body | integer | Change the HTTPS reachable hosts polling interval. |
| icmp_request_targets_polling_interval | body | integer | Change the ICMP request targets polling interval. |
| location_precedence | body | list of strings | Reorder location precedence of network locations based upon the order of the list of network location IDs provided. |
| parameters | query | dictionary | Full query string parameters payload in JSON format, not required if using the comment keyword. |

```python
from falconpy.firewall_management import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

# Network location IDs, highest precedence first
location_precedence = ["string", "string", "string"]

response = falcon.update_network_locations_metadata(cid="string",
                                                    comment="string",
                                                    dns_resolution_targets_polling_interval=integer,
                                                    https_reachable_hosts_polling_interval=integer,
                                                    icmp_request_targets_polling_interval=integer,
                                                    location_precedence=location_precedence
                                                    )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "cid": "string",
    "dns_resolution_targets_polling_interval": integer,
    "https_reachable_hosts_polling_interval": integer,
    "icmp_request_targets_polling_interval": integer,
    "location_precedence": [
        "string"
    ]
}

# comment is a query string parameter, so it is passed alongside the body
response = falcon.command("update_network_locations_metadata", comment="string", body=BODY)
print(response)
```
Updates the network locations precedence according to the list of ids provided.
update_network_locations_precedence
| Method | Route |
|---|---|
| | `/fwmgr/entities/network-locations-precedence/v1` |

- Consumes: application/json
- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| cid | body | string | CID for the location. |
| comment | query | string | Audit log comment for this action. |
| location_precedence | body | list of strings | Reorder location precedence of network locations based upon the order of the list of network location IDs provided. |
| parameters | query | dictionary | Full query string parameters payload in JSON format, not required if using the comment keyword. |

```python
from falconpy.firewall_management import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

# Network location IDs, highest precedence first
location_precedence = ["string", "string", "string"]

response = falcon.update_network_locations_precedence(cid="string",
                                                      comment="string",
                                                      location_precedence=location_precedence
                                                      )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "cid": "string",
    "location_precedence": [
        "string"
    ]
}

# comment is a query string parameter, so it is passed alongside the body
response = falcon.command("update_network_locations_precedence", comment="string", body=BODY)
print(response)
```
Get a summary of network locations entities by ID
get_network_locations
| Method | Route |
|---|---|
| | `/fwmgr/entities/network-locations/v1` |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | The ID of the network location to retrieve. |
| parameters | query | dictionary | Full query string parameters payload in JSON format, not required if using ids keyword. |

```python
from falconpy.firewall_management import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_network_locations(ids=id_list)
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_network_locations", ids=id_list)
print(response)
```
Update the network locations provided, and return the ID.
upsert_network_locations
| Method | Route |
|---|---|
| | `/fwmgr/entities/network-locations/v1` |

- Consumes: application/json
- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| comment | query | string | Audit log comment for this action. |
| connection_types | body | dictionary | Connections available at this location. |
| created_by | body | string | User UUID that created the change. |
| created_on | body | string | Datetime formatted string reflecting the time of the change. |
| default_gateways | body | list of strings | List of available gateways at this location. |
| description | body | string | Description for the location. |
| dhcp_servers | body | list of strings | List of available DHCP servers at this location. |
| dns_resolution_targets | body | dictionary | Dictionary containing a list of DNS resolution targets for the location. |
| dns_servers | body | list of strings | List of available DNS servers at this location. |
| enabled | body | boolean | Flag indicating if this location is enabled. |
| host_addresses | body | list of strings | List of available host address ranges for this location. |
| https_reachable_hosts | body | dictionary | Dictionary containing a list of hostnames reachable via HTTPS at this location. |
| icmp_request_targets | body | dictionary | Dictionary containing targets for ICMP monitoring requests at this location. |
| id | body | string | Network location ID to upsert. |
| modified_by | body | string | User UUID performing this change. |
| modified_on | body | string | UTC formatted date string when this location was modified. |
| name | body | string | Name for this location. |
| parameters | query | dictionary | Full query string parameters payload in JSON format, not required if using the comment keyword. |

```python
from falconpy.firewall_management import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}

default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]

dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}

dns_servers = ["string", "string"]
host_addresses = ["string", "string"]

https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}

icmp_request_targets = {
    "targets": [
        "string"
    ]
}

response = falcon.upsert_network_locations(comment="string",
                                           connection_types=connection_types,
                                           created_by="string",
                                           created_on="string",
                                           default_gateways=default_gateways,
                                           description="string",
                                           dhcp_servers=dhcp_servers,
                                           dns_resolution_targets=dns_resolution_targets,
                                           dns_servers=dns_servers,
                                           enabled=boolean,
                                           host_addresses=host_addresses,
                                           https_reachable_hosts=https_reachable_hosts,
                                           icmp_request_targets=icmp_request_targets,
                                           name="string",
                                           id="string",
                                           modified_by="string",
                                           modified_on="string"
                                           )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}

default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]

dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}

dns_servers = ["string", "string"]
host_addresses = ["string", "string"]

https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}

icmp_request_targets = {
    "targets": [
        "string"
    ]
}

BODY = {
    "connection_types": connection_types,
    "created_by": "string",
    "created_on": "string",
    "default_gateways": default_gateways,
    "description": "string",
    "dhcp_servers": dhcp_servers,
    "dns_resolution_targets": dns_resolution_targets,
    "dns_servers": dns_servers,
    "enabled": boolean,
    "host_addresses": host_addresses,
    "https_reachable_hosts": https_reachable_hosts,
    "icmp_request_targets": icmp_request_targets,
    "name": "string",
    "id": "string",
    "modified_by": "string",
    "modified_on": "string"
}

# comment is a query string parameter, so it is passed alongside the body
response = falcon.command("upsert_network_locations", comment="string", body=BODY)
print(response)
```
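Network locations decide which firewall rules apply to a host, so a definition with a typo in a CIDR or an "enabled" wireless profile with no SSIDs is worth catching before it is sent. The following is an added example, not FalconPy's own code: it assembles the body used by upsert_network_locations (above) and create_network_locations (below) from the keys in the parameter table, validating addresses with the standard library, and builds the body for update_network_locations_precedence while rejecting duplicate location IDs. The checks are this example's own, not something the SDK enforces, and all sample values are constructed; the `location_id` parameter name and the assumption that `ip_match` entries are IP addresses or CIDRs are also this example's.

```python
"""Assemble and validate network-location bodies for the fwmgr API (added example)."""
import ipaddress
import json


def _networks(values, label):
    """Require every entry to parse as an IPv4/IPv6 address or CIDR block."""
    out = []
    for v in values:
        try:
            out.append(str(ipaddress.ip_network(v, strict=False)))
        except ValueError as exc:
            raise ValueError(f"{label}: {v!r} is not an address or CIDR block") from exc
    return out


def _addresses(values, label):
    """Require every entry to parse as a single IPv4/IPv6 address."""
    out = []
    for v in values:
        try:
            out.append(str(ipaddress.ip_address(v)))
        except ValueError as exc:
            raise ValueError(f"{label}: {v!r} is not an IP address") from exc
    return out


def build_network_location(name, description, *, host_addresses, default_gateways=(),
                           dhcp_servers=(), dns_servers=(), wired=True, wireless=None,
                           dns_resolution_targets=(), https_reachable_hosts=(),
                           icmp_request_targets=(), enabled=True, location_id=None):
    """Return the body dictionary for create_network_locations / upsert_network_locations.

    `wireless` is None (no wireless profile) or a dict with the keys enabled,
    require_encryption and ssids, matching the connection_types structure in
    the examples above. `location_id` (an assumed helper parameter) becomes
    the documented "id" key and is only meaningful for an upsert.
    """
    if not name.strip():
        raise ValueError("name must not be empty")
    connection_types = {"wired": bool(wired)}
    if wireless is not None:
        ssids = [s for s in wireless.get("ssids", []) if s.strip()]
        if wireless.get("enabled") and not ssids:
            raise ValueError("wireless is enabled but no SSIDs are listed")
        connection_types["wireless"] = {
            "enabled": bool(wireless.get("enabled")),
            # Default to requiring encryption so an omitted key cannot loosen matching.
            "require_encryption": bool(wireless.get("require_encryption", True)),
            "ssids": ssids,
        }
    targets = []
    for tgt in dns_resolution_targets:
        targets.append({"hostname": tgt["hostname"],
                        "ip_match": _networks(tgt.get("ip_match", []),
                                              f"ip_match for {tgt['hostname']}")})
    body = {
        "name": name,
        "description": description,
        "enabled": bool(enabled),
        "connection_types": connection_types,
        "host_addresses": _networks(host_addresses, "host_addresses"),
        "default_gateways": _addresses(default_gateways, "default_gateways"),
        "dhcp_servers": _addresses(dhcp_servers, "dhcp_servers"),
        "dns_servers": _addresses(dns_servers, "dns_servers"),
        "dns_resolution_targets": {"targets": targets},
        "https_reachable_hosts": {"hostnames": list(https_reachable_hosts)},
        "icmp_request_targets": {"targets": list(icmp_request_targets)},
    }
    if location_id:
        body["id"] = location_id
    return body


def precedence_body(cid, ordered_ids):
    """Body for update_network_locations_precedence. The list order is the
    precedence, so a repeated ID would be ambiguous and is rejected."""
    ids = list(ordered_ids)
    if len(set(ids)) != len(ids):
        dupes = sorted({i for i in ids if ids.count(i) > 1})
        raise ValueError(f"duplicate location IDs in precedence list: {dupes}")
    return {"cid": cid, "location_precedence": ids}


if __name__ == "__main__":
    # Constructed sample; the result is the body=... for
    # falcon.command("create_network_locations", comment="...", body=body).
    body = build_network_location(
        "HQ LAN", "Constructed sample location",
        host_addresses=["10.10.0.0/16"], default_gateways=["10.10.0.1"],
        dhcp_servers=["10.10.0.2"], dns_servers=["10.10.0.53"],
        wireless={"enabled": True, "require_encryption": True, "ssids": ["corp-wifi"]},
        dns_resolution_targets=[{"hostname": "intranet.example.test", "ip_match": ["10.10.5.10"]}],
        https_reachable_hosts=["intranet.example.test"],
        icmp_request_targets=["10.10.0.1"],
    )
    print(json.dumps(body, indent=2))
```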
Create new network locations provided, and return the ID.
create_network_locations
Method | Route |
---|---|
| | /fwmgr/entities/network-locations/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
add_fw_rules | | | query | boolean | Flag to indicate that the cloned location needs to be added to the same firewall rules that encompass the original location. |
body | | | body | dictionary | Full body payload in JSON format. |
clone_id | | | query | string | A rule group ID from which to copy rules. If this keyword is provided then all other keywords excluding add_fw_rules and comment are ignored. |
comment | | | query | string | Audit log comment for this action. |
connection_types | | | body | dictionary | Connections available at this location. |
default_gateways | | | body | list of strings | List of available gateways at this location. |
description | | | body | string | Description for the location. |
dhcp_servers | | | body | list of strings | List of available DHCP servers at this location. |
dns_resolution_targets | | | body | dictionary | Dictionary containing a list of DNS resolution targets for the location. |
dns_servers | | | body | list of strings | List of available DNS servers at this location. |
enabled | | | body | boolean | Flag indicating if this location is enabled. |
host_addresses | | | body | list of strings | List of available host address ranges for this location. |
https_reachable_hosts | | | body | dictionary | Dictionary containing a list of hostnames reachable via HTTPS at this location. |
icmp_request_targets | | | body | dictionary | Dictionary containing targets for ICMP monitoring requests at this location. |
name | | | body | string | Name for this location. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format, not required if using the add_fw_rules, clone_id or comment keywords. |
```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

# "string", boolean and integer below are placeholders for your own values.
connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

response = falcon.create_network_locations(add_fw_rules=boolean,
                                           clone_id="string",
                                           comment="string",
                                           connection_types=connection_types,
                                           default_gateways=default_gateways,
                                           description="string",
                                           dhcp_servers=dhcp_servers,
                                           dns_resolution_targets=dns_resolution_targets,
                                           dns_servers=dns_servers,
                                           enabled=boolean,
                                           host_addresses=host_addresses,
                                           https_reachable_hosts=https_reachable_hosts,
                                           icmp_request_targets=icmp_request_targets,
                                           name="string",
                                           )
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

BODY = {
    "connection_types": connection_types,
    "default_gateways": default_gateways,
    "description": "string",
    "dhcp_servers": dhcp_servers,
    "dns_resolution_targets": dns_resolution_targets,
    "dns_servers": dns_servers,
    "enabled": boolean,
    "host_addresses": host_addresses,
    "https_reachable_hosts": https_reachable_hosts,
    "icmp_request_targets": icmp_request_targets,
    "name": "string"
}

response = falcon.command("create_network_locations",
                          add_fw_rules=boolean,
                          clone_id="string",
                          comment="string",
                          body=BODY
                          )
print(response)
```
Back to Table of Contents
Delete network location entities by ID.
delete_network_locations
Method | Route |
---|---|
| | /fwmgr/entities/network-locations/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | | | query | string or list of strings | The ID of the network location to delete. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format, not required if using ids keyword. |
```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_network_locations(ids=id_list)
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_network_locations", ids=id_list)
print(response)
```
Back to Table of Contents
Update the network locations provided, and return the ID.
update_network_locations
Method | Route |
---|---|
| | /fwmgr/entities/network-locations/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | dictionary | Full body payload in JSON format. |
comment | | | query | string | Audit log comment for this action. |
connection_types | | | body | dictionary | Connections available at this location. |
created_by | | | body | string | User UUID that created the change. |
created_on | | | body | string | Datetime formatted string reflecting the time of the change. |
default_gateways | | | body | list of strings | List of available gateways at this location. |
description | | | body | string | Description for the location. |
dhcp_servers | | | body | list of strings | List of available DHCP servers at this location. |
dns_resolution_targets | | | body | dictionary | Dictionary containing a list of DNS resolution targets for the location. |
dns_servers | | | body | list of strings | List of available DNS servers at this location. |
enabled | | | body | boolean | Flag indicating if this location is enabled. |
host_addresses | | | body | list of strings | List of available host address ranges for this location. |
https_reachable_hosts | | | body | dictionary | Dictionary containing a list of hostnames reachable via HTTPS at this location. |
icmp_request_targets | | | body | dictionary | Dictionary containing targets for ICMP monitoring requests at this location. |
id | | | body | string | Network location ID to upsert. |
modified_by | | | body | string | User UUID performing this change. |
modified_on | | | body | string | UTC formatted date string when this location was modified. |
name | | | body | string | Name for this location. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format, not required if using the comment keyword. |
```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

response = falcon.update_network_locations(comment="string",
                                           connection_types=connection_types,
                                           created_by="string",
                                           created_on="string",
                                           default_gateways=default_gateways,
                                           description="string",
                                           dhcp_servers=dhcp_servers,
                                           dns_resolution_targets=dns_resolution_targets,
                                           dns_servers=dns_servers,
                                           enabled=boolean,
                                           host_addresses=host_addresses,
                                           https_reachable_hosts=https_reachable_hosts,
                                           icmp_request_targets=icmp_request_targets,
                                           name="string",
                                           id="string",
                                           modified_by="string",
                                           modified_on="string"
                                           )
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

connection_types = {
    "wired": boolean,
    "wireless": {
        "enabled": boolean,
        "require_encryption": boolean,
        "ssids": [
            "string"
        ]
    }
}
default_gateways = ["string", "string"]
dhcp_servers = ["string", "string"]
dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}
dns_servers = ["string", "string"]
host_addresses = ["string", "string"]
https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}
icmp_request_targets = {
    "targets": [
        "string"
    ]
}

BODY = {
    "connection_types": connection_types,
    "created_by": "string",
    "created_on": "string",
    "default_gateways": default_gateways,
    "description": "string",
    "dhcp_servers": dhcp_servers,
    "dns_resolution_targets": dns_resolution_targets,
    "dns_servers": dns_servers,
    "enabled": boolean,
    "host_addresses": host_addresses,
    "https_reachable_hosts": https_reachable_hosts,
    "icmp_request_targets": icmp_request_targets,
    "name": "string",
    "id": "string",
    "modified_by": "string",
    "modified_on": "string"
}

response = falcon.command("update_network_locations", comment="string", body=BODY)
print(response)
```
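The three network-location operations above share one body layout that the templates only show as placeholders. The following added example (not FalconPy's own code) builds a concrete body from the documented keys and checks every address locally with the `ipaddress` module before anything is sent, so a typo in a gateway or range is caught on the client side. The choice of gateways as ICMP targets, an empty DNS resolution target list and CIDR notation for `host_addresses` are assumptions of this example.

```python
import ipaddress
from typing import Any, Dict, List, Optional


def _check_addresses(label: str, values: List[str], allow_cidr: bool) -> None:
    """Reject malformed entries locally so a typo never reaches the tenant."""
    for value in values:
        try:
            if allow_cidr:
                # strict=False accepts a range written with host bits set
                ipaddress.ip_network(value, strict=False)
            else:
                ipaddress.ip_address(value)
        except ValueError as exc:
            raise ValueError(f"{label}: {value!r} is not a valid address") from exc


def build_network_location(name: str,
                           description: str,
                           host_addresses: List[str],
                           default_gateways: List[str],
                           dns_servers: List[str],
                           dhcp_servers: Optional[List[str]] = None,
                           wired: bool = True,
                           ssids: Optional[List[str]] = None,
                           require_encryption: bool = True,
                           https_hosts: Optional[List[str]] = None,
                           enabled: bool = True,
                           location_id: Optional[str] = None) -> Dict[str, Any]:
    """Return a body dict using the keys documented for the network-location endpoints.

    Pass location_id for update_network_locations; leave it None for
    create_network_locations, which assigns the ID itself.
    """
    _check_addresses("host_addresses", host_addresses, allow_cidr=True)
    _check_addresses("default_gateways", default_gateways, allow_cidr=False)
    _check_addresses("dns_servers", dns_servers, allow_cidr=False)
    _check_addresses("dhcp_servers", dhcp_servers or [], allow_cidr=False)
    if not wired and not ssids:
        raise ValueError("a wireless-only location needs at least one SSID")

    body: Dict[str, Any] = {
        "name": name,
        "description": description,
        "enabled": enabled,
        "connection_types": {
            "wired": wired,
            "wireless": {
                "enabled": bool(ssids),
                "require_encryption": require_encryption,
                "ssids": list(ssids or []),
            },
        },
        "host_addresses": list(host_addresses),
        "default_gateways": list(default_gateways),
        "dns_servers": list(dns_servers),
        "dhcp_servers": list(dhcp_servers or []),
        # Assumption: no DNS resolution targets are needed for a first cut.
        "dns_resolution_targets": {"targets": []},
        "https_reachable_hosts": {"hostnames": list(https_hosts or [])},
        # Assumption: pinging the gateways is the ICMP reachability check.
        "icmp_request_targets": {"targets": list(default_gateways)},
    }
    if location_id is not None:
        body["id"] = location_id
    return body


if __name__ == "__main__":
    # Constructed sample values (private-range addresses), not a real site.
    body = build_network_location(name="HQ-Wired",
                                  description="Head office LAN",
                                  host_addresses=["10.10.0.0/16"],
                                  default_gateways=["10.10.0.1"],
                                  dns_servers=["10.10.0.53"],
                                  dhcp_servers=["10.10.0.67"],
                                  https_hosts=["intranet.example.com"])
    print(body)
    # With credentials available, the same body goes straight to the Uber class:
    # falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    # print(falcon.command("create_network_locations", comment="Add HQ", body=body))
```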
Back to Table of Contents
Get platforms by ID, e.g., windows or mac or droid
get_platforms
Method | Route |
---|---|
| | /fwmgr/entities/platforms/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | | | query | string or list of strings | The platforms to retrieve, identified by ID. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_platforms(ids=id_list)
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_platforms", ids=id_list)
print(response)
```
Back to Table of Contents
Get policy container entities by policy ID
get_policy_containers
Method | Route |
---|---|
| | /fwmgr/entities/policies/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | | | query | string or list of strings | The policy container(s) to retrieve, identified by policy ID. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_policy_containers(ids=id_list)
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_policy_containers", ids=id_list)
print(response)
```
Back to Table of Contents
Update an identified policy container.
PLEASE NOTE: This endpoint is deprecated in favor of update_policy_container (also known as update_policy_container_v2). Using this legacy endpoint could potentially disable your local logging setting.
update_policy_container_v1
Method | Route |
---|---|
| | /fwmgr/entities/policies/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | dictionary | Full body payload in JSON format. |
default_inbound | | | body | string | Default inbound. |
default_outbound | | | body | string | Default outbound. |
enforce | | | body | boolean | Enforcement flag. |
is_default_policy | | | body | boolean | Default policy flag. |
local_logging | | | body | boolean | Local logging flag. |
platform_id | | | body | string | ID of the platform for this policy container. |
policy_id | | | body | string | Policy ID to apply to this container. |
rule_group_ids | | | body | string or list of strings | Rule group IDs to include in this container. |
test_mode | | | body | boolean | Flag indicating if this container is in test mode. |
tracking | | | body | string | Tracking. |
```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rule_groups = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.update_policy_container_v1(default_inbound="string",
                                             default_outbound="string",
                                             enforce=boolean,
                                             is_default_policy=boolean,
                                             local_logging=boolean,
                                             platform_id="string",
                                             policy_id="string",
                                             rule_group_ids=rule_groups,
                                             test_mode=boolean,
                                             tracking="string"
                                             )
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rule_groups = ['ID1', 'ID2', 'ID3']

BODY = {
    "default_inbound": "string",
    "default_outbound": "string",
    "enforce": boolean,
    "is_default_policy": boolean,
    "local_logging": boolean,
    "platform_id": "string",
    "policy_id": "string",
    "rule_group_ids": rule_groups,
    "test_mode": boolean,
    "tracking": "string"
}

response = falcon.command("update_policy_container_v1", body=BODY)
print(response)
```
Back to Table of Contents
Update an identified policy container
update_policy_container
Method | Route |
---|---|
| | /fwmgr/entities/policies/v2 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | dictionary | Full body payload in JSON format. |
default_inbound | | | body | string | Default inbound. |
default_outbound | | | body | string | Default outbound. |
enforce | | | body | boolean | Enforcement flag. |
is_default_policy | | | body | boolean | Default policy flag. |
local_logging | | | body | boolean | Local logging flag. |
platform_id | | | body | string | ID of the platform for this policy container. |
policy_id | | | body | string | Policy ID to apply to this container. |
rule_group_ids | | | body | string or list of strings | Rule group IDs to include in this container. |
test_mode | | | body | boolean | Flag indicating if this container is in test mode. |
tracking | | | body | string | Tracking. |
```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rule_groups = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.update_policy_container(default_inbound="string",
                                          default_outbound="string",
                                          enforce=boolean,
                                          is_default_policy=boolean,
                                          local_logging=boolean,
                                          platform_id="string",
                                          policy_id="string",
                                          rule_group_ids=rule_groups,
                                          test_mode=boolean,
                                          tracking="string"
                                          )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rule_groups = ['ID1', 'ID2', 'ID3']

BODY = {
    "default_inbound": "string",
    "default_outbound": "string",
    "enforce": boolean,
    "is_default_policy": boolean,
    "local_logging": boolean,
    "platform_id": "string",
    "policy_id": "string",
    "rule_group_ids": rule_groups,
    "test_mode": boolean,
    "tracking": "string"
}

response = falcon.command("update_policy_container", body=BODY)
print(response)
```
Back to Table of Contents
Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order.
get_rule_groups
Method | Route |
---|---|
| | /fwmgr/entities/rule-groups/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | | | query | string or list of strings | The ID(s) of the rule group to retrieve. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_groups(ids=id_list)
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rule_groups", ids=id_list)
print(response)
```
Back to Table of Contents
Create new rule group on a platform for a customer with a name and description, and return the ID
create_rule_group
Method | Route |
---|---|
| | /fwmgr/entities/rule-groups/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
action | | | body (rules) | string | Rule action to perform. Overridden if rules keyword is provided. |
address_family | | | body (rules) | string | Address type. Either IP4, IP6 or NONE. Overridden if rules keyword is provided. |
body | | | body | dictionary | Full body payload in JSON format. |
clone_id | | | query | string | A rule group ID from which to copy rules. If this is provided then the 'rules' property of the body is ignored. |
comment | | | query | string | Comment for this rule group. |
description | | | body | string | Rule group description. |
direction | | | body (rules) | string | Traffic direction for the created rule. Either IN, OUT or BOTH. Overridden if rules keyword is provided. |
enabled | | | body | boolean | Flag indicating if the rule group is enabled. |
fields | | | body (rules) | dictionary or list of dictionaries | Fields to impact. Overridden if rules keyword is provided. |
icmp | | | body (rules) | dictionary | ICMP protocol options. Overridden if rules keyword is provided. |
library | | | query | string | If this flag is set to true then the rules will be cloned from the clone_id from the CrowdStrike Firewall Rule Groups Library. |
local_address | | | body (rules) | dictionary or list of dictionaries | Local address and netmask detail. Overridden if rules keyword is provided. |
local_port | | | body (rules) | dictionary or list of dictionaries | Local port range. Overridden if rules keyword is provided. |
log | | | body (rules) | boolean | Log rule matches. Overridden if rules keyword is provided. |
name | | | body | string | Rule group name. |
monitor | | | body (rules) | dictionary | Monitor count / period. Overridden if rules keyword is provided. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
platform | | | query | string | Common name for the OS platform this rule applies to. Should be provided instead of platform_ids. |
platform_ids | | | body (rules) | string or list of strings | OS platform(s) covered by rule. Supports comma delimited strings. Overridden if rules keyword is provided. DEPRECATED |
protocol | | | body (rules) | integer | Protocol specified by rule (integer identifier). Overridden if rules keyword is provided. |
remote_address | | | body (rules) | dictionary or list of dictionaries | Remote address and netmask detail. Overridden if rules keyword is provided. |
remote_port | | | body (rules) | dictionary or list of dictionaries | Remote port range. Overridden if rules keyword is provided. |
rule_description | | | body (rules) | string | Rule description. Overridden if rules keyword is provided. |
rule_enabled | | | body (rules) | boolean | Enablement status for the new rule. Overridden if rules keyword is provided. |
rule_name | | | body (rules) | string | Rule name. Overridden if rules keyword is provided. |
rules | | | body | dictionary or list of dictionaries | Rule(s) in JSON format. |
temp_id | | | body (rules) | string | String to use for temporary rule ID. Overridden if rules keyword is provided. |
```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

# Template for one rule; "string", boolean and integer are placeholders.
new_rule = {
    "action": "string",
    "address_family": "string",
    "description": "string",
    "direction": "string",
    "enabled": boolean,
    "fields": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                "string"
            ]
        }
    ],
    "icmp": {
        "icmp_code": "string",
        "icmp_type": "string"
    },
    "local_address": [
        {
            "address": "string",
            "netmask": integer
        }
    ],
    "local_port": [
        {
            "end": integer,
            "start": integer
        }
    ],
    "log": boolean,
    "monitor": {
        "count": "string",
        "period_ms": "string"
    },
    "name": "string",
    "platform_ids": [
        "string"
    ],
    "protocol": "string",
    "remote_address": [
        {
            "address": "string",
            "netmask": integer
        }
    ],
    "remote_port": [
        {
            "end": integer,
            "start": integer
        }
    ],
    "temp_id": "string"
}

response = falcon.create_rule_group(clone_id="string",
                                    library="string",
                                    comment="string",
                                    description="string",
                                    enabled=boolean,
                                    name="string",
                                    platform="string",
                                    rules=new_rule
                                    )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

new_rule = {
    "action": "string",
    "address_family": "string",
    "description": "string",
    "direction": "string",
    "enabled": boolean,
    "fields": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                "string"
            ]
        }
    ],
    "icmp": {
        "icmp_code": "string",
        "icmp_type": "string"
    },
    "local_address": [
        {
            "address": "string",
            "netmask": integer
        }
    ],
    "local_port": [
        {
            "end": integer,
            "start": integer
        }
    ],
    "log": boolean,
    "monitor": {
        "count": "string",
        "period_ms": "string"
    },
    "name": "string",
    "platform_ids": [
        "string"
    ],
    "protocol": "string",
    "remote_address": [
        {
            "address": "string",
            "netmask": integer
        }
    ],
    "remote_port": [
        {
            "end": integer,
            "start": integer
        }
    ],
    "temp_id": "string"
}

BODY = {
    "description": "string",
    "enabled": boolean,
    "name": "string",
    "platform": "string",
    "rules": [new_rule]
}

response = falcon.command("create_rule_group",
                          body=BODY,
                          clone_id="string",
                          library="string",
                          comment="string"
                          )
print(response)
```
Back to Table of Contents
Delete rule group entities by ID
delete_rule_groups
Method | Route |
---|---|
| | /fwmgr/entities/rule-groups/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
comment | | | query | string or list of strings | Audit log comment for this operation. |
ids | | | query | string or list of strings | The rule group(s) to delete, identified by ID. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_groups(comment="string", ids=id_list)
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_rule_groups", comment="string", ids=id_list)
print(response)
```
Back to Table of Contents
Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
update_rule_group
Method | Route |
---|---|
| | /fwmgr/entities/rule-groups/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | dictionary | Full body payload in JSON format. |
comment | | | query | string | Audit log comment for this action. |
diff_from | | | body (diff_operations) | string | From value for the diff. Overridden if diff_operations keyword is provided. |
diff_op | | | body (diff_operations) | string | Operation for the diff. Overridden if diff_operations keyword is provided. |
diff_operations | | | body | dictionary or list of dictionaries | Differential operations to perform against the rule group. |
diff_path | | | body (diff_operations) | string | Path for the diff. Overridden if diff_operations keyword is provided. |
diff_type | | | body | string | Type of diff to apply. |
id | | | body | string | ID of the rule group to update. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
rule_ids | | | body | list of strings | Rule ID(s) to add to the rule group. |
rule_versions | | | body | list of integers | Rule group versions. |
tracking | | | body | string | Tracking. |
```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]
diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

response = falcon.update_rule_group(comment="string",
                                    diff_operations=diffs,
                                    diff_type="string",
                                    id="string",
                                    rule_ids=rules,
                                    rule_versions=versions,
                                    tracking="string"
                                    )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]
diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

BODY = {
    "diff_operations": [diffs],
    "diff_type": "string",
    "id": "string",
    "rule_ids": rules,
    "rule_versions": versions,
    "tracking": "string"
}

response = falcon.command("update_rule_group",
                          comment="string",
                          body=BODY
                          )
print(response)
```
Back to Table of Contents
Validates the request of creating a new rule group on a platform for a customer with a name and description
create_rule_group_validation
Method | Route |
---|---|
| | /fwmgr/entities/rule-groups/validation/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | dictionary | Full body payload in JSON format, not required if using other keywords. |
clone_id | | | query | string | A rule group validation ID from which to copy rules. If this is provided then the 'rules' property of the body is ignored. |
comment | | | query | string | Audit log comment for this action. |
description | | | body | string | Rule group validation description. |
enabled | | | body | boolean | Flag indicating if this validation is enabled. |
library | | | query | boolean | If this flag is set to true then the rules will be cloned from the clone_id from the CrowdStrike Firewall Rule Groups Library. |
name | | | body | string | Name for this rule group validation. |
parameters | | | query | dictionary | Full parameters payload in JSON format. Not required if using the clone_id and comment keywords. |
platform | | | body | string | Name of the platform this rule group validation is associated with. |
rules | | | body | list of dictionaries | JSON formatted list of rules to validate. |
```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rule_list = [
    {
        "action": "string",
        "address_family": "string",
        "description": "string",
        "direction": "string",
        "enabled": boolean,
        "fields": [
            {
                "final_value": "string",
                "label": "string",
                "name": "string",
                "type": "string",
                "value": "string",
                "values": [
                    "string"
                ]
            }
        ],
        "fqdn": "string",
        "fqdn_enabled": boolean,
        "icmp": {
            "icmp_code": "string",
            "icmp_type": "string"
        },
        "local_address": [
            {
                "address": "string",
                "netmask": integer
            }
        ],
        "local_port": [
            {
                "end": integer,
                "start": integer
            }
        ],
        "log": boolean,
        "monitor": {
            "count": "string",
            "period_ms": "string"
        },
        "name": "string",
        "protocol": "string",
        "remote_address": [
            {
                "address": "string",
                "netmask": integer
            }
        ],
        "remote_port": [
            {
                "end": integer,
                "start": integer
            }
        ],
        "temp_id": "string"
    }
]

response = falcon.create_rule_group_validation(clone_id="string",
                                               comment="string",
                                               description="string",
                                               enabled=boolean,
                                               library="string",
                                               name="string",
                                               platform="string",
                                               rules=rule_list
                                               )
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rule_list = [
    {
        "action": "string",
        "address_family": "string",
        "description": "string",
        "direction": "string",
        "enabled": boolean,
        "fields": [
            {
                "final_value": "string",
                "label": "string",
                "name": "string",
                "type": "string",
                "value": "string",
                "values": [
                    "string"
                ]
            }
        ],
        "fqdn": "string",
        "fqdn_enabled": boolean,
        "icmp": {
            "icmp_code": "string",
            "icmp_type": "string"
        },
        "local_address": [
            {
                "address": "string",
                "netmask": integer
            }
        ],
        "local_port": [
            {
                "end": integer,
                "start": integer
            }
        ],
        "log": boolean,
        "monitor": {
            "count": "string",
            "period_ms": "string"
        },
        "name": "string",
        "protocol": "string",
        "remote_address": [
            {
                "address": "string",
                "netmask": integer
            }
        ],
        "remote_port": [
            {
                "end": integer,
                "start": integer
            }
        ],
        "temp_id": "string"
    }
]

BODY = {
    "description": "string",
    "enabled": boolean,
    "name": "string",
    "platform": "string",
    "rules": rule_list
}

response = falcon.command("create_rule_group_validation",
                          clone_id="string",
                          comment="string",
                          library="string",
                          body=BODY
                          )
print(response)
```
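create_rule_group and create_rule_group_validation take the same body, which makes a validate-then-commit flow natural: the following added example (not FalconPy's own code) builds one concrete deny rule from the fields documented above, checks the enumerations the page states (address_family, direction) locally, and only calls create_rule_group after the validation endpoint returns a 2xx. The action values ALLOW/DENY and the protocol numbers (6 = TCP) are assumptions not given on this page; `falcon` is any object exposing the two Service-class methods, so it can be stubbed offline.

```python
from typing import Any, Dict, Optional, Sequence

ADDRESS_FAMILIES = {"IP4", "IP6", "NONE"}   # values stated on this page
DIRECTIONS = {"IN", "OUT", "BOTH"}          # values stated on this page
ACTIONS = {"ALLOW", "DENY"}                 # assumption: not listed on this page


def port_range(start: int, end: Optional[int] = None) -> Dict[str, int]:
    """Build one {"start", "end"} entry for local_port / remote_port."""
    end = start if end is None else end
    if not 0 <= start <= end <= 65535:
        raise ValueError(f"bad port range {start}-{end}")
    return {"start": start, "end": end}


def address(cidr: str, bits: int = 32) -> Dict[str, Any]:
    """'10.0.0.0/8' -> {"address": "10.0.0.0", "netmask": 8}; a bare host gets /bits."""
    addr, _, prefix = cidr.partition("/")
    netmask = int(prefix) if prefix else bits
    if not 0 <= netmask <= bits:
        raise ValueError(f"bad netmask in {cidr!r}")
    return {"address": addr, "netmask": netmask}


def make_rule(name: str, action: str, direction: str, protocol: int,
              remote_address: Sequence[Dict[str, Any]],
              remote_port: Sequence[Dict[str, int]] = (),
              local_port: Sequence[Dict[str, int]] = (),
              address_family: str = "IP4", description: str = "",
              log: bool = True, temp_id: str = "1") -> Dict[str, Any]:
    """One rule dict using the keys documented under `rules`.

    Optional keys the page lists (fields, icmp, monitor, fqdn) are omitted
    rather than sent empty. The page's template passes protocol as a string,
    so the IANA number is converted (assumption: 6 = TCP, 17 = UDP).
    """
    if address_family not in ADDRESS_FAMILIES:
        raise ValueError(f"address_family must be one of {sorted(ADDRESS_FAMILIES)}")
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {sorted(DIRECTIONS)}")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    return {
        "temp_id": temp_id,
        "name": name,
        "description": description,
        "enabled": True,
        "action": action,
        "direction": direction,
        "address_family": address_family,
        "protocol": str(protocol),
        "local_port": list(local_port),
        "remote_address": list(remote_address),
        "remote_port": list(remote_port),
        "log": log,
    }


def make_rule_group(name: str, description: str, platform: str,
                    rules: Sequence[Dict[str, Any]], enabled: bool = True) -> Dict[str, Any]:
    """Body for create_rule_group / create_rule_group_validation."""
    if not rules:
        raise ValueError("a rule group needs at least one rule")
    temp_ids = [rule["temp_id"] for rule in rules]
    if len(set(temp_ids)) != len(temp_ids):
        raise ValueError("temp_id values must be unique within the group")
    return {"name": name, "description": description, "platform": platform,
            "enabled": enabled, "rules": list(rules)}


def validate_then_create(falcon: Any, group: Dict[str, Any], comment: str) -> Dict[str, Any]:
    """Dry-run the body through the validation endpoint; create only on a 2xx.

    A failed validation response is returned unchanged so the caller can read
    the service's error list instead of creating a broken group.
    """
    check = falcon.create_rule_group_validation(comment=comment, body=group)
    if check["status_code"] // 100 != 2:
        return check
    return falcon.create_rule_group(comment=comment, body=group)


if __name__ == "__main__":
    # Constructed sample: deny inbound RDP from a documentation-range network.
    rdp_block = make_rule(name="Deny inbound RDP from lab segment",
                          action="DENY", direction="IN", protocol=6,
                          remote_address=[address("203.0.113.0/24")],
                          local_port=[port_range(3389)],
                          description="Lab segment must not reach RDP")
    group = make_rule_group("Workstation hardening", "Added example",
                            "windows", [rdp_block])
    print(group)
    # from falconpy import FirewallManagement
    # falcon = FirewallManagement(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    # print(validate_then_create(falcon, group, comment="initial hardening group"))
```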
Back to Table of Contents
Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
update_rule_group_validation
Method | Route |
---|---|
| | /fwmgr/entities/rule-groups/validation/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | dictionary | Full body payload in JSON format. |
comment | | | query | string | Audit log comment for this action. |
diff_from | | | body (diff_operations) | string | From value for the diff. Overridden if diff_operations keyword is provided. |
diff_op | | | body (diff_operations) | string | Operation for the diff. Overridden if diff_operations keyword is provided. |
diff_operations | | | body | dictionary or list of dictionaries | Differential operations to perform against the rule group. |
diff_path | | | body (diff_operations) | string | Path for the diff. Overridden if diff_operations keyword is provided. |
diff_type | | | body | string | Type of diff to apply. |
id | | | body | string | ID of the rule group to update. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
rule_ids | | | body | list of strings | Rule ID(s) to add to the rule group. |
rule_versions | | | body | list of integers | Rule group versions. |
tracking | | | body | string | Tracking. |
```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]
diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

response = falcon.update_rule_group_validation(comment="string",
                                               diff_operations=diffs,
                                               diff_type="string",
                                               id="string",
                                               rule_ids=rules,
                                               rule_versions=versions,
                                               tracking="string"
                                               )
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rules = ['ID1', 'ID2', 'ID3']
versions = [1, 2, 3]
diffs = {
    "from": "string",
    "op": "string",
    "path": "string"
}

BODY = {
    "diff_operations": [diffs],
    "diff_type": "string",
    "id": "string",
    "rule_ids": rules,
    "rule_versions": versions,
    "tracking": "string"
}

response = falcon.command("update_rule_group_validation",
                          comment="string",
                          body=BODY
                          )
print(response)
```
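Both update_rule_group and update_rule_group_validation describe each diff operation by op, path and from, which is the shape of a JSON Patch (RFC 6902) `move` or `remove`. The following added example (not FalconPy's own code) applies such operations to a local copy of a group's precedence-ordered rule ID list, as returned by get_rule_groups, so a reorder can be reviewed before it is submitted, and then builds the update body. Two things are assumptions not stated on this page: the JSON pointer prefix `/rule_ids/` and the diff_type value `application/json-patch+json`.

```python
import re
from typing import Any, Dict, List, Optional

# Assumptions (not stated on this page): operations follow JSON Patch
# (RFC 6902) and the precedence list is addressed as /rule_ids/<index>.
DIFF_TYPE = "application/json-patch+json"
RULE_POINTER = re.compile(r"^/rule_ids/(\d+|-)$")


def move_rule(from_index: int, to_index: int) -> Dict[str, str]:
    """JSON Patch `move`: take the rule at from_index out, re-insert at to_index."""
    return {"op": "move",
            "from": f"/rule_ids/{from_index}",
            "path": f"/rule_ids/{to_index}"}


def remove_rule(index: int) -> Dict[str, str]:
    """JSON Patch `remove` of the rule at index."""
    return {"op": "remove", "path": f"/rule_ids/{index}"}


def _index(pointer: str) -> Optional[int]:
    """Parse /rule_ids/N into N; the RFC 6902 append marker "-" returns None."""
    match = RULE_POINTER.match(pointer)
    if not match:
        raise ValueError(f"unsupported pointer {pointer!r}")
    return None if match.group(1) == "-" else int(match.group(1))


def preview_order(rule_ids: List[str], operations: List[Dict[str, str]]) -> List[str]:
    """Apply move/remove operations to a copy of the precedence list.

    Follows RFC 6902: a move removes the source element first and then inserts
    at the target index as it stands after that removal. Any other op raises
    so it is never silently skipped; a bad index raises IndexError.
    """
    order = list(rule_ids)
    for operation in operations:
        kind = operation["op"]
        if kind == "move":
            source = _index(operation["from"])
            if source is None:
                raise ValueError("move needs a concrete source index")
            item = order.pop(source)
            target = _index(operation["path"])
            if target is None:
                order.append(item)
            else:
                order.insert(target, item)
        elif kind == "remove":
            source = _index(operation["path"])
            if source is None:
                raise ValueError("remove needs a concrete index")
            order.pop(source)
        else:
            raise ValueError(f"preview supports move/remove only, got {kind!r}")
    return order


def build_update_body(group_id: str, operations: List[Dict[str, str]],
                      add_rule_ids: Optional[List[str]] = None,
                      add_rule_versions: Optional[List[int]] = None) -> Dict[str, Any]:
    """Body for update_rule_group / update_rule_group_validation.

    rule_ids and rule_versions name rules to add (as the table above says)
    and must pair up one-to-one; they are left out when nothing is added.
    """
    ids = list(add_rule_ids or [])
    versions = list(add_rule_versions or [])
    if len(ids) != len(versions):
        raise ValueError("rule_ids and rule_versions must have the same length")
    body: Dict[str, Any] = {"id": group_id,
                            "diff_type": DIFF_TYPE,
                            "diff_operations": list(operations)}
    if ids:
        body["rule_ids"] = ids
        body["rule_versions"] = versions
    return body


if __name__ == "__main__":
    # Constructed sample: IDs as get_rule_groups returns them, in precedence order.
    current = ["rule-allow-dns", "rule-allow-web", "rule-deny-rdp", "rule-deny-all"]
    # Promote the deny rule to the top, then drop allow-web (index 2 after the move).
    ops = [move_rule(2, 0), remove_rule(2)]
    print(preview_order(current, ops))
    body = build_update_body("GROUP_ID_PLACEHOLDER", ops)
    print(body)
    # falcon = FirewallManagement(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    # falcon.update_rule_group_validation(comment="reorder", body=body)  # dry run first
    # falcon.update_rule_group(comment="reorder", body=body)
```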
Back to Table of Contents
Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
get_rules
Method | Route |
---|---|
| | /fwmgr/entities/rules/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | | | query | string or list of strings | The rules to retrieve, identified by ID. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rules", ids=id_list)
print(response)
```
Back to Table of Contents
Validates that the test pattern matches the executable filepath glob pattern.
validate_filepath_pattern
Method | Route |
---|---|
| | /fwmgr/entities/rules/validate-filepath/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | dictionary | Full body payload in JSON format. |
filepath_pattern | | | body | string | Pattern to test against. |
filepath_test_string | | | body | string | File path string to be tested. |
from falconpy.firewall_management import FirewallManagement
falcon = FirewallManagement(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.validate_filepath_pattern(filepath_pattern="string",
filepath_test_string="string"
)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"filepath_pattern": "string",
"filepath_test_string": "string"
}
response = falcon.command("validate_filepath_pattern", body=BODY)
print(response)
Back to Table of Contents
Find all event IDs matching the query with filter
query_events
Method | Route
---|---
`GET` | `/fwmgr/queries/events/v1`

- Produces: application/json

Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
after | ✓ | ✓ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10,000 results, use the after parameter instead of offset.
filter | ✓ | ✓ | query | string | FQL Syntax formatted filter that should be used to limit the results.
limit | ✓ | ✓ | query | integer | Maximum number of results to return.
offset | ✓ | ✓ | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If neither is provided, scrolling will be used by default. To access more than 10,000 results, use the after parameter instead of offset.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
q | ✓ | ✓ | query | string | Free text search across all indexed fields.
sort | ✓ | ✓ | query | string | FQL Syntax formatted sort filter.

```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_events(sort="string",
                               filter="string",
                               q="string",
                               offset=integer,  # offset and after are mutually exclusive: pass one or the other
                               after="string",
                               limit=integer
                               )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_events",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,  # offset and after are mutually exclusive: pass one or the other
                          after="string",
                          limit=integer
                          )
print(response)
```
Back to Table of Contents
Get the firewall field specification IDs for the provided platform
query_firewall_fields
Method | Route
---|---
`GET` | `/fwmgr/queries/firewall-fields/v1`

- Produces: application/json

Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
limit | ✓ | ✓ | query | integer | Maximum number of results to return.
offset | ✓ | ✓ | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If neither is provided, scrolling will be used by default. To access more than 10,000 results, use the after parameter instead of offset.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
platform_id | ✓ | ✓ | query | string | Return only the field specifications for this platform.

```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_firewall_fields(platform_id="string",
                                        offset=integer,
                                        limit=integer
                                        )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_firewall_fields",
                          platform_id="string",
                          limit=integer,
                          offset=integer
                          )
print(response)
```
Back to Table of Contents
Get a list of network location IDs
query_network_locations
Method | Route
---|---
`GET` | `/fwmgr/queries/network-locations/v1`

- Produces: application/json

Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
after | ✓ | ✓ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10,000 results, use the after parameter instead of offset.
filter | ✓ | ✓ | query | string | FQL Syntax formatted filter that should be used to limit the results.
limit | ✓ | ✓ | query | integer | Maximum number of results to return.
offset | ✓ | ✓ | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If neither is provided, scrolling will be used by default. To access more than 10,000 results, use the after parameter instead of offset.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
q | ✓ | ✓ | query | string | Free text search across all indexed fields.
sort | ✓ | ✓ | query | string | FQL Syntax formatted sort filter.

```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_network_locations(sort="string",
                                          filter="string",
                                          q="string",
                                          offset=integer,  # offset is an integer; it is mutually exclusive with after
                                          after="string",
                                          limit=integer
                                          )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_network_locations",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,  # offset is an integer; it is mutually exclusive with after
                          after="string",
                          limit=integer
                          )
print(response)
```
Back to Table of Contents
Get the list of platform names
query_platforms
Method | Route
---|---
`GET` | `/fwmgr/queries/platforms/v1`

- Produces: application/json

Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
limit | ✓ | ✓ | query | integer | Maximum number of results to return.
offset | ✓ | ✓ | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If neither is provided, scrolling will be used by default. To access more than 10,000 results, use the after parameter instead of offset.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.

```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_platforms(offset=integer, limit=integer)
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_platforms", limit=integer, offset=integer)
print(response)
```
Back to Table of Contents
Find all firewall rule IDs matching the query with filter, and return them in precedence order
query_policy_rules
Method | Route
---|---
`GET` | `/fwmgr/queries/policy-rules/v1`

- Produces: application/json

Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
after | ✓ | ✓ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10,000 results, use the after parameter instead of offset.
filter | ✓ | ✓ | query | string | FQL Syntax formatted filter that should be used to limit the results.
id | ✓ | ✓ | query | string | The ID of the policy container within which to query.
limit | ✓ | ✓ | query | integer | Maximum number of results to return.
offset | ✓ | ✓ | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If neither is provided, scrolling will be used by default. To access more than 10,000 results, use the after parameter instead of offset.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
q | ✓ | ✓ | query | string | Free text search across all indexed fields.
sort | ✓ | ✓ | query | string | FQL Syntax formatted sort filter.

```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_policy_rules(id="string",
                                     sort="string",
                                     filter="string",
                                     q="string",
                                     offset=integer,  # offset and after are mutually exclusive: pass one or the other
                                     limit=integer,
                                     after="string"
                                     )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_policy_rules",
                          id="string",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,  # offset and after are mutually exclusive: pass one or the other
                          limit=integer,
                          after="string"
                          )
print(response)
```
Back to Table of Contents
Find all rule group IDs matching the query with filter
query_rule_groups
Method | Route
---|---
`GET` | `/fwmgr/queries/rule-groups/v1`

- Produces: application/json

Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
after | ✓ | ✓ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10,000 results, use the after parameter instead of offset.
filter | ✓ | ✓ | query | string | FQL Syntax formatted filter that should be used to limit the results.
limit | ✓ | ✓ | query | integer | Maximum number of results to return.
offset | ✓ | ✓ | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If neither is provided, scrolling will be used by default. To access more than 10,000 results, use the after parameter instead of offset.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
q | ✓ | ✓ | query | string | Free text search across all indexed fields.
sort | ✓ | ✓ | query | string | FQL Syntax formatted sort filter.

```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_rule_groups(sort="string",
                                    filter="string",
                                    q="string",
                                    offset=integer,  # offset is an integer; it is mutually exclusive with after
                                    after="string",
                                    limit=integer
                                    )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_groups",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,  # offset is an integer; it is mutually exclusive with after
                          after="string",
                          limit=integer
                          )
print(response)
```
Back to Table of Contents
Find all rule IDs matching the query with filter
query_rules
Method | Route
---|---
`GET` | `/fwmgr/queries/rules/v1`

- Produces: application/json

Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
after | ✓ | ✓ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10,000 results, use the after parameter instead of offset.
filter | ✓ | ✓ | query | string | FQL Syntax formatted filter that should be used to limit the results.
limit | ✓ | ✓ | query | integer | Maximum number of results to return.
offset | ✓ | ✓ | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If neither is provided, scrolling will be used by default. To access more than 10,000 results, use the after parameter instead of offset.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
q | ✓ | ✓ | query | string | Free text search across all indexed fields.
sort | ✓ | ✓ | query | string | FQL Syntax formatted sort filter.

```python
from falconpy import FirewallManagement

# Do not hardcode API credentials!
falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_rules(sort="string",
                              filter="string",
                              q="string",
                              offset=integer,  # offset and after are mutually exclusive: pass one or the other
                              after="string",
                              limit=integer
                              )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rules",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,  # offset and after are mutually exclusive: pass one or the other
                          after="string",
                          limit=integer
                          )
print(response)
```
Back to Table of Contents
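The pagination contract described for query_rules (and repeated verbatim for query_events, query_network_locations, query_rule_groups and query_policy_rules), combined with the get_rules lookup, is the usual enumerate-then-resolve pattern. The following is an added example and not code from the FalconPy wiki or the FalconPy project: it walks a /queries/ endpoint with the after cursor, refuses the offset/after combination the parameter tables call mutually exclusive, checks the response envelope before trusting it, and resolves the collected IDs with get_rules in batches. It assumes the standard FalconPy response envelope (status_code, headers, and a body with meta, resources and errors) and that the cursor for the next page is returned at body.meta.pagination.after; FakeFirewallManagement is a constructed offline stand-in for the real FirewallManagement service class, and its cursor encoding is an invention for the stub only.

```python
"""Enumerate firewall rule IDs with the `after` cursor and resolve them in batches.

Added example, not FalconPy project code. Assumes the FalconPy response envelope
{"status_code", "headers", "body": {"meta", "resources", "errors"}} and that the
next-page cursor is found at body["meta"]["pagination"]["after"] (assumption).
"""
from typing import Callable, Dict, Iterator, List, Optional


class FakeFirewallManagement:
    """Constructed offline stand-in for falconpy.FirewallManagement (not the real class).

    Its cursor is simply the next start index as a string; the real cursor is opaque.
    """

    def __init__(self, rule_ids: List[str]):
        self._ids = list(rule_ids)
        self._known = set(rule_ids)

    def query_rules(self, limit: int = 100, after: Optional[str] = None, **_) -> Dict:
        start = int(after) if after else 0
        page = self._ids[start:start + limit]
        nxt = str(start + limit) if start + limit < len(self._ids) else ""
        return {"status_code": 200, "headers": {},
                "body": {"meta": {"pagination": {"after": nxt, "limit": limit,
                                                 "total": len(self._ids)}},
                         "resources": page, "errors": []}}

    def get_rules(self, ids) -> Dict:
        wanted = ids.split(",") if isinstance(ids, str) else list(ids)
        found = [{"id": rid} for rid in wanted if rid in self._known]
        return {"status_code": 200, "headers": {},
                "body": {"meta": {}, "resources": found, "errors": []}}


def check(response: Dict) -> Dict:
    """Return the body only if the call succeeded; never treat a failed call as an empty page."""
    errors = response.get("body", {}).get("errors") or []
    if response.get("status_code") != 200 or errors:
        raise RuntimeError(f"API call failed: status={response.get('status_code')} errors={errors}")
    return response["body"]


def paginate_ids(query: Callable[..., Dict], limit: int = 500, **params) -> Iterator[str]:
    """Yield every ID a /queries/ endpoint returns, following the `after` cursor.

    `offset` is rejected outright: the API treats offset and after as mutually
    exclusive, and offset cannot reach past the first 10,000 results anyway.
    """
    if "offset" in params:
        raise ValueError("enumerate with the after cursor, not offset")
    after: Optional[str] = None
    seen = set()
    while True:
        call = dict(params, limit=limit)
        if after:                        # the first request carries no after token
            call["after"] = after
        body = check(query(**call))
        for rid in body.get("resources") or []:
            if rid not in seen:          # defensive: a re-served page must not double-count
                seen.add(rid)
                yield rid
        after = (body.get("meta") or {}).get("pagination", {}).get("after")
        if not after:                    # an empty or absent cursor marks the last page
            return


def fetch_rules_in_batches(falcon, rule_ids: List[str], batch_size: int = 100) -> List[Dict]:
    """Resolve IDs to rule entities, sending at most batch_size IDs per get_rules call."""
    rules: List[Dict] = []
    for start in range(0, len(rule_ids), batch_size):
        body = check(falcon.get_rules(ids=rule_ids[start:start + batch_size]))
        rules.extend(body.get("resources") or [])
    return rules


def collect_all_rules(falcon, page_size: int = 500, batch_size: int = 100, **query_params) -> List[Dict]:
    """Enumerate-then-resolve: query_rules for the IDs, then get_rules for the entities."""
    ids = list(paginate_ids(falcon.query_rules, limit=page_size, **query_params))
    return fetch_rules_in_batches(falcon, ids, batch_size)


if __name__ == "__main__":
    # Constructed sample tenant with 1,250 rules: three pages at limit=500, thirteen get_rules batches.
    fake = FakeFirewallManagement([f"rule-{n}" for n in range(1250)])
    resolved = collect_all_rules(fake, page_size=500, batch_size=100)
    print(len(resolved), "rules resolved")   # 1250 rules resolved
```

Against the live API, construct `FirewallManagement(client_id=..., client_secret=...)` and pass it in place of the fake; the code never interprets the cursor beyond checking that it is non-empty, so the opaque token the real service returns works unchanged. The same `paginate_ids` helper applies to any of the /queries/ methods on this page that accept `after` and `limit`, with `filter`, `q` and `sort` passed through as keyword arguments.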