Real Time Response Admin
This service collection has code examples posted to the repository.
| Operation ID | Description |
|---|---|
| BatchAdminCmd | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. |
| RTR_CheckAdminCommandStatus | Get status of an executed RTR administrator command on a single host. |
| RTR_ExecuteAdminCommand | Execute a RTR administrator command on a single host. |
| RTR_GetFalconScripts | Get Falcon scripts with metadata and content of script. |
| RTR_GetPut_Files | Get put-files based on the IDs given. These are used for the RTR `put` command. |
| RTR_GetPut_FilesV2 | Get put-files based on the IDs given. These are used for the RTR `put` command. |
| RTR_CreatePut_Files | Upload a new put-file to use for the RTR `put` command. |
| RTR_DeletePut_Files | Delete a put-file based on the ID given. Can only delete one file at a time. |
| RTR_GetScripts | Get custom-scripts based on the IDs given. These are used for the RTR `runscript` command. |
| RTR_GetScriptsV2 | Get custom-scripts based on the IDs given. These are used for the RTR `runscript` command. |
| RTR_ListFalconScripts | Get a list of Falcon script IDs available to the user to run. |
| RTR_CreateScripts | Upload a new custom-script to use for the RTR `runscript` command. |
| RTR_DeleteScripts | Delete a custom-script based on the ID given. Can only delete one script at a time. |
| RTR_UpdateScripts | Upload a new script to replace an existing one. |
| RTR_ListPut_Files | Get a list of put-file IDs that are available to the user for the `put` command. |
| RTR_ListScripts | Get a list of custom-script IDs that are available to the user for the `runscript` command. |
WARNING: `client_id` and `client_secret` are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.) CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Batch executes a RTR administrator command across the hosts mapped to the given batch ID.
batch_admin_command
| Method | Route |
|---|---|
| | /real-time-response/combined/batch-admin-command/v1 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| base_command | body | string | Active Responder base command to perform. For example: `get` or `cp`. Refer to the command table below for a complete listing of available commands. |
| batch_id | body | string | RTR Batch ID to execute the command against. Received from `batch_init_session`. |
| command_string | body | string | Full command line of the command to execute. Example: `get some_file.txt`. |
| host_timeout_duration | query | string | Timeout duration for how long a host has to complete processing, in duration syntax. Example: `10s`. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes. |
| optional_hosts | body | string or list of strings | List of the subset of hosts we want to impact by this command. Allows for filtering of hosts from execution within the same batch. |
| persist_all | body | boolean | Flag indicating if this command should be executed when the host returns to service. |
| timeout | query | integer | Timeout for how long to wait for the request in seconds; the default timeout is 30 seconds. Maximum is 10 minutes. |
| timeout_duration | query | string | Timeout duration for how long to wait for the request, in duration syntax. Example: `10s`. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| Command | Description |
|---|---|
| cat | View file contents |
| cd | Change directory |
| clear | Clear the screen |
| cp | Copy a file |
| csrutil | Get system integrity protection status |
| encrypt | Encrypt a file |
| env | Display environment variables |
| eventlog | Inspect the event log (has subcommands). `eventlog backup` is recommended over `eventlog export`, as it is faster and follows an industry-standard file format. |
| filehash | Calculate a file hash (MD5 or SHA256) |
| get | Retrieve a file |
| getsid | Retrieve the current SID |
| help | Access help for a specific command or sub-command |
| history | Review command history for the current user |
| ifconfig | Review TCP configuration |
| ipconfig | Review TCP configuration |
| kill | Kill a running process |
| ls | List the contents of a directory |
| map | Map a UNC (SMB) path to a drive letter |
| memdump | Dump memory of a running process |
| mkdir | Create a directory |
| mount | Mount a file system (MacOS, Linux) or list available drives (Windows) |
| mv | Move a file |
| netstat | Retrieve network connection detail |
| ps | List running processes |
| put | Put a file onto a remote host |
| put-and-run | Put a file onto a remote host and then execute it. The put-and-run command reduces the potential for user error in file selection by ensuring that the file 'put' on the host is the same file that is 'run' on the host. |
| reg | Registry operations (has subcommands). |
| restart | Restart the system |
| rm | Remove a file |
| run | Run an executable |
| runscript | Run a script |
| shutdown | Shutdown the system |
| tar | Compress a file or directory into a tar file |
| unmap | Unmap a UNC (SMB) path from a drive letter |
| unmount | Unmount a file system |
| update | Install patches through Windows Update (has subcommands). |
| users | Get details about local users |
| xmemdump | Dump complete memory (kernel) for the system |
| zip | Create a zip archive |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.batch_admin_command(base_command="string",
                                      batch_id="string",
                                      command_string="string",
                                      optional_hosts=target_hosts,
                                      persist_all=True,        # boolean
                                      timeout=30,              # integer, seconds
                                      timeout_duration="10s"   # duration syntax
                                      )
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.BatchAdminCmd(base_command="string",
                                batch_id="string",
                                command_string="string",
                                optional_hosts=target_hosts,
                                persist_all=True,        # boolean
                                timeout=30,              # integer, seconds
                                timeout_duration="10s"   # duration syntax
                                )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

target_hosts = ["ID1", "ID2", "ID3"]

BODY = {
    "base_command": "string",
    "batch_id": "string",
    "command_string": "string",
    "optional_hosts": target_hosts,
    "persist_all": True
}

response = falcon.command("BatchAdminCmd",
                          timeout=30,              # integer, seconds
                          timeout_duration="10s",  # duration syntax
                          body=BODY
                          )
print(response)
```
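The parameter table above constrains `timeout_duration` and `host_timeout_duration` to duration syntax with the units ns, us, ms, s, m, h and a 10-minute maximum. The following is an added example, not code from the FalconPy wiki, that validates those values locally before they reach `batch_admin_command`; it also accepts the compound form of duration syntax (`1m30s`), which the page's single-unit example `10s` is one instance of.

```python
"""Validate RTR timeout durations before sending a batch admin command.

Added example (not FalconPy's own code). Encodes the constraints the parameter
table states for host_timeout_duration / timeout_duration: duration syntax,
units ns, us, ms, s, m, h, maximum 10 minutes. Compound values such as "1m30s"
are the general duration syntax; the page only shows single-unit examples.
"""
import re

# Seconds per documented unit.
UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
MAX_DURATION_SECONDS = 10 * 60  # "Maximum is 10 minutes."

# One <number><unit> component; the alternation lists "ms" before "m" and "s"
# so that "30ms" is not split into "30m" + "s".
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")


def duration_to_seconds(value):
    """Parse a duration string such as "10s" or "1m30s" into seconds.

    Raises ValueError for empty input, bare numbers, unknown units, or trailing
    junk, so a malformed value is caught locally instead of as an API error.
    """
    if not isinstance(value, str) or not value:
        raise ValueError("duration must be a non-empty string")
    pos = 0
    total = 0.0
    while pos < len(value):
        match = _COMPONENT.match(value, pos)
        if match is None:
            raise ValueError(f"invalid duration syntax at offset {pos}: {value!r}")
        number, unit = match.groups()
        total += float(number) * UNIT_SECONDS[unit]
        pos = match.end()
    return total


def rtr_timeout_kwargs(timeout_duration, host_timeout_duration=None):
    """Build the timeout keyword arguments for batch_admin_command.

    Each supplied value is parsed and checked against the documented 10-minute
    cap; the original strings are returned unchanged in a dict suitable for
    **kwargs. Raises ValueError on syntax errors or values over the maximum.
    """
    kwargs = {}
    for name, raw in (("timeout_duration", timeout_duration),
                      ("host_timeout_duration", host_timeout_duration)):
        if raw is None:
            continue
        seconds = duration_to_seconds(raw)
        if seconds > MAX_DURATION_SECONDS:
            raise ValueError(f"{name}={raw!r} exceeds the 10 minute maximum")
        kwargs[name] = raw
    return kwargs


if __name__ == "__main__":
    # Constructed values; the validated kwargs would be passed on as
    # falcon.batch_admin_command(..., **rtr_timeout_kwargs("30s", "10s")).
    print(rtr_timeout_kwargs("30s", "10s"))
    for bad in ("10", "11m", "10 s"):
        try:
            rtr_timeout_kwargs(bad)
        except ValueError as err:
            print("rejected:", err)
```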
Back to Table of Contents
Get status of an executed RTR administrator command on a single host.
check_admin_command_status
| Method | Route |
|---|---|
| | /real-time-response/entities/admin-command/v1 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| cloud_request_id | query | string | Cloud Request ID of the executed command to query. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| sequence_id | query | integer | Sequence ID that we want to retrieve. Command responses are chunked across sequences. |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

# sequence_id is an integer; 0 requests the first chunk of the response
response = falcon.check_admin_command_status(cloud_request_id="string", sequence_id=0)
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

# sequence_id is an integer; 0 requests the first chunk of the response
response = falcon.RTR_CheckAdminCommandStatus(cloud_request_id="string", sequence_id=0)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_CheckAdminCommandStatus",
                          cloud_request_id="string",
                          sequence_id=0   # integer; first chunk of the response
                          )
print(response)
```
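Because command responses are chunked across sequences, a single call to `check_admin_command_status` is rarely the whole story: a caller has to keep asking for the next `sequence_id` until a chunk reports completion, and stop cleanly on API errors. The following is an added example, not FalconPy's own code, that does this against any client object with the `check_admin_command_status(cloud_request_id=..., sequence_id=...)` signature; the resource fields it relies on (`complete`, `stdout`, `stderr`, `sequence_id`) and the `{"status_code", "body"}` response envelope are assumptions not stated on this page, and `FakeAdminClient` plus its sample chunks are constructed so the code runs offline.

```python
"""Assemble the complete output of an RTR admin command from its sequence chunks.

Added example; not FalconPy's own code. Assumed (not stated on this page): each
resource carries complete, stdout, stderr and sequence_id fields, and responses
look like {"status_code": int, "body": {"resources": [...], "errors": [...]}}.
FakeAdminClient is a constructed stand-in so the example runs without the API.
"""
import time
from dataclasses import dataclass, field


@dataclass
class CommandOutput:
    cloud_request_id: str
    complete: bool = False
    stdout: str = ""
    stderr: str = ""
    sequences_read: int = 0
    errors: list = field(default_factory=list)


def collect_admin_command_output(falcon, cloud_request_id, poll_interval=0.0, max_polls=50):
    """Walk sequence IDs via check_admin_command_status and concatenate the chunks.

    `falcon` is any object exposing check_admin_command_status(cloud_request_id=...,
    sequence_id=...). A non-200 status stops collection and records the API errors;
    a chunk that is not complete and carries no output is treated as "not ready yet"
    and the same sequence is re-polled after poll_interval seconds.
    """
    output = CommandOutput(cloud_request_id)
    sequence_id = 0
    for _ in range(max_polls):
        response = falcon.check_admin_command_status(cloud_request_id=cloud_request_id,
                                                    sequence_id=sequence_id)
        body = response.get("body", {})
        if response.get("status_code") != 200:
            output.errors.extend(body.get("errors")
                                 or [{"message": f"HTTP {response.get('status_code')}"}])
            return output
        resources = body.get("resources") or []
        chunk = resources[0] if resources else {}
        stdout, stderr = chunk.get("stdout", ""), chunk.get("stderr", "")
        if not chunk or (not chunk.get("complete") and not stdout and not stderr):
            time.sleep(poll_interval)  # nothing new for this sequence yet; retry it
            continue
        output.stdout += stdout
        output.stderr += stderr
        output.sequences_read += 1
        if chunk.get("complete"):
            output.complete = True
            return output
        sequence_id = chunk.get("sequence_id", sequence_id) + 1  # next chunk
    output.errors.append({"message": f"command still incomplete after {max_polls} polls"})
    return output


class FakeAdminClient:
    """Constructed stand-in for RealTimeResponseAdmin serving canned chunks per request ID."""

    def __init__(self, chunks_by_request):
        self._chunks = chunks_by_request  # {cloud_request_id: [chunk0, chunk1, ...]}
        self.calls = []                   # (cloud_request_id, sequence_id) audit trail

    def check_admin_command_status(self, cloud_request_id, sequence_id=0):
        self.calls.append((cloud_request_id, sequence_id))
        chunks = self._chunks.get(cloud_request_id)
        if chunks is None or sequence_id >= len(chunks):
            return {"status_code": 404,
                    "body": {"resources": [],
                             "errors": [{"code": 404, "message": "unknown request or sequence"}]}}
        resource = dict(chunks[sequence_id], sequence_id=sequence_id)
        return {"status_code": 200, "body": {"resources": [resource], "errors": []}}


# Constructed sample: a three-chunk process listing whose last chunk is flagged complete.
SAMPLE_CHUNKS = {
    "req-ps-0001": [
        {"complete": False, "stdout": "PID   Name\n", "stderr": ""},
        {"complete": False, "stdout": "4     System\n", "stderr": ""},
        {"complete": True, "stdout": "812   svchost.exe\n", "stderr": ""},
    ],
}


def demo():
    """Run the collector against the constructed client; returns (output, calls made)."""
    client = FakeAdminClient(SAMPLE_CHUNKS)
    result = collect_admin_command_output(client, "req-ps-0001")
    return result, client.calls


if __name__ == "__main__":
    out, calls = demo()
    print(out.complete, out.sequences_read, calls)
    print(out.stdout, end="")
```

With a real `RealTimeResponseAdmin` instance in place of the fake, the same function consumes the `cloud_request_id` returned by `execute_admin_command`.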
Back to Table of Contents
Execute a RTR administrator command on a single host.
execute_admin_command
| Method | Route |
|---|---|
| | /real-time-response/entities/admin-command/v1 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| base_command | body | string | Active Responder base command to perform. For example: `get` or `cp`. Refer to the command table below for a complete listing of available commands. |
| session_id | body | string | RTR Session ID to execute the command against. Received from `init_session`. |
| command_string | body | string | Full command line of the command to execute. Example: `get some_file.txt`. |
| persist | body | boolean | Flag indicating if this command should be executed when the host returns to service. |
| Command | Description |
|---|---|
| cat | View file contents |
| cd | Change directory |
| clear | Clear the screen |
| cp | Copy a file |
| csrutil | Get system integrity protection status |
| encrypt | Encrypt a file |
| env | Display environment variables |
| eventlog | Inspect the event log (has subcommands). `eventlog backup` is recommended over `eventlog export`, as it is faster and follows an industry-standard file format. |
| filehash | Calculate a file hash (MD5 or SHA256) |
| get | Retrieve a file |
| getsid | Retrieve the current SID |
| help | Access help for a specific command or sub-command |
| history | Review command history for the current user |
| ifconfig | Review TCP configuration |
| ipconfig | Review TCP configuration |
| kill | Kill a running process |
| ls | List the contents of a directory |
| map | Map a UNC (SMB) path to a drive letter |
| memdump | Dump memory of a running process |
| mkdir | Create a directory |
| mount | Mount a file system (MacOS, Linux) or list available drives (Windows) |
| mv | Move a file |
| netstat | Retrieve network connection detail |
| ps | List running processes |
| put-and-run | Put a file onto a remote host and then execute it. The put-and-run command reduces the potential for user error in file selection by ensuring that the file 'put' on the host is the same file that is 'run' on the host. |
| reg | Registry operations (has subcommands). |
| restart | Restart the system |
| rm | Remove a file |
| run | Run an executable |
| runscript | Run a script |
| shutdown | Shutdown the system |
| tar | Compress a file or directory into a tar file |
| unmap | Unmap a UNC (SMB) path from a drive letter |
| unmount | Unmount a file system |
| update | Install patches through Windows Update (has subcommands). |
| users | Get details about local users |
| xmemdump | Dump complete memory (kernel) for the system |
| zip | Create a zip archive |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.execute_admin_command(base_command="string",
                                        session_id="string",
                                        command_string="string",
                                        persist=True   # boolean
                                        )
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.RTR_ExecuteAdminCommand(base_command="string",
                                          session_id="string",
                                          command_string="string",
                                          persist=True   # boolean
                                          )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "base_command": "string",
    "command_string": "string",
    "persist": True,
    "session_id": "string"
}

response = falcon.command("RTR_ExecuteAdminCommand", body=BODY)
print(response)
```
Back to Table of Contents
Get Falcon scripts with metadata and content of script
get_falcon_scripts
| Method | Route |
|---|---|
| | /real-time-response/entities/falcon-scripts/v1 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | array (string) | IDs of the Falcon scripts you want to retrieve. |
```python
# Service class example (PEP8 syntax)
from falconpy.real_time_response_admin import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_falcon_scripts(ids=id_list)
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_GetFalconScripts(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_GetFalconScripts", ids=id_list)
print(response)
```
Back to Table of Contents
Get put-files based on the IDs given. These are used for the RTR `put` command.
get_put_files

| Method | Route |
|---|---|
| | /real-time-response/entities/put-files/v1 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | File IDs. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_put_files(ids=id_list)
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_GetPut_Files(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_GetPut_Files", ids=id_list)
print(response)
```
Back to Table of Contents
Get put-files based on the IDs given. These are used for the RTR `put` command.
get_put_files_v2

| Method | Route |
|---|---|
| | /real-time-response/entities/put-files/v2 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | File IDs. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_put_files_v2(ids=id_list)
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_GetPut_FilesV2(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_GetPut_FilesV2", ids=id_list)
print(response)
```
Back to Table of Contents
Upload a new put-file to use for the RTR `put` command.
create_put_files

| Method | Route |
|---|---|
| | /real-time-response/entities/put-files/v1 |

- Consumes: multipart/form-data
- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| comments_for_audit_log | formData | string | A descriptive comment for the audit log. |
| data | formData | file | Full formData payload in JSON format. |
| description | formData | string | File description. |
| name | formData | string | File name (if different than actual file name). |
| files | query | list of tuples | File(s) to be uploaded. |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

filename = "somefile.ext"

# Multipart tuple: (form field, (name on the server, bytes, content type))
with open(filename, "rb") as upload_file:
    file_upload = [('file', ('MyPutFile', upload_file.read(), 'application/octet-stream'))]

response = falcon.create_put_files(comments_for_audit_log="string",
                                   description="string",
                                   name="string",
                                   files=file_upload
                                   )
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

filename = "somefile.ext"

with open(filename, "rb") as upload_file:
    file_upload = [('file', ('MyPutFile', upload_file.read(), 'application/octet-stream'))]

response = falcon.RTR_CreatePut_Files(comments_for_audit_log="string",
                                      description="string",
                                      name="string",
                                      files=file_upload
                                      )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

PAYLOAD = {
    "description": "string",
    "name": "string",
    "comments_for_audit_log": "string"
}

filename = "somefile.ext"

with open(filename, "rb") as upload_file:
    file_upload = [('file', ('MyPutFile', upload_file.read(), 'application/octet-stream'))]

response = falcon.command("RTR_CreatePut_Files", data=PAYLOAD, files=file_upload)
print(response)
```
Back to Table of Contents
Delete a put-file based on the ID given. Can only delete one file at a time.
delete_put_files
| Method | Route |
|---|---|
| | /real-time-response/entities/put-files/v1 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | File IDs. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_put_files(ids=id_list)
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_DeletePut_Files(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_DeletePut_Files", ids=id_list)
print(response)
```
Back to Table of Contents
Get custom-scripts based on the IDs given. These are used for the RTR `runscript` command.
get_scripts

| Method | Route |
|---|---|
| | /real-time-response/entities/scripts/v1 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | File IDs. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_scripts(ids=id_list)
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_GetScripts(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_GetScripts", ids=id_list)
print(response)
```
Back to Table of Contents
Get custom-scripts based on the IDs given. These are used for the RTR `runscript` command.
get_scripts_v2

| Method | Route |
|---|---|
| | /real-time-response/entities/scripts/v2 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | File IDs. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_scripts_v2(ids=id_list)
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_GetScriptsV2(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_GetScriptsV2", ids=id_list)
print(response)
```
Back to Table of Contents
Upload a new custom-script to use for the RTR `runscript` command.
create_scripts

| Method | Route |
|---|---|
| | /real-time-response/entities/scripts/v1 |

- Consumes: multipart/form-data
- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| comments_for_audit_log | formData | string | A descriptive comment for the audit log. |
| content | formData | string | The text contents you want to use for the script. Takes the place of a file upload. |
| data | formData | file | Full formData payload in JSON format. |
| description | formData | string | File description. |
| name | formData | string | File name (if different than actual file name). |
| permission_type | formData | string | Permissions for the custom-script. Valid permission values include: |
| platform | formData | list of strings | Platform for the script. Currently supports `windows`, `mac`, and `linux`. If no platform is provided, `windows` is assumed. |
| files | query | list of tuples | File(s) to be uploaded. |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

filename = "somefile.ext"

# Multipart tuple: (form field, (name on the server, bytes, content type))
with open(filename, "rb") as upload_file:
    file_upload = [('file', ('MyScript', upload_file.read(), 'application/script'))]

response = falcon.create_scripts(comments_for_audit_log="string",
                                 description="string",
                                 name="string",
                                 files=file_upload,
                                 platform=["string"],
                                 permission_type="string",
                                 content="string"
                                 )
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

filename = "somefile.ext"

with open(filename, "rb") as upload_file:
    file_upload = [('file', ('MyScript', upload_file.read(), 'application/script'))]

response = falcon.RTR_CreateScripts(comments_for_audit_log="string",
                                    description="string",
                                    name="string",
                                    files=file_upload,
                                    platform=["string"],
                                    permission_type="string",
                                    content="string"
                                    )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

PAYLOAD = {
    "description": "string",
    "name": "string",
    "comments_for_audit_log": "string",
    "permission_type": "string",
    "content": "string",
    "platform": [
        "string",
        "string"
    ]
}

filename = "somefile.ext"

with open(filename, "rb") as upload_file:
    file_upload = [('file', ('MyScript', upload_file.read(), 'application/script'))]

response = falcon.command("RTR_CreateScripts", data=PAYLOAD, files=file_upload)
print(response)
```
Back to Table of Contents
Delete a custom-script based on the ID given. Can only delete one script at a time.
delete_scripts
| Method | Route |
|---|---|
| | /real-time-response/entities/scripts/v1 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | File IDs. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_scripts(ids=id_list)
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.RTR_DeleteScripts(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("RTR_DeleteScripts", ids=id_list)
print(response)
```
Back to Table of Contents
Upload a new script to replace an existing one.
update_scripts

| Method | Route |
|---|---|
| | /real-time-response/entities/scripts/v1 |

- Consumes: multipart/form-data
- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| comments_for_audit_log | formData | string | A descriptive comment for the audit log. |
| content | formData | string | The text contents you want to use for the script. Takes the place of a file upload. |
| data | formData | file | Full formData payload in JSON format. |
| description | formData | string | File description. |
| id | formData | string | The ID of the script to be updated. |
| name | formData | string | File name (if different than actual file name). |
| permission_type | formData | string | Permissions for the custom-script. Valid permission values include: |
| platform | formData | list of strings | Platform for the script. Currently supports `windows`, `mac`, and `linux`. If no platform is provided, `windows` is assumed. |
| files | query | list of tuples | File(s) to be uploaded. |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

filename = "file.ext"

# Read inside a context manager so the handle is closed after the bytes are captured
with open(filename, "rb") as upload_file:
    file_upload = [('file', (filename, upload_file.read(), 'application/script'))]

response = falcon.update_scripts(comments_for_audit_log="string",
                                 description="string",
                                 id="string",
                                 name="string",
                                 files=file_upload,
                                 platform=["string"],
                                 permission_type="string",
                                 content="string"
                                 )
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

filename = "file.ext"

with open(filename, "rb") as upload_file:
    file_upload = [('file', (filename, upload_file.read(), 'application/script'))]

response = falcon.RTR_UpdateScripts(comments_for_audit_log="string",
                                    description="string",
                                    id="string",
                                    name="string",
                                    files=file_upload,
                                    platform=["string"],
                                    permission_type="string",
                                    content="string"
                                    )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

PAYLOAD = {
    "id": "string",
    "description": "string",
    "name": "string",
    "comments_for_audit_log": "string",
    "permission_type": "string",
    "content": "string",
    "platform": [
        "string",
        "string"
    ]
}

filename = "file.ext"

with open(filename, "rb") as upload_file:
    file_upload = [('file', (filename, upload_file.read(), 'application/script'))]

response = falcon.command("RTR_UpdateScripts", data=PAYLOAD, files=file_upload)
print(response)
```
Back to Table of Contents
Get a list of Falcon script IDs available to the user to run
list_falcon_scripts
| Method | Route |
|---|---|
| | /real-time-response/queries/falcon-scripts/v1 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | Optional filter criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. |
| offset | query | integer | Starting index of overall result set from which to return ids. |
| limit | query | integer | Number of ids to return. |
| sort | query | string | Sort by spec. Ex: 'created_at |
```python
# Service class example (PEP8 syntax)
from falconpy.real_time_response_admin import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.list_falcon_scripts(filter="string",
                                      offset=0,      # integer
                                      limit=100,     # integer
                                      sort="string"
                                      )
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.RTR_ListFalconScripts(filter="string",
                                        offset=0,      # integer
                                        limit=100,     # integer
                                        sort="string"
                                        )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_ListFalconScripts",
                          filter="string",
                          offset=0,      # integer
                          limit=100,     # integer
                          sort="string"
                          )
print(response)
```
Back to Table of Contents
Get a list of put-file IDs that are available to the user for the `put` command.
list_put_files

| Method | Route |
|---|---|
| | /real-time-response/queries/put-files/v1 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL query expression that should be used to limit the results. `user_id` can accept a special value `@me`, which restricts results to records with the current user's ID. |
| limit | query | integer | Maximum number of records to return. |
| offset | query | string | Starting index of overall result set from which to return ids. |
| sort | query | string | The property to sort by. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.list_put_files(filter="string",
                                 offset="string",
                                 limit=100,     # integer
                                 sort="string"
                                 )
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.RTR_ListPut_Files(filter="string",
                                    offset="string",
                                    limit=100,     # integer
                                    sort="string"
                                    )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_ListPut_Files",
                          filter="string",
                          offset="string",
                          limit=100,     # integer
                          sort="string"
                          )
print(response)
```
Back to Table of Contents
Get a list of custom-script IDs that are available to the user for the `runscript` command.
list_scripts

| Method | Route |
|---|---|
| | /real-time-response/queries/scripts/v1 |

- Produces: application/json

| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL query expression that should be used to limit the results. `user_id` can accept a special value `@me`, which restricts results to records with the current user's ID. |
| limit | query | integer | Maximum number of records to return. |
| offset | query | string | Starting index of overall result set from which to return ids. |
| sort | query | string | The property to sort by. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
```python
# Service class example (PEP8 syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.list_scripts(filter="string",
                               offset="string",
                               limit=100,     # integer
                               sort="string"
                               )
print(response)
```

```python
# Service class example (Operation ID syntax)
from falconpy import RealTimeResponseAdmin

# Do not hardcode API credentials!
falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.RTR_ListScripts(filter="string",
                                  offset="string",
                                  limit=100,     # integer
                                  sort="string"
                                  )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTR_ListScripts",
                          filter="string",
                          offset="string",
                          limit=100,     # integer
                          sort="string"
                          )
print(response)
```
Back to Table of Contents