# Detects

Joshua Hiller edited this page Jan 19, 2022 · 28 revisions
| Operation ID | Description |
| :--- | :--- |
| GetAggregateDetects | Get detect aggregates as specified via JSON in the request body. |
| UpdateDetectsByIdsV2 | Modify the state, assignee, and visibility of detections. |
| GetDetectSummaries | View information about detections. |
| QueryDetects | Search for detection IDs that match a given query. |
### GetAggregateDetects

Get detect aggregates as specified via JSON in the request body.

PEP8 method name: `get_aggregate_detects`

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| body | | | body | string | Full body payload in JSON format. |
| date_ranges | | | body | list of dictionaries | Applies to date_range aggregations. Example: `[ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ]` |
| field | | | body | string | The field on which to compute the aggregation. |
| filter | | | body | string | FQL syntax formatted string used to filter the results. |
| interval | | | body | string | Time interval for date histogram aggregations. Valid values include: |
| min_doc_count | | | body | integer | Only return buckets whose document count is greater than or equal to this value. |
| missing | | | body | string | The value to use when the aggregation field is missing from the object. In other words, `missing` defines how documents without a value for the field are treated: by default they are ignored, but they can instead be counted as if they had this value. |
| name | | | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | | | body | string | Full text search across all metadata fields. |
| ranges | | | body | list of dictionaries | Applies to range aggregations. Range values depend on the field. For example, if `max_severity` is used, ranges might look like: `[ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ]` |
| size | | | body | integer | The maximum number of term buckets to return. |
| sub_aggregates | | | body | list of dictionaries | A nested aggregation, such as: `[ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ]` There is a maximum of 3 nested aggregations per request. |
| sort | | | body | string | FQL syntax string to sort bucket results, written as `field\|asc` or `field\|desc`. Example: `_count\|desc` |
| time_zone | | | body | string | Time zone for bucket results. |
| type | | | body | string | Type of aggregation. Valid values include: |
#### Service class example (PEP8 syntax)

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

# "string" and integer below are placeholders for real values
date_range = {
    "from": "string",
    "to": "string"
}

search_range = {
    "From": integer,
    "To": integer
}

response = falcon.get_aggregate_detects(date_ranges=[date_range],
                                        field="string",
                                        filter="string",
                                        interval="string",
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=[search_range],
                                        size=integer,
                                        sort="string",
                                        time_zone="string",
                                        type="string"
                                        )
print(response)
```
#### Service class example (Operation ID syntax)

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

# "string" and integer below are placeholders for real values
date_range = {
    "from": "string",
    "to": "string"
}

search_range = {
    "From": integer,
    "To": integer
}

response = falcon.GetAggregateDetects(date_ranges=[date_range],
                                      field="string",
                                      filter="string",
                                      interval="string",
                                      min_doc_count=integer,
                                      missing="string",
                                      name="string",
                                      q="string",
                                      ranges=[search_range],
                                      size=integer,
                                      sort="string",
                                      time_zone="string",
                                      type="string"
                                      )
print(response)
```
#### Uber class example

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

# The body is a list: one dictionary per aggregate query.
# "string" and integer below are placeholders for real values.
BODY = [
    {
        "date_ranges": [
            {
                "from": "string",
                "to": "string"
            }
        ],
        "field": "string",
        "filter": "string",
        "interval": "string",
        "min_doc_count": integer,
        "missing": "string",
        "name": "string",
        "q": "string",
        "ranges": [
            {
                "From": integer,
                "To": integer
            }
        ],
        "size": integer,
        "sort": "string",
        "time_zone": "string",
        "type": "string"
    }
]

response = falcon.command("GetAggregateDetects", body=BODY)
print(response)
```
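The parameter table above carries several constraints that the API only reports after a round trip: `date_ranges` and `ranges` must be lists of `from`/`to` (note the capitalised `From`/`To` for `ranges`) dictionaries, `sort` must be `field|asc` or `field|desc`, and at most 3 `sub_aggregates` are accepted per request. The following is an added example, not code from the FalconPy wiki or SDK, that checks a query against those documented rules before it is sent as the `body` payload. The aggregation type names (`terms`, `date_histogram`), the `week` interval value and the FQL filter string are assumptions for illustration, since this page's list of valid values is not reproduced; `aggregate_problems`, `build_aggregate_query` and `aggregate_body` are helper names chosen here.

```python
"""Build and validate a GetAggregateDetects body offline (added example, not SDK code)."""
from datetime import datetime, timezone
import json
import re

MAX_SUB_AGGREGATES = 3                                  # documented limit per request
_SORT_RE = re.compile(r"^[A-Za-z0-9_.]+\|(asc|desc)$")  # e.g. _count|desc
_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"                          # format used in the date_ranges example


def _utc(value):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp; None if malformed."""
    try:
        return datetime.strptime(value, _TS_FMT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def aggregate_problems(query):
    """Return the constraint violations found in one aggregate query (empty list == ok)."""
    issues = []
    for key in ("name", "field", "type"):
        if not isinstance(query.get(key), str) or not query[key]:
            issues.append(f"{key} must be a non-empty string")
    for rng in query.get("date_ranges", []):
        start, end = _utc(rng.get("from")), _utc(rng.get("to"))
        if start is None or end is None:
            issues.append(f"date_range {rng!r} is not in {_TS_FMT} form")
        elif start >= end:
            issues.append(f"date_range {rng!r} has from >= to")
    for rng in query.get("ranges", []):                 # numeric ranges use capitalised keys
        if not {"From", "To"} <= set(rng) or rng["From"] >= rng["To"]:
            issues.append(f"range {rng!r} needs From < To")
    subs = query.get("sub_aggregates", [])
    if len(subs) > MAX_SUB_AGGREGATES:
        issues.append(f"{len(subs)} sub_aggregates exceeds the limit of {MAX_SUB_AGGREGATES}")
    for sub in subs:
        missing = {"name", "type", "field"} - set(sub)
        if missing:
            issues.append(f"sub_aggregate {sub!r} is missing {sorted(missing)}")
    sort = query.get("sort")
    if sort is not None and not _SORT_RE.match(sort):
        issues.append(f"sort {sort!r} must look like <field>|asc or <field>|desc")
    for key in ("size", "min_doc_count"):
        if key in query and (not isinstance(query[key], int) or query[key] < 0):
            issues.append(f"{key} must be a non-negative integer")
    return issues


def build_aggregate_query(name, field, agg_type, **options):
    """Assemble one aggregate query; `fql` is renamed to the API's `filter` key."""
    query = {"name": name, "field": field, "type": agg_type}
    if "fql" in options:
        query["filter"] = options.pop("fql")
    query.update({k: v for k, v in options.items() if v is not None})
    issues = aggregate_problems(query)
    if issues:
        raise ValueError("; ".join(issues))
    return query


def aggregate_body(*queries):
    """GetAggregateDetects takes a JSON list of queries, one dictionary each."""
    return list(queries)


# Constructed sample: open detections of severity >= 50 bucketed by status, each bucket
# carrying its highest severity, plus a weekly histogram of first_behavior for one month.
BY_STATUS = build_aggregate_query(
    "open_by_status", "status", "terms",
    fql="status:'new'+max_severity:>=50",                # assumed FQL, for illustration
    sort="_count|desc", size=10, min_doc_count=1,
    sub_aggregates=[{"name": "worst", "type": "max", "field": "max_severity"}],
)
BY_WEEK = build_aggregate_query(
    "first_seen_by_week", "first_behavior", "date_histogram",
    interval="week", time_zone="UTC",                    # assumed interval value
    date_ranges=[{"from": "2022-01-01T00:00:00Z", "to": "2022-02-01T00:00:00Z"}],
)

if __name__ == "__main__":
    print(json.dumps(aggregate_body(BY_STATUS, BY_WEEK), indent=2))
```

The returned list is what the page's examples send: `falcon.get_aggregate_detects(body=aggregate_body(BY_STATUS, BY_WEEK))` with the Service class, or `falcon.command("GetAggregateDetects", body=...)` with the Uber class. Checking the body locally keeps a malformed query from costing an authenticated API call and keeps the 3-sub-aggregate cap visible in code review rather than in a 400 response.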
### UpdateDetectsByIdsV2

Modify the state, assignee, and visibility of detections. You can update one or more attributes of one or more detections with a single request.

PEP8 method name: `update_detects_by_ids`

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| assigned_to_uuid | | | body | string | A user ID (for example the user's e-mail address) to assign the detection to. |
| body | | | body | string | Full body payload in JSON format. |
| comment | | | body | string | Optional comment to add to the detection. Comments are displayed with the detection in Falcon and are usually used to provide context or notes for other Falcon users. A detection can have multiple comments over time. |
| ids | | | body | string or list of strings | ID(s) of the detection(s) to update, which you can find with the QueryDetects operation, the Falcon console, or the Streaming API. |
| show_in_ui | | | body | boolean | Boolean determining whether this detection is displayed in the Falcon console. |
| status | | | body | string | Current status of the detection. Allowed values: |
#### Service class example (PEP8 syntax)

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

# "string" and boolean below are placeholders for real values
response = falcon.update_detects_by_ids(assigned_to_uuid="string",
                                        comment="string",
                                        ids=id_list,
                                        show_in_ui=boolean,
                                        status="string"
                                        )
print(response)
```
#### Service class example (Operation ID syntax)

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

# "string" and boolean below are placeholders for real values
response = falcon.UpdateDetectsByIdsV2(assigned_to_uuid="string",
                                       comment="string",
                                       ids=id_list,
                                       show_in_ui=boolean,
                                       status="string"
                                       )
print(response)
```
#### Uber class example

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = ['ID1', 'ID2', 'ID3']

# "string" and boolean below are placeholders for real values
BODY = {
    "assigned_to_uuid": "string",
    "comment": "string",
    "ids": id_list,
    "show_in_ui": boolean,
    "status": "string"
}

response = falcon.command("UpdateDetectsByIdsV2", body=BODY)
print(response)
```
### GetDetectSummaries

View information about detections.

PEP8 method name: `get_detect_summaries`

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| body | | | body | string | Full body payload in JSON format. |
| ids | | | body | string or list of strings | ID(s) of the detections to retrieve. View key attributes of detections, including the associated host, disposition, objective/tactic/technique, adversary, and more. Specify one or more detection IDs (max 1000 per request). Find detection IDs with the QueryDetects operation, the Falcon console, or the Streaming API. |

In order to use this method, either the `body` keyword or the `ids` keyword must be provided.
#### Service class example (PEP8 syntax)

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_detect_summaries(ids=id_list)
print(response)
```
#### Service class example (Operation ID syntax)

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetDetectSummaries(ids=id_list)
print(response)
```
#### Uber class example

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("GetDetectSummaries", body=BODY)
print(response)
```
### QueryDetects

Search for detection IDs that match a given query.

PEP8 method name: `query_detects`

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| filter | | | query | string | Filter detections using a query in Falcon Query Language (FQL). An asterisk wildcard `*` includes all results. The tables below list the available FQL filter fields; more details regarding filters can be found in the documentation inside the Falcon console. |
| limit | | | query | integer | The maximum number of detections to return in this response (default: 9999; max: 9999). Use with the `offset` parameter to manage pagination of results. |
| offset | | | query | integer | The first detection to return, where 0 is the latest detection. Use with the `limit` parameter to manage pagination of results. |
| parameters | | | query | string | Full query string parameters payload in JSON format. |
| q | | | query | string | Search all detection metadata for the provided string. |
| sort | | | query | string | Sort detections using these options: `asc` (ascending) or `desc` (descending), written as `field\|direction`. For example: `last_behavior\|asc` |
The following tables detail acceptable values for the `filter` keyword described above. Filter options are broken out into four categories:

- General
- Behavioral
- Devices
- Miscellaneous

#### General

| | | | | |
| :--- | :--- | :--- | :--- | :--- |
| adversary_ids | date_updated | last_behavior | max_severity_displayname | status |
| assigned_to_name | detection_id | max_confidence | seconds_to_resolved | |
| cid | first_behavior | max_severity | seconds_to_triaged | |

#### Behavioral

Prefix these fields with `behaviors.`, for example `behaviors.ioc_type`.

| | | |
| :--- | :--- | :--- |
| alleged_filetype | md5 | sha256 |
| behavior_id | objective | tactic |
| cmdline | parent_details.parent_cmdline | technique |
| confidence | parent_details.parent_md5 | timestamp |
| control_graph_id | parent_details.parent_process_id | triggering_process_id |
| device_id | parent_details.parent_process_graph_id | triggering_process_graph_id |
| filename | parent_details.parent_sha256 | user_id |
| ioc_source | pattern_disposition | user_name |
| ioc_type | scenario | |
| ioc_value | severity | |

#### Devices

Prefix these fields with `device.`, for example `device.platform_name`.

| | | |
| :--- | :--- | :--- |
| agent_load_flags | first_seen | platform_name |
| agent_local_time | hostname | product_type |
| agent_version | last_seen | product_type_desc |
| bios_manufacturer | local_ip | release_group |
| bios_version | mac_address | reduced_functionality_mode |
| cid | machine_domain | serial_number |
| config_id_base | major_version | site_name |
| config_id_build | minor_version | status |
| config_id_platform | modified_timestamp | system_product_name |
| cpu_signature | os_version | system_manufacturer |
| device_id | ou | |
| external_ip | platform_id | |

#### Miscellaneous

| | | |
| :--- | :--- | :--- |
| hostinfo.domain | quarantined_files.id | quarantined_files.sha256 |
| hostinfo.active_directory_dn_display | quarantined_files.paths | quarantined_files.state |
#### Service class example (PEP8 syntax)

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

# "string" and integer below are placeholders for real values
response = falcon.query_detects(offset=integer,
                                limit=integer,
                                sort="string",
                                filter="string",
                                q="string"
                                )
print(response)
```
#### Service class example (Operation ID syntax)

```python
from falconpy import Detects

falcon = Detects(client_id="API_CLIENT_ID_HERE",
                 client_secret="API_CLIENT_SECRET_HERE"
                 )

# "string" and integer below are placeholders for real values
response = falcon.QueryDetects(offset=integer,
                               limit=integer,
                               sort="string",
                               filter="string",
                               q="string"
                               )
print(response)
```
#### Uber class example

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

# Query string parameters are passed to the Uber class as one dictionary.
# "string" and integer below are placeholders for real values.
PARAMS = {
    "offset": integer,
    "limit": integer,
    "sort": "string",
    "filter": "string",
    "q": "string"
}

response = falcon.command("QueryDetects", parameters=PARAMS)
print(response)
```
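The three operations above are normally chained: QueryDetects returns only IDs (at most 9999 per call, offset 0 being the newest detection), GetDetectSummaries accepts at most 1000 IDs per request, and UpdateDetectsByIdsV2 applies one change to all IDs in the list. The following is an added example, not code from the FalconPy wiki or SDK, that drives the Service-class method names from this page through that chain: page through the query with `offset`/`limit`, fetch summaries in batches of 1000, check each FalconPy response dictionary (`status_code`, `body.resources`, `body.errors`) before trusting it, and hand high-severity new detections to an analyst. `FakeDetects` is a constructed in-memory stand-in with the same method signatures so the logic runs offline; a real `falconpy.Detects` instance can be passed in its place. The status value `in_progress`, the FQL `status:'new'`, the analyst identifier and all sample detections are assumptions made for the example.

```python
"""Query, summarise and bulk-triage detections (added example, not SDK code)."""
from typing import Dict, Iterable, List

QUERY_PAGE_MAX = 9999     # QueryDetects: default and maximum limit
SUMMARY_BATCH_MAX = 1000  # GetDetectSummaries: maximum IDs per request


class FakeDetects:
    """Constructed stand-in for falconpy.Detects (same call shapes, toy FQL)."""

    def __init__(self, detections: Dict[str, dict]):
        self.det = detections            # detection_id -> attributes
        self.updates: List[dict] = []    # every update call, for inspection

    @staticmethod
    def _ok(resources):
        return {"status_code": 200, "body": {"resources": resources, "errors": []}}

    def query_detects(self, offset=0, limit=QUERY_PAGE_MAX, sort=None, filter=None, q=None):
        # Toy FQL: "field:'value'" terms joined by "+" (AND); newest first, offset 0 = latest.
        ids = sorted(self.det, key=lambda i: self.det[i]["first_behavior"], reverse=True)
        for term in (filter or "").split("+"):
            if term:
                key, _, value = term.partition(":")
                ids = [i for i in ids if str(self.det[i].get(key)) == value.strip("'")]
        return self._ok(ids[offset:offset + min(limit, QUERY_PAGE_MAX)])

    def get_detect_summaries(self, ids):
        ids = ids.split(",") if isinstance(ids, str) else list(ids)
        if len(ids) > SUMMARY_BATCH_MAX:     # oversized requests are rejected
            return {"status_code": 400, "body": {"resources": [],
                    "errors": [{"code": 400, "message": "too many ids"}]}}
        return self._ok([dict(self.det[i], detection_id=i) for i in ids if i in self.det])

    def update_detects_by_ids(self, ids, **changes):
        ids = ids.split(",") if isinstance(ids, str) else list(ids)
        for i in ids:
            self.det[i].update({k: v for k, v in changes.items()
                                if k in ("status", "assigned_to_uuid", "show_in_ui")})
        self.updates.append({"ids": ids, **changes})
        return self._ok([])


def resources(resp: dict) -> list:
    """Return body.resources, raising on a non-2xx status or a populated errors list."""
    if resp["status_code"] // 100 != 2 or resp["body"].get("errors"):
        raise RuntimeError(f"API error {resp['status_code']}: {resp['body'].get('errors')}")
    return resp["body"]["resources"]


def all_detection_ids(falcon, fql: str, page: int = QUERY_PAGE_MAX) -> List[str]:
    """Walk QueryDetects with offset/limit until a short page comes back."""
    ids, offset = [], 0
    while True:
        batch = resources(falcon.query_detects(offset=offset, limit=page,
                                               sort="first_behavior|desc", filter=fql))
        ids.extend(batch)
        if len(batch) < page:
            return ids
        offset += page


def summaries(falcon, ids: Iterable[str]) -> List[dict]:
    """GetDetectSummaries in chunks of at most SUMMARY_BATCH_MAX IDs."""
    ids, out = list(ids), []
    for start in range(0, len(ids), SUMMARY_BATCH_MAX):
        out.extend(resources(falcon.get_detect_summaries(ids=ids[start:start + SUMMARY_BATCH_MAX])))
    return out


def assign_high_severity(falcon, analyst: str, min_severity: int = 70) -> List[str]:
    """Assign new detections at or above min_severity to an analyst; return the IDs touched."""
    candidates = all_detection_ids(falcon, "status:'new'")
    chosen = [s["detection_id"] for s in summaries(falcon, candidates)
              if s["max_severity"] >= min_severity]
    if chosen:
        resources(falcon.update_detects_by_ids(ids=chosen, status="in_progress",
                                               assigned_to_uuid=analyst,
                                               comment=f"auto-assigned: severity >= {min_severity}"))
    return chosen


# Constructed sample tenant: 2500 detections, no real IDs, hosts or users.
SAMPLE = {f"ldt:{n:04x}": {"status": "new" if n % 3 else "closed",
                           "max_severity": (n * 37) % 100,
                           "first_behavior": f"2022-01-{n % 28 + 1:02d}T00:00:00Z"}
          for n in range(2500)}

if __name__ == "__main__":
    client = FakeDetects({k: dict(v) for k, v in SAMPLE.items()})
    print(len(assign_high_severity(client, "analyst@example.com")), "detections assigned")
```

Two points the page's parameter table implies but a first script usually gets wrong: because offset 0 is always the newest detection, a detection that arrives while you are paging shifts every later offset, so collect the full ID list first (or filter on a fixed `first_behavior` window) before acting on it; and an oversized `ids` list is rejected outright rather than truncated, so the 1000-ID chunking has to be done by the caller.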