Quarantine

Using the Quarantine service collection

Table of Contents

Operation ID	Description
ActionUpdateCount PEP 8 action_update_count	Returns count of potentially affected quarantined files for each action.
GetAggregateFiles PEP 8 get_aggregate_files	Get quarantine file aggregates as specified via json in request body.
GetQuarantineFiles PEP 8 get_quarantine_files	Get quarantine file metadata for specified ids.
UpdateQuarantinedDetectsByIds PEP 8 update_quarantined_detects_by_id	Apply action by quarantine file ids
QueryQuarantineFiles PEP 8 query_quarantine_files	Get quarantine file ids that match the provided filter criteria.
UpdateQfByQuery PEP 8 update_quarantined_detects_by_query	Apply quarantine file actions by query.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

ActionUpdateCount

Returns count of potentially affected quarantined files for each action.

PEP8 method name

action_update_count

Endpoint

Method	Route
	/quarantine/aggregates/action-update-count/v1

Required Scope

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	The filter expression that should be used to filter results. FQL syntax.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Quarantine

# Do not hardcode API credentials!
falcon = Quarantine(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.action_update_count(filter="string")
print(response)

Service class example (Operation ID syntax)

from falconpy import Quarantine

# Do not hardcode API credentials!
falcon = Quarantine(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.ActionUpdateCount(filter="string")
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ActionUpdateCount", filter="string")
print(response)

GetAggregateFiles

Get quarantine file aggregates as specified via json in request body.

PEP8 method name

get_aggregate_files

Endpoint

Method	Route
	/quarantine/aggregates/quarantined-files/GET/v1

Required Scope

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	list of dictionaries	Full body payload in JSON format.
date_ranges			body	list of dictionaries	Applies to date_range aggregations. Example: [   {     "from": "2016-05-28T09:00:31Z",     "to": "2016-05-30T09:00:31Z"   },   {     "from": "2016-06-01T09:00:31Z",     "to": "2016-06-10T09:00:31Z"   } ]
exclude			body	string	Elements to exclude.
field			body	string	The field on which to compute the aggregation.
filter			body	string	FQL syntax formatted string to use to filter the results.
from			body	integer	Starting position.
include			body	string	Elements to include.
interval			body	string	Time interval for date histogram aggregations. Valid values include: year month week day hour minute
max_doc_count			body	integer	Only return buckets if values are less than or equal to the value here.
min_doc_count			body	integer	Only return buckets if values are greater than or equal to the value here.
missing			body	string	Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name			body	string	Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q			body	string	Full text search across all metadata fields.
ranges			body	list of dictionaries	Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [   {     "From": 0,     "To": 70   },   {     "From": 70,     "To": 100   } ]
size			body	integer	The max number of term buckets to be returned.
sub_aggregates			body	list of dictionaries	A nested aggregation, such as: [   {     "name": "max_first_behavior",     "type": "max",     "field": "first_behavior"   } ] There is a maximum of 3 nested aggregations per request.
sort			body	string	FQL syntax string to sort bucket results. _count - sort by document count _term - sort by the string value alphabetically Supports asc and desc using | format. Example: _count|desc
time_zone			body	string	Time zone for bucket results.
type			body	string	Type of aggregation. Valid values include: date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field. date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601. terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names. range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity. cardinality - Returns the count of distinct values in a specified field. max - Returns the maximum value of a specified field. min - Returns the minimum value of a specified field. avg - Returns the average value of the specified field. sum - Returns the total sum of all values for the specified field. percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)

from falconpy import Quarantine

# Do not hardcode API credentials!
falcon = Quarantine(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.get_aggregate_files(date_ranges=date_ranges,
                                      exclude="string",
                                      field="string",
                                      filter="string",
                                      from=integer,
                                      include="string",
                                      interval="string",
                                      max_doc_count=integer,
                                      min_doc_count=integer,
                                      missing="string",
                                      name="string",
                                      q="string",
                                      ranges=ranges,
                                      size=integer,
                                      sort="string",
                                      time_zone="string",
                                      type="string"
                                      )
print(response)

Service class example (Operation ID syntax)

from falconpy import Quarantine

# Do not hardcode API credentials!
falcon = Quarantine(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.GetAggregateFiles(date_ranges=date_ranges,
                                    exclude="string",
                                    field="string",
                                    filter="string",
                                    from=integer,
                                    include="string",
                                    interval="string",
                                    max_doc_count=integer,
                                    min_doc_count=integer,
                                    missing="string",
                                    name="string",
                                    q="string",
                                    ranges=ranges,
                                    size=integer,
                                    sort="string",
                                    time_zone="string",
                                    type="string"
                                    )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = {
    "date_ranges": date_ranges,
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}

response = falcon.command("GetAggregateFiles", body=BODY)
print(response)

GetQuarantineFiles

Get quarantine file metadata for specified ids.

PEP8 method name

get_quarantine_files

Endpoint

Method	Route
	/quarantine/entities/quarantined-files/GET/v1

Required Scope

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload in JSON format.
ids			body	string or list of strings	List of Quarantine IDs to retrieve.

Usage

Service class example (PEP8 syntax)

from falconpy import Quarantine

# Do not hardcode API credentials!
falcon = Quarantine(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_quarantine_files(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Quarantine

# Do not hardcode API credentials!
falcon = Quarantine(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetQuarantineFiles(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("GetQuarantineFiles", body=BODY)
print(response)

UpdateQuarantinedDetectsByIds

Apply action by quarantine file ids

PEP8 method name

update_quarantined_detects_by_id

Endpoint

Method	Route
	/quarantine/entities/quarantined-files/v1

Required Scope

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
action			body	string	Action to perform against the quarantined file. Allowed values: delete release unrelease
body			body	dictionary	Full body payload in JSON format.
comment			body	string	Comment to list along with action taken.
ids			body	string or list of strings	List of Quarantine IDs to update.

Usage

Service class example (PEP8 syntax)

from falconpy import Quarantine

# Do not hardcode API credentials!
falcon = Quarantine(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.update_quarantined_detects_by_id(action="string",
                                                   comment="string",
                                                   ids=id_list
                                                   )
print(response)

Service class example (Operation ID syntax)

from falconpy import Quarantine

# Do not hardcode API credentials!
falcon = Quarantine(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.UpdateQuarantinedDetectsByIds(action="string",
                                                comment="string",
                                                ids=id_list
                                                )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "action": "string",
    "comment": "string",
    "ids": id_list
}

response = falcon.command("UpdateQuarantinedDetectsByIds", body=BODY)
print(response)

QueryQuarantineFiles

Get quarantine file ids that match the provided filter criteria.

PEP8 method name

query_quarantine_files

Endpoint

Method	Route
	/quarantine/queries/quarantined-files/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query specifying the filter parameters. Special value * means to not filter on anything. Filter term criteria: status adversary_id device.device_id device.country device.hostname behaviors.behavior_id behaviors.ioc_type behaviors.ioc_value behaviors.username behaviors.tree_root_hash Filter range criteria: max_severity max_confidence first_behavior last_behavior
limit			query	integer	Maximum number of IDs to return. Max: 5000.
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Match phrase_prefix query criteria, included fields: _all (all filter string fields) sha256 state paths.path paths.state hostname username date_updated date_created
sort			query	string	Possible order by fields: hostname username date_updated date_created paths.path state paths.state Example: date_created|asc. Sort order: asc or desc.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Quarantine

# Do not hardcode API credentials!
falcon = Quarantine(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.query_quarantine_files(offset="string",
                                         limit=integer,
                                         sort="string",
                                         filter="string",
                                         q="string"
                                         )
print(response)

Service class example (Operation ID syntax)

from falconpy import Quarantine

# Do not hardcode API credentials!
falcon = Quarantine(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.QueryQuarantineFiles(offset="string",
                                       limit=integer,
                                       sort="string",
                                       filter="string",
                                       q="string"
                                       )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryQuarantineFiles",
                          offset="string",
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )
print(response)

UpdateQfByQuery

Apply quarantine file actions by query.

PEP8 method name

update_quarantined_detects_by_query

Endpoint

Method	Route
	/quarantine/queries/quarantined-files/v1

Required Scope

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
action			body	string	Action to perform against the quarantined file. Allowed values: delete release unrelease
body			body	dictionary	Full body payload in JSON format.
comment			body	string	Comment to list along with action taken.
filter			body	string or list of strings	Filter string to use to match to quarantine records. FQL syntax
q			body	string	Match phrase_prefix query criteria, included fields: _all (all filter string fields) sha256 state paths.path paths.state hostname username date_updated date_created

Usage

Service class example (PEP8 syntax)

from falconpy import Quarantine

# Do not hardcode API credentials!
falcon = Quarantine(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.update_quarantined_detects_by_query(action="string",
                                                      comment="string",
                                                      filter="string",
                                                      q="string"
                                                      )
print(response)

Service class example (Operation ID syntax)

from falconpy import Quarantine

# Do not hardcode API credentials!
falcon = Quarantine(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.UpdateQfByQuery(action="string",
                                  comment="string",
                                  filter="string",
                                  q="string"
                                  )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "action": "string",
    "comment": "string",
    "filter": "string",
    "q": "string"
}

response = falcon.command("UpdateQfByQuery", body=BODY)
print(response)