-
Notifications
You must be signed in to change notification settings - Fork 121
Workflows
Operation ID | Description | ||||
---|---|---|---|---|---|
|
Search for activities by name. Returns all supported activities if no filter is specified. | ||||
|
Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s) | ||||
|
Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s) | ||||
|
Executes an on-demand Workflow with mocks | ||||
|
Allows a user to resume/retry a failed workflow execution. | ||||
|
Get execution result of a given execution | ||||
|
Deprovisions a system definition that was previously provisioned on the target CID | ||||
|
Promote a version of a system definition | ||||
|
Provisions a system definition onto the target CID by using the template and provided parameters | ||||
|
Search workflow definitions based on the provided filter | ||||
|
Search for triggers by namespaced identifier, i.e. FalconAudit , Detection , or FalconAudit/Detection/Status . Returns all triggers if no filter is specified. |
||||
|
Search workflow executions based on the provided filter | ||||
|
Exports a workflow definition for the given definition ID | ||||
|
Imports a workflow definition based on the provided model | ||||
|
Updates a workflow definition based on the provided model. | ||||
|
Gets one or more specific human inputs by their IDs. | ||||
|
Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted. |
WARNING
client_id
andclient_secret
are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Search for activities by name. Returns all supported activities if no filter is specified.
search_activities
Method | Route |
---|---|
/workflows/combined/activities/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | query | string | FQL query specifying filter parameters. | ||
offset | query | string | Starting pagination offset of records to return. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. | ||
limit | query | integer | Maximum number of records to return. | ||
sort | query | string | Sort items by providing a comma separated list of property and direction (eg name.desc, time.asc). If direction is omitted, defaults to descending. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_activities(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.WorkflowActivitiesCombined(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("WorkflowActivitiesCombined",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Execute an on-demand workflow. Response will contain the execution ID.
execute
Method | Route |
---|---|
/workflows/entities/execute/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
definition_id |
|
|
query | string or list of strings | Definition ID to execute, either a name or an ID can be specified. |
execution_cid |
|
|
query | string or list of strings | CID(s) to execute on. |
name |
|
|
query | string | Workflow name to execute, either a name or an ID can be specified. |
key |
|
|
query | string | Key used to help deduplicate executions, if unset a new UUID is used |
depth |
|
|
query | integer | Used to record the execution depth to help limit execution loops when a workflow triggers another. The maximum depth is 4. |
parameters | query | dictionary | Full query string parameters payload in JSON format. | ||
source_event_url |
|
|
query | string | Used to record a URL to the source that led to triggering this workflow |
body |
|
|
body | string | Full body payload in JSON format. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
workflow_schema = {
"schema details": "go here"
}
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.execute(definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
body=workflow_schema
)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
workflow_schema = {
"schema details": "go here"
}
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.WorkflowExecute(definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
body=workflow_schema
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
workflow_schema = {
"schema details": "go here"
}
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.command("WorkflowExecute",
definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
body=workflow_schema
)
print(response)
Execute an on-demand workflow. Response will contain the execution ID.
execute_internal
Method | Route |
---|---|
/workflows/entities/execute/internal/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
batch_size |
|
|
query | integer | Used to set the size of the batch. |
definition_id |
|
|
query | string or list of strings | Definition ID to execute, either a name or an ID can be specified. |
execution_cid |
|
|
query | string or list of strings | CID(s) to execute on. |
name |
|
|
query | string | Workflow name to execute, either a name or an ID can be specified. |
key |
|
|
query | string | Key used to help deduplicate executions, if unset a new UUID is used |
depth |
|
|
query | integer | Used to record the execution depth to help limit execution loops when a workflow triggers another. The maximum depth is 4. |
parameters | query | dictionary | Full query string parameters payload in JSON format. | ||
source_event_url |
|
|
query | string | Used to record a URL to the source that led to triggering this workflow |
body |
|
|
body | string | Full body payload in JSON format. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
workflow_schema = {
"schema details": "go here"
}
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.execute_internal(batch_size=integer,
definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
body=workflow_schema
)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
workflow_schema = {
"schema details": "go here"
}
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.WorkflowExecuteInternal(batch_size=integer,
definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
body=workflow_schema
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
workflow_schema = {
"schema details": "go here"
}
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.command("WorkflowExecuteInternal",
batch_size=integer,
definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
body=workflow_schema
)
print(response)
Execute an on-demand workflow with mocks.
mock_execute
Method | Route |
---|---|
/workflows/entities/execute/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
definition_id |
|
|
query | string or list of strings | Definition ID to execute, either a name or an ID can be specified. |
execution_cid |
|
|
query | string or list of strings | CID(s) to execute on. |
name |
|
|
query | string | Workflow name to execute, either a name or an ID can be specified. |
key |
|
|
query | string | Key used to help deduplicate executions, if unset a new UUID is used |
depth |
|
|
query | integer | Used to record the execution depth to help limit execution loops when a workflow triggers another. The maximum depth is 4. |
parameters | query | dictionary | Full query string parameters payload in JSON format. | ||
source_event_url |
|
|
query | string | Used to record a URL to the source that led to triggering this workflow |
body |
|
|
body | string | Full body payload in JSON format containing the schema definition, mocks, and the on demand trigger. |
validate_only |
|
|
query | boolean | Prevent execution after validating mocks against definition. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
body_payload = {
"definition" {
Workflow schema
},
"mocks": "string",
"on_demand_trigger": "string"
}
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.mock_execute(definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
body=body_payload,
validate_only=boolean
)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
body_payload = {
"definition" {
Workflow schema
},
"mocks": "string",
"on_demand_trigger": "string"
}
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.WorkflowMockExecute(definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
body=body_payload,
validate_only=boolean
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
body_payload = {
"definition" {
Workflow schema
},
"mocks": "string",
"on_demand_trigger": "string"
}
id_list = 'CID1,CID2,CID3' # Can also pass a list here: ['CID1', 'CID2', 'CID3']
response = falcon.command("WorkflowMockExecute",
definition_id=["string", "string"],
execution_cid=id_list,
name="string",
key="string",
depth=integer,
source_event_url="string",
body=body_payload,
validate_only=boolean
)
print(response)
Allows a user to resume/retry a failed workflow execution.
execution_action
Method | Route |
---|---|
/workflows/entities/execution-actions/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
action_name |
|
|
query | string | Specify one of these actions: - resume : resume/retry the workflow execution(s) specified in ids |
action_parameters |
|
|
body | list of dictionaries | List of actions to perform. |
body |
|
|
body | dictionary | Full body payload in JSON format. Not required when using other keywords. |
ids |
|
|
body | string or list of strings | Execution IDs. |
name |
|
|
body (action_parameters) | string | Action parameter name. |
value |
|
|
body (action_parameters) | string | Action parameter value. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
response = falcon.execution_action(action_name="string",
ids="string",
name="string",
value="string"
)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
response = falcon.WorkflowExecutionsAction(action_name="string",
ids="string",
name="string",
value="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
body_payload = {
"action_parameters": [
{
"name": "string",
"value": "string"
}
],
"ids": [
"string"
]
}
response = falcon.command("WorkflowExecutionsAction", action_name="string", body=body_payload)
print(response)
Get execution result of a given execution
execution_results
Method | Route |
---|---|
/workflows/entities/execution-results/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | Workflow execution ID to return results for. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.execution_results(ids=id_list)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.WorkflowExecutionResults(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("WorkflowExecutionResults", ids=id_list)
print(response)
Deprovisions a system definition that was previously provisioned on the target CID.
deprovision
Method | Route |
---|---|
/workflows/system-definitions/deprovision/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body |
|
|
body | dictionary | Full body payload in JSON format. Not required when using other keywords. |
definition_id |
|
|
body | string | Workflow definition ID. |
deprovision_all |
|
|
body | boolean | Flag indicating if all workflows should be deprovisioned. |
template_id |
|
|
body | string | Template ID. |
template_name |
|
|
body | string | Template name. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
response = falcon.deprovision(definition_id="string",
deprovision_all=boolean,
template_id="string",
template_name="string",
)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
response = falcon.WorkflowSystemDefinitionsDeProvision(definition_id="string",
deprovision_all=boolean,
template_id="string",
template_name="string",
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
body_payload = {
"definition_id": "string",
"deprovision_all": boolean,
"template_id": "string",
"template_name": "string"
}
response = falcon.command("WorkflowSystemDefinitionsDeProvision", body=body_payload)
print(response)
Promote a version of a system definition.
Tenant must be already provisioned. This allows the caller to apply an updated template version on a CID and expects all parameters to be supplied. If the template supports multi-instance, the customer scope definition ID must be supplied to determine which customer workflow should be update.
promote
Method | Route |
---|---|
/workflows/system-definitions/promote/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
activities |
|
|
body | dictionary | Dictionary of workflow activities. |
body |
|
|
body | dictionary | Full body payload in JSON format. Not required when using other keywords. |
conditions |
|
|
body | list of dictionaries | List of workflow conditions. |
customer_definition_id |
|
|
body | string | Customer definition ID. |
name |
|
|
body | string | Name of the workflow. |
parameters |
|
|
body | dictionary | Overrides specified activities, conditions and trigger keywords. |
template_id |
|
|
body | string | Template ID. |
template_name |
|
|
body | string | Template name. |
template_version |
|
|
body | string | Template version. |
trigger |
|
|
body | dictionary | Workflow trigger definition. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
activities = {
"configuration": [
{
"node_id": "string",
"properties": {}
}
],
"selection": [
{
"id": "string",
"properties": {},
"source": "string"
}
]
}
conditions = [
{
"fields": [
{
"name": "string",
"operator": "string"
}
],
"node_id": "string"
}
]
trigger = {
"fields": {},
"node_id": "string"
}
response = falcon.promote(activities=activities,
conditions=conditions,
customer_definition_id="string",
name="string",
template_id="string",
template_name="string",
template_version="string",
trigger=trigger
)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
activities = {
"configuration": [
{
"node_id": "string",
"properties": {}
}
],
"selection": [
{
"id": "string",
"properties": {},
"source": "string"
}
]
}
conditions = [
{
"fields": [
{
"name": "string",
"operator": "string"
}
],
"node_id": "string"
}
]
trigger = {
"fields": {},
"node_id": "string"
}
response = falcon.WorkflowSystemDefinitionsPromote(activities=activities,
conditions=conditions,
customer_definition_id="string",
name="string",
template_id="string",
template_name="string",
template_version="string",
trigger=trigger
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
activities = {
"configuration": [
{
"node_id": "string",
"properties": {}
}
],
"selection": [
{
"id": "string",
"properties": {},
"source": "string"
}
]
}
conditions = [
{
"fields": [
{
"name": "string",
"operator": "string"
}
],
"node_id": "string"
}
]
trigger = {
"fields": {},
"node_id": "string"
}
body_payload = {
"customer_definition_id": "string",
"name": "string",
"parameters": {
"activities": activities,
"conditions": conditions,
"trigger": trigger
},
"template_id": "string",
"template_name": "string",
"template_version": "string"
}
response = falcon.command("WorkflowSystemDefinitionsPromote", body=body_payload)
print(response)
Provisions a system definition onto the target CID by using the template and provided parameters.
provision
Method | Route |
---|---|
/workflows/system-definitions/provision/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
activities |
|
|
body | dictionary | Dictionary of workflow activities. |
body |
|
|
body | dictionary | Full body payload in JSON format. Not required when using other keywords. |
conditions |
|
|
body | list of dictionaries | List of workflow conditions. |
customer_definition_id |
|
|
body | string | Customer definition ID. |
name |
|
|
body | string | Workflow name. |
parameters |
|
|
body | dictionary | Overrides specified activities, conditions and trigger keywords. |
template_id |
|
|
body | string | Template ID. |
template_name |
|
|
body | string | Template name. |
template_version |
|
|
body | string | Template version. |
trigger |
|
|
body | dictionary | Workflow trigger definition. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
activities = {
"configuration": [
{
"node_id": "string",
"properties": {}
}
],
"selection": [
{
"id": "string",
"properties": {},
"source": "string"
}
]
}
conditions = [
{
"fields": [
{
"name": "string",
"operator": "string"
}
],
"node_id": "string"
}
]
trigger = {
"fields": {},
"node_id": "string"
}
response = falcon.provision(activities=activities,
conditions=conditions,
customer_definition_id="string",
name="string",
template_id="string",
template_name="string",
template_version="string",
trigger=trigger
)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
activities = {
"configuration": [
{
"node_id": "string",
"properties": {}
}
],
"selection": [
{
"id": "string",
"properties": {},
"source": "string"
}
]
}
conditions = [
{
"fields": [
{
"name": "string",
"operator": "string"
}
],
"node_id": "string"
}
]
trigger = {
"fields": {},
"node_id": "string"
}
response = falcon.WorkflowSystemDefinitionsProvision(activities=activities,
conditions=conditions,
customer_definition_id="string",
name="string",
template_id="string",
template_name="string",
template_version="string",
trigger=trigger
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
activities = {
"configuration": [
{
"node_id": "string",
"properties": {}
}
],
"selection": [
{
"id": "string",
"properties": {},
"source": "string"
}
]
}
conditions = [
{
"fields": [
{
"name": "string",
"operator": "string"
}
],
"node_id": "string"
}
]
trigger = {
"fields": {},
"node_id": "string"
}
body_payload = {
"customer_definition_id": "string",
"name": "string",
"parameters": {
"activities": activities,
"conditions": conditions,
"trigger": trigger
},
"template_id": "string",
"template_name": "string",
"template_version": "string"
}
response = falcon.command("WorkflowSystemDefinitionsProvision", body=body_payload)
print(response)
Search workflow definitions based on the provided filter.
search_definitions
Method | Route |
---|---|
/workflows/combined/definitions/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | query | string | FQL query specifying filter parameters. | ||
offset | query | string | Starting pagination offset of records to return. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. | ||
limit | query | integer | Maximum number of records to return. | ||
sort | query | string | Sort items by providing a comma separated list of property and direction (eg name.desc, time.asc). If direction is omitted, defaults to descending. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_definitions(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.WorkflowDefinitionsCombined(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("WorkflowDefinitionsCombined",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Search workflow executions based on the provided filter.
search_executions
Method | Route |
---|---|
/workflows/combined/executions/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | query | string | FQL query specifying filter parameters. | ||
offset | query | string | Starting pagination offset of records to return. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. | ||
limit | query | integer | Maximum number of records to return. | ||
sort | query | string | Sort items by providing a comma separated list of property and direction (eg name.desc, time.asc). If direction is omitted, defaults to descending. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_executions(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.WorkflowExecutionsCombined(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("WorkflowExecutionsCombined",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Search for triggers by namespaced identifier, i.e. FalconAudit
, Detection
, or FalconAudit/Detection/Status
. Returns all triggers if no filter is specified.
search_triggers
Method | Route |
---|---|
/workflows/combined/triggers/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | query | string | FQL query specifying filter parameters. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_activities(filter="string")
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.WorkflowActivitiesCombined(filter="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("WorkflowActivitiesCombined", filter="string")
print(response)
Exports a workflow definition for the given definition ID.
export_definition
Method | Route |
---|---|
/workflows/entities/definitions/export/v1 |
- Consumes: application/json
- Produces: application/yaml
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
id | query | string | ID of workflow definitions to return details for. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. | ||
sanitize | query | boolean | Sanitize PII from workflow before it is exported. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.export_definition(id="string", sanitize=boolean)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.WorkflowDefinitionsExport(id="string", sanitize=boolean)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("WorkflowDefinitionsExport", id="string", sanitize=boolean)
print(response)
Imports a workflow definition based on the provided model
import_definition
Method | Route |
---|---|
/workflows/entities/definitions/import/v1 |
- Consumes: multipart/form-data
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
data_file | formData | file | A workflow definition in YAML format to import. | ||
name | query | string | Workflow name to override. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. | ||
validate_only | query | boolean | When enabled, prevents saving workflow after validating. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("filename.yml", "r") as yaml_file:
response = falcon.import_definition(name="string", validate_only=boolean, data_file=yaml_file)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("filename.yml", "r") as yaml_file:
response = falcon.WorkflowDefinitionsImport(name="string",
validate_only=boolean,
data_file=yaml_file
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("filename.yml", "r") as yaml_file:
response = falcon.command("WorkflowDefinitionsImport",
name="string",
validate_only=boolean,
data_file=yaml_file
)
print(response)
Updates a workflow definition based on the provided model.
WorkflowDefinitionsUpdate
Method | Route |
---|---|
/workflows/entities/definitions/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | body | dictionary | Full workflow definition with all parameters in JSON format. | ||
change_log | body | string | Workflow revision change log comment. | ||
definition | body | dictionary | Workflow definition parameters. | ||
flight_control | body | dictionary | Workflow flight control functionality definitions. | ||
id | body | dictionary | Workflow ID to update. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. | ||
validate_only | query | boolean | When enabled, prevents saving workflow after validating. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
workflow_definition = {
"Workflow definition in JSON format"
}
fc_params = {
"all_cids": boolean,
"excluded_cids": [
"string"
],
"include_parent_cid": boolean,
"selected_cids": [
"string"
]
}
response = falcon.WorkflowDefinitionsUpdate(change_log="string",
definition=workflow_definition,
flight_control=fc_params,
id="string",
validate_only=boolean
)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
workflow_definition = {
"Workflow definition in JSON format"
}
fc_params = {
"all_cids": boolean,
"excluded_cids": [
"string"
],
"include_parent_cid": boolean,
"selected_cids": [
"string"
]
}
response = falcon.WorkflowDefinitionsUpdate(change_log="string",
definition=workflow_definition,
flight_control=fc_params,
id="string",
validate_only=boolean
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
workflow_definition = {
"Workflow definition in JSON format"
}
fc_params = {
"all_cids": boolean,
"excluded_cids": [
"string"
],
"include_parent_cid": boolean,
"selected_cids": [
"string"
]
}
body_payload = {
"Definition": workflow_definition,
"change_log": "string",
"enabled": boolean,
"flight_control": fc_params,
"id": "string"
}
response = falcon.command("WorkflowDefinitionsUpdate", body=body_payload)
print(response)
Gets one or more specific human inputs by their IDs.
get_human_input
Method | Route |
---|---|
/workflows/entities/human-inputs/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | query | string or list of strings | ID(s) of human inputs to retrieve. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_human_input(ids=id_list)
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.WorkflowGetHumanInputV1(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("WorkflowGetHumanInputV1", ids=id_list)
print(response)
Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted.
update_human_input
Method | Route |
---|---|
/workflows/entities/human-inputs/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | body | dictionary | Full body payload in JSON format. | ||
id | query | string | ID of human input to provide an input to. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. | ||
input | body | string | Input value. | ||
note | body | string | Input note. |
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_human_input(id="string", input="string", note="string")
print(response)
from falconpy import Workflows
# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.WorkflowUpdateHumanInputV1(id="string", input="string", note="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"input": "string",
"note": "string"
}
response = falcon.command("WorkflowUpdateHumanInputV1", id="string", body=body_payload)
print(response)
- Home
- Discussions Board
- Glossary of Terms
- Installation, Upgrades and Removal
- Samples Collection
- Using FalconPy
- API Operations
-
Service Collections
- Alerts
- API Integrations
- ASPM
- Certificate Based Exclusions
- Cloud Connect AWS (deprecated)
- Cloud Snapshots
- Compliance Assessments
- Configuration Assessment
- Configuration Assessment Evaluation Logic
- Container Alerts
- Container Detections
- Container Images
- Container Packages
- Container Vulnerabilities
- CSPM Registration
- Custom IOAs
- Custom Storage
- D4C Registration (deprecated)
- DataScanner
- Delivery Settings
- Detects
- Device Control Policies
- Discover
- Downloads
- Drift Indicators
- Event Streams
- Exposure Management
- Falcon Complete Dashboard
- Falcon Container
- Falcon Intelligence Sandbox
- FDR
- FileVantage
- Firewall Management
- Firewall Policies
- Foundry LogScale
- Host Group
- Host Migration
- Hosts
- Identity Protection
- Image Assessment Policies
- Incidents
- Installation Tokens
- Intel
- IOA Exclusions
- IOC
- IOCs (deprecated)
- Kubernetes Protection
- MalQuery
- Message Center
- ML Exclusions
- Mobile Enrollment
- MSSP (Flight Control)
- OAuth2
- ODS (On Demand Scan)
- Overwatch Dashboard
- Prevention Policy
- Quarantine
- Quick Scan
- Quick Scan Pro
- Real Time Response
- Real Time Response Admin
- Real Time Response Audit
- Recon
- Report Executions
- Response Policies
- Sample Uploads
- Scheduled Reports
- Sensor Download
- Sensor Update Policy
- Sensor Usage
- Sensor Visibility Exclusions
- Spotlight Evaluation Logic
- Spotlight Vulnerabilities
- Tailored Intelligence
- ThreatGraph
- Unidentified Containers
- User Management
- Workflows
- Zero Trust Assessment
- Documentation Support
-
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust