A Python client to interact with the CrowdStrike Falcon API.

Project description

CSFalcon-Client

Python API client wrapper for the CrowdStrike Falcon Query API.

Features

  • Retrieve prevention policy details
  • Search for Falcon agents
  • Retrieve Falcon agent details
  • Contain host (RTR)

References

Install

pip install falcon-client

Configuration file

[falcon]
client_id = 4uxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
client_key = bAt1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# HTTP Interception Proxy
;proxy_host = localhost
;proxy_port = 8080
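The configuration file above carries an OAuth2 client secret, so two things are worth checking before a tool reads it: that no other user on the host can read the file, and that the interception-proxy keys (handy for debugging through a local proxy, which then sees the secret on every token request) are only honoured on purpose. The following is an added example, not code from falcon-client, that loads the same [falcon] section with Python's configparser; the FalconSettings class, load_settings, the 0600 requirement and the allow_proxy opt-in are this example's own choices, not the library's actual configuration handling.

```python
"""Added example, not part of falcon-client: load the [falcon] INI section
with configparser, reject credential files other users can read, and treat
the interception-proxy keys as an explicit opt-in."""
import configparser
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional

# Constructed sample, same layout as the README's configuration file.
SAMPLE_INI = """\
[falcon]
client_id = 4uxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
client_key = bAt1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# HTTP Interception Proxy
;proxy_host = localhost
;proxy_port = 8080
"""
# Same file with the two proxy lines uncommented.
PROXIED_INI = SAMPLE_INI.replace(";proxy_", "proxy_")


@dataclass
class FalconSettings:
    client_id: str
    client_key: str
    proxy_host: Optional[str] = None
    proxy_port: Optional[int] = None

    @property
    def proxy_url(self) -> Optional[str]:
        if self.proxy_host is None:
            return None
        return f"http://{self.proxy_host}:{self.proxy_port}"


def check_permissions(path: str) -> None:
    """The file holds a client secret: require mode 0600 or tighter (POSIX)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is mode {mode:04o}; expected 0600")


def load_settings(path: str, allow_proxy: bool = False) -> FalconSettings:
    check_permissions(path)
    cp = configparser.ConfigParser()  # '#' and ';' are both comment prefixes
    with open(path) as fh:
        cp.read_file(fh)
    sec = cp["falcon"]
    host = sec.get("proxy_host")
    port = sec.getint("proxy_port") if sec.get("proxy_port") else None
    if (host is None) != (port is None):
        raise ValueError("proxy_host and proxy_port must be set together")
    if host is not None and not allow_proxy:
        # A proxy that terminates TLS sees client_key on every token request,
        # so it must be a deliberate choice, not a leftover debugging line.
        raise ValueError("proxy configured in file but allow_proxy is False")
    return FalconSettings(sec["client_id"], sec["client_key"], host, port)


def write_sample(text: str = SAMPLE_INI, mode: int = 0o600) -> str:
    """Write a constructed config to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def outcome(path: str, allow_proxy: bool = False) -> str:
    """Return 'ok:<proxy url or none>' or the name of the exception raised."""
    try:
        settings = load_settings(path, allow_proxy)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__
    return f"ok:{settings.proxy_url or 'none'}"


if __name__ == "__main__":
    print(outcome(write_sample()))                            # ok:none
    print(outcome(write_sample(mode=0o644)))                  # PermissionError
    print(outcome(write_sample(PROXIED_INI)))                 # ValueError
    print(outcome(write_sample(PROXIED_INI), allow_proxy=True))  # ok:http://localhost:8080
```

The permission check is deliberately done before parsing, so a world-readable file is reported even when its contents are valid; on Windows the mode bits do not carry the same meaning and an ACL check would be needed instead.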

Examples

Initialize client

import json  # used by the examples below to pretty-print results
import sys

import falcon_client

try:
    # default config ~/.crowdstrike/csfalcon.ini
    fc = falcon_client.FalconClient()
    # fc = falcon_client.FalconClient(config_file_path='~/csfalcon.ini')
    # fc = falcon_client.FalconClient.basic(client_id='',
    #                                       client_key='',
    #                                       proxy_host='localhost', proxy_port=8080)
except Exception as err:
    sys.exit(err)
else:
    fc.login()
    print(fc)

Retrieve prevention policy details

# POLICY DETAILS
print("Prevention Policies")
for result in fc.prevention_policies_details(ids=None):
    print(json.dumps(result, indent=2))

Device Scroll

Search for hosts in your environment by platform, hostname, IP, and other criteria, with continuous pagination. Pagination is based on an offset pointer that expires after 2 minutes of inactivity; there is no maximum limit on the number of results.

print("DEVICE SCROLL")
hosts_resp = fc.device_scroll(limit=10, fql_filter='platform_name: "Linux" +first_seen: >= "2020-12-11T00:00:00Z"')
for host in hosts_resp:
    print(json.dumps(host, indent=2))

Device Search

Search for hosts in your environment by platform, hostname, IP, and other criteria.

Device Search supports the same options as Device Scroll. The only difference between Device Search and Device Scroll is their pagination and response limit:

  • Device Search: Standard pagination (page number, page size) up to 150,000 devices
  • Device Scroll: Continuous pagination (based on an offset pointer) with no maximum limit

print("DEVICE SEARCH")
hosts_resp = fc.device_search(limit=10, fql_filter='platform_name: "Windows"', q="dubai")
# hosts_resp = fc.device_search(limit=10, q="rooster")
for host in hosts_resp:
    print(json.dumps(host, indent=2))
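To make the difference between the two modes concrete, here is an added example (not part of falcon-client) of both pagination loops written against a constructed in-memory stand-in for the two query endpoints. The response envelope follows the Falcon API's meta.pagination / resources / errors layout; the single-use scroll token with a two-minute idle expiry and the 150,000-device ceiling are modelled from the description above, and the error messages, class and function names are this example's own, not the service's or the library's.

```python
"""Added example, not part of falcon-client: Device Search (numeric offset,
150k ceiling) versus Device Scroll (expiring opaque offset token), both run
against a constructed fake so the edge cases can be exercised offline."""
import secrets
import time
from typing import Callable, Iterator, List, Optional, Tuple

SEARCH_MAX = 150_000   # Device Search: offset + limit may not exceed this
SCROLL_TTL = 120.0     # Device Scroll: offset pointer dies after 2 idle minutes


class FakeDevicesAPI:
    """Stand-in for the two query endpoints; not the real service."""

    def __init__(self, aids: List[str], clock: Callable[[], float] = time.monotonic):
        self._aids, self._clock = aids, clock
        self._tokens = {}  # scroll token -> (position, time issued)

    def _env(self, page, offset, errors=()):
        return {"resources": page, "errors": list(errors),
                "meta": {"pagination": {"offset": offset, "total": len(self._aids)}}}

    def search(self, offset: int, limit: int) -> dict:
        """Standard pagination: numeric offset, hard ceiling on the window."""
        if offset + limit > SEARCH_MAX:
            return self._env([], offset, [{"code": 400, "message": "offset+limit exceeds 150000"}])
        page = self._aids[offset:offset + limit]
        return self._env(page, offset + len(page))

    def scroll(self, token: Optional[str], limit: int) -> dict:
        """Continuous pagination: each opaque token is single-use and expires."""
        now = self._clock()
        pos = 0
        if token is not None:
            entry = self._tokens.pop(token, None)
            if entry is None or now - entry[1] > SCROLL_TTL:
                return self._env([], "", [{"code": 400, "message": "invalid or expired offset"}])
            pos = entry[0]
        page = self._aids[pos:pos + limit]
        nxt = ""  # an empty offset marks the last page
        if pos + len(page) < len(self._aids):
            nxt = secrets.token_hex(8)
            self._tokens[nxt] = (pos + len(page), now)
        return self._env(page, nxt)


class FalconAPIError(RuntimeError):
    pass


def _resources(resp: dict) -> List[str]:
    if resp["errors"]:
        raise FalconAPIError(resp["errors"][0]["message"])
    return resp["resources"]


def iter_search(api: FakeDevicesAPI, limit: int) -> Iterator[str]:
    """Walk numeric offsets until total is reached; fails past the 150k window."""
    offset = 0
    while True:
        resp = api.search(offset, limit)
        page = _resources(resp)
        yield from page
        offset = resp["meta"]["pagination"]["offset"]
        if not page or offset >= resp["meta"]["pagination"]["total"]:
            return


def iter_scroll(api: FakeDevicesAPI, limit: int) -> Iterator[str]:
    """Follow the offset token until it comes back empty. Do not pause between
    requests for slow per-host work: collect the AIDs first, act on them after."""
    token = None
    while True:
        resp = api.scroll(token, limit)
        yield from _resources(resp)
        token = resp["meta"]["pagination"]["offset"]
        if not token:
            return


def drain(gen: Iterator[str]) -> Tuple[int, Optional[str]]:
    """Consume a paginator; return (items yielded, error message or None)."""
    n = 0
    try:
        for _ in gen:
            n += 1
    except FalconAPIError as exc:
        return n, str(exc)
    return n, None


def scroll_after_idle(aids: List[str], idle_seconds: float) -> Optional[str]:
    """Fetch one page, sit idle (virtual clock), fetch the next; None if it worked."""
    now = [0.0]
    api = FakeDevicesAPI(aids, clock=lambda: now[0])
    first = api.scroll(None, 5)
    now[0] += idle_seconds
    second = api.scroll(first["meta"]["pagination"]["offset"], 5)
    return second["errors"][0]["message"] if second["errors"] else None
```

Against a fleet of SEARCH_MAX + 10 fake hosts, drain(iter_search(api, 5000)) yields 150,000 AIDs and then stops with the ceiling error, while drain(iter_scroll(api, 5000)) returns all of them; scroll_after_idle shows that a 30-second pause between scroll requests is fine and a 130-second one invalidates the pointer. The practical consequence for large fleets is to drain the scroll into a set of AIDs first and only then make the slower device_details or containment calls.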

Device Details

Get details on one or more hosts by providing their agent IDs (AIDs).

# find host AIDs; device_search yields pages (lists) of AIDs
aids = set()
for page in fc.device_search(limit=10, q="rooster"):
    aids.update(page)

# Get details for each AID; device_details yields pages of host records
for page in fc.device_details(list(aids)):
    for host in page:
        print(json.dumps(host, indent=2))

Device Containment

Contain or lift containment on a specified host. When contained, a host can only communicate with the CrowdStrike cloud and any IPs specified in your containment policy.

# DEVICE CONTAINMENT
aids = ['7983795a198d40xxxxxxxxxx418aa385', 'fb8456dfe15xxxxxxxxxxxc9893e1a06']
print("DEVICE CONTAINMENT")
# confirm which hosts the AIDs resolve to before changing their network state
for page in fc.device_details(aids):
    for host in page:
        print(host['hostname'])
success, fail, err = fc.lift_containment(aids)
print(f"Success: {success}")
print(f"Failure: {fail}")
print(f"Errors: {err}")

Download files

Source Distributions

No source distribution files available for this release.

Built Distribution

falcon_client-0.0.7-py3-none-any.whl (13.5 kB), uploaded for Python 3
