Detects

Using the Detects service collection

This service collection has code examples posted to the repository.

Table of Contents

Operation ID	Description
GetAggregateDetects PEP 8 get_aggregate_detects	Get detect aggregates as specified via json in request body.
UpdateDetectsByIdsV2 PEP 8 update_detects_by_ids	Modify the state, assignee, and visibility of detections
GetDetectSummaries PEP 8 get_detect_summaries	View information about detections
QueryDetects PEP 8 query_detects	Search for detection IDs that match a given query

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

GetAggregateDetects

Get detect aggregates as specified via json in request body.

PEP8 method name

get_aggregate_detects

Endpoint

Method	Route
	/detects/aggregates/detects/GET/v1

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	list of dictionaries	Full body payload in JSON format.
date_ranges			body	list of dictionaries	Applies to date_range aggregations. Example: [   {     "from": "2016-05-28T09:00:31Z",     "to": "2016-05-30T09:00:31Z"   },   {     "from": "2016-06-01T09:00:31Z",     "to": "2016-06-10T09:00:31Z"   } ]
exclude			body	string	Elements to exclude.
field			body	string	The field on which to compute the aggregation.
filter			body	string	FQL syntax formatted string to use to filter the results.
from			body	integer	Starting position.
include			body	string	Elements to include.
interval			body	string	Time interval for date histogram aggregations. Valid values include: year month week day hour minute
max_doc_count			body	integer	Only return buckets if values are less than or equal to the value here.
min_doc_count			body	integer	Only return buckets if values are greater than or equal to the value here.
missing			body	string	Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name			body	string	Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q			body	string	Full text search across all metadata fields.
ranges			body	list of dictionaries	Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [   {     "From": 0,     "To": 70   },   {     "From": 70,     "To": 100   } ]
size			body	integer	The max number of term buckets to be returned.
sub_aggregates			body	list of dictionaries	A nested aggregation, such as: [   {     "name": "max_first_behavior",     "type": "max",     "field": "first_behavior"   } ] There is a maximum of 3 nested aggregations per request.
sort			body	string	FQL syntax string to sort bucket results. _count - sort by document count _term - sort by the string value alphabetically Supports asc and desc using | format. Example: _count|desc
time_zone			body	string	Time zone for bucket results.
type			body	string	Type of aggregation. Valid values include: date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field. date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601. terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names. range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity. cardinality - Returns the count of distinct values in a specified field. max - Returns the maximum value of a specified field. min - Returns the minimum value of a specified field. avg - Returns the average value of the specified field. sum - Returns the total sum of all values for the specified field. percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)

from falconpy import Detects

# Do not hardcode API credentials!
falcon = Detects(client_id=CLIENT_ID,
                 client_secret=CLIENT_SECRET
                 )

date_range = {
    "from": "string",
    "to": "string"
}
search_range = {
    "From": integer,
    "To": integer
}

response = falcon.get_aggregate_detects(date_ranges=[date_range],
                                        exclude="string",
                                        field="string",
                                        filter="string",
                                        from=integer,
                                        include="string",
                                        interval="string",
                                        max_doc_count=integer,
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=[search_range],
                                        size=integer,
                                        sort="string",
                                        time_zone="string",
                                        type="string"
                                        )
print(response)

Service class example (Operation ID syntax)

from falconpy import Detects

# Do not hardcode API credentials!
falcon = Detects(client_id=CLIENT_ID,
                 client_secret=CLIENT_SECRET
                 )

date_range = {
    "from": "string",
    "to": "string"
}
search_range = {
    "From": integer,
    "To": integer
}

response = falcon.GetAggregateDetects(date_ranges=[date_range],
                                      exclude="string",
                                      field="string",
                                      filter="string",
                                      from=integer,
                                      include="string",
                                      interval="string",
                                      max_doc_count=integer,
                                      min_doc_count=integer,
                                      missing="string",
                                      name="string",
                                      q="string",
                                      ranges=[search_range],
                                      size=integer,
                                      sort="string",
                                      time_zone="string",
                                      type="string"
                                      )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = [{
    "date_ranges": [
        {
            "from": "string",
            "to": "string"
        }
    ],
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": [
        {
            "From": integer,
            "To": integer
        }
    ],
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        null
    ]
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("GetAggregateDetects", body=BODY)
print(response)

UpdateDetectsByIdsV2

Modify the state, assignee, and visibility of detections. You can update one or more attributes of one or more detections with a single request.

PEP8 method name

update_detects_by_ids

Endpoint

Method	Route
	/detects/entities/detects/v2

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
assigned_to_uuid			body	string	A user UID (Ex: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) to assign the detection to.
body			body	dictionary	Full body payload in JSON format.
comment			body	string	Optional comment to add to the detection. Comments are displayed with the detection in Falcon and are usually used to provide context or notes for other Falcon users. A detection can have multiple comments over time.
ids			body	string or list of strings	ID(s) of the detection to update, which you can find with theQueryDetects operation, the Falcon console, or the Streaming API.
new_behaviors_processed			body	string or list of strings	New behaviors processed.
show_in_ui			body	boolean	Boolean determining if this detection is displayed in the Falcon console. true: This detection is displayed in Falcon false: This detection is not displayed in Falcon. Most commonly used together with the status key's false_positive value.
status			body	string	Current status of the detection. Allowed values: ignored new in_progress true_positive false_positive

Usage

Service class example (PEP8 syntax)

from falconpy import Detects

# Do not hardcode API credentials!
falcon = Detects(client_id=CLIENT_ID,
                 client_secret=CLIENT_SECRET
                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

behaviors = 'B1,B2,B3'  # Can also pass a list here: ['B1', 'B2', 'B3']

response = falcon.update_detects_by_ids(assigned_to_uuid="string",
                                        comment="string",
                                        ids=id_list,
                                        new_behaviors_processed=behaviors,
                                        show_in_ui=boolean,
                                        status="string"
                                        )

print(response)

Service class example (Operation ID syntax)

from falconpy import Detects

# Do not hardcode API credentials!
falcon = Detects(client_id=CLIENT_ID,
                 client_secret=CLIENT_SECRET
                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.UpdateDetectsByIdsV2(assigned_to_uuid="string",
                                       comment="string",
                                       ids=id_list,
                                       new_behaviors_processed=behaviors,
                                       show_in_ui=boolean,
                                       status="string"
                                       )

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = ['ID1', 'ID2', 'ID3']

behaviors = ['B1','B2','B3']

BODY = {
    "assigned_to_uuid": "string",
    "comment": "string",
    "ids": id_list,
    "new_behaviors_processed": behaviors, 
    "show_in_ui": boolean,
    "status": "string"
}
response = falcon.command("UpdateDetectsByIdsV2", body=BODY)

print(response)

GetDetectSummaries

View information about detections

PEP8 method name

get_detect_summaries

Endpoint

Method	Route
	/detects/entities/summaries/GET/v1

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload in JSON format.
ids			body	string or list of strings	ID(s) of the detections to retrieve. View key attributes of detections, including the associated host, disposition, objective/tactic/technique, adversary, and more. Specify one or more detection IDs (max 1000 per request). Find detection IDs with the QueryDetects operation, the Falcon console, or the Streaming API.

Usage

In order to use this method, either a body keyword or the ids keyword must be provided.

Service class example (PEP8 syntax)

from falconpy import Detects

# Do not hardcode API credentials!
falcon = Detects(client_id=CLIENT_ID,
                 client_secret=CLIENT_SECRET
                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_detect_summaries(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Detects

# Do not hardcode API credentials!
falcon = Detects(client_id=CLIENT_ID,
                 client_secret=CLIENT_SECRET
                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetDetectSummaries(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("GetDetectSummaries", body=BODY)
print(response)

QueryDetects

Search for detection IDs that match a given query

PEP8 method name

query_detects

Endpoint

Method	Route
	/detects/queries/detects/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	Filter detections using a query in Falcon Query Language (FQL) An asterisk wildcard * includes all results. Complete list of available FQL filters. More details regarding filters can be found in the documentation inside the Falcon console.
limit			query	integer	The maximum number of detections to return in this response (default: 100; max: 9999). Use with the offset parameter to manage pagination of results.
offset			query	integer	The first detection to return, where 0 is the latest detection. Use with the limit parameter to manage pagination of results.
parameters			query	dictionary	Full query string parameters payload in JSON format.
q			query	string	Search all detection metadata for the provided string
sort			query	string	Sort detections using these options: first_behavior: Timestamp of the first behavior associated with this detection last_behavior: Timestamp of the last behavior associated with this detection max_severity: Highest severity of the behaviors associated with this detection max_confidence: Highest confidence of the behaviors associated with this detection adversary_id: ID of the adversary associated with this detection, if any devices.hostname: Hostname of the host where this detection was detected Sort either asc (ascending) or desc (descending). For example: last_behavior|asc

Available FQL Filters

The following tables detail acceptable values for the filter keyword described above. Filter options are broken out into four categories:

• General
• Behavioral
• Devices
• Miscellaneous

General

adversary_ids	date_updated	last_behavior	max_severity_displayname	status
assigned_to_name	detection_id	max_confidence	seconds_to_resolved
cid	first_behavior	max_severity	seconds_to_triaged

Behavioral - behaviors.filter

Example: behaviors.ioc_type

alleged_filetype	md5	sha256
behavior_id	objective	tactic
cmdline	parent_details.parent_cmdline	technique
confidence	parent_details.parent_md5	timestamp
contral_graph_id	parent_details.parent_process_id	triggering_process_id
device_id	parent_details.parent_process_graph_id	triggering_process_graph_id
filename	parent_details.parent_sha256	user_id
ioc_source	pattern_disposition	user_name
ioc_type	scenario
ioc_value	severity

Devices - device.filter

Example: device.platform_name

agent_load_flags	first_seen	platform_name
agent_local_time	hostname	product_type
agent_version	last_seen	product_type_desc
bios_manufacturer	local_ip	release_group
bios_version	mac_address	reduced_functionality_mode
cid	machine_domain	serial_number
config_id_base	major_version	site_name
config_id_build	minor_version	status
config_id_platform	modified_timestamp	system_product_name
cpu_signature	os_version	system_manufacturer
device_id	ou
external_ip	platform_id

Miscellaneous

hostinfo.domain	quarantined_files.id	quarantined_files.sha256
hostinfo.active_directory_dn_display	quarantined_files.paths	quarantined_files.state

Usage

Service class example (PEP8 syntax)

from falconpy import Detects

# Do not hardcode API credentials!
falcon = Detects(client_id=CLIENT_ID,
                 client_secret=CLIENT_SECRET
                 )

response = falcon.query_detects(offset=integer,
                                limit=integer,
                                sort="string",
                                filter="string",
                                q="string"
                                )
print(response)

Service class example (Operation ID syntax)

from falconpy import Detects

# Do not hardcode API credentials!
falcon = Detects(client_id=CLIENT_ID,
                 client_secret=CLIENT_SECRET
                 )

response = falcon.QueryDetects(offset=integer,
                               limit=integer,
                               sort="string",
                               filter="string",
                               q="string"
                               )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryDetects",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )
print(response)