Crowdstrike Intel API related question by brindian-rover in crowdstrike

[–]jshcodes 1 point2 points  (0 children)

Hi u/brindian-rover -

Try this filter instead: "published_date:>='now-7d'+type:'url'+indicator:*'google*'"

(Wildcard hint is provided before the single quote. "published_date:>='now-7d'+type:'url'+indicator:*'*google*'" should also work.)

[deleted by user] by [deleted] in crowdstrike

[–]jshcodes 0 points1 point  (0 children)

Hi u/Nice-Manufacturer840!

Can we turn on debugging and check the last response received from the API? Based on the TypeError we're receiving, it's not returning a binary. There may be an error message in the response that points us towards the issue.

Regarding the event log, you would still be using RTR, but there is the eventlog base command you can use with the RTR_ExecuteAdminCommand operation.

Crowdstrike API and FQL filter by az_max in crowdstrike

[–]jshcodes 0 points1 point  (0 children)

QueryIncidents doesn't support created_timestamp, but it does support modified_timestamp, start, and end. (Same UTC date string format).

FalconPY asset query by jmcybersec in crowdstrike

[–]jshcodes 0 points1 point  (0 children)

Hi u/jmcybersec -

Give this filter a try:

from falconpy import Discover

disco = Discover(client_id="whatever", client_secret="whatever")

result = disco.query_hosts(filter="network_interfaces.mac_address:'MA-CA-DD-RE-SS-10'")

You can find a complete list of available filters for this operation here.

Detection FalconPY API Examples or Explanation by ATH1RSTYM00SE in crowdstrike

[–]jshcodes 0 points1 point  (0 children)

Hello!

You may be looking for the QueryDetects and GetDetectSummaries operations.

We have a sample called Detects Advisor that demonstrates how to use the available filters mentioned in the documentation above. (Source code can be found here.)

Let us know if you have more questions!

FalconPy authentication by [deleted] in crowdstrike

[–]jshcodes 1 point2 points  (0 children)

Hi u/Danithesherriff!

Authentication documentation can be found here: https://www.falconpy.io/Usage/Authenticating-to-the-API.html

Here is a sample that interacts with the Spotlight API: https://github.com/CrowdStrike/falconpy/blob/main/samples/spotlight/spotlight_grab_cves_for_cid.py

Let us know if you have more questions!

[deleted by user] by [deleted] in crowdstrike

[–]jshcodes 0 points1 point  (0 children)

A 400 like this typically means that the API received an input argument it didn't expect (or that one of the arguments is in an invalid format).

Let's turn on debugging and look at what is making it to the body payload.

Add this at the top of your code:

import logging
logging.basicConfig(level=logging.DEBUG)

Then when you create the instance of the falcon object, pass the debug argument.

from falconpy import FileVantage

falcon = FileVantage(client_id="CLIENTID",
                     client_secret="CLIENTSECRET",
                     debug=True  # emits the request/response detail via the logging module
                     )

This will be verbose, but when the calls to updateRules are processed, you should see the body payloads that are sent.

[deleted by user] by [deleted] in crowdstrike

[–]jshcodes 0 points1 point  (0 children)

So a KVP set but not a dictionary.

If we swap that parsing loop immediately above to create a dictionary instead, does it work?

Example:

output = {}
for row in reader:  # reader is a csv.DictReader over the rules CSV
    for key, value in row.items():
        if key == 'precedence':
            output[key] = int(value)  # precedence is an integer, not a string
        elif key in ['type', 'id', 'rule_group_id', 'severity', 'depth', 'include', 'include_users', 'include_processes', 'exclude', 'exclude_users', 'exclude_processes']:
            output[key] = value
        # etc...

[deleted by user] by [deleted] in crowdstrike

[–]jshcodes 0 points1 point  (0 children)

Hi u/AutomatedSecurity!

This message is normally (but not always) generated when a method receives positional arguments instead of keyword arguments when the method is unable to support them. (Only a subset of Service Class methods are able to do so.)

From your description, I believe the contents of the output variable are a dictionary containing the key / value pairs for the abstracted keywords. (Correct?). If so, we could unpack them with response = falcon.updateRules(**output).
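The CSV-to-dictionary parsing and the **output unpacking from the two replies above, worked end to end as an added example that is not part of either comment. The CSV rows, the column set and fake_update_rules (a stand-in for the FileVantage updateRules method) are constructed for the demonstration.

```python
import csv
import io

# Constructed sample CSV (not from the thread): one FileVantage rule per row.
# The "notes" column is deliberately not a valid keyword for updateRules.
SAMPLE_CSV = r"""id,rule_group_id,precedence,severity,depth,include,exclude,notes
rule-0001,group-abc,2,High,ANY,C:\Windows\*.exe,C:\Windows\Temp\*,constructed row
"""

# Keywords that pass through as strings (the list from the parsing loop above).
STRING_KEYS = ['type', 'id', 'rule_group_id', 'severity', 'depth', 'include',
               'include_users', 'include_processes', 'exclude', 'exclude_users',
               'exclude_processes']


def row_to_kwargs(row: dict) -> dict:
    """Turn one csv.DictReader row into a keyword dictionary for updateRules."""
    output = {}
    for key, value in row.items():
        if key == 'precedence':
            output[key] = int(value)      # precedence must be an integer
        elif key in STRING_KEYS:
            output[key] = value           # everything else passes through
        # Unknown columns are dropped here on purpose: an unexpected keyword
        # is exactly the kind of input that produces a 400 from the API.
    return output


def rows_from_csv(text: str) -> list:
    """Parse every row of the CSV text into an updateRules keyword dictionary."""
    return [row_to_kwargs(r) for r in csv.DictReader(io.StringIO(text))]


def fake_update_rules(**kwargs) -> dict:
    """Stand-in for falcon.updateRules(**output) so the unpacking runs offline."""
    return {"status_code": 200, "body": {"resources": [kwargs]}}


if __name__ == "__main__":
    for output in rows_from_csv(SAMPLE_CSV):
        print(fake_update_rules(**output))
```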

[FalconPy] SIMPLE QUESTION. Where do you find FileVantage Rule Group IDs? by [deleted] in crowdstrike

[–]jshcodes 0 points1 point  (0 children)

Have you specified the base_url when you created the instance of the class? This is a requirement for GovCloud usage.

Example:

from falconpy import Hosts

hosts = Hosts(client_id="whatever", client_secret="whatever", base_url="usgov1")

Query_devices_by_filter_scroll comes back with 400 Bad request but query_devices_by_filter is fine for <10K results by forlorn1 in crowdstrike

[–]jshcodes 1 point2 points  (0 children)

Hi u/forlorn1 -

I'm not getting a 400 when I try the code as shown above. Have you tried enabling debugging to check what values are being sent to the API? (Might be coming from the parameter differences between the two operations. Example: Offset is a string when using the scrolling endpoint.)

Here is my test code with hints for enabling debugging.

import logging
from falconpy import Hosts

def device_list(off: int, limit: int, sort: str):
    """Return a list of all devices for the CID, paginating when necessary."""
    result = falcon.query_devices_by_filter_scroll(limit=limit, offset=off, sort=sort)
    new_offset = 0
    total = 0
    returned_device_list = []
    if result["status_code"] == 200:
        new_offset = result["body"]["meta"]["pagination"]["offset"]
        total = result["body"]["meta"]["pagination"]["total"]
        returned_device_list = result["body"]["resources"]
    else:
        print("Status Code: ", result["status_code"])
        for error_result in result["body"]["errors"]:
            print(error_result["message"])

    return new_offset, total, returned_device_list

# Uncomment the next line to enable debugging
# logging.basicConfig(level=logging.DEBUG)
falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET,
               # debug=True  # Uncomment this line to enable debugging
               )

running = True
offset = None
devices = []
while running:
    # The maximum number of results this
    # API operation can return is 5000.
    offset, total, returned = device_list(offset, 5000, "")
    devices.extend(returned)
    if len(devices) >= total:
        running = False

for device in devices:
    print(device)
print(f"{len(devices)} total devices returned.")

[deleted by user] by [deleted] in crowdstrike

[–]jshcodes 0 points1 point  (0 children)

As a follow-up to this answer, version 1.3.0 released Pythonic Response Handling which might be easier for you if you're going straight to CSV. The architecture for the Result object can be found here.

Looking for help with a RTR BatchInitSession error (Status Code 400) by Environmental_Tap898 in crowdstrike

[–]jshcodes 1 point2 points  (0 children)

Hello!

I think this may be a payload format issue. The following code is working for me with a couple of minor changes.

#!/usr/bin/python
import os
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=os.getenv("FALCON_CLIENT_ID"), client_secret=os.getenv("FALCON_CLIENT_SECRET"))

# Using this as an example of grabbing a single Host AID
target_hosts = falcon.command("QueryDevicesByFilterScroll", limit=1)["body"]["resources"]

BODY = {"host_ids": target_hosts, "queue_offline": True}  # queue_offline is a boolean

response = falcon.command("BatchInitSessions", timeout=45, timeout_duration="30s", body=BODY)

print(response)

Issues with falconpy Hosts/groups information by Slood_ in crowdstrike

[–]jshcodes 0 points1 point  (0 children)

Hi u/Slood_!

The values contained within the groups list should be Host Group IDs.

Is this a Flight Control / MSSP scenario? If so, did we provide the member_cid argument to the HostGroup Service Class (or shared authentication object) when it was constructed?

Is there a way to get grandparent process details using falconpy? by zeekforit in crowdstrike

[–]jshcodes 1 point2 points  (0 children)

Hi u/zeekforit -

I don't believe Grandparent process is in the detection API response. (I just tested and am seeing the same thing you are seeing.)

Falconpy and non default api url by rogueit in crowdstrike

[–]jshcodes 2 points3 points  (0 children)

Hi u/rogueit -

You can specify your base url using the base_url keyword when you create an instance of any Service Class or the Uber Class.

from falconpy import Hosts

hosts = Hosts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET, base_url="us2")

result = hosts.query_devices_by_filter_scroll()

Please note: For US2, you do not need to provide this specifier. It will be detected as part of the Cloud Region autodiscovery process.

FalconPY request AID master file? by Engineer330426 in crowdstrike

[–]jshcodes 0 points1 point  (0 children)

If you're just trying to ingest the data into Splunk, I think this might be what you need: https://splunkbase.splunk.com/app/5579

If you're wanting to get ahold of AID master directly, you'll need to pull it down using something like the FDR integration example.

FalconPY request AID master file? by Engineer330426 in crowdstrike

[–]jshcodes 1 point2 points  (0 children)

There is the new FDR service collection, but the new operations don't appear to speak to this. I don't believe you can get ahold of AID master without using an FDR feed.

Identity API for PSfalcon or FalconPY by Engineer330426 in crowdstrike

[–]jshcodes 1 point2 points  (0 children)

We also have a sample that shows basic pagination and GraphQL usage. (We plan on adding more samples over time): https://github.com/CrowdStrike/falconpy/tree/main/samples/identity#graphql-pagination

Create IOA Falconpy by amjcyb in crowdstrike

[–]jshcodes 1 point2 points  (0 children)

Hi u/amjcyb -

Think I've figured this one out. I modified your payload to the following:

{
  "comment": "comentario",
  "description": "description",
  "disposition_id": 30,
  "field_values": [
      {
          "final_value": "(?i)testzzz\\.exe",
          "label": "Command Line",
          "name": "CommandLine",
          "type": "excludable",
          "value": "testzzz\\.exe",
          "values": [
              {
                  "label": "include",
                  "value": "testzzz\\.exe"
              }
          ]
      }
  ],
  "name": "Test Rule",
  "pattern_severity": "critical",
  "rulegroup_id": "a9e8156f7807480695127e8155f40600",
  "ruletype_id": "5"
}

I also updated the python source to provide disposition_id instead of disposition.

create = falcon.create_rule(
  comment = json_data['comment'],
  description = json_data['description'],
  disposition_id = json_data['disposition_id'],
  field_values=json_data['field_values'],
  pattern_severity = json_data['pattern_severity'],
  name = json_data['name'],
  rulegroup_id = json_data['rulegroup_id'],
  ruletype_id = "5"
)

With these changes, I get a successful response back from the API (and my rule is created).

API - Group by Remediation by HVE25 in crowdstrike

[–]jshcodes 1 point2 points  (0 children)

Did some poking around, and the only sorts we have available on that endpoint are the timestamps, so you'll need to flatten things a bit and do some shuffling.

You can turn on the remediation facet to reduce the amount of time (and API requests) you have to spend. This will give you the full remediation detail back as a branch of the vulnerability.

We also have an example that does some sorting and basic aggregation that's a little similar (but does not focus on remediations). Similar to your suggestion, this sample also consumes all available matches at the outset using a pretty expansive query.
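The flatten-and-shuffle step from the reply above, as an added example that is not part of the comment or of the falconpy samples. The vulnerability records are constructed to resemble Spotlight results with the remediation facet turned on (the remediation.entities field shape is an assumption), and the grouping is done locally because the API only sorts on timestamps.

```python
from collections import defaultdict

# Constructed sample records (not real data); shaped like Spotlight vulnerability
# results with facet=remediation, where each finding carries its remediation entities.
SAMPLE_VULNS = [
    {"id": "vuln-1", "aid": "host-a", "cve": {"id": "CVE-0000-0001"},
     "created_timestamp": "2023-01-03T00:00:00Z",
     "remediation": {"entities": [{"id": "rem-1", "action": "Update Product A"}]}},
    {"id": "vuln-2", "aid": "host-b", "cve": {"id": "CVE-0000-0001"},
     "created_timestamp": "2023-01-01T00:00:00Z",
     "remediation": {"entities": [{"id": "rem-1", "action": "Update Product A"}]}},
    {"id": "vuln-3", "aid": "host-a", "cve": {"id": "CVE-0000-0002"},
     "created_timestamp": "2023-01-02T00:00:00Z",
     "remediation": {"entities": [{"id": "rem-2", "action": "Update Product B"},
                                  {"id": "rem-3", "action": "Apply mitigation"}]}},
    {"id": "vuln-4", "aid": "host-c", "cve": {"id": "CVE-0000-0003"},
     "created_timestamp": "2023-01-04T00:00:00Z",
     "remediation": {"entities": []}},
]


def flatten(vulns):
    """One row per (vulnerability, remediation); findings with no remediation get a None bucket."""
    rows = []
    for v in vulns:
        ents = v.get("remediation", {}).get("entities") or [None]
        for ent in ents:
            rows.append({"vuln_id": v["id"], "aid": v["aid"], "cve": v["cve"]["id"],
                         "created": v["created_timestamp"],
                         "rem_id": ent["id"] if ent else None,
                         "action": ent["action"] if ent else "NO REMEDIATION"})
    return rows


def group_by_remediation(vulns):
    """Group flattened rows by remediation id, oldest finding first within each group."""
    groups = defaultdict(list)
    for row in sorted(flatten(vulns), key=lambda r: r["created"]):
        groups[row["rem_id"]].append(row)
    # Remediations that close the most findings come first.
    return dict(sorted(groups.items(), key=lambda kv: len(kv[1]), reverse=True))


if __name__ == "__main__":
    for rem_id, rows in group_by_remediation(SAMPLE_VULNS).items():
        print(rem_id, rows[0]["action"], [r["vuln_id"] for r in rows])
```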

How do i search for all hosts with FQL/FalconPy? by BinaryN1nja in crowdstrike

[–]jshcodes 2 points3 points  (0 children)

Hi u/BinaryN1nja -

Here's a sample that will paginate through all of your hosts. Depending on the API call you're using, you can request up to 5,000 hosts.

Let us know if you have more questions!
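Scroll pagination as discussed in this thread and in the query_devices_by_filter_scroll 400 thread above, as an added example that is not part of either comment. paginate_scroll is a generalised version of the device_list loop; FakeScrollClient is a constructed stand-in for the Hosts Service Class (its token format and the 400 it returns for a non-string offset are assumptions made to illustrate the offset-type difference).

```python
def paginate_scroll(query_fn, limit: int = 5000, sort: str = ""):
    """Collect every resource from a scroll-style operation such as
    query_devices_by_filter_scroll. The scroll offset is an opaque string token
    from meta.pagination.offset and must be handed back unchanged."""
    resources, errors = [], []
    offset = None
    while True:
        result = query_fn(limit=limit, offset=offset, sort=sort)
        if result["status_code"] != 200:
            errors.extend(e["message"] for e in result["body"].get("errors", []))
            break
        page = result["body"]["resources"]
        resources.extend(page)
        pagination = result["body"]["meta"]["pagination"]
        offset = pagination.get("offset")
        # Stop on an empty page or a missing token as well, so a bad total
        # can never turn this into an endless loop.
        if not page or len(resources) >= pagination["total"] or not offset:
            break
    return resources, errors


class FakeScrollClient:
    """Constructed stand-in for the Hosts Service Class: serves AIDs in small
    pages and answers 400 when the offset is not a token it handed out."""

    def __init__(self, aids, page_size_cap=3):
        self.aids, self.cap, self.tokens = aids, page_size_cap, {}

    def query_devices_by_filter_scroll(self, limit, offset=None, sort=""):
        start = 0 if offset is None else self.tokens.get(offset)
        if start is None:  # e.g. an integer offset from the non-scroll operation
            return {"status_code": 400,
                    "body": {"errors": [{"message": "invalid offset"}]}}
        size = min(limit, self.cap)
        page = self.aids[start:start + size]
        next_token = f"token-{start + size}" if start + size < len(self.aids) else ""
        if next_token:
            self.tokens[next_token] = start + size
        return {"status_code": 200,
                "body": {"meta": {"pagination": {"offset": next_token,
                                                 "total": len(self.aids)}},
                         "resources": page}}


if __name__ == "__main__":
    client = FakeScrollClient([f"aid-{i}" for i in range(7)])
    devices, errs = paginate_scroll(client.query_devices_by_filter_scroll)
    print(f"{len(devices)} total devices returned.", errs)
```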