diff --git a/.github/wordlist.txt b/.github/wordlist.txt
index f6ee4286..6f880c7b 100644
--- a/.github/wordlist.txt
+++ b/.github/wordlist.txt
@@ -1283,6 +1283,8 @@ shubham
WorkflowUpdateHumanInputV
WorkflowGetHumanInputV
WorkflowDefinitionsCreate
+WorkflowDefinitionsStatus
+WorkflowDefinitionsAction
WorkflowDefinitionsUpdate
WorkflowDefinitionsImport
WorkflowDefinitionsExport
@@ -1658,3 +1660,127 @@ ITAutomationSearchTaskGroups
ITAutomationSearchTasks
Parsers
parsers
+GetCSPMInventoryBAServices
+GetCSPMInventoryServiceDetails
+GetArchiveExport
+SPL
+GetIntelligenceQueries
+slas
+combineVulnMetadataExt
+entitiesRolesGETV
+dweissbacher
+yakeeliuliu
+Matth
+wW
+GetIntelligenceQueries
+SearchIntelligenceQueries
+ReadDetectsCountBySeverity
+djacquensf
+SearchAndRReadUnidentifiedContainers
+iom
+ReplaceControlRules
+GetComplianceControls
+CreateComplianceControl
+UpdateComplianceControl
+DeleteComplianceControl
+GetSupportedSaasV
+GetSystemLogsV
+GetSystemUsersV
+GetUserInventoryV
+GetSensorUsageHourly
+atav
+RenameSectionComplianceFramework
+GetComplianceFrameworks
+CreateComplianceFramework
+UpdateComplianceFramework
+DeleteComplianceFramework
+GetEvaluationResult
+GetRuleOverride
+DismissSecurityCheckV
+GetSecurityChecksV
+GetSecurityCheckComplianceV
+IntegrationBuilderEndTransactionV
+IntegrationBuilderResetV
+IntegrationBuilderGetStatusV
+IntegrationBuilderUploadV
+GetAssetInventoryV
+GetDeviceInventoryV
+GetActivityMonitorV
+CreateRuleOverride
+UpdateRuleOverride
+DeleteRuleOverride
+GetRule
+CreateRule
+UpdateRule
+DeleteRuleMixin
+ListParsers
+ListSavedQueries
+SaaS
+GetMetricsV
+GetAlertsV
+GetAppInventoryUsers
+GetAppInventory
+GetSecurityCheckAffectedV
+DismissAffectedEntityV
+QueryComplianceControls
+QueryComplianceFrameworks
+QueryRule
+ListCloudGroupsExternal
+ListCloudGroupsByIDExternal
+CreateCloudGroupExternal
+UpdateCloudGroupExternal
+GetParser
+CreateParser
+UpdateParser
+DeleteParser
+GetSavedQueryTemplate
+CreateSavedQuery
+UpdateSavedQueryFromTemplate
+DeleteSavedQuery
+ListDashboards
+ListLookupFiles
+DeleteCloudGroupsExternal
+ListCloudGroupIDsExternal
+CombinedDetections
+FetchFilesDownloadInfo
+GetReportByReference
+GetReportByScanID
+PolicyChecks
+logscale
+GetDashboardTemplate
+CreateDashboardFromTemplate
+UpdateDashboardFromTemplate
+DeleteDashboard
+GetLookupFile
+CreateLookupFile
+UpdateLookupFile
+DeleteLookupFile
+GetParserTemplate
+CreateParserFromTemplate
+ITAutomationSearchUserGroup
+ITAutomationGetUserGroup
+ITAutomationCreateUserGroup
+ITAutomationUpdateUserGroup
+ITAutomationDeleteUserGroup
+namespace
+PostSearchKubernetesIOMEntities
+LastUpdated
+KillChain
+MaliciousConfidence
+MaliciousConfidenceValidatedTime
+FirstSeen
+LastSeen
+FamilyName
+gcp
+GetRuleInputSchema
+GetEnrichedAsset
+FileDetails
+DomainDetails
+URLDetails
+FetchFilesDownloadInfoV
+AggregateHuntingGuides
+GetHuntingGuides
+SearchHuntingGuides
+CreateScriptsV
+UpdateScriptsV
+aspm
diff --git a/.github/workflows/bleeding-edge.yml b/.github/workflows/bleeding-edge.yml
new file mode 100644
index 00000000..b52deb58
--- /dev/null
+++ b/.github/workflows/bleeding-edge.yml
@@ -0,0 +1,35 @@
+name: Publish Bleeding Edge Package
+
+on:
+ pull_request:
+ types:
+ - closed
+ branches:
+ - main
+
+jobs:
+ deploy-package:
+ if: >
+ ${{ github.event.pull_request.merged == true &&
+ contains(github.event.pull_request.labels.*.name, 'bleeding-edge') }}
+ timeout-minutes: 45
+ environment: bleeding-edge
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0
+ - name: Set up Python
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+ with:
+ python-version: '3.x'
+ - name: Install dependencies
+ run: |
+ pipx install hatch
+ - name: Build and publish
+ env:
+ HATCH_INDEX_USER: ${{ secrets.HATCH_USER_ID }}
+ HATCH_INDEX_AUTH: ${{ secrets.HATCH_AUTH }}
+ run: |
+ hatch build
+ hatch publish
\ No newline at end of file
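Review bot: The publishing toolchain is installed unpinned in the Install dependencies step (`pipx install hatch`), so each run pulls whatever hatch release PyPI serves that day, while the actions in the same job are SHA-pinned; pin it the same way, e.g. `pipx install hatch==<pinned-version>` (placeholder), so the build-and-upload tool is as reproducible as the rest of the job. The job authenticates with stored long-lived index credentials (`HATCH_USER_ID`/`HATCH_AUTH`); if the target index supports OIDC trusted publishing, adding `id-token: write` under `permissions` and dropping the stored token removes a secret that is otherwise available to every run of this label-gated job. Because the trigger is `pull_request` with type `closed`, the default checkout appears to resolve the PR's merge ref rather than the commit that actually landed on main; if the intent is to publish exactly what was merged, set `ref: ${{ github.event.pull_request.merge_commit_sha }}` on the checkout step.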
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 094973b6..86b632e5 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:
steps:
- name: Checkout repository
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0
with:
persist-credentials: false
diff --git a/.github/workflows/development-edge.yml b/.github/workflows/development-edge.yml
new file mode 100644
index 00000000..afd90884
--- /dev/null
+++ b/.github/workflows/development-edge.yml
@@ -0,0 +1,44 @@
+name: Publish Development Confirmation Package
+
+on:
+ pull_request:
+ types:
+ - closed
+ branches:
+ - main
+
+jobs:
+ deploy-package:
+ if: >
+ ${{ github.event.pull_request.merged == true &&
+ contains(github.event.pull_request.labels.*.name, 'bleeding-edge') }}
+ timeout-minutes: 45
+ environment: bleeding-edge
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0
+ - name: Set up Python
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+ with:
+ python-version: '3.x'
+ - name: Install dependencies
+ run: |
+ pipx install hatch git
+ - name: Build and publish
+ env:
+ HATCH_INDEX_USER: ${{ secrets.HATCH_USER_ID }}
+ HATCH_INDEX_AUTH: ${{ secrets.HATCH_AUTH }}
+ run: |
+ git switch dev
+ sed -i '' 's/src\/falconpy/src\/falconpydev/g' pyproject.toml
+ sed -i '' 's/name = "crowdstrike-falconpy"/name = "crowdstrike-falconpy-dev"/g' pyproject.toml
+ sed -i '' 's/from falconpy import/from falconpydev import/g' README.md
+ sed -i '' 's/install crowdstrike-falconpy/install crowdstrike-falconpy-dev/g' README.md
+ sed -i '' "5,/FalconPy - The CrowdStrike Falcon SDK for Python/s/FalconPy - The CrowdStrike Falcon SDK for Python/$header/" README.md
+ sed -i '' 's/badgeFalconPy - The CrowdStrike Falcon SDK for Pythonlogo/badge&logo/g' README.md
+ sed -i '' 's/!\[CrowdStrike FalconPy\](https:\/\/raw.githubusercontent.com\/CrowdStrike\/falconpy\/main\/docs\/asset\/cs-logo-red.png#gh-dark-mode-only)//g' README.md
+ mv src/falconpy src/falconpydev
+ hatch build
+ hatch publish
\ No newline at end of file
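Review bot: The `sed -i ''` commands in the Build and publish step are the BSD/macOS form; GNU sed on the ubuntu-24.04 runner reads `''` as an empty script and the real expression as a filename, so each rewrite fails, and the `$header` used by the fifth sed is never defined, so even a working run would blank the README title. `pipx install hatch git` does not install the git binary (already present on the runner) but would resolve a PyPI distribution named `git`, an unneeded and unpinned dependency pulled into a publishing job, and `git switch dev` after the default checkout of the PR merge ref will not find a local `dev` branch unless that branch is fetched. Checking out `dev` on the checkout step, installing a pinned hatch only, defining `header`, and dropping the empty `-i` argument fixes all of these; the rewritten lines are below. development-release.yml carries the identical step and the same defects, and since it, this file and bleeding-edge.yml all gate on the same `bleeding-edge` label, one merged PR triggers three publishes — consider distinct labels if that is not intended.
```yaml
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0
        with:
          ref: dev
      # … unchanged: Set up Python step …
      - name: Install dependencies
        run: |
          pipx install hatch==<pinned-version>  # placeholder: pin the hatch release
      - name: Build and publish
        # … unchanged: env block with HATCH_INDEX_USER / HATCH_INDEX_AUTH …
        run: |
          header='<dev README title - placeholder>'
          sed -i 's/src\/falconpy/src\/falconpydev/g' pyproject.toml
          sed -i 's/name = "crowdstrike-falconpy"/name = "crowdstrike-falconpy-dev"/g' pyproject.toml
          sed -i 's/from falconpy import/from falconpydev import/g' README.md
          sed -i 's/install crowdstrike-falconpy/install crowdstrike-falconpy-dev/g' README.md
          sed -i "5,/FalconPy - The CrowdStrike Falcon SDK for Python/s/FalconPy - The CrowdStrike Falcon SDK for Python/$header/" README.md
          sed -i 's/badgeFalconPy - The CrowdStrike Falcon SDK for Pythonlogo/badge&logo/g' README.md
          sed -i 's/!\[CrowdStrike FalconPy\](https:\/\/raw.githubusercontent.com\/CrowdStrike\/falconpy\/main\/docs\/asset\/cs-logo-red.png#gh-dark-mode-only)//g' README.md
          # … unchanged: mv, hatch build, hatch publish …
```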
diff --git a/.github/workflows/development-release.yml b/.github/workflows/development-release.yml
new file mode 100644
index 00000000..e0d5c654
--- /dev/null
+++ b/.github/workflows/development-release.yml
@@ -0,0 +1,44 @@
+name: Publish Development Package
+
+on:
+ pull_request:
+ types:
+ - closed
+ branches:
+ - main
+
+jobs:
+ deploy-package:
+ if: >
+ ${{ github.event.pull_request.merged == true &&
+ contains(github.event.pull_request.labels.*.name, 'bleeding-edge') }}
+ timeout-minutes: 45
+ environment: release
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0
+ - name: Set up Python
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+ with:
+ python-version: '3.x'
+ - name: Install dependencies
+ run: |
+ pipx install hatch git
+ - name: Build and publish
+ env:
+ HATCH_INDEX_USER: ${{ secrets.HATCH_USER_ID }}
+ HATCH_INDEX_AUTH: ${{ secrets.HATCH_AUTH }}
+ run: |
+ git switch dev
+ sed -i '' 's/src\/falconpy/src\/falconpydev/g' pyproject.toml
+ sed -i '' 's/name = "crowdstrike-falconpy"/name = "crowdstrike-falconpy-dev"/g' pyproject.toml
+ sed -i '' 's/from falconpy import/from falconpydev import/g' README.md
+ sed -i '' 's/install crowdstrike-falconpy/install crowdstrike-falconpy-dev/g' README.md
+ sed -i '' "5,/FalconPy - The CrowdStrike Falcon SDK for Python/s/FalconPy - The CrowdStrike Falcon SDK for Python/$header/" README.md
+ sed -i '' 's/badgeFalconPy - The CrowdStrike Falcon SDK for Pythonlogo/badge&logo/g' README.md
+ sed -i '' 's/!\[CrowdStrike FalconPy\](https:\/\/raw.githubusercontent.com\/CrowdStrike\/falconpy\/main\/docs\/asset\/cs-logo-red.png#gh-dark-mode-only)//g' README.md
+ mv src/falconpy src/falconpydev
+ hatch build
+ hatch publish
\ No newline at end of file
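Review bot: This job publishes the rewritten `crowdstrike-falconpy-dev` package under `environment: release`, the same environment — and therefore the same `HATCH_USER_ID`/`HATCH_AUTH` secrets and protection rules — that production-release.yml uses for the real release, so a label-gated PR merge exercises production publishing credentials. If the dev package needs its own index credentials, give it a separate environment whose token is scoped to that project only, so a mistake or compromise in this label-driven path cannot publish over the production package. The env block and `run` script otherwise mirror development-edge.yml line for line; if the two are meant to differ only by environment, a single reusable workflow called with different inputs would keep them from drifting.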
diff --git a/.github/workflows/production-release.yml b/.github/workflows/production-release.yml
new file mode 100644
index 00000000..6f82a340
--- /dev/null
+++ b/.github/workflows/production-release.yml
@@ -0,0 +1,29 @@
+name: Publish Production Release
+
+on:
+ release:
+ types: [created]
+
+jobs:
+ deploy:
+ timeout-minutes: 45
+ environment: release
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0
+ - name: Set up Python
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+ with:
+ python-version: '3.x'
+ - name: Install dependencies
+ run: |
+ pipx install hatch
+ - name: Build and publish
+ env:
+ HATCH_INDEX_USER: ${{ secrets.HATCH_USER_ID }}
+ HATCH_INDEX_AUTH: ${{ secrets.HATCH_AUTH }}
+ run: |
+ hatch build
+ hatch publish
\ No newline at end of file
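Review bot: `pipx install hatch` in the Install dependencies step is unpinned, so the production publish toolchain floats with PyPI while the actions in the same job are SHA-pinned; pin it (`pipx install hatch==<pinned-version>`, placeholder) so a release build does not depend on whatever hatch was uploaded that day. Publishing authenticates with stored long-lived index credentials (`HATCH_USER_ID`/`HATCH_AUTH`); if the index supports OIDC trusted publishing, adding `id-token: write` to `permissions` and removing the stored token narrows what a compromised run can do. GitHub's event docs describe `release` type `created` as also firing when a draft is saved, so a draft release appears able to trigger this publish; `types: [published]` is the usual trigger for a release job — confirm which is intended.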
diff --git a/.github/workflows/unit_testing_eu1.yml b/.github/workflows/unit_testing_eu1.yml
index 84b0c339..c80563d3 100644
--- a/.github/workflows/unit_testing_eu1.yml
+++ b/.github/workflows/unit_testing_eu1.yml
@@ -22,7 +22,7 @@ jobs:
if: github.event.pull_request.head.repo.full_name == github.repository
runs-on: ubuntu-24.04
timeout-minutes: 45
- environment: testing
+ environment: testing-eu1
permissions:
contents: read
steps:
diff --git a/.github/workflows/unit_testing_us2.yml b/.github/workflows/unit_testing_us2.yml
index 61ab1931..e77c8d04 100644
--- a/.github/workflows/unit_testing_us2.yml
+++ b/.github/workflows/unit_testing_us2.yml
@@ -22,7 +22,7 @@ jobs:
if: github.event.pull_request.head.repo.full_name == github.repository
runs-on: ubuntu-24.04
timeout-minutes: 45
- environment: testing
+ environment: testing-us2
permissions:
contents: read
steps:
diff --git a/AUTHORS.md b/AUTHORS.md
index 577a1756..17b50636 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -107,7 +107,10 @@ This has been a critical element in the development of the FalconPy project.
+ Evan Stoner, `@evanstoner`
+ Gage Schaffer, `@Gage-BCCA`
+ `@JamesLochheadCRWD`
-
++ Matthew, `@Matth3wW`
++ `@dweissbacher`
++ `@atav928`
++ `@subbu-cs`
## Sponsors
Without the support of these executives, the FalconPy project would not have happened.
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6227a0d7..c68d7866 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,664 @@
+# Version 1.5.5
+## Added features and functionality
++ Added: Added 4 new filter and sort options as an allowed value to the _QueryRulesV1_ operation within the __Recon__ service collection.
+ - _permissions_
+ - _priority_
+ - _template_priority_
+ - _topic_
+ - `_endpoint/_recon.py`
+ - `recon.py`
+
++ Added: Added 21 new filter options as an allowed value to the _SearchIndicators_ operation within the __Intelligence Indicator Graph__ service collection.
+ - _Type_
+ - _LastUpdated_
+ - _KillChain_
+ - _MaliciousConfidence_
+ - _MaliciousConfidenceValidatedTime_
+ - _FirstSeen_
+ - _LastSeen_
+ - _Adversaries.Name_
+ - _Adversaries.Slug_
+ - _Reports.Title_
+ - _Reports.Slug_
+ - _Threats.FamilyName_
+ - _Vulnerabilities.CVE_
+ - _Sectors.Name_
+ - _FileDetails.SHA256_
+ - _FileDetails.SHA1_
+ - _FileDetails.MD5_
+ - _DomainDetails.Detail_
+ - _IPv4Details.IPv4_
+ - _IPv6Details.IPv6_
+ - _URLDetails.URL_
+ - `_endpoint/_intelligence_indicator_graph.py`
+ - `intelligence_indicator_graph.py`
+
++ Added: Added new filter and sort options as an allowed value to the _CombinedDevicesByFilter_ and _CombinedHiddenDevicesByFilter_ operations within the __Hosts__ service collection.
+ - _device_policies.fem-browser-extension-control.applied_
+ - _device_policies.fem-browser-extension-control.policy_type_
+ - _device_policies.fem-browser-extension-control.policy_id_
+ - `_endpoint/_hosts.py`
+ - `hosts.py`
+
++ Updated: Removed one resource option (`network.events`) from the resource parameter as an allowed value to the _LaunchExportJob_ operation in the __Falcon Container__ service collection.
+ - `_endpoint/_falcon_container.py`
+ - `falcon_container.py`
+
++ Added: Added one new operation to the __Downloads__ service collection.
+ - _FetchFilesDownloadInfoV2_
+ - `_endpoint/_downloads.py`
+ - `downloads.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_downloads.py`
+
++ Updated: Adjusted the operation _GetD4CAWSAccountScriptsAttachment_ within the __D4C Registration__ service class to align with new endpoint parameters.
+ - `_endpoint/_d4c_registration.py`
+ - `d4c_registration.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_d4c_registration.py`
+
++ Added: Added three new operations to the __CAO Hunting__ service collection.
+ - _AggregateHuntingGuides_
+ - _GetHuntingGuides_
+ - _SearchHuntingGuides_
+ - `_endpoint/_cao_hunting.py`
+ - `cao_hunting.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_cao_hunting.py`
+
++ Added: Added three new operations to the __Real Time Response Admin__ service collection.
+ - _RTR_CreatePut_FilesV2_
+ - _RTR_CreateScriptsV2_
+ - _RTR_UpdateScriptsV2_
+ - `_endpoint/_real_time_response_admin.py`
+ - `_endpoint/deprecated/_real_time_response_admin.py`
+ - `real_time_response_admin.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_real_time_response_admin.py`
+
++ Added: Added new filter and sort options (`description`, `aspm.description.keyword`) as an allowed value to the _query_scheduled_scans_ and _query_scans_ operations within the __On Demand Scan__ service collection.
+ - `_endpoint/_ods.py`
+ - `_endpoint/deprecated/_ods.py`
+ - `ods.py`
+
++ Added: Added new filter and sort options as an allowed value to the _cloud_security_assets_queries_ operation within the __Cloud Security Assets__ service collection.
+ - _aspm.deployment_cloud_resource_id_
+ - _aspm.deployment_provider_
+ - _aspm.deployment_type_
+ - _aspm.technologies_
+ - `_endpoint/_cloud_security_assets.py`
+ - `_endpoint/deprecated/_cloud_security_assets.py`
+ - `cloud_security_assets.py`
+
++ Added: Added one new operation to the __Cloud Security Assets__ service collection.
+ - _cloud_security_assets_combined_application_findings_
+ - `_endpoint/_cloud_security_assets.py`
+ - `_endpoint/deprecated/_cloud_security_assets.py`
+ - `cloud_security_assets.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_cloud_security_assets.py`
+
++ Added: Added the new __Cloud Google Cloud Registration__ service collection with 6 operations.
+ - _cloud_registration_gcp_trigger_health_check_
+ - _cloud_registration_gcp_get_registration_
+ - _cloud_registration_gcp_put_registration_
+ - _cloud_registration_gcp_create_registration_
+ - _cloud_registration_gcp_update_registration_
+ - _cloud_registration_gcp_delete_registration_
+ - `_endpoint/__init__.py`
+ - `_endpoint/_cloud_google_cloud_registration.py`
+ - `_endpoint/deprecated/__init__.py`
+ - `_endpoint/deprecated/_cloud_google_cloud_registration.py`
+ - `_payload/__init__.py`
+ - `_payload/_cloud_google_cloud_registration.py`
+ - `__init__.py`
+ - `cloud_google_cloud_registration.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_cloud_google_cloud_registration.py`
+
++ Added: Added two new operations to the __Cloud Azure Registration__ service collection.
+ - _cloud_registration_azure_delete_legacy_subscription_
+ - _cloud_registration_azure_validate_registration_
+ - `_endpoint/_cloud_azure_registration.py`
+ - `_endpoint/deprecated/_cloud_azure_registration.py`
+ - `_payload/__init__.py`
+ - `_payload/_cloud_azure_registration.py`
+ - `cloud_azure_registration.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_cloud_azure_registration.py`
+
++ Added: Added two new operations to the __Cloud AWS Registration__ service collection.
+ - _cloud_registration_aws_trigger_health_check_
+ - _cloud_registration_aws_validate_accounts_
+ - `_endpoint/_cloud_aws_registration.py`
+ - `_endpoint/deprecated/_cloud_aws_registration.py`
+ - `cloud_aws_registration.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_cloud_aws_registration.py`
+
++ Removed: Removed two operations from the __ASPM__ service collection.
+ - _GetCSPMInventoryBAServices_
+ - _GetCSPMInventoryServiceDetails_
+ - `_endpoint/_aspm.py`
+ - `aspm.py`
+ > Unit testing adjusted to complete code coverage.
+ - `tests/test_aspm.py`
+
++ Added: Added "SPL", "AI translated" and "__all__" as allowed values for the `language` argument in the _GetArchiveExport_ operation within the __CAO Hunting__ service collection.
+ - `_endpoint/_cao_hunting.py`
+ - `cao_hunting.py`
+
++ Added: Added `include_translated_content` argument to the _GetIntelligenceQueries_ operation within the __CAO Hunting__ service collection.
+ - `_endpoint/_cao_hunting.py`
+ - `cao_hunting.py`
+
++ Added: Added the new __Case Management__ service collection with 48 operations.
+ - _aggregates_file_details_post_v1_
+ - _combined_file_details_get_v1_
+ - _entities_file_details_get_v1_
+ - _entities_file_details_patch_v1_
+ - _entities_files_bulk_download_post_v1_
+ - _entities_files_download_get_v1_
+ - _entities_files_upload_post_v1_
+ - _entities_files_delete_v1_
+ - _queries_file_details_get_v1_
+ - _aggregates_notification_groups_post_v1_
+ - _aggregates_notification_groups_post_v2_
+ - _aggregates_slas_post_v1_
+ - _aggregates_templates_post_v1_
+ - _entities_fields_get_v1_
+ - _entities_notification_groups_get_v1_
+ - _entities_notification_groups_post_v1_
+ - _entities_notification_groups_patch_v1_
+ - _entities_notification_groups_delete_v1_
+ - _entities_notification_groups_get_v2_
+ - _entities_notification_groups_post_v2_
+ - _entities_notification_groups_patch_v2_
+ - _entities_notification_groups_delete_v2_
+ - _entities_slas_get_v1_
+ - _entities_slas_post_v1_
+ - _entities_slas_patch_v1_
+ - _entities_slas_delete_v1_
+ - _entities_template_snapshots_get_v1_
+ - _entities_templates_export_get_v1_
+ - _entities_templates_import_post_v1_
+ - _entities_templates_get_v1_
+ - _entities_templates_post_v1_
+ - _entities_templates_patch_v1_
+ - _entities_templates_delete_v1_
+ - _queries_fields_get_v1_
+ - _queries_notification_groups_get_v1_
+ - _queries_notification_groups_get_v2_
+ - _queries_slas_get_v1_
+ - _queries_template_snapshots_get_v1_
+ - _queries_templates_get_v1_
+ - _entities_alert_evidence_post_v1_
+ - _entities_case_tags_post_v1_
+ - _entities_case_tags_delete_v1_
+ - _entities_cases_put_v2_
+ - _entities_cases_post_v2_
+ - _entities_cases_patch_v2_
+ - _entities_event_evidence_post_v1_
+ - _queries_cases_get_v1_
+ - `_endpoint/__init__.py`
+ - `_endpoint/_case_management.py`
+ - `_endpoint/deprecated/__init__.py`
+ - `_endpoint/deprecated/_case_management.py`
+ - `_payload/__init__.py`
+ - `_payload/_case_management.py`
+ - `__init__.py`
+ - `case_management.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_case_management.py`
+
++ Added: Added new _cloud_registration_azure_trigger_health_check_ operation to the __Cloud Azure Registration__ service collection.
+ - `_endpoint/_cloud_azure_registration.py`
+ - `_endpoint/deprecated/_cloud_azure_registration.py`
+ - `cloud_azure_registration.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_cloud_azure_registration.py`
+
++ Added: Added the new __Cloud Security Compliance__ service collection with 2 operations.
+ - _cloud_compliance_framework_posture_summaries_
+ - _cloud_compliance_rule_posture_summaries_
+ - `_endpoint/__init__.py`
+ - `_endpoint/_cloud_security_compliance.py`
+ - `_endpoint/deprecated/__init__.py`
+ - `_endpoint/deprecated/_cloud_security_compliance.py`
+ - `__init__.py`
+ - `cloud_security_compliance.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_cloud_security_compliance.py`
+
++ Added: Added the new __Cloud Security Detections__ service collection with 2 operations.
+ - _cspm_evaluations_iom_entities_
+ - _cspm_evaluations_iom_queries_
+ - `_endpoint/__init__.py`
+ - `_endpoint/_cloud_security_detections.py`
+ - `_endpoint/deprecated/__init__.py`
+ - `_endpoint/deprecated/_cloud_security_detections.py`
+ - `__init__.py`
+ - `cloud_security_detections.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_cloud_security_detections.py`
+
++ Added: Added the new __Cloud Policies__ service collection with 24 operations.
+ - _ReplaceControlRules_
+ - _GetComplianceControls_
+ - _CreateComplianceControl_
+ - _UpdateComplianceControl_
+ - _DeleteComplianceControl_
+ - _RenameSectionComplianceFramework_
+ - _GetComplianceFrameworks_
+ - _CreateComplianceFramework_
+ - _UpdateComplianceFramework_
+ - _DeleteComplianceFramework_
+ - _GetEvaluationResult_
+ - _GetRuleOverride_
+ - _CreateRuleOverride_
+ - _UpdateRuleOverride_
+ - _DeleteRuleOverride_
+ - _GetRule_
+ - _CreateRule_
+ - _UpdateRule_
+ - _DeleteRuleMixin0_
+ - _QueryComplianceControls_
+ - _QueryComplianceFrameworks_
+ - _QueryRule_
+ - _GetRuleInputSchema_
+ - _GetEnrichedAsset_
+ - `_endpoint/__init__.py`
+ - `_endpoint/_cloud_policies.py`
+ - `_payload/__init__.py`
+ - `_payload/_cloud_policies.py`
+ - `__init__.py`
+ - `cloud_policies.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_cloud_policies.py`
+
++ Added: Added the new __Cloud Security__ service collection with 7 operations.
+ - _combined_cloud_risks_
+ - _ListCloudGroupsExternal_
+ - _ListCloudGroupsByIDExternal_
+ - _CreateCloudGroupExternal_
+ - _UpdateCloudGroupExternal_
+ - _DeleteCloudGroupsExternal_
+ - _ListCloudGroupIDsExternal_
+ - `_endpoint/__init__.py`
+ - `_endpoint/_cloud_security.py`
+ - `_endpoint/deprecated/__init__.py`
+ - `_endpoint/deprecated/_cloud_security.py`
+ - `_payload/__init__.py`
+ - `_payload/_cloud_security`
+ - `__init__.py`
+ - `cloud_security.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_cloud_security.py`
+
++ Added: Added new filter option (`control.extension.status`) as an allowed value to the _cloud_security_assets_combined_compliance_by_account_ operation within the __Cloud Security Assets__ service collection.
+ - `_endpoint/_cloud_security_assets.py`
+ - `_endpoint/deprecated/_cloud_security_assets.py`
+ - `cloud_security_assets.py`
+
++ Updated: Removed three options (`application_security.business_applications`, `application_security.business_criticality` and `application_security.service_names`) and added 7 options (`control.benchmark.name`, `control.benchmark.version`, `control.framework`, `control.requirement`, `control.type`, `control.version`, and `non_compliant.rule_name`) as allowed filters in the _cloud_security_assets_queries_ operation within the __Cloud Security Assets__ service collection.
+ - `_endpoint/_cloud_security_assets.py`
+ - `_endpoint/deprecated/_cloud_security_assets.py`
+ - `cloud_security_assets.py`
+
++ Added: Added new __Cloud Security Compliance__ service collection with 2 new operations.
+ - `_endpoint/__init__.py`
+ - `_endpoint/_cloud_security_compliance.py`
+ - `_endpoint/deprecated/__init__.py`
+ - `_endpoint/deprecated/_cloud_security_compliance.py`
+ - `__init__.py`
+ - `cloud_security_compliance.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_cloud_security_compliance.py`
+
++ Added: Added new _CombinedDetections_ operation to the __Cloud Snapshots__ service collection.
+ - `_endpoint/_cloud_snapshots.py`
+ - `cloud_snapshots.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_cloud_snapshots.py`
+
++ Added: Added the new __Correlation Rules Admin__ service collection with 1 operation.
+ - _entities_rules_ownership_put_v1_
+ - `_endpoint/__init__.py`
+ - `_endpoint/_correlation_rules_admin.py`
+ - `_endpoint/deprecated/__init__.py`
+ - `_endpoint/deprecated/_correlation_rules_admin.py`
+ - `_payload/__init__.py`
+ - `_payload/_correlation_rules_admin.py`
+ - `__init__.py`
+ - `correlation_rules_admin.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_correlation_rules_admin.py`
+
++ Added: Added `dspm_host_account_id`, `dspm_host_integration_role_name`, and `dspm_host_scanner_role_name` arguments to the _GetD4CAWSAccountScriptsAttachment_ operation within the __D4C Registration__ service collection.
+ - `_endpoint/_d4c_registration.py`
+ - `d4c_registration.py`
+
++ Added: Added the new __Data Protection Configuration__ service collection with 36 operations.
+ - _entities_classification_get_v2_
+ - _entities_classification_post_v2_
+ - _entities_classification_patch_v2_
+ - _entities_classification_delete_v2_
+ - _entities_cloud_application_get_
+ - _entities_cloud_application_create_
+ - _entities_cloud_application_patch_
+ - _entities_cloud_application_delete_
+ - _entities_content_pattern_get_
+ - _entities_content_pattern_create_
+ - _entities_content_pattern_patch_
+ - _entities_content_pattern_delete_
+ - _entities_enterprise_account_get_
+ - _entities_enterprise_account_create_
+ - _entities_enterprise_account_patch_
+ - _entities_enterprise_account_delete_
+ - _entities_file_type_get_
+ - _entities_sensitivity_label_get_v2_
+ - _entities_sensitivity_label_create_v2_
+ - _entities_sensitivity_label_delete_v2_
+ - _entities_policy_get_v2_
+ - _entities_policy_post_v2_
+ - _entities_policy_patch_v2_
+ - _entities_policy_delete_v2_
+ - _entities_web_location_get_v2_
+ - _entities_web_location_create_v2_
+ - _entities_web_location_patch_v2_
+ - _entities_web_location_delete_v2_
+ - _queries_classification_get_v2_
+ - _queries_cloud_application_get_v2_
+ - _queries_content_pattern_get_v2_
+ - _queries_enterprise_account_get_v2_
+ - _queries_file_type_get_v2_
+ - _queries_sensitivity_label_get_v2_
+ - _queries_policy_get_v2_
+ - _queries_web_location_get_v2_
+ - `_endpoint/__init__.py`
+ - `_endpoint/_data_protection_configuration.py`
+ - `_endpoint/deprecated/__init__.py`
+ - `_endpoint/deprecated/_data_protection_configuration.py`
+ - `_payload/__init__.py`
+ - `_payload/_data_protection_configuration.py`
+ - `__init__.py`
+ - `data_protection_configuration.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_data_protection_configuration.py`
+
++ Added: Added `facet` argument to the _combined_applications_ operation within the __Discover__ service collection.
+ - `_endpoint/_discover.py`
+ - `_endpoint/deprecated/_discover.py`
+ - `discover.py`
+
++ Added: Added "scan_details.scan_id", "scan_details.schedule_id", "scan_details.scan_date", and "vulnerability_assessment_date" as allowed values for the `filter` argument in the _combined_hosts_ and _query_hosts_ operations within the __Discover__ service collection.
+ - `_endpoint/_discover.py`
+ - `_endpoint/deprecated/_discover.py`
+ - `discover.py`
+
++ Added: Added _FetchFilesDownloadInfo_ operation to the __Downloads__ service collection. Deprecated _DownloadFile_ and _EnumerateFile_.
+ - `_endpoint/_downloads.py`
+ - `downloads.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_downloads.py`
+
++ Added: Added _PolicyChecks_, _GetReportByReference_ and _GetReportByScanID_ operations to the __Falcon Container__ service collection.
+ - `_endpoint/_falcon_container.py`
+ - `_util/_functions.py`
+ - `_util/_uber.py`
+ - `falcon_container.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_falcon_container.py`
+
++ Added: Added "add-rule-group" and "remove-rule-group" as allowed values for the `action_name` argument in the _performFirewallPoliciesAction_ operation within the __FirewallPolicies__ Service Class.
+ - `firewall_policies.py`
+
++ Updated: Added 9 possible values for the `sort` argument in the _CombinedHiddenDevicesByFilter_ and _CombinedDevicesByFilter_ operations within the __Hosts__ service collection.
+ - _device_policies.exposure-management.applied_
+ - _device_policies.exposure-management.policy_id_
+ - _device_policies.exposure-management.policy_type_
+ - _device_policies.logscale-collector.applied_
+ - _device_policies.logscale-collector.policy_id_
+ - _device_policies.logscale-collector.policy_type_
+ - _device_policies.cloud-ml.policy_id_
+ - _device_policies.cloud-ml.policy_type_
+ - _device_policies.cloud-ml.applied_
+ - `_endpoint/_hosts.py`
+ - `hosts.py`
+
++ Added: Added `limit`, `from` and `to` arguments to the _QueryDeviceLoginHistoryV2_ operation within the __Hosts__ service collection.
+ - `_endpoint/_hosts.py`
+ - `hosts.py`
+
++ Added: Added "reports.slug" as an allowed `filter` value to the _QueryIntelIndicatorEntities_ and _QueryIntelIndicatorIds_ operations within the __Intel__ service collection.
+ - `_endpoint/_intel.py`
+ - `intel.py`
+
++ Added: Added "summary" as an allowed `filter` value to the _QueryIntelReportEntities_ and _QueryIntelReportIds_ operations within the __Intel__ service collection.
+ - `_endpoint/_intel.py`
+ - `intel.py`
+
++ Added: Added "any" as an allowed `feed_interval` value to the _QueryFeedArchives_ operation within the __Intelligence Feeds__ service collection.
+ - `_endpoint/_intelligence_feeds.py`
+ - `intelligence_feeds.py`
+
++ Added: Added 5 new operations to the __IT Automation__ service collection.
+ - _ITAutomationSearchUserGroup_
+ - _ITAutomationGetUserGroup_
+ - _ITAutomationCreateUserGroup_
+ - _ITAutomationUpdateUserGroup_
+ - _ITAutomationDeleteUserGroup_
+ - `_endpoint/_it_automation.py`
+ - `_payload/__init__.py`
+ - `_payload/_it_automation.py`
+ - `it_automation.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_it_automation.py`
+
++ Added: Added "namespace" and "pod_name" as allowed `filter` values in the _ReadClustersByKubernetesVersionCount_, _ReadClustersByStatusCount_, _ReadClusterCount_, _ReadClusterCombined_, and _ReadClusterCombinedV2_ operations within the __Kubernetes Protection__ service collection.
+ - `_endpoint/_kubernetes_protection.py`
+ - `kubernetes_protection.py`
+
++ Added: Added the operation _PostSearchKubernetesIOMEntities_ to the __Kubernetes Protection__ service collection.
+ - `_endpoint/_kubernetes_protection.py`
+ - `kubernetes_protection.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_kubernetes_protection.py`
+
++ Added: Added 22 new operations to the __NGSIEM__ service collection.
+ - _GetDashboardTemplate_
+ - _CreateDashboardFromTemplate_
+ - _UpdateDashboardFromTemplate_
+ - _DeleteDashboard_
+ - _GetLookupFile_
+ - _CreateLookupFile_
+ - _UpdateLookupFile_
+ - _DeleteLookupFile_
+ - _GetParserTemplate_
+ - _CreateParserFromTemplate_
+ - _GetParser_
+ - _CreateParser_
+ - _UpdateParser_
+ - _DeleteParser_
+ - _GetSavedQueryTemplate_
+ - _CreateSavedQuery_
+ - _UpdateSavedQueryFromTemplate_
+ - _DeleteSavedQuery_
+ - _ListDashboards_
+ - _ListLookupFiles_
+ - _ListParsers_
+ - _ListSavedQueries_
+ - `_endpoint/_ngsiem.py`
+ - `_payload/__init__.py`
+ - `_payload/_ngsiem.py`
+ - `ngsiem.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_dashboard.yml`
+ - `tests/test_ngsiem.py`
+
++ Added: Added the `file_name` argument to the _UploadFileQuickScanPro_ operation within the __Quick Scan Pro__ service collection.
+ - `_endpoint/_quick_scan_pro.py`
+
++ Added: Added the new __SaaS Security__ service collection with 24 operations.
+ - _GetMetricsV3_
+ - _GetAlertsV3_
+ - _GetAppInventoryUsers_
+ - _GetAppInventory_
+ - _GetSecurityCheckAffectedV3_
+ - _DismissAffectedEntityV3_
+ - _DismissSecurityCheckV3_
+ - _GetSecurityChecksV3_
+ - _GetSecurityCheckComplianceV3_
+ - _IntegrationBuilderEndTransactionV3_
+ - _IntegrationBuilderResetV3_
+ - _IntegrationBuilderGetStatusV3_
+ - _IntegrationBuilderUploadV3_
+ - _GetAssetInventoryV3_
+ - _GetDeviceInventoryV3_
+ - _GetIntegrationsV3_
+ - _GetActivityMonitorV3_
+ - _GetSupportedSaasV3_
+ - _GetSystemLogsV3_
+ - _GetSystemUsersV3_
+ - _GetUserInventoryV3_
+ - `_endpoint/__init__.py`
+ - `_endpoint/_saas_security.py`
+ - `__init__.py`
+ - `saas_security.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_saas_security.py`
+
++ Added: Added new _GetSensorUsageHourly_ operation to the __Sensor Usage__ service collection.
+ - `_endpoint/_sensor_usage.py`
+ - `sensor_usage.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_sensor_usage.py`
+ > Thanks go out to @atav982 for submitting this update! 🙇
+
++ Added: Added the new __Spotlight Vulnerability Metadata__ service collection with 1 operation.
+ - _combineVulnMetadataExt_
+ - `_endpoint/__init__.py`
+ - `_endpoint/_spotlight_vulnerability_metadata.py`
+ - `__init__.py`
+ - `spotlight_vulnerability_metadata.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_spotlight_vulnerability_metadata.py`
+
++ Added: Added "uuid" as an allowed `filter` value in the _queryUserV1_ operation within the __User Management__ service collection.
+ - `_endpoint/_user_management.py`
+ - `user_management.py`
+
++ Updated: Added the _entitiesRolesGETV2_ operation and deprecated the _entitiesRolesV1_ operation within the __User Management__ service collection.
+ - `_endpoint/_user_management.py`
+ - `user_management.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_user_management.py`
+
++ Added: Added new _WorkflowDefinitionsStatus_ operation to the __Workflows__ service class.
+ - `_constant/__init__.py`
+ - `_endpoint/_workflows.py`
+ - `workflows.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_workflows.py`
+ - Special thanks go out to @dweissbacher for contributing this update and related unit tests! 🙇
+
++ Added: Added "cancel" as an allowed value for `action_name` in the _WorkflowExecutionsAction_ operation within the __Workflows__ service collection.
+ - `_endpoint/_workflows.py`
+
++ Added: Added `skip_validation` and `ignore_activity_mock_references` arguments to the _WorkflowMockExecute_ operation within the __Workflows__ service collection.
+ - `_endpoint/_workflows.py`
+ - `workflows.py`
+
++ Added: Added the _child_login_ and _child_logout_ helper methods to the authentication object and implemented aliases for Service Classes. This method allows login using existing parent credentials to a child tenant by providing the `member_cid` argument only.
+ - `_auth_object/_falcon_interface.py`
+ - `_service_class/_service_class.py`
+ > Unit testing expanded to complete code coverage.
+ - `tests/test_authentications.py`
+
+## Issues resolved
++ Fixed: Resolved path interpolation issue for the `search_id` keyword when using the Uber Class to call the _GetSearchStatusV1_ operation. Closes #1365.
+ - `_util/_uber.py`
+ - Thanks go out to @yakeeliuliu for reporting this issue! 🙇
+
++ Fixed: Resolved body payload generation issue with the _userActionV1_ operation within the __UserManagement__ service class.
+ - `user_management.py`
+
++ Fixed: Resolved availability issue with FDR service collection endpoints within the endpoint module. Closes #1371.
+ - `_endpoint/__init__.py`
+ > Thanks go out to @Don-Swanson-Adobe for reporting this issue! 🙇
+
++ Fixed: Body payload issue with the _userActionV1_ operation within the __User Management__ service class.
+ - `user_management.py`
+ > Thanks go out to @Matth3wW for identifying and resolving this issue! 🙇
+
+
+## Other
++ Deprecated: Moved the _get\_/executor\_nodes/{ID:[0-9]+}/instances/csv_, _delete\_/group/{ID:[0-9]+}_, _post\_/group/{ID:[0-9]+}/update_default_, _get\_/group/{ID:[0-9]+}/v2_, and _post\_/group/{ID:[0-9]+}/v2_ operations within the __ASPM__ service collection to a deprecated status.
+ - `_endpoint/__init__.py`
+ - `_endpoint/deprecated/__init__.py`
+ - `_endpoint/deprecated/aspm.py`
+
++ Updated: Cosmetic updates to operation descriptions for the _GetIntelligenceQueries_ and _SearchIntelligenceQueries_ operations within the __CAO Hunting__ service collection.
+ - `_endpoint/_cao_hunting.py`
+
++ Updated: Converted `offset` argument data type from _String_ to _Integer_ in the _QueryActivityByCaseID_ and _QueryCasesIdsByFilter_ operations within the __Message Center__ service collection.
+ - `_endpoint/_message_center.py`
+ - `message_center.py`
+
++ Updated: Cosmetic updates to parameter descriptions in the _cloud_security_registration_oci_get_account_ operation within the __Cloud OCI Registration__ service collection.
+ - `_endpoint/_cloud_oci_registration.py`
+ - `_endpoint/deprecated/_cloud_oci_registration.py`
+
++ Updated: Cosmetic update to parameter descriptions in the _SearchAndReadContainerAlerts_ operation within the __Container Alerts__ service collection.
+ - `_endpoint/_container_alerts.py`
+
++ Updated: Cosmetic update adding "image_digest" as an allowed value to the `filter` argument description in the _ReadDetectsCountBySeverity_, _ReadDetectionsCountByType_, _ReadDetectionsCount_, _ReadCombinedDetections_, _ReadDetections_, and _SearchDetections_ operations within the __Container Detections__ service collection.
+ - `_endpoint/_container_detections.py`
+
++ Updated: Cosmetic update to the `limit` and `offset` descriptions in the _ReadCombinedDetections_, _GetRuntimeDetectionsCombinedV2_, _ReadDetections_, and _SearchDetections_ operations within the __Container Detections__ service collection.
+ - `_endpoint/_container_detections.py`
+
++ Updated: Cosmetic update to operation and parameter descriptions in the _GetCombinedImages_, _CombinedImageDetail_, and _ReadCombinedImagesExport_ operations within the __Container Images__ service collection.
+ - `_endpoint/_container_images.py`
+
++ Updated: Cosmetic update to operation and parameter descriptions in the _ReadPackagesByFixableVulnCount_, _ReadPackagesByVulnCount_, _ReadPackagesCombinedExport_, _ReadPackagesCombined_, and _ReadPackagesCombinedV2_ operations within the __Container Packages__ service collection.
+ - `_endpoint/_container_packages.py`
+
++ Updated: Cosmetic update to operation and parameter descriptions in the _ReadVulnerabilityCountByActivelyExploited_, _ReadVulnerabilityCountByCPSRating_, _ReadVulnerabilityCountByCVSSScore_, _ReadVulnerabilityCountBySeverity_, _ReadVulnerabilityCount_, _ReadVulnerabilitiesByImageCount_, _ReadVulnerabilitiesPublicationDate_, _ReadCombinedVulnerabilitiesDetails_, _ReadCombinedVulnerabilitiesInfo_, and _ReadCombinedVulnerabilities_ operations within the __Container Vulnerabilities__ service collection.
+ - `_endpoint/_container_vulnerabilities.py`
+
++ Deprecated: Deprecated the __Detects__ service collection and all included endpoints. Closes #1378.
+ - `_endpoint/_detects.py`
+ - `_endpoint/deprecated/_mapping.py`
+ - `detects.py`
+ > Thanks go out to @djacquensf9 for reporting this update! 🙇
+
++ Updated: Cosmetic update to the `limit` and `offset` descriptions in the _SearchAndReadDriftIndicatorEntities_ and _SearchDriftIndicators_ operations within the __Drift Indicators__ service collection.
+ - `_endpoint/_container_detections.py`
+
++ Updated: Cosmetic update to the `sort` enum and `filter` argument description in the _GetHostMigrationIDsV1_ and _GetMigrationIDsV1_ operations within the __Host Migration__ service collection.
+ - `_endpoint/_host_migration.py`
+
++ Updated: Cosmetic update to remove unnecessary Authorization headers from the _post_graphql_, _GetSensorDetails_, _get_policy_rules_, _delete_policy_rules_, and _get_policy_rules_query_ operations within the __Identity Protection__ service collection.
+ - `_endpoint/_identity_protection.py`
+
++ Updated: Cosmetic updates to operation descriptions for the _ITAutomationStartExecutionResultsSearch_ and _ITAutomationGetExecutionResults_ operations within the __IT Automation__ service collection.
+ - `_endpoint/_it_automation.py`
+
++ Updated: Cosmetic update to the `limit` and `offset` argument descriptions for the _FindContainersByContainerRunTimeVersion_, _ReadClusterCombined_, _ReadClusterCombinedV2_, _ReadRunningContainerImages_, _ReadContainerCombined_, _ReadDeploymentCombined_, _SearchAndReadKubernetesIomEntities_, _ReadNodeCombined_, _ReadPodCombined_ and _SearchKubernetesIoms_ operations within the __Kubernetes Protection__ service collection.
+ - `_endpoint/_it_automation.py`
+
++ Updated: Cosmetic update to operation descriptions for the _ReadClusterCombinedV2_, _ReadContainerCombined_ and _SearchAndReadKubernetesIomEntities_ operations within the __Kubernetes Protection__ service collection.
+ - `_endpoint/_it_automation.py`
+
++ Updated: Cosmetic update to the `limit` and `offset` argument descriptions in the _SearchAndRReadUnidentifiedContainers_ operation within the __Unidentified Containers__ service collection.
+ - `_endpoint/_unidentified_containers.py`
+
++ Updated: Cosmetic updates to argument and operation descriptions in the _WorkflowDefinitionsCombined_, _WorkflowDefinitionsStatus_, _WorkflowExecutionsAction_ and _WorkflowMockExecute_ operations within the __Workflows__ service collection.
+ - `_endpoint/_workflows.py`
+
+---
+
# Version 1.5.4
## Added features and functionality
+ Added: Added _tag_key_ and _tag_value_ as allowed values for the `filter` parameter in the _cloud_security_assets_combined_compliance_by_account_ operation within the __Cloud Security Assets__ service collection.
diff --git a/src/falconpy/__init__.py b/src/falconpy/__init__.py
index 94da774b..63a26191 100644
--- a/src/falconpy/__init__.py
+++ b/src/falconpy/__init__.py
@@ -110,11 +110,17 @@
from .api_complete import APIHarness, APIHarnessV2
from .aspm import ASPM
from .cao_hunting import CAOHunting
+from .case_management import CaseManagement
from .certificate_based_exclusions import CertificateBasedExclusions
from .cloud_aws_registration import CloudAWSRegistration
from .cloud_azure_registration import CloudAzureRegistration
+from .cloud_google_cloud_registration import CloudGoogleCloudRegistration
from .cloud_oci_registration import CloudOCIRegistration
+from .cloud_policies import CloudPolicies
+from .cloud_security import CloudSecurity
from .cloud_security_assets import CloudSecurityAssets
+from .cloud_security_compliance import CloudSecurityCompliance
+from .cloud_security_detections import CloudSecurityDetections
from .cloud_snapshots import CloudSnapshots
from .container_image_compliance import ContainerImageCompliance, ComplianceAssessments
from .configuration_assessment_evaluation_logic import ConfigurationAssessmentEvaluationLogic
@@ -125,12 +131,14 @@
from .container_packages import ContainerPackages
from .container_vulnerabilities import ContainerVulnerabilities
from .correlation_rules import CorrelationRules
+from .correlation_rules_admin import CorrelationRulesAdmin
from .cloud_connect_aws import CloudConnectAWS
from .content_update_policies import ContentUpdatePolicies
from .cspm_registration import CSPMRegistration
from .custom_ioa import CustomIOA
from .custom_storage import CustomStorage
from .d4c_registration import D4CRegistration
+from .data_protection_configuration import DataProtectionConfiguration
from .delivery_settings import DeliverySettings
from .deployments import Deployments
from .detects import Detects
@@ -185,6 +193,7 @@
from .recon import Recon
from .report_executions import ReportExecutions
from .response_policies import ResponsePolicies
+from .saas_security import SaasSecurity
from .sample_uploads import SampleUploads
from .scheduled_reports import ScheduledReports
from .sensor_download import SensorDownload
@@ -193,6 +202,7 @@
from .sensor_visibility_exclusions import SensorVisibilityExclusions
from .serverless_vulnerabilities import ServerlessVulnerabilities
from .spotlight_vulnerabilities import SpotlightVulnerabilities
+from .spotlight_vulnerability_metadata import SpotlightVulnerabilityMetadata
from .spotlight_evaluation_logic import SpotlightEvaluationLogic
from .tailored_intelligence import TailoredIntelligence
from .threatgraph import ThreatGraph
@@ -249,7 +259,10 @@
"ContainerImageCompliance", "FaaSExecution", "HEC", "IngestBaseURL", "IngestFormat",
"IngestPayload", "HTTPEventCollector", "IngestConfig", "SessionManager", "TimeUnit",
"Color", "Indicator", "random_string", "KubernetesContainerCompliance", "find_operation",
- "InvalidRoute", "InvalidServiceCollection", "InvalidOperationSearch", "ITAutomation", "F4IT"
+ "InvalidRoute", "InvalidServiceCollection", "InvalidOperationSearch", "ITAutomation", "F4IT",
+ "CloudSecurityCompliance", "CaseManagement", "SaasSecurity", "SpotlightVulnerabilityMetadata",
+ "DataProtectionConfiguration", "CorrelationRulesAdmin", "CloudSecurityDetections",
+ "CloudPolicies", "CloudGoogleCloudRegistration", "CloudSecurity"
]
"""
This is free and unencumbered software released into the public domain.
diff --git a/src/falconpy/_auth_object/_falcon_interface.py b/src/falconpy/_auth_object/_falcon_interface.py
index eed0fb7f..00628085 100644
--- a/src/falconpy/_auth_object/_falcon_interface.py
+++ b/src/falconpy/_auth_object/_falcon_interface.py
@@ -260,6 +260,36 @@ def logout(self) -> Union[dict, bool]:
"""Log out of the Falcon API by revoking the current token."""
return self._logout_handler()
+ def child_login(self, member_cid: str = None) -> bool:
+ """Perform a login leveraging the provided member_cid."""
+ returned = False
+ if member_cid:
+ self.creds["member_cid"] = member_cid
+ do_login = self.login()
+ if isinstance(do_login, bool):
+ returned = do_login
+ else:
+ if do_login["status_code"] == 201:
+ returned = True
+ return returned
+
+ def child_logout(self, login_as_parent: bool = True) -> bool:
+ """Perform a logout of the child, and potentially relog in as the parent."""
+ returned = False
+ if self.creds["member_cid"]:
+ self.creds.pop("member_cid", None)
+ if login_as_parent:
+ do_loginout = self.login()
+ else:
+ do_loginout = self.logout()
+ if isinstance(do_loginout, bool):
+ returned = do_loginout
+ else:
+ if do_loginout["status_code"] == 201:
+ returned = True
+
+ return returned
+
# The default behavior for both the login and logout handlers is to return
# the entire dictionary created by the token API response.
def _login_handler(self, stateful: bool = True) -> dict:
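Review bot: `child_logout` indexes `self.creds["member_cid"]` on the first line of its body, which raises KeyError whenever no child login preceded the call (the `.pop(..., None)` on the very next line shows the key is expected to be optional); use `if self.creds.get("member_cid"):`. In `child_login` the `member_cid` is written into `self.creds` before `self.login()` is attempted and is never removed on failure, so after a rejected child login the auth object still advertises the child scope while holding whatever token it had before; consider popping the key when `returned` stays False. With `login_as_parent=True`, `child_logout` requests a parent token via `login()` without a preceding `logout()`, so unless `login()` revokes the prior token (not visible in this hunk) the child-scoped token stays valid until it expires — worth either an explicit revoke or a docstring sentence stating it. Both docstrings should also say that the methods return False when no `member_cid` is supplied or present.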
diff --git a/src/falconpy/_constant/__init__.py b/src/falconpy/_constant/__init__.py
index 19868b5a..f2497457 100644
--- a/src/falconpy/_constant/__init__.py
+++ b/src/falconpy/_constant/__init__.py
@@ -57,7 +57,8 @@
"setContentUpdatePoliciesPrecedence", "setDeviceControlPoliciesPrecedence",
"setFirewallPoliciesPrecedence", "setPreventionPoliciesPrecedence", "signalChangesExternal",
"setRTResponsePoliciesPrecedence", "setSensorUpdatePoliciesPrecedence", "GetDeviceDetails",
- "CreateSavedSearchesDeployV1", "cancel-scans", "get-rules-get"
+ "CreateSavedSearchesDeployV1", "cancel-scans", "get-rules-get", "WorkflowDefinitionsStatus",
+ "WorkflowDefinitionsAction"
]
MOCK_OPERATIONS: List[str] = [
"GetImageAssessmentReport", "DeleteImageDetails", "ImageMatchesPolicy"
@@ -74,3 +75,5 @@
MAX_TOKEN_RENEW_WINDOW: int = 1200
# Minimum available token renew window (in seconds).
MIN_TOKEN_RENEW_WINDOW: int = 120
+# Maximum length for strings generated with the random_string function (in seconds).
+MAX_RANDOM_STRING_LENGTH: int = 4096
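Review bot: The comment on the new `MAX_RANDOM_STRING_LENGTH` constant says "(in seconds)", copied from the token-renew-window comments directly above it, but the value bounds a generated string's length; change it to `# Maximum length for strings generated with the random_string function (in characters).` Since this constant is presumably the cap used to reject oversized length requests, naming the unit correctly matters for whoever later tunes it.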
diff --git a/src/falconpy/_endpoint/__init__.py b/src/falconpy/_endpoint/__init__.py
index d68e8bad..8dd2f5fa 100644
--- a/src/falconpy/_endpoint/__init__.py
+++ b/src/falconpy/_endpoint/__init__.py
@@ -20,14 +20,20 @@
`---' OAuth2 API SDK for Python 3 `---'
"""
from typing import List, Any
+from .deprecated import _case_management_deprecated
from .deprecated import _cloud_aws_registration_deprecated
from .deprecated import _cloud_azure_registration_deprecated
+from .deprecated import _cloud_google_cloud_registration_deprecated
from .deprecated import _cloud_oci_registration_deprecated
+from .deprecated import _cloud_security_deprecated
from .deprecated import _cloud_security_assets_deprecated
+from .deprecated import _cloud_security_compliance_deprecated
+from .deprecated import _cloud_security_detections_deprecated
+from .deprecated import _correlation_rules_admin_deprecated
from .deprecated import _correlation_rules_deprecated
from .deprecated import _custom_ioa_deprecated
from .deprecated import _d4c_registration_deprecated
-from .deprecated import _datascanner_deprecated
+from .deprecated import _data_protection_configuration_deprecated
from .deprecated import _device_content_deprecated
from .deprecated import _discover_deprecated
from .deprecated import _fdr_deprecated
@@ -51,11 +57,17 @@
from ._api_integrations import _api_integrations_endpoints
from ._aspm import _aspm_endpoints
from ._cao_hunting import _cao_hunting_endpoints
+from ._case_management import _case_management_endpoints
from ._certificate_based_exclusions import _certificate_based_exclusions_endpoints
from ._cloud_aws_registration import _cloud_aws_registration_endpoints
from ._cloud_azure_registration import _cloud_azure_registration_endpoints
+from ._cloud_google_cloud_registration import _cloud_google_cloud_registration_endpoints
from ._cloud_oci_registration import _cloud_oci_registration_endpoints
+from ._cloud_policies import _cloud_policies_endpoints
+from ._cloud_security import _cloud_security_endpoints
from ._cloud_security_assets import _cloud_security_assets_endpoints
+from ._cloud_security_compliance import _cloud_security_compliance_endpoints
+from ._cloud_security_detections import _cloud_security_detections_endpoints
from ._cloud_connect_aws import _cloud_connect_aws_endpoints
from ._cloud_snapshots import _cloud_snapshots_endpoints
from ._container_image_compliance import _container_image_compliance_endpoints
@@ -68,10 +80,12 @@
from ._container_vulnerabilities import _container_vulnerabilities_endpoints
from ._content_update_policies import _content_update_policies_endpoints
from ._correlation_rules import _correlation_rules_endpoints
+from ._correlation_rules_admin import _correlation_rules_admin_endpoints
from ._cspm_registration import _cspm_registration_endpoints
from ._custom_ioa import _custom_ioa_endpoints
from ._custom_storage import _custom_storage_endpoints
from ._d4c_registration import _d4c_registration_endpoints
+from ._data_protection_configuration import _data_protection_configuration_endpoints
from ._delivery_settings import _delivery_settings_endpoints
from ._deployments import _deployments_endpoints
from ._detects import _detects_endpoints
@@ -86,6 +100,7 @@
from ._falcon_complete_dashboard import _falcon_complete_dashboard_endpoints
from ._falcon_container import _falcon_container_endpoints
from ._falconx_sandbox import _falconx_sandbox_endpoints
+from ._fdr import _fdr_endpoints
from ._filevantage import _filevantage_endpoints
from ._firewall_management import _firewall_management_endpoints
from ._firewall_policies import _firewall_policies_endpoints
@@ -125,6 +140,7 @@
from ._recon import _recon_endpoints
from ._report_executions import _report_executions_endpoints
from ._response_policies import _response_policies_endpoints
+from ._saas_security import _saas_security_endpoints
from ._sample_uploads import _sample_uploads_endpoints
from ._scheduled_reports import _scheduled_reports_endpoints
from ._sensor_download import _sensor_download_endpoints
@@ -134,6 +150,7 @@
from ._serverless_vulnerabilities import _serverless_vulnerabilities_endpoints
from ._spotlight_evaluation_logic import _spotlight_evaluation_logic_endpoints
from ._spotlight_vulnerabilities import _spotlight_vulnerabilities_endpoints
+from ._spotlight_vulnerability_metadata import _spotlight_vulnerability_metadata_endpoints
from ._tailored_intelligence import _tailored_intelligence_endpoints
from ._threatgraph import _threatgraph_endpoints
from ._unidentified_containers import _unidentified_containers_endpoints
@@ -146,12 +163,18 @@
api_endpoints.extend(_api_integrations_endpoints)
api_endpoints.extend(_aspm_endpoints)
api_endpoints.extend(_cao_hunting_endpoints)
+api_endpoints.extend(_case_management_endpoints)
api_endpoints.extend(_certificate_based_exclusions_endpoints)
api_endpoints.extend(_cloud_connect_aws_endpoints)
api_endpoints.extend(_cloud_aws_registration_endpoints)
api_endpoints.extend(_cloud_azure_registration_endpoints)
+api_endpoints.extend(_cloud_google_cloud_registration_endpoints)
api_endpoints.extend(_cloud_oci_registration_endpoints)
+api_endpoints.extend(_cloud_policies_endpoints)
+api_endpoints.extend(_cloud_security_endpoints)
api_endpoints.extend(_cloud_security_assets_endpoints)
+api_endpoints.extend(_cloud_security_compliance_endpoints)
+api_endpoints.extend(_cloud_security_detections_endpoints)
api_endpoints.extend(_cloud_snapshots_endpoints)
api_endpoints.extend(_container_image_compliance_endpoints)
api_endpoints.extend(_configuration_assessment_evaluation_logic_endpoints)
@@ -162,11 +185,13 @@
api_endpoints.extend(_container_packages_endpoints)
api_endpoints.extend(_container_vulnerabilities_endpoints)
api_endpoints.extend(_content_update_policies_endpoints)
+api_endpoints.extend(_correlation_rules_admin_endpoints)
api_endpoints.extend(_correlation_rules_endpoints)
api_endpoints.extend(_cspm_registration_endpoints)
api_endpoints.extend(_custom_ioa_endpoints)
api_endpoints.extend(_custom_storage_endpoints)
api_endpoints.extend(_d4c_registration_endpoints)
+api_endpoints.extend(_data_protection_configuration_endpoints)
api_endpoints.extend(_delivery_settings_endpoints)
api_endpoints.extend(_detects_endpoints)
api_endpoints.extend(_device_content_endpoints)
@@ -181,6 +206,7 @@
api_endpoints.extend(_falcon_complete_dashboard_endpoints)
api_endpoints.extend(_falcon_container_endpoints)
api_endpoints.extend(_falconx_sandbox_endpoints)
+api_endpoints.extend(_fdr_endpoints)
api_endpoints.extend(_filevantage_endpoints)
api_endpoints.extend(_firewall_management_endpoints)
api_endpoints.extend(_firewall_policies_endpoints)
@@ -220,6 +246,7 @@
api_endpoints.extend(_recon_endpoints)
api_endpoints.extend(_report_executions_endpoints)
api_endpoints.extend(_response_policies_endpoints)
+api_endpoints.extend(_saas_security_endpoints)
api_endpoints.extend(_sample_uploads_endpoints)
api_endpoints.extend(_scheduled_reports_endpoints)
api_endpoints.extend(_sensor_download_endpoints)
@@ -229,6 +256,7 @@
api_endpoints.extend(_serverless_vulnerabilities_endpoints)
api_endpoints.extend(_spotlight_evaluation_logic_endpoints)
api_endpoints.extend(_spotlight_vulnerabilities_endpoints)
+api_endpoints.extend(_spotlight_vulnerability_metadata_endpoints)
api_endpoints.extend(_tailored_intelligence_endpoints)
api_endpoints.extend(_threatgraph_endpoints)
api_endpoints.extend(_unidentified_containers_endpoints)
@@ -238,15 +266,21 @@
# Deprecated endpoints
deprecated_endpoints = []
+deprecated_endpoints.extend(_case_management_deprecated)
deprecated_endpoints.extend(_cloud_aws_registration_deprecated)
deprecated_endpoints.extend(_cloud_azure_registration_deprecated)
+deprecated_endpoints.extend(_cloud_google_cloud_registration_deprecated)
deprecated_endpoints.extend(_cloud_oci_registration_deprecated)
+deprecated_endpoints.extend(_cloud_security_deprecated)
deprecated_endpoints.extend(_cloud_security_assets_deprecated)
+deprecated_endpoints.extend(_cloud_security_compliance_deprecated)
+deprecated_endpoints.extend(_cloud_security_detections_deprecated)
+deprecated_endpoints.extend(_correlation_rules_admin_deprecated)
deprecated_endpoints.extend(_correlation_rules_deprecated)
deprecated_endpoints.extend(_certificate_based_exclusions_deprecated)
deprecated_endpoints.extend(_custom_ioa_deprecated)
deprecated_endpoints.extend(_d4c_registration_deprecated)
-deprecated_endpoints.extend(_datascanner_deprecated)
+deprecated_endpoints.extend(_data_protection_configuration_deprecated)
deprecated_endpoints.extend(_device_content_deprecated)
deprecated_endpoints.extend(_discover_deprecated)
deprecated_endpoints.extend(_fdr_deprecated)
diff --git a/src/falconpy/_endpoint/_cao_hunting.py b/src/falconpy/_endpoint/_cao_hunting.py
index a734615f..b67ae8a4 100644
--- a/src/falconpy/_endpoint/_cao_hunting.py
+++ b/src/falconpy/_endpoint/_cao_hunting.py
@@ -37,6 +37,20 @@
"""
_cao_hunting_endpoints = [
+ [
+ "AggregateHuntingGuides",
+ "POST",
+ "/hunting/aggregates/hunting-guides/v1",
+ "Aggregate Hunting Guides",
+ "cao_hunting",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
[
"AggregateIntelligenceQueries",
"POST",
@@ -60,7 +74,9 @@
[
{
"type": "string",
- "description": "The Query Language. Accepted Values:\n\n
cqlsnortsuricatayara",
+ "description": "The Query Language. Accepted "
+ "Values:\n\ncqlsnortsuricatayaraSPL AI translated "
+ "(Beta)__all__ returns a single archive with queries in all the languages ",
"name": "language",
"in": "query",
"required": True
@@ -73,17 +89,38 @@
},
{
"type": "string",
- "description": "The Archive Type can be one of 'zip' and 'gzip'. Defaults to 'zip'.",
+ "default": "zip",
+ "description": "The Archive Type can be one of 'zip' and 'gzip'",
"name": "archive_type",
"in": "query"
}
]
],
+ [
+ "GetHuntingGuides",
+ "GET",
+ "/hunting/entities/hunting-guides/v1",
+ "Retrieves a list of Hunting Guides",
+ "cao_hunting",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Hunting Guides IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
[
"GetIntelligenceQueries",
"GET",
"/hunting/entities/intelligence-queries/v1",
- "Retrieves a list of Intelligence queries",
+ "Retrieves the details of a list of Intelligence queries IDs",
"cao_hunting",
[
{
@@ -96,6 +133,56 @@
"name": "ids",
"in": "query",
"required": True
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The AI translated language that should be returned if it exists
Accepted values "
+ "are: SPL\\_\\_all\\_\\_",
+ "name": "include_translated_content",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "SearchHuntingGuides",
+ "GET",
+ "/hunting/queries/hunting-guides/v1",
+ "Search for Hunting Guides that match the provided conditions",
+ "cao_hunting",
+ [
+ {
+ "type": "string",
+ "description": "Starting index of result set from which to return IDs.",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "Number of IDs to return.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Order by fields.",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "FQL query specifying the filter parameters.",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Match phrase_prefix query criteria; included fields: _all (all filter string fields indexed).",
+ "name": "q",
+ "in": "query"
}
]
],
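Review bot: In `SearchHuntingGuides`, `offset` is declared `"type": "string"` while the neighbouring `limit` is `"integer"` and the description reads "Starting index of result set"; this release converts `offset` from String to Integer elsewhere, so it is worth confirming the type against the upstream spec before it is baked into generated docstrings. The `include_translated_content` description carries markdown escapes (`SPL\\_\\_all\\_\\_`) that will be shown literally in help output; the plain form `are: SPL, __all__` is what a caller needs to read. The `language` description in the hunk above has the same rendering problem, with the accepted values concatenated without separators (`cqlsnortsuricatayaraSPL AI translated (Beta)__all__`), so a user cannot tell where one value ends and the next begins.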
@@ -103,7 +190,7 @@
"SearchIntelligenceQueries",
"GET",
"/hunting/queries/intelligence-queries/v1",
- "Search intelligence queries that match the provided conditions",
+ "Search for a list of intelligence queries IDs that match the provided conditions",
"cao_hunting",
[
{
diff --git a/src/falconpy/_endpoint/_case_management.py b/src/falconpy/_endpoint/_case_management.py
new file mode 100644
index 00000000..d83e8e87
--- /dev/null
+++ b/src/falconpy/_endpoint/_case_management.py
@@ -0,0 +1,1086 @@
+"""Internal API endpoint constant library.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+# pylint: disable=C0302
+
+_case_management_endpoints = [
+ [
+ "aggregates_file_details_post_v1",
+ "POST",
+ "/case-files/aggregates/file-details/v1",
+ "Get file details aggregates as specified via json in the request body.",
+ "case_management",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "combined_file_details_get_v1",
+ "GET",
+ "/case-files/combined/file-details/v1",
+ "Query file details",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "maximum": 10,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "entities_file_details_get_v1",
+ "GET",
+ "/case-files/entities/file-details/v1",
+ "Get file details by id",
+ "case_management",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_file_details_patch_v1",
+ "PATCH",
+ "/case-files/entities/file-details/v1",
+ "Update file details",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_files_bulk_download_post_v1",
+ "POST",
+ "/case-files/entities/files/bulk-download/v1",
+ "Download multiple existing file from case as a ZIP",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_files_download_get_v1",
+ "GET",
+ "/case-files/entities/files/download/v1",
+ "Download existing file from case",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "Resource ID",
+ "name": "id",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_files_upload_post_v1",
+ "POST",
+ "/case-files/entities/files/upload/v1",
+ "Upload file for case",
+ "case_management",
+ [
+ {
+ "type": "file",
+ "description": "Local file to Upload",
+ "name": "file",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Description of the file",
+ "name": "description",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "Case ID for the file",
+ "name": "case_id",
+ "in": "formData",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_files_delete_v1",
+ "DELETE",
+ "/case-files/entities/files/v1",
+ "Delete file details by id",
+ "case_management",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_retrieve_rtr_file_post_v1",
+ "POST",
+ "/case-files/entities/retrieve-rtr-file/v1",
+ "retrieves a file from host using RTR and adds it to a case",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "queries_file_details_get_v1",
+ "GET",
+ "/case-files/queries/file-details/v1",
+ "Query for ids of file details",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "maximum": 10,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "aggregates_notification_groups_post_v1",
+ "POST",
+ "/casemgmt/aggregates/notification-groups/v1",
+ "Get notification groups aggregations",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "aggregates_notification_groups_post_v2",
+ "POST",
+ "/casemgmt/aggregates/notification-groups/v2",
+ "Get notification groups aggregations",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "aggregates_slas_post_v1",
+ "POST",
+ "/casemgmt/aggregates/slas/v1",
+ "Get SLA aggregations",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "aggregates_templates_post_v1",
+ "POST",
+ "/casemgmt/aggregates/templates/v1",
+ "Get templates aggregations",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_fields_get_v1",
+ "GET",
+ "/casemgmt/entities/fields/v1",
+ "Get fields by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_notification_groups_get_v1",
+ "GET",
+ "/casemgmt/entities/notification-groups/v1",
+ "Get notification groups by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_notification_groups_post_v1",
+ "POST",
+ "/casemgmt/entities/notification-groups/v1",
+ "Create notification group",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_notification_groups_patch_v1",
+ "PATCH",
+ "/casemgmt/entities/notification-groups/v1",
+ "Update notification group",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_notification_groups_delete_v1",
+ "DELETE",
+ "/casemgmt/entities/notification-groups/v1",
+ "Delete notification groups by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_notification_groups_get_v2",
+ "GET",
+ "/casemgmt/entities/notification-groups/v2",
+ "Get notification groups by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_notification_groups_post_v2",
+ "POST",
+ "/casemgmt/entities/notification-groups/v2",
+ "Create notification group",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_notification_groups_patch_v2",
+ "PATCH",
+ "/casemgmt/entities/notification-groups/v2",
+ "Update notification group",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_notification_groups_delete_v2",
+ "DELETE",
+ "/casemgmt/entities/notification-groups/v2",
+ "Delete notification groups by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_slas_get_v1",
+ "GET",
+ "/casemgmt/entities/slas/v1",
+ "Get SLAs by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_slas_post_v1",
+ "POST",
+ "/casemgmt/entities/slas/v1",
+ "Create SLA",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_slas_patch_v1",
+ "PATCH",
+ "/casemgmt/entities/slas/v1",
+ "Update SLA",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_slas_delete_v1",
+ "DELETE",
+ "/casemgmt/entities/slas/v1",
+ "Delete SLAs",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_template_snapshots_get_v1",
+ "GET",
+ "/casemgmt/entities/template-snapshots/v1",
+ "Get template snapshots",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Snapshot IDs",
+ "name": "ids",
+ "in": "query"
+ },
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Retrieves the latest snapshot for all Template IDs",
+ "name": "template_ids",
+ "in": "query"
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "integer"
+ },
+ "collectionFormat": "multi",
+ "description": "Retrieve a specific version of the template from the parallel array template_ids. A "
+ "value of zero will return the latest snapshot.",
+ "name": "versions",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "entities_templates_export_get_v1",
+ "GET",
+ "/casemgmt/entities/templates/export/v1",
+ "Export templates to files in a zip archive",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Template IDs",
+ "name": "ids",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "enum": [
+ "yaml",
+ "json"
+ ],
+ "type": "string",
+ "default": "yaml",
+ "description": "Export file format",
+ "name": "format",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "entities_templates_import_post_v1",
+ "POST",
+ "/casemgmt/entities/templates/import/v1",
+ "Import a template from a file",
+ "case_management",
+ [
+ {
+ "type": "file",
+ "description": "Local file",
+ "name": "file",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "type": "boolean",
+ "description": "Run validation only",
+ "name": "dry_run",
+ "in": "formData"
+ }
+ ]
+ ],
+ [
+ "entities_templates_get_v1",
+ "GET",
+ "/casemgmt/entities/templates/v1",
+ "Get templates by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_templates_post_v1",
+ "POST",
+ "/casemgmt/entities/templates/v1",
+ "Create template",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_templates_patch_v1",
+ "PATCH",
+ "/casemgmt/entities/templates/v1",
+ "Update template",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_templates_delete_v1",
+ "DELETE",
+ "/casemgmt/entities/templates/v1",
+ "Delete templates",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "queries_fields_get_v1",
+ "GET",
+ "/casemgmt/queries/fields/v1",
+ "Query fields",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "maximum": 200,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries_notification_groups_get_v1",
+ "GET",
+ "/casemgmt/queries/notification-groups/v1",
+ "Query notification groups",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Sort expression",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "maximum": 200,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries_notification_groups_get_v2",
+ "GET",
+ "/casemgmt/queries/notification-groups/v2",
+ "Query notification groups",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Sort expression",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "maximum": 200,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries_slas_get_v1",
+ "GET",
+ "/casemgmt/queries/slas/v1",
+ "Query SLAs",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Sort expression",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "maximum": 200,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries_template_snapshots_get_v1",
+ "GET",
+ "/casemgmt/queries/template-snapshots/v1",
+ "Query template snapshots",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "maximum": 200,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries_templates_get_v1",
+ "GET",
+ "/casemgmt/queries/templates/v1",
+ "Query templates",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Sort expression",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "maximum": 200,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "entities_alert_evidence_post_v1",
+ "POST",
+ "/cases/entities/alert-evidence/v1",
+ "Adds the given list of alert evidence to the specified case.",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_case_tags_post_v1",
+ "POST",
+ "/cases/entities/case-tags/v1",
+ "Adds the given list of tags to the specified case.",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_case_tags_delete_v1",
+ "DELETE",
+ "/cases/entities/case-tags/v1",
+ "Removes the specified tags from the specified case.",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "The ID of the case to remove tags from.",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The tag to remove from the case.",
+ "name": "tag",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_cases_put_v2",
+ "PUT",
+ "/cases/entities/cases/v2",
+ "Creates the given Case",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_cases_post_v2",
+ "POST",
+ "/cases/entities/cases/v2",
+ "Retrieves all Cases given their IDs.",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_cases_patch_v2",
+ "PATCH",
+ "/cases/entities/cases/v2",
+ "Updates given fields on the specified case.",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_event_evidence_post_v1",
+ "POST",
+ "/cases/entities/event-evidence/v1",
+ "Adds the given list of event evidence to the specified case.",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "queries_cases_get_v1",
+ "GET",
+ "/cases/queries/cases/v1",
+ "Retrieves all Cases IDs that match a given query.",
+ "case_management",
+ [
+ {
+ "maximum": 10000,
+ "minimum": 0,
+ "type": "integer",
+ "description": "The maximum number of Cases to return in this response (default: 100; max: 10000). Use "
+ "this parameter together with the offset parameter to manage pagination of the results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The first case to return, where 0 is the latest case. Use with the offset parameter to "
+ "manage pagination of results.",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Sort parameter takes the form . Direction can be either asc "
+ "(ascending) or desc (descending) order. For example: status|asc or status|desc.\n\nThe sorting fields can be "
+ "any keyword field that is part of #domain.Case except for the text based fields. Most commonly used fields are "
+ " status, cid, created_timestamp, updated_timestamp, assigned_to_name, assigned_to_userid, assigned_to_uuid, "
+ "tags\nIf the fields are missing from the Cases, the service will fallback to its default ordering ",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Filter Cases using a query in Falcon Query Language (FQL).Filter fields can be any "
+ "keyword field that is part of #domain.Case \nAn asterisk wildcard * includes all results. \nEmpty value means "
+ " to not filter on anything.\nMost commonly used filter fields that supports exact match: cid, id ...\nMost "
+ "commonly used filter fields that supports wildcard (*): assigned_to_name, assigned_to_uuid...\nMost commonly "
+ "filter fields that supports range comparisons (>, <, >=, <=): created_timestamp, updated_timestamp...\nAll "
+ "filter fields and operations support negation (!).\n\n\nThe full list of valid filter options is extensive. "
+ "Review it in our [documentation inside the Falcon "
+ "console](https://falcon.crowdstrike.com/documentation/45/falcon-query-language-fql).",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Search all Case metadata for the provided string",
+ "name": "q",
+ "in": "query"
+ }
+ ]
+ ]
+]
diff --git a/src/falconpy/_endpoint/_cloud_aws_registration.py b/src/falconpy/_endpoint/_cloud_aws_registration.py
index 820b4adb..65c81024 100644
--- a/src/falconpy/_endpoint/_cloud_aws_registration.py
+++ b/src/falconpy/_endpoint/_cloud_aws_registration.py
@@ -37,6 +37,37 @@
"""
_cloud_aws_registration_endpoints = [
+ [
+ "cloud_registration_aws_trigger_health_check",
+ "POST",
+ "/cloud-security-registration-aws/entities/account-scans/v1",
+ "Trigger health check scan for AWS accounts",
+ "cloud_aws_registration",
+ [
+ {
+ "maxItems": 50,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "AWS Account IDs.",
+ "name": "account-ids",
+ "in": "query"
+ },
+ {
+ "maxItems": 10,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Organization IDs",
+ "name": "organization-ids",
+ "in": "query"
+ }
+ ]
+ ],
[
"cloud_registration_aws_get_accounts",
"GET",
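Review bot: Neither `account-ids` nor `organization-ids` on the new `cloud_registration_aws_trigger_health_check` entry is marked required, so the table does not say whether a call with neither supplied is rejected or triggers a scan across every registered account; the generated wrapper docstring should state which, since the difference is a no-op versus a fleet-wide scan. The same question applies to the optional `tenant_ids` on `cloud_registration_azure_trigger_health_check` and the optional `ids` on `cloud_registration_gcp_trigger_health_check` later in this diff. The `maxItems` limits here (50 account IDs, 10 organization IDs) are also worth surfacing in that docstring, since the table does not enforce them and a caller passing more would presumably see a service-side error rather than a client-side one. The enclosing `_cloud_aws_registration_endpoints` list continues past this hunk.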
@@ -113,6 +144,37 @@
}
]
],
+ [
+ "cloud_registration_aws_validate_accounts",
+ "POST",
+ "/cloud-security-registration-aws/entities/account/validate/v1",
+ "Validates the AWS account registration status, and discover organization child accounts if organization is specified",
+ "cloud_aws_registration",
+ [
+ {
+ "pattern": "^\\d{12}$",
+ "type": "string",
+ "description": "AWS Account ID. organization-id shouldn't be specified if this is specified",
+ "name": "account-id",
+ "in": "query"
+ },
+ {
+ "pattern": "^arn:aws:iam::\\d{12}:role/.+",
+ "type": "string",
+ "description": "IAM Role ARN",
+ "name": "iam-role-arn",
+ "in": "query"
+ },
+ {
+ "pattern": "^o-[0-9a-z]{10,32}$",
+ "type": "string",
+ "description": "AWS organization ID to validate master account. account-id shouldn't be specified if "
+ "this is specified",
+ "name": "organization-id",
+ "in": "query"
+ }
+ ]
+ ],
[
"cloud_registration_aws_query_accounts",
"GET",
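Review bot: The `iam-role-arn` pattern `^arn:aws:iam::\\d{12}:role/.+` on `cloud_registration_aws_validate_accounts` only admits the commercial `aws` partition, so role ARNs from other partitions (for example `aws-us-gov` or `aws-cn`) would not satisfy it; whether that matters depends on whether the SDK or only the service enforces these patterns, which the table does not show. The patterns appear to mirror the upstream API specification, so if they are informational the place to fix this is the spec, and a comment such as `# patterns are documentation only; the service performs validation` on the entry would make that explicit. Separately, the descriptions on `account-id` and `organization-id` say the two are mutually exclusive but nothing in the table encodes that, so the wrapper docstring should carry `Supply either account-id or organization-id, not both.` The enclosing list continues past this hunk.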
diff --git a/src/falconpy/_endpoint/_cloud_azure_registration.py b/src/falconpy/_endpoint/_cloud_azure_registration.py
index 8786a7e9..ee1b1e7e 100644
--- a/src/falconpy/_endpoint/_cloud_azure_registration.py
+++ b/src/falconpy/_endpoint/_cloud_azure_registration.py
@@ -37,6 +37,39 @@
"""
_cloud_azure_registration_endpoints = [
+ [
+ "cloud_registration_azure_delete_legacy_subscription",
+ "DELETE",
+ "/cloud-security-registration-azure/entities/accounts/legacy/v1",
+ "Delete existing legacy Azure subscriptions.",
+ "cloud_azure_registration",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "cloud_registration_azure_trigger_health_check",
+ "POST",
+ "/cloud-security-registration-azure/entities/registrations/healthcheck/v1",
+ "Trigger health check scan for Azure registrations",
+ "cloud_azure_registration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Azure tenant IDs",
+ "name": "tenant_ids",
+ "in": "query"
+ }
+ ]
+ ],
[
"cloud_registration_azure_get_registration",
"GET",
@@ -101,6 +134,32 @@
}
]
],
+ [
+ "cloud_registration_azure_validate_registration",
+ "POST",
+ "/cloud-security-registration-azure/entities/registrations/validate/v1",
+ "Validate an Azure registration by checking service principal, role assignments and deployment stack (if "
+ "the deployment method is Bicep)",
+ "cloud_azure_registration",
+ [
+ {
+ "maxLength": 36,
+ "minLength": 36,
+ "pattern": "^[0-9a-z-]{36}$",
+ "type": "string",
+ "description": "Azure tenant ID to be validated",
+ "name": "tenant_id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Azure deployment stack name to be validated",
+ "name": "stack_name",
+ "in": "query"
+ }
+ ]
+ ],
[
"download_azure_script",
"GET",
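Review bot: The `tenant_id` pattern `^[0-9a-z-]{36}$` on `cloud_registration_azure_validate_registration` accepts only lowercase hex digits and hyphens, so a tenant GUID written with uppercase hex digits would not match even though the `minLength`/`maxLength` of 36 fit it; whether a caller is affected depends on whether the pattern is enforced client-side or only by the service, which this table does not show. The wrapper docstring should say `tenant_id: hyphenated GUID, lowercase` so callers normalise before the call. `stack_name` is optional but the summary says the deployment stack is only checked when the deployment method is Bicep, so the docstring should also state that the parameter is only meaningful in that case. The enclosing list continues past this hunk.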
diff --git a/src/falconpy/_endpoint/_cloud_google_cloud_registration.py b/src/falconpy/_endpoint/_cloud_google_cloud_registration.py
new file mode 100644
index 00000000..369b0b83
--- /dev/null
+++ b/src/falconpy/_endpoint/_cloud_google_cloud_registration.py
@@ -0,0 +1,140 @@
+"""Internal API endpoint constant library.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_cloud_google_cloud_registration_endpoints = [
+ [
+ "cloud_registration_gcp_trigger_health_check",
+ "POST",
+ "/cloud-security-registration-google-cloud/entities/registration-scans/v1",
+ "Trigger health check scan for GCP registrations",
+ "cloud_google_cloud_registration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "GCP Registration IDs",
+ "name": "ids",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "cloud_registration_gcp_get_registration",
+ "GET",
+ "/cloud-security-registration-google-cloud/entities/registrations/v1",
+ "Retrieve a Google Cloud Registration.",
+ "cloud_google_cloud_registration",
+ [
+ {
+ "type": "string",
+ "description": "Google Cloud Registration ID",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "cloud_registration_gcp_put_registration",
+ "PUT",
+ "/cloud-security-registration-google-cloud/entities/registrations/v1",
+ "Creates/Updates a Google Cloud Registration.",
+ "cloud_google_cloud_registration",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "cloud_registration_gcp_create_registration",
+ "POST",
+ "/cloud-security-registration-google-cloud/entities/registrations/v1",
+ "Create a Google Cloud Registration.",
+ "cloud_google_cloud_registration",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "cloud_registration_gcp_update_registration",
+ "PATCH",
+ "/cloud-security-registration-google-cloud/entities/registrations/v1",
+ "Update a Google Cloud Registration.",
+ "cloud_google_cloud_registration",
+ [
+ {
+ "type": "string",
+ "description": "Google Cloud Registration ID",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "cloud_registration_gcp_delete_registration",
+ "DELETE",
+ "/cloud-security-registration-google-cloud/entities/registrations/v1",
+ "Deletes a Google Cloud Registration and returns the deleted registration in the response body.",
+ "cloud_google_cloud_registration",
+ [
+ {
+ "type": "string",
+ "description": "Google Cloud Registration ID",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ]
+]
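Review bot: The `ids` query parameter on `cloud_registration_gcp_get_registration`, `cloud_registration_gcp_update_registration` and `cloud_registration_gcp_delete_registration` is declared `"type": "string"`, while the sibling health-check entry in this file and the AWS/Azure tables declare `ids` as an array with `"collectionFormat": "multi"`; the plural name and the scalar type disagree, and if the SDK's query serialisation keys off the declared type, a caller passing a list may get a stringified list instead of repeated query keys. If the service really accepts a single ID here, the description `Google Cloud Registration ID` is accurate and only the name is misleading; if it accepts several, the three entries should use the array form the health-check entry uses. A one-line comment on the first of the three entries stating which it is would save the next maintainer the question.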
diff --git a/src/falconpy/_endpoint/_cloud_oci_registration.py b/src/falconpy/_endpoint/_cloud_oci_registration.py
index 1ff8a6f0..48b4679a 100644
--- a/src/falconpy/_endpoint/_cloud_oci_registration.py
+++ b/src/falconpy/_endpoint/_cloud_oci_registration.py
@@ -47,14 +47,14 @@
{
"type": "string",
"description": "FQL (Falcon Query Language) string for filtering results. Allowed filters are "
- "Set{home_region, key_age, overall_status, created_at, updated_at, tenancy_ocid, tenancy_name}",
+ "Set{tenancy_name, home_region, key_age, overall_status, created_at, updated_at, tenancy_ocid}",
"name": "filter",
"in": "query"
},
{
"type": "string",
- "description": "Field and direction for sorting results - allowed sort fields are Set{overall_status, "
- "created_at, updated_at, tenancy_ocid, tenancy_name, home_region, key_age}",
+ "description": "Field and direction for sorting results - allowed sort fields are Set{home_region, "
+ "key_age, overall_status, created_at, updated_at, tenancy_ocid, tenancy_name}",
"name": "sort",
"in": "query"
},
diff --git a/src/falconpy/_endpoint/_cloud_policies.py b/src/falconpy/_endpoint/_cloud_policies.py
new file mode 100644
index 00000000..eca0d94c
--- /dev/null
+++ b/src/falconpy/_endpoint/_cloud_policies.py
@@ -0,0 +1,598 @@
+"""Internal API endpoint constant library.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_cloud_policies_endpoints = [
+ [
+ "GetRuleInputSchema",
+ "GET",
+ "/cloud-policies/combined/rules/input-schema/v1",
+ "Get rule input schema for given resource type",
+ "cloud_policies",
+ [
+ {
+ "type": "string",
+ "description": "domain",
+ "name": "domain",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "subdomain",
+ "name": "subdomain",
+ "in": "query",
+ "required": True
+ },
+ {
+ "enum": [
+ "aws",
+ "azure",
+ "gcp",
+ "oci"
+ ],
+ "type": "string",
+ "description": "Cloud service provider for the resource type",
+ "name": "cloud_provider",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Selects the resource type for which to retrieve the rule input schema",
+ "name": "resource_type",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "ReplaceControlRules",
+ "PUT",
+ "/cloud-policies/entities/compliance/control-rule-assignments/v1",
+ "Assign rules to a compliance control (full replace)",
+ "cloud_policies",
+ [
+ {
+ "type": "string",
+ "description": "The UUID of the compliance control to assign rules to",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "GetComplianceControls",
+ "GET",
+ "/cloud-policies/entities/compliance/controls/v1",
+ "Get compliance controls by ID",
+ "cloud_policies",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The uuids of compliance controls to retrieve",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "CreateComplianceControl",
+ "POST",
+ "/cloud-policies/entities/compliance/controls/v1",
+ "Create a new custom compliance control",
+ "cloud_policies",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "UpdateComplianceControl",
+ "PATCH",
+ "/cloud-policies/entities/compliance/controls/v1",
+ "Update a custom compliance control",
+ "cloud_policies",
+ [
+ {
+ "type": "string",
+ "description": "The uuid of compliance control to update",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "DeleteComplianceControl",
+ "DELETE",
+ "/cloud-policies/entities/compliance/controls/v1",
+ "Delete custom compliance controls",
+ "cloud_policies",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The uuids of compliance control to delete",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "RenameSectionComplianceFramework",
+ "PATCH",
+ "/cloud-policies/entities/compliance/frameworks/section/v1",
+ "Rename a section in a custom compliance framework",
+ "cloud_policies",
+ [
+ {
+ "type": "string",
+ "description": "The uuid of compliance framework containing the section to rename",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "The current name of the section to rename",
+ "name": "sectionName",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "GetComplianceFrameworks",
+ "GET",
+ "/cloud-policies/entities/compliance/frameworks/v1",
+ "Get compliance frameworks by ID",
+ "cloud_policies",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The uuids of compliance frameworks to retrieve",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "CreateComplianceFramework",
+ "POST",
+ "/cloud-policies/entities/compliance/frameworks/v1",
+ "Create a new custom compliance framework",
+ "cloud_policies",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "UpdateComplianceFramework",
+ "PATCH",
+ "/cloud-policies/entities/compliance/frameworks/v1",
+ "Update a custom compliance framework",
+ "cloud_policies",
+ [
+ {
+ "type": "string",
+ "description": "The uuids of compliance framework to update",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "DeleteComplianceFramework",
+ "DELETE",
+ "/cloud-policies/entities/compliance/frameworks/v1",
+ "Delete a custom compliance framework and all associated controls and rule assignments",
+ "cloud_policies",
+ [
+ {
+ "type": "string",
+ "description": "The uuids of compliance framework to delete",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "GetEnrichedAsset",
+ "GET",
+ "/cloud-policies/entities/enriched-resources/v1",
+ "Gets enriched assets that combine a primary resource with all its related resources",
+ "cloud_policies",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "List of asset IDs (maximum 100 IDs allowed).",
+ "name": "ids",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetEvaluationResult",
+ "POST",
+ "/cloud-policies/entities/evaluation/v1",
+ "Gets evaluation results based on the provided rule",
+ "cloud_policies",
+ [
+ {
+ "enum": [
+ "aws",
+ "azure",
+ "gcp",
+ "oci"
+ ],
+ "type": "string",
+ "description": "Cloud Service Provider of the provided IDs",
+ "name": "cloud_provider",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Resource Type of the provided IDs",
+ "name": "resource_type",
+ "in": "query"
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "List of assets to evaluate (maximum 100 IDs allowed).",
+ "name": "ids",
+ "in": "query"
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "GetRuleOverride",
+ "GET",
+ "/cloud-policies/entities/rule-overrides/v1",
+ "Get a rule override",
+ "cloud_policies",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The uuids of rule overrides to retrieve",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "CreateRuleOverride",
+ "POST",
+ "/cloud-policies/entities/rule-overrides/v1",
+ "Create a new rule override",
+ "cloud_policies",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "UpdateRuleOverride",
+ "PATCH",
+ "/cloud-policies/entities/rule-overrides/v1",
+ "Update a rule override",
+ "cloud_policies",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "DeleteRuleOverride",
+ "DELETE",
+ "/cloud-policies/entities/rule-overrides/v1",
+ "Delete a rule override",
+ "cloud_policies",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The uuids of rule overrides to delete",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "GetRule",
+ "GET",
+ "/cloud-policies/entities/rules/v1",
+ "Get a rule by id",
+ "cloud_policies",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The uuids of rules to retrieve",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "CreateRuleMixin0",
+ "POST",
+ "/cloud-policies/entities/rules/v1",
+ "Create a new rule",
+ "cloud_policies",
+ [
+ {
+ "description": "For Custom Rule, logic is mandatory and parent_rule_id should not be specified.\nFor "
+ "Managed Rule duplication, parent_rule_id is mandatory and logic should be not specified.",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "UpdateRule",
+ "PATCH",
+ "/cloud-policies/entities/rules/v1",
+ "Update a rule",
+ "cloud_policies",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "DeleteRuleMixin0",
+ "DELETE",
+ "/cloud-policies/entities/rules/v1",
+ "Delete a rule",
+ "cloud_policies",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The uuids of rules to delete",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "QueryComplianceControls",
+ "GET",
+ "/cloud-policies/queries/compliance/controls/v1",
+ "Query for compliance controls by various parameters",
+ "cloud_policies",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter, allowed props: \n\t\n*compliance_control_name*\t\n*compliance_control_auth "
+ "ority*\t\n*compliance_control_type*\t\n*compliance_control_section*\t\n*compliance_control_requirement*\t\n*co "
+ "mpliance_control_benchmark_name*\t\n*compliance_control_benchmark_version*\t\n",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The maximum number of resources to return. The maximum allowed is 500.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 0,
+ "description": "The number of results to skip before starting to return results.",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Field to sort on. Sortable fields: \n\t\n*compliance_control_name*\t\n*compliance_cont "
+ "rol_authority*\t\n*compliance_control_type*\t\n*compliance_control_section*\t\n*compliance_control_requirement "
+ "*\t\n*compliance_control_benchmark_name*\t\n*compliance_control_benchmark_version*\t\n \n\nUse the |asc or "
+ "|desc suffix to specify sort direction.",
+ "name": "sort",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "QueryComplianceFrameworks",
+ "GET",
+ "/cloud-policies/queries/compliance/frameworks/v1",
+ "Query for compliance frameworks by various parameters",
+ "cloud_policies",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter, allowed properties: "
+ "\n\t\n*compliance_framework_name*\t\n*compliance_framework_version*\t\n*compliance_framework_authority*\t\n",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The maximum number of resources to return. The maximum allowed is 500.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 0,
+ "description": "The number of results to skip before starting to return results.",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Field to sort on. Sortable fields: "
+ "\n\t\n*compliance_framework_name*\t\n*compliance_framework_version*\t\n*compliance_framework_authority*\t\n "
+ "\n\nUse the |asc or |desc suffix to specify sort direction.",
+ "name": "sort",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "QueryRule",
+ "GET",
+ "/cloud-policies/queries/rules/v1",
+ "Query for rules by various parameters",
+ "cloud_policies",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter, allowed properties: \n\t\n*rule_origin*\t\n*rule_parent_uuid*\t\n*rule_nam "
+ "e*\t\n*rule_description*\t\n*rule_domain*\t\n*rule_status*\t\n*rule_severity*\t\n*rule_short_code*\t\n*rule_se "
+ "rvice*\t\n*rule_resource_type*\t\n*rule_provider*\t\n*rule_subdomain*\t\n*rule_auto_remediable*\t\n*rule_contr "
+ "ol_requirement*\t\n*rule_control_section*\t\n*rule_compliance_benchmark*\t\n*rule_compliance_framework*\t\n*ru "
+ "le_mitre_tactic*\t\n*rule_mitre_technique*\t\n*rule_created_at*\t\n*rule_updated_at*\t\n*rule_updated_by*\t\n ",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The maximum number of resources to return. The maximum allowed is 500.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 0,
+ "description": "The number of results to skip before starting to return results.",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Field to sort on. Sortable fields: \n\t\n*rule_origin*\t\n*rule_parent_uuid*\t\n*rule_"
+ "name*\t\n*rule_description*\t\n*rule_domain*\t\n*rule_status*\t\n*rule_severity*\t\n*rule_short_code*\t\n*rule "
+ "_service*\t\n*rule_resource_type*\t\n*rule_provider*\t\n*rule_subdomain*\t\n*rule_auto_remediable*\t\n*rule_co "
+ "ntrol_requirement*\t\n*rule_control_section*\t\n*rule_compliance_benchmark*\t\n*rule_compliance_framework*\t\n "
+ "*rule_mitre_tactic*\t\n*rule_mitre_technique*\t\n*rule_created_at*\t\n*rule_updated_at*\t\n*rule_updated_by*\t "
+ "\n \n\nUse the |asc or |desc suffix to specify sort direction.",
+ "name": "sort",
+ "in": "query"
+ }
+ ]
+ ]
+]
diff --git a/src/falconpy/_endpoint/_cloud_security.py b/src/falconpy/_endpoint/_cloud_security.py
new file mode 100644
index 00000000..fdc34f33
--- /dev/null
+++ b/src/falconpy/_endpoint/_cloud_security.py
@@ -0,0 +1,230 @@
+"""Internal API endpoint constant library.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_cloud_security_endpoints = [
+ [
+ "combined_cloud_risks",
+ "GET",
+ "/cloud-security-risks/combined/cloud-risks/v1",
+ "Gets cloud risks with full details based on filters and sort criteria",
+ "cloud_security",
+ [
+ {
+ "type": "string",
+ "description": "FQL string to filter results in Falcon Query Language (FQL). Supported fields: "
+ "account_id account_name asset_gcrn asset_id asset_name asset_region asset_type cloud_group "
+ "cloud_provider first_seen last_seen resolved_at risk_factor rule_id rule_name service_category "
+ "severity status suppressed_by suppressed_reason tags",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The field to sort on. Use |asc or |desc suffix to specify sort direction.Supported "
+ "fields: account_id account_name asset_id asset_name asset_region asset_type cloud_provider first_seen "
+ "last_seen resolved_at rule_name service_category severity status",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "maximum": 1000,
+ "minimum": 0,
+ "type": "integer",
+ "default": 500,
+ "description": "The maximum number of items to return. When not specified or 0, 500 is used. When "
+ "larger than 1000, 1000 is used.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Offset returned risks",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "ListCloudGroupsExternal",
+ "GET",
+ "/cloud-security/combined/cloud-groups/v1",
+ "Query Cloud Groups and returns entities",
+ "cloud_security",
+ [
+ {
+ "type": "string",
+ "description": "A valid FQL filter. Supports filtering groups by:\nGroup properties: name "
+ "description created_at updated_at\n\nSelector properties: cloud_provider account_id region "
+ "cloud_provider_tag image_registry image_repository image_tag\n\nGroup tags: business_unit business_impact "
+ "environment",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "default": "name|asc",
+ "description": "A valid sort string.",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "format": "int64",
+ "default": "0",
+ "description": "The starting position of the list operation.",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "format": "int64",
+ "default": "100",
+ "description": "The maximum number of cloud groups to retrieve.",
+ "name": "limit",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "ListCloudGroupsByIDExternal",
+ "GET",
+ "/cloud-security/entities/cloud-groups/v1",
+ "List Cloud Groups By ID",
+ "cloud_security",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "name": "ids",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "CreateCloudGroupExternal",
+ "POST",
+ "/cloud-security/entities/cloud-groups/v1",
+ "Create a Cloud Group. The created_by field will be set to the API client ID.",
+ "cloud_security",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "UpdateCloudGroupExternal",
+ "PATCH",
+ "/cloud-security/entities/cloud-groups/v1",
+ "Update Cloud Group",
+ "cloud_security",
+ [
+ {
+ "name": "group",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "DeleteCloudGroupsExternal",
+ "DELETE",
+ "/cloud-security/entities/cloud-groups/v1",
+ "Delete Cloud Groups in batch",
+ "cloud_security",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Cloud Groups UUIDs to delete",
+ "name": "ids",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "ListCloudGroupIDsExternal",
+ "GET",
+ "/cloud-security/queries/cloud-groups/v1",
+ "Query Cloud Groups and returns IDs",
+ "cloud_security",
+ [
+ {
+ "type": "string",
+ "description": "A valid FQL filter. Supports filtering groups by:\nGroup properties: name "
+ "description created_at updated_at\n\nSelector properties: cloud_provider account_id region "
+ "cloud_provider_tag image_registry image_repository image_tag\n\nGroup tags: business_unit business_impact "
+ "environment",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "default": "name|asc",
+ "description": "A valid sort string.",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "format": "int64",
+ "default": "0",
+ "description": "The starting position of the list operation.",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "format": "int64",
+ "default": "100",
+ "description": "The maximum number of cloud groups to retrieve.",
+ "name": "limit",
+ "in": "query"
+ }
+ ]
+ ]
+]
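Review bot: `UpdateCloudGroupExternal` declares its body parameter as `"name": "group"` while every other body-carrying entry in this file, including `CreateCloudGroupExternal` directly above it, uses `"name": "body"`; if the request layer or the service-class wrapper keys on the name `body`, this entry will not attach the payload. Unless the wrapper deliberately passes `group=`, normalising the entry to `"name": "body"` keeps it consistent with its siblings. Separately, `ListCloudGroupsExternal` and `ListCloudGroupIDsExternal` type `offset` and `limit` as `"type": "string"` with `"format": "int64"` and string defaults `"0"`/`"100"`, whereas `combined_cloud_risks` in the same list uses `"type": "integer"` with numeric bounds; this looks copied verbatim from the upstream spec and is worth confirming before the generated documentation advertises string-typed paging parameters.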
diff --git a/src/falconpy/_endpoint/_cloud_security_assets.py b/src/falconpy/_endpoint/_cloud_security_assets.py
index 9f97304a..7e8ec28b 100644
--- a/src/falconpy/_endpoint/_cloud_security_assets.py
+++ b/src/falconpy/_endpoint/_cloud_security_assets.py
@@ -37,6 +37,52 @@
"""
_cloud_security_assets_endpoints = [
+ [
+ "cloud_security_assets_combined_application_findings",
+ "GET",
+ "/cloud-security-assets/combined/application-findings/v1",
+ "Get findings for an application resource with pagination",
+ "cloud_security_assets",
+ [
+ {
+ "type": "string",
+ "description": "Application CRN",
+ "name": "crn",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Finding type",
+ "name": "type",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "FQL string to filter findings",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "default": 0,
+ "description": "Pagination offset",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "maximum": 1000,
+ "minimum": 1,
+ "type": "integer",
+ "default": 50,
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ }
+ ]
+ ],
[
"cloud_security_assets_combined_compliance_by_account",
"GET",
@@ -48,9 +94,10 @@
"type": "string",
"description": "FQL string to filter on asset contents. Filterable fields include: account_id "
"account_name assessment_id business_impact cloud_group cloud_label cloud_label_id cloud_provider "
- "cloud_scope compliant control.benchmark.name control.benchmark.version control.framework control.name "
- "control.type control.version environment last_evaluated region resource_provider resource_type "
- "resource_type_name service service_category severities tag_key tag_value",
+ "cloud_scope compliant control.benchmark.name control.benchmark.version control.extension.status "
+ "control.framework control.name control.type control.version environment last_evaluated region "
+ "resource_provider resource_type resource_type_name service service_category severities tag_key "
+ "tag_value tags_string",
"name": "filter",
"in": "query"
},
@@ -138,35 +185,37 @@
{
"type": "string",
"description": "FQL string to filter on asset contents. Filterable fields include: account_id "
- "account_name active application_security.business_applications application_security.business_criticality "
- "application_security.service_names azure.vm_id business_impact cloud_group cloud_label cloud_label_id "
- "cloud_provider cloud_scope cluster_id cluster_name compartment_ocid compliant.benchmark_name "
- "compliant.benchmark_version compliant.framework compliant.policy_id compliant.requirement compliant.rule "
- "compliant.section configuration.id creation_time cve_ids data_classifications.found "
- "data_classifications.label data_classifications.label_id data_classifications.scanned "
- "data_classifications.tag data_classifications.tag_id environment exprt_ratings first_seen "
- "highest_severity id insights.boolean_value insights.date_value insights.id insights.integer_value "
- "insights.string_list_value insights.string_value instance_id instance_state ioa_count iom_count "
- "legacy_resource_id legacy_uuid managed_by non_compliant.benchmark_name non_compliant.benchmark_version "
- "non_compliant.framework non_compliant.policy_id non_compliant.requirement non_compliant.rule "
+ "account_name active aspm.deployment_cloud_resource_id aspm.deployment_provider aspm.deployment_type "
+ "aspm.technologies azure.vm_id business_impact cloud_group cloud_label cloud_label_id cloud_provider "
+ "cloud_scope cluster_id cluster_name compartment_ocid compliant.benchmark_name compliant.benchmark_version "
+ " compliant.framework compliant.policy_id compliant.requirement compliant.rule compliant.section "
+ "configuration.id control.benchmark.name control.benchmark.version control.framework control.requirement "
+ "control.type control.version creation_time cve_ids data_classifications.found data_classifications.label "
+ " data_classifications.label_id data_classifications.scanned data_classifications.tag "
+ "data_classifications.tag_id environment exprt_ratings first_seen highest_severity id "
+ "insights.boolean_value insights.date_value insights.id insights.integer_value insights.string_list_value "
+ "insights.string_value instance_id instance_state ioa_count iom_count legacy_resource_id legacy_uuid "
+ "managed_by non_compliant.benchmark_name non_compliant.benchmark_version non_compliant.framework "
+ "non_compliant.policy_id non_compliant.requirement non_compliant.rule non_compliant.rule_name "
"non_compliant.section non_compliant.severity organization_Id os_version platform_name publicly_exposed "
- "region resource_id resource_name resource_type resource_type_name sensor_priority service "
- "service_category severity snapshot_detections ssm_managed status tag_key tag_value tags tenant_id "
- "updated_at vmware.guest_os_id vmware.guest_os_version vmware.host_system_name vmware.host_type "
- "vmware.instance_uuid vmware.vm_host_name vmware.vm_tools_status zone",
+ "region resource_id resource_name resource_parent resource_type resource_type_name sensor_priority "
+ "service service_category severity snapshot_detections ssm_managed status tag_key tag_value tags "
+ "tags_string tenant_id updated_at vmware.guest_os_id vmware.guest_os_version vmware.host_system_name "
+ "vmware.host_type vmware.instance_uuid vmware.vm_host_name vmware.vm_tools_status zone",
"name": "filter",
"in": "query"
},
{
"type": "string",
"description": "The field to sort on. Sortable fields include: account_id account_name active "
+ "aspm.deployment_cloud_resource_id aspm.deployment_provider aspm.deployment_type aspm.technologies "
"cloud_provider cluster_id cluster_name compartment_name compartment_ocid compartment_path creation_time "
" data_classifications.found data_classifications.scanned first_seen id instance_id instance_state "
"ioa_count iom_count managed_by organization_Id os_version platform_name publicly_exposed region "
- "resource_id resource_name resource_type resource_type_name service service_category ssm_managed status "
- " tenancy_name tenancy_ocid tenancy_type tenant_id updated_at vmware.guest_os_id vmware.guest_os_version "
- " vmware.host_system_name vmware.host_type vmware.instance_uuid vmware.vm_host_name vmware.vm_tools_status "
- "zone\n\nUse |asc or |desc suffix to specify sort direction.",
+ "resource_id resource_name resource_parent resource_type resource_type_name service service_category "
+ "ssm_managed status tenancy_name tenancy_ocid tenancy_type tenant_id updated_at vmware.guest_os_id "
+ "vmware.guest_os_version vmware.host_system_name vmware.host_type vmware.instance_uuid vmware.vm_host_name "
+ "vmware.vm_tools_status zone\n\nUse |asc or |desc suffix to specify sort direction.",
"name": "sort",
"in": "query"
},
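Review bot: Two of the new continuation fragments in the `filter` description start with a leading space (`" compliant.framework …"` and `" data_classifications.label_id …"`) while the preceding fragment already ends with one, so the joined string carries a doubled separator in the middle of the field list. This mirrors a pre-existing quirk in the `sort` description (`" data_classifications.found …"`), so it is cosmetic, but the descriptions are what the generated docs print and a single-space convention at each seam is easy to keep. Dropping the leading space from those two fragments is enough.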
diff --git a/src/falconpy/_endpoint/_cloud_security_compliance.py b/src/falconpy/_endpoint/_cloud_security_compliance.py
new file mode 100644
index 00000000..2ce260aa
--- /dev/null
+++ b/src/falconpy/_endpoint/_cloud_security_compliance.py
@@ -0,0 +1,98 @@
+"""Internal API endpoint constant library.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_cloud_security_compliance_endpoints = [
+ [
+ "cloud_compliance_framework_posture_summaries",
+ "GET",
+ "/cloud-security-compliance/entities/framework-posture-summaries/v1",
+ "Get sections and requirements with scores for benchmarks.",
+ "cloud_security_compliance",
+ [
+ {
+ "maxItems": 20,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "csv",
+ "description": "The uuids of compliance frameworks to retrieve (maximum 20 IDs allowed).",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "FQL filter, supported properties:\n - account_id account_name business_impact "
+ "cloud_label cloud_label_id cloud_provider environment groups region resource_type resource_type_name "
+ "tag_key tag_value",
+ "name": "filter",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "cloud_compliance_rule_posture_summaries",
+ "GET",
+ "/cloud-security-compliance/entities/rule-posture-summaries/v1",
+ "Get compliance score and counts for rules.",
+ "cloud_security_compliance",
+ [
+ {
+ "maxItems": 350,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "csv",
+ "description": "The uuids of compliance rules to retrieve (maximum 350 IDs allowed).",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "FQL filter, supported properties:\n - account_id account_name business_impact "
+ "cloud_label cloud_label_id cloud_provider environment groups region resource_type resource_type_name "
+ "tag_key tag_value",
+ "name": "filter",
+ "in": "query"
+ }
+ ]
+ ]
+]
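Review bot: Both `ids` parameters here are declared with `"collectionFormat": "csv"` and a `maxItems` cap, whereas every other list-valued `ids` parameter added in this change uses `"collectionFormat": "multi"`. If the request layer serialises lists by repeating the query key regardless of `collectionFormat`, a multi-ID call to these two endpoints may not match what the service expects; it is worth confirming that `csv` is honoured (or that the wrapper joins the IDs itself) before release. A short comment on the entry noting that the ID list is comma-joined and capped at 20/350 would also help the next maintainer, e.g. `# ids are sent comma-separated; the service caps the list at maxItems`.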
diff --git a/src/falconpy/_endpoint/_cloud_security_detections.py b/src/falconpy/_endpoint/_cloud_security_detections.py
new file mode 100644
index 00000000..8c9bb2d8
--- /dev/null
+++ b/src/falconpy/_endpoint/_cloud_security_detections.py
@@ -0,0 +1,119 @@
+"""Internal API endpoint constant library.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_cloud_security_detections_endpoints = [
+ [
+ "cspm_evaluations_iom_entities",
+ "GET",
+ "/cloud-security-evaluations/entities/ioms/v1",
+ "Gets IOMs based on the provided IDs",
+ "cloud_security_detections",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "List of IOMs to return (maximum 100 IDs allowed). Use POST method with same path if "
+ "more entities are required.",
+ "name": "ids",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "cspm_evaluations_iom_queries",
+ "GET",
+ "/cloud-security-evaluations/queries/ioms/v1",
+ "Gets a list of IOM IDs for the given parameters, filters and sort criteria.",
+ "cloud_security_detections",
+ [
+ {
+ "type": "string",
+ "description": "FQL string to filter results in Falcon Query Language (FQL). Supported fields: "
+ "account_id account_name applicable_profile attack_type benchmark_name benchmark_version business_impact "
+ " cid cloud_group cloud_label cloud_label_id cloud_provider cloud_scope created_at environment "
+ "extension_status first_detected framework last_detected policy_id policy_name policy_uuid region "
+ "requirement requirement_name resource_gcrn resource_id resource_parent resource_status resource_type "
+ "resource_type_name rule_group rule_id rule_name rule_origin rule_remediation section service "
+ "service_category severity status suppressed_by suppression_reason tactic_id tactic_name tag_key "
+ "tag_value tags tags_string technique_id technique_name",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The field to sort on. Use |asc or |desc suffix to specify sort direction.Supported "
+ "fields: account_id account_name applicable_profile attack_type benchmark_name benchmark_version "
+ "business_impact cid cloud_group cloud_label cloud_label_id cloud_provider cloud_scope created_at "
+ "environment extension_status first_detected framework last_detected policy_id policy_name policy_uuid "
+ "region requirement requirement_name resource_gcrn resource_id resource_parent resource_status "
+ "resource_type resource_type_name rule_group rule_id rule_name rule_origin rule_remediation section "
+ "service service_category severity status suppressed_by suppression_reason tactic_id tactic_name "
+ "tag_key tag_value tags tags_string technique_id technique_name",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "maximum": 1000,
+ "minimum": 0,
+ "type": "integer",
+ "default": 500,
+ "description": "The maximum number of items to return. When not specified or 0, 500 is used. When "
+ "larger than 1000, 1000 is used.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Offset returned assets",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "token-based pagination. Use for paginating through an entire result set. Use only one "
+ "of 'offset' and 'after' parameters for paginating",
+ "name": "after",
+ "in": "query"
+ }
+ ]
+ ]
+]
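Review bot: The `ids` description for `cspm_evaluations_iom_entities` tells the caller to "Use POST method with same path if more entities are required", but no POST entry for `/cloud-security-evaluations/entities/ioms/v1` is defined in this file, so SDK users following that text have nothing to call unless the POST variant lives in another module. Either add the POST definition alongside this one or confirm it exists elsewhere and reference it. On `cspm_evaluations_iom_queries`, the `after` parameter states that only one of `offset` and `after` may be used; the constant table cannot enforce that, so the service-class wrapper (outside this hunk) is the place to document or validate the mutual exclusion.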
diff --git a/src/falconpy/_endpoint/_cloud_snapshots.py b/src/falconpy/_endpoint/_cloud_snapshots.py
index b4d75be8..eae3a0d0 100644
--- a/src/falconpy/_endpoint/_cloud_snapshots.py
+++ b/src/falconpy/_endpoint/_cloud_snapshots.py
@@ -37,6 +37,43 @@
"""
_cloud_snapshots_endpoints = [
+ [
+ "CombinedDetections",
+ "GET",
+ "/iac/combined/detections/v1",
+ "Search IaC Detections using a query in Falcon Query Language",
+ "cloud_snapshots",
+ [
+ {
+ "type": "string",
+ "description": "Search IaC detections using a query in Falcon Query Language (FQL). Supported filters: "
+ " detection_uuid,file_name,last_detected,platform,project_name,project_owner,project_ref,provider,resource_name "
+ ",rule_category,rule_name,rule_type,rule_uuid,service,severity",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "the upper-bound on the number of records to retrieve",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset from where to begin.",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "fields to sort the records on. Supported columns: [detection_uuid file_name "
+ "last_detected platform project_name project_owner project_ref provider resource_name rule_category rule_name "
+ "rule_type rule_uuid service severity]",
+ "name": "sort",
+ "in": "query"
+ }
+ ]
+ ],
[
"GetCredentialsIAC",
"GET",
diff --git a/src/falconpy/_endpoint/_container_alerts.py b/src/falconpy/_endpoint/_container_alerts.py
index 82d64bc3..4772e5ec 100644
--- a/src/falconpy/_endpoint/_container_alerts.py
+++ b/src/falconpy/_endpoint/_container_alerts.py
@@ -86,13 +86,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
},
diff --git a/src/falconpy/_endpoint/_container_detections.py b/src/falconpy/_endpoint/_container_detections.py
index eb68ee36..2d0e78f0 100644
--- a/src/falconpy/_endpoint/_container_detections.py
+++ b/src/falconpy/_endpoint/_container_detections.py
@@ -47,7 +47,7 @@
{
"type": "string",
"description": "Filter images detections using a query in Falcon Query Language (FQL). Supported "
- "filter fields: cid detection_type image_registry image_repository image_tag",
+ "filter fields: cid detection_type image_digest image_registry image_repository image_tag severity",
"name": "filter",
"in": "query"
}
@@ -63,7 +63,7 @@
{
"type": "string",
"description": "Filter images detections using a query in Falcon Query Language (FQL). Supported "
- "filter fields: cid detection_type image_registry image_repository image_tag",
+ "filter fields: cid detection_type image_digest image_registry image_repository image_tag severity",
"name": "filter",
"in": "query"
}
@@ -79,7 +79,7 @@
{
"type": "string",
"description": "Filter images detections using a query in Falcon Query Language (FQL). Supported "
- "filter fields: cid detection_type image_registry image_repository image_tag",
+ "filter fields: cid detection_type image_digest image_registry image_repository image_tag severity",
"name": "filter",
"in": "query"
}
@@ -95,7 +95,7 @@
{
"type": "string",
"description": "Filter images detections using a query in Falcon Query Language (FQL). Supported "
- "filter fields: cid detection_type image_registry image_repository image_tag",
+ "filter fields: cid detection_type image_digest image_registry image_repository image_tag severity",
"name": "filter",
"in": "query"
},
@@ -109,13 +109,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -145,13 +145,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -167,20 +167,20 @@
{
"type": "string",
"description": "Filter images detections using a query in Falcon Query Language (FQL). Supported "
- "filter fields: cid detection_type image_registry image_repository image_tag",
+ "filter fields: cid detection_type image_digest image_registry image_repository image_tag severity",
"name": "filter",
"in": "query"
},
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -196,20 +196,20 @@
{
"type": "string",
"description": "Filter images detections using a query in Falcon Query Language (FQL). Supported "
- "filter fields: cid detection_type image_registry image_repository image_tag",
+ "filter fields: cid detection_type image_digest image_registry image_repository image_tag severity",
"name": "filter",
"in": "query"
},
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
diff --git a/src/falconpy/_endpoint/_container_image_compliance.py b/src/falconpy/_endpoint/_container_image_compliance.py
index e443c824..b59a8a3b 100644
--- a/src/falconpy/_endpoint/_container_image_compliance.py
+++ b/src/falconpy/_endpoint/_container_image_compliance.py
@@ -47,10 +47,10 @@
{
"type": "string",
"description": "Filter results using a query in Falcon Query Language (FQL). Supported "
- "Filters:\ncompliance_finding.framework: Compliance finding framework (available values: CIS)\ncid: Customer "
- "ID\ncloud_info.cloud_account_id: Cloud account ID\ncloud_info.cloud_provider: Cloud "
- "provider\ncloud_info.cloud_region: Cloud region\ncloud_info.cluster_name: Kubernetes cluster "
- "name\ncloud_info.namespace: Kubernetes namespace\n",
+ "Filters:\ncloud_info.cloud_provider: Cloud provider\ncloud_info.cloud_region: Cloud "
+ "region\ncloud_info.cluster_name: Kubernetes cluster name\ncloud_info.cloud_account_id: Cloud account "
+ "ID\ncloud_info.namespace: Kubernetes namespace\ncompliance_finding.framework: Compliance finding framework "
+ "(available values: CIS)\ncid: Customer ID\n",
"name": "filter",
"in": "query"
}
@@ -66,14 +66,14 @@
{
"type": "string",
"description": "Filter results using a query in Falcon Query Language (FQL). Supported "
- "Filters:\nimage_digest: Image digest (sha256 digest)\nimage_id: Image ID\ncloud_info.cloud_region: Cloud "
- "region\ncompliance_finding.severity: Compliance finding severity; available values: 4, 3, 2, 1 (4: critical, "
- "3: high, 2: medium, 1:low)\ncompliance_finding.id: Compliance finding ID\ncloud_info.cluster_name: Kubernetes "
- "cluster name\ncloud_info.namespace: Kubernetes namespace\nasset_type: asset type (container, "
- "image)\nimage_registry: Image registry\ncloud_info.cloud_provider: Cloud provider\nimage_tag: Image "
- "tag\ncloud_info.cloud_account_id: Cloud account ID\ncompliance_finding.framework: Compliance finding framework "
- " (available values: CIS)\ncompliance_finding.name: Compliance finding Name\ncid: Customer "
- "ID\nimage_repository: Image repository\n",
+ "Filters:\nimage_tag: Image tag\ncompliance_finding.name: Compliance finding Name\nimage_registry: Image "
+ "registry\nimage_repository: Image repository\nimage_digest: Image digest (sha256 "
+ "digest)\ncloud_info.cloud_account_id: Cloud account ID\ncid: Customer ID\ncompliance_finding.id: Compliance "
+ "finding ID\ncloud_info.namespace: Kubernetes namespace\nasset_type: asset type (container, "
+ "image)\ncloud_info.cloud_provider: Cloud provider\ncloud_info.cluster_name: Kubernetes cluster "
+ "name\ncloud_info.cloud_region: Cloud region\nimage_id: Image ID\ncompliance_finding.framework: Compliance "
+ "finding framework (available values: CIS)\ncompliance_finding.severity: Compliance finding severity; available "
+ "values: 4, 3, 2, 1 (4: critical, 3: high, 2: medium, 1:low)\n",
"name": "filter",
"in": "query"
},
@@ -102,13 +102,13 @@
{
"type": "string",
"description": "Filter results using a query in Falcon Query Language (FQL). Supported "
- "Filters:\ncloud_info.cloud_account_id: Cloud account ID\ncompliance_finding.severity: Compliance finding "
- "severity; available values: 4, 3, 2, 1 (4: critical, 3: high, 2: medium, 1:low)\ncompliance_finding.name: "
- "Compliance finding Name\nimage_tag: Image tag\ncloud_info.cloud_region: Cloud region\ncid: Customer "
- "ID\nimage_registry: Image registry\nimage_digest: Image digest (sha256 digest)\ncompliance_finding.id: "
- "Compliance finding ID\nimage_repository: Image repository\ncompliance_finding.framework: Compliance finding "
- "framework (available values: CIS)\ncloud_info.cluster_name: Kubernetes cluster "
- "name\ncloud_info.cloud_provider: Cloud provider\nimage_id: Image ID\n",
+ "Filters:\ncompliance_finding.id: Compliance finding ID\ncompliance_finding.severity: Compliance finding "
+ "severity; available values: 4, 3, 2, 1 (4: critical, 3: high, 2: medium, 1:low)\ncloud_info.cloud_provider: "
+ "Cloud provider\nimage_repository: Image repository\nimage_digest: Image digest (sha256 "
+ "digest)\ncloud_info.cloud_region: Cloud region\ncompliance_finding.framework: Compliance finding framework "
+ "(available values: CIS)\nimage_tag: Image tag\ncloud_info.cluster_name: Kubernetes cluster "
+ "name\ncompliance_finding.name: Compliance finding Name\nimage_registry: Image "
+ "registry\ncloud_info.cloud_account_id: Cloud account ID\ncid: Customer ID\nimage_id: Image ID\n",
"name": "filter",
"in": "query"
}
@@ -124,13 +124,14 @@
{
"type": "string",
"description": "Filter results using a query in Falcon Query Language (FQL). Supported "
- "Filters:\ncompliance_finding.severity: Compliance finding severity; available values: 4, 3, 2, 1 (4: critical, "
- " 3: high, 2: medium, 1:low)\nimage_digest: Image digest (sha256 digest)\nimage_id: Image ID\nimage_tag: Image "
- "tag\ncloud_info.cloud_region: Cloud region\nimage_registry: Image registry\nimage_repository: Image "
- "repository\ncloud_info.cloud_account_id: Cloud account ID\ncloud_info.cloud_provider: Cloud "
- "provider\ncompliance_finding.id: Compliance finding ID\ncloud_info.cluster_name: Kubernetes cluster "
- "name\ncloud_info.namespace: Kubernetes namespace\ncid: Customer ID\ncompliance_finding.name: Compliance "
- "finding Name\ncompliance_finding.framework: Compliance finding framework (available values: CIS)\n",
+ "Filters:\nimage_id: Image ID\ncloud_info.namespace: Kubernetes namespace\ncid: Customer "
+ "ID\ncloud_info.cluster_name: Kubernetes cluster name\nimage_repository: Image "
+ "repository\ncloud_info.cloud_account_id: Cloud account ID\ncloud_info.cloud_region: Cloud "
+ "region\ncompliance_finding.framework: Compliance finding framework (available values: CIS)\nimage_registry: "
+ "Image registry\nimage_digest: Image digest (sha256 digest)\ncompliance_finding.severity: Compliance finding "
+ "severity; available values: 4, 3, 2, 1 (4: critical, 3: high, 2: medium, 1:low)\ncompliance_finding.name: "
+ "Compliance finding Name\ncompliance_finding.id: Compliance finding ID\nimage_tag: Image "
+ "tag\ncloud_info.cloud_provider: Cloud provider\n",
"name": "filter",
"in": "query"
}
@@ -146,13 +147,13 @@
{
"type": "string",
"description": "Filter results using a query in Falcon Query Language (FQL). Supported "
- "Filters:\ncloud_info.cloud_provider: Cloud provider\ncompliance_finding.id: Compliance finding "
- "ID\ncloud_info.cloud_region: Cloud region\nimage_registry: Image registry\nimage_digest: Image digest (sha256 "
- "digest)\ncloud_info.cluster_name: Kubernetes cluster name\ncompliance_finding.severity: Compliance finding "
- "severity; available values: 4, 3, 2, 1 (4: critical, 3: high, 2: medium, 1:low)\ncompliance_finding.name: "
- "Compliance finding Name\ncloud_info.cloud_account_id: Cloud account ID\nimage_id: Image ID\nimage_repository: "
- "Image repository\nimage_tag: Image tag\ncompliance_finding.framework: Compliance finding framework (available "
- "values: CIS)\ncloud_info.namespace: Kubernetes namespace\ncid: Customer ID\n",
+ "Filters:\nimage_registry: Image registry\ncompliance_finding.id: Compliance finding "
+ "ID\ncloud_info.cloud_region: Cloud region\ncloud_info.cloud_provider: Cloud provider\nimage_repository: Image "
+ "repository\nimage_digest: Image digest (sha256 digest)\ncloud_info.cloud_account_id: Cloud account "
+ "ID\ncloud_info.namespace: Kubernetes namespace\ncompliance_finding.name: Compliance finding Name\nimage_id: "
+ "Image ID\ncid: Customer ID\ncompliance_finding.severity: Compliance finding severity; available values: 4, 3, "
+ "2, 1 (4: critical, 3: high, 2: medium, 1:low)\nimage_tag: Image tag\ncompliance_finding.framework: Compliance "
+ "finding framework (available values: CIS)\ncloud_info.cluster_name: Kubernetes cluster name\n",
"name": "filter",
"in": "query"
}
@@ -167,15 +168,15 @@
[
{
"type": "string",
- "description": "Filter results using a query in Falcon Query Language (FQL). Supported "
- "Filters:\ncloud_info.cloud_account_id: Cloud account ID\nimage_digest: Image digest (sha256 "
- "digest)\ncompliance_finding.name: Compliance finding Name\ncompliance_finding.id: Compliance finding "
- "ID\nimage_repository: Image repository\ncloud_info.cloud_region: Cloud region\ncompliance_finding.framework: "
- "Compliance finding framework (available values: CIS)\ncloud_info.namespace: Kubernetes "
- "namespace\ncloud_info.cloud_provider: Cloud provider\nimage_id: Image ID\nimage_registry: Image "
- "registry\nimage_tag: Image tag\ncloud_info.cluster_name: Kubernetes cluster name\ncompliance_finding.severity: "
- " Compliance finding severity; available values: 4, 3, 2, 1 (4: critical, 3: high, 2: medium, 1:low)\ncid: "
- "Customer ID\n",
+ "description": "Filter results using a query in Falcon Query Language (FQL). Supported Filters:\ncid: "
+ "Customer ID\ncompliance_finding.name: Compliance finding Name\nimage_repository: Image "
+ "repository\nimage_digest: Image digest (sha256 digest)\ncloud_info.cloud_account_id: Cloud account "
+ "ID\ncompliance_finding.framework: Compliance finding framework (available values: "
+ "CIS)\ncompliance_finding.severity: Compliance finding severity; available values: 4, 3, 2, 1 (4: critical, 3: "
+ "high, 2: medium, 1:low)\nimage_tag: Image tag\nimage_registry: Image registry\ncloud_info.cloud_region: Cloud "
+ "region\ncloud_info.namespace: Kubernetes namespace\ncompliance_finding.id: Compliance finding "
+ "ID\ncloud_info.cloud_provider: Cloud provider\ncloud_info.cluster_name: Kubernetes cluster name\nimage_id: "
+ "Image ID\n",
"name": "filter",
"in": "query"
}
@@ -191,14 +192,14 @@
{
"type": "string",
"description": "Filter results using a query in Falcon Query Language (FQL). Supported "
- "Filters:\ncloud_info.cluster_name: Kubernetes cluster name\ncloud_info.cloud_region: Cloud "
- "region\ncompliance_finding.name: Compliance finding Name\nimage_tag: Image tag\ncloud_info.cloud_account_id: "
- "Cloud account ID\ncompliance_finding.id: Compliance finding ID\nimage_repository: Image "
- "repository\nimage_digest: Image digest (sha256 digest)\ncloud_info.namespace: Kubernetes namespace\ncid: "
- "Customer ID\nimage_registry: Image registry\ncompliance_finding.severity: Compliance finding severity; "
- "available values: 4, 3, 2, 1 (4: critical, 3: high, 2: medium, 1:low)\ncloud_info.cloud_provider: Cloud "
- "provider\nimage_id: Image ID\ncompliance_finding.framework: Compliance finding framework (available values: "
- "CIS)\n",
+ "Filters:\ncloud_info.cloud_region: Cloud region\ncloud_info.cloud_provider: Cloud "
+ "provider\ncompliance_finding.name: Compliance finding Name\nimage_id: Image ID\ncompliance_finding.id: "
+ "Compliance finding ID\nimage_digest: Image digest (sha256 digest)\ncompliance_finding.framework: Compliance "
+ "finding framework (available values: CIS)\nimage_tag: Image tag\ncloud_info.namespace: Kubernetes "
+ "namespace\ncid: Customer ID\ncompliance_finding.severity: Compliance finding severity; available values: 4, 3, "
+ " 2, 1 (4: critical, 3: high, 2: medium, 1:low)\ncloud_info.cluster_name: Kubernetes cluster "
+ "name\nimage_registry: Image registry\nimage_repository: Image repository\ncloud_info.cloud_account_id: Cloud "
+ "account ID\n",
"name": "filter",
"in": "query"
}
@@ -214,13 +215,13 @@
{
"type": "string",
"description": "Filter results using a query in Falcon Query Language (FQL). Supported "
- "Filters:\ncloud_info.cloud_region: Cloud region\nimage_digest: Image digest (sha256 digest)\ncid: Customer "
- "ID\nimage_id: Image ID\ncompliance_finding.severity: Compliance finding severity; available values: 4, 3, 2, 1 "
- " (4: critical, 3: high, 2: medium, 1:low)\ncloud_info.cloud_account_id: Cloud account "
- "ID\ncompliance_finding.id: Compliance finding ID\ncloud_info.cloud_provider: Cloud provider\nimage_registry: "
- "Image registry\ncloud_info.cluster_name: Kubernetes cluster name\nimage_tag: Image tag\nasset_type: asset type "
- " (container, image)\nimage_repository: Image repository\ncompliance_finding.framework: Compliance finding "
- "framework (available values: CIS)\ncompliance_finding.name: Compliance finding Name\n",
+ "Filters:\nimage_digest: Image digest (sha256 digest)\ncid: Customer ID\ncloud_info.cloud_provider: Cloud "
+ "provider\ncloud_info.cluster_name: Kubernetes cluster name\nimage_id: Image ID\nimage_repository: Image "
+ "repository\ncloud_info.cloud_account_id: Cloud account ID\ncompliance_finding.severity: Compliance finding "
+ "severity; available values: 4, 3, 2, 1 (4: critical, 3: high, 2: medium, 1:low)\nasset_type: asset type "
+ "(container, image)\nimage_tag: Image tag\nimage_registry: Image registry\ncompliance_finding.id: Compliance "
+ "finding ID\ncloud_info.cloud_region: Cloud region\ncompliance_finding.framework: Compliance finding framework "
+ "(available values: CIS)\ncompliance_finding.name: Compliance finding Name\n",
"name": "filter",
"in": "query"
}
@@ -236,14 +237,14 @@
{
"type": "string",
"description": "Filter results using a query in Falcon Query Language (FQL). Supported "
- "Filters:\nimage_registry: Image registry\ncloud_info.cloud_region: Cloud region\ncompliance_finding.framework: "
- " Compliance finding framework (available values: CIS)\ncompliance_finding.severity: Compliance finding "
- "severity; available values: 4, 3, 2, 1 (4: critical, 3: high, 2: medium, 1:low)\ncompliance_finding.name: "
- "Compliance finding Name\nimage_id: Image ID\ncloud_info.cloud_provider: Cloud "
- "provider\ncloud_info.cluster_name: Kubernetes cluster name\ncid: Customer ID\nasset_type: asset type "
- "(container, image)\ncompliance_finding.id: Compliance finding ID\ncloud_info.cloud_account_id: Cloud account "
- "ID\nimage_digest: Image digest (sha256 digest)\ncloud_info.namespace: Kubernetes namespace\nimage_repository: "
- "Image repository\nimage_tag: Image tag\n",
+ "Filters:\nimage_digest: Image digest (sha256 digest)\ncompliance_finding.severity: Compliance finding "
+ "severity; available values: 4, 3, 2, 1 (4: critical, 3: high, 2: medium, 1:low)\nimage_registry: Image "
+ "registry\ncompliance_finding.framework: Compliance finding framework (available values: "
+ "CIS)\nimage_repository: Image repository\ncompliance_finding.id: Compliance finding "
+ "ID\ncloud_info.cloud_account_id: Cloud account ID\ncloud_info.namespace: Kubernetes "
+ "namespace\ncloud_info.cloud_provider: Cloud provider\ncloud_info.cluster_name: Kubernetes cluster "
+ "name\ncloud_info.cloud_region: Cloud region\ncid: Customer ID\nasset_type: asset type (container, "
+ "image)\nimage_tag: Image tag\ncompliance_finding.name: Compliance finding Name\nimage_id: Image ID\n",
"name": "filter",
"in": "query"
}
@@ -259,13 +260,14 @@
{
"type": "string",
"description": "Filter results using a query in Falcon Query Language (FQL). Supported "
- "Filters:\ncloud_info.cloud_region: Cloud region\ncompliance_finding.name: Compliance finding "
- "Name\nimage_repository: Image repository\nimage_digest: Image digest (sha256 digest)\ncloud_info.cluster_name: "
- " Kubernetes cluster name\ncompliance_finding.framework: Compliance finding framework (available values: "
- "CIS)\nasset_type: asset type (container, image)\nimage_id: Image ID\ncloud_info.cloud_account_id: Cloud "
- "account ID\ncompliance_finding.id: Compliance finding ID\ncompliance_finding.severity: Compliance finding "
- "severity; available values: 4, 3, 2, 1 (4: critical, 3: high, 2: medium, 1:low)\ncid: Customer "
- "ID\nimage_registry: Image registry\nimage_tag: Image tag\ncloud_info.cloud_provider: Cloud provider\n",
+ "Filters:\nimage_digest: Image digest (sha256 digest)\ncloud_info.cloud_account_id: Cloud account "
+ "ID\ncloud_info.cloud_region: Cloud region\nimage_tag: Image tag\nimage_id: Image ID\ncid: Customer "
+ "ID\ncompliance_finding.severity: Compliance finding severity; available values: 4, 3, 2, 1 (4: critical, 3: "
+ "high, 2: medium, 1:low)\nimage_registry: Image registry\nimage_repository: Image "
+ "repository\ncompliance_finding.framework: Compliance finding framework (available values: CIS)\nasset_type: "
+ "asset type (container, image)\ncloud_info.cloud_provider: Cloud provider\ncloud_info.cluster_name: Kubernetes "
+ "cluster name\ncompliance_finding.name: Compliance finding Name\ncompliance_finding.id: Compliance finding "
+ "ID\n",
"name": "filter",
"in": "query"
}
@@ -281,14 +283,14 @@
{
"type": "string",
"description": "Filter results using a query in Falcon Query Language (FQL). Supported "
- "Filters:\nimage_registry: Image registry\nimage_repository: Image repository\nimage_tag: Image "
- "tag\ncloud_info.cloud_provider: Cloud provider\ncompliance_finding.id: Compliance finding ID\nimage_id: Image "
- "ID\ncid: Customer ID\ncompliance_finding.framework: Compliance finding framework (available values: "
+ "Filters:\nasset_type: asset type (container, image)\nimage_tag: Image tag\ncontainer_name: Container "
+ "name\ncompliance_finding.name: Compliance finding Name\nimage_id: Image ID\nimage_repository: Image "
+ "repository\ncompliance_finding.framework: Compliance finding framework (available values: "
"CIS)\ncompliance_finding.severity: Compliance finding severity; available values: 4, 3, 2, 1 (4: critical, 3: "
- "high, 2: medium, 1:low)\ncontainer_id: Container ID\ncloud_info.cloud_account_id: Cloud account "
- "ID\ncompliance_finding.name: Compliance finding Name\ncloud_info.cloud_region: Cloud "
- "region\ncloud_info.cluster_name: Kubernetes cluster name\nimage_digest: Image digest (sha256 "
- "digest)\ncontainer_name: Container name\nasset_type: asset type (container, image)\n",
+ "high, 2: medium, 1:low)\ncloud_info.cluster_name: Kubernetes cluster name\nimage_digest: Image digest (sha256 "
+ "digest)\ncontainer_id: Container ID\ncloud_info.cloud_account_id: Cloud account ID\ncid: Customer "
+ "ID\ncloud_info.cloud_provider: Cloud provider\nimage_registry: Image registry\ncompliance_finding.id: "
+ "Compliance finding ID\ncloud_info.cloud_region: Cloud region\n",
"name": "filter",
"in": "query"
}
diff --git a/src/falconpy/_endpoint/_container_images.py b/src/falconpy/_endpoint/_container_images.py
index 7a80b93b..5095fbae 100644
--- a/src/falconpy/_endpoint/_container_images.py
+++ b/src/falconpy/_endpoint/_container_images.py
@@ -146,13 +146,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -215,13 +215,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -231,7 +231,8 @@
"ReadCombinedImagesExport",
"GET",
"/container-security/combined/images/export/v1",
- "Retrieve images with an option to expand aggregated vulnerabilities/detections",
+ "Retrieves a paginated list of images, with an option to expand aggregated vulnerabilities/detections. "
+ "Maximum page size: 100. Maximum available images: 10,000",
"container_images",
[
{
@@ -261,13 +262,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
},
diff --git a/src/falconpy/_endpoint/_container_packages.py b/src/falconpy/_endpoint/_container_packages.py
index 962336eb..a4033959 100644
--- a/src/falconpy/_endpoint/_container_packages.py
+++ b/src/falconpy/_endpoint/_container_packages.py
@@ -95,13 +95,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -125,13 +125,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -141,7 +141,8 @@
"ReadPackagesCombinedExport",
"GET",
"/container-security/combined/packages/export/v1",
- "Retrieve packages identified by the provided filter criteria for the purpose of export",
+ "Retrieves a paginated list of packages identified by the provided filter criteria,used for export.Maximum"
+ "page size: 100. Maximum available packages: 10,000",
"container_packages",
[
{
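Review bot: The new description for ReadPackagesCombinedExport is assembled by implicit string concatenation, and the first fragment ends in `Maximum"` with no trailing space while the second begins `"page size: 100.`, so the runtime string reads `...export.Maximumpage size: 100...`; the same fragment also lacks spaces after the comma and period in `criteria,used for export.Maximum`. The fix is the two lines `"Retrieves a paginated list of packages identified by the provided filter criteria, used for export. Maximum "` and `"page size: 100. Maximum available packages: 10,000"`, matching the spacing used for the sibling ReadCombinedImagesExport and ReadCombinedVulnerabilities descriptions in this commit. If this text comes from an upstream spec, the upstream description is what should carry the fix.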
@@ -169,13 +170,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -213,13 +214,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -229,7 +230,7 @@
"ReadPackagesCombinedV2",
"GET",
"/container-security/combined/packages/v2",
- "Retrieve packages identified by the provided filter criteria.",
+ "Retrieve packages identified by the provided filter criteria",
"container_packages",
[
{
@@ -257,13 +258,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
diff --git a/src/falconpy/_endpoint/_container_vulnerabilities.py b/src/falconpy/_endpoint/_container_vulnerabilities.py
index e501b8c2..5fb76043 100644
--- a/src/falconpy/_endpoint/_container_vulnerabilities.py
+++ b/src/falconpy/_endpoint/_container_vulnerabilities.py
@@ -57,13 +57,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -89,13 +89,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -105,7 +105,7 @@
"ReadVulnerabilityCountByCVSSScore",
"GET",
"/container-security/aggregates/vulnerabilities/count-by-cvss-score/v1",
- "Aggregate count of vulnerabilities grouped by cvss score",
+ "Aggregate count of vulnerabilities grouped by CVSS score",
"container_vulnerabilities",
[
{
@@ -121,13 +121,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -153,13 +153,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -185,13 +185,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -214,13 +214,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -243,13 +243,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -280,13 +280,13 @@
{
"type": "integer",
"default": 5000,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 5000.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -309,13 +309,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -325,7 +325,8 @@
"ReadCombinedVulnerabilities",
"GET",
"/container-security/combined/vulnerabilities/v1",
- "Retrieve vulnerability and aggregate data filtered by the provided FQL",
+ "Retrieves a paginated list of vulnerabilities filtered by the provided FQL. Maximum page size: 100. "
+ "Maximum available vulnerabilities: 10,000",
"container_vulnerabilities",
[
{
@@ -341,13 +342,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
},
diff --git a/src/falconpy/_endpoint/_correlation_rules_admin.py b/src/falconpy/_endpoint/_correlation_rules_admin.py
new file mode 100644
index 00000000..be1c388b
--- /dev/null
+++ b/src/falconpy/_endpoint/_correlation_rules_admin.py
@@ -0,0 +1,54 @@
+"""Internal API endpoint constant library.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_correlation_rules_admin_endpoints = [
+ [
+ "entities_rules_ownership_put_v1",
+ "PUT",
+ "/correlation-rules/entities/rules/ownership/v1",
+ "Change the owner of an existing Correlation Rule",
+ "correlation_rules_admin",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ]
+]
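Review bot: The only parameter of `entities_rules_ownership_put_v1`, the required `body`, carries no `description`, so the docstring generated from this constant tells callers nothing about what a request to reassign ownership of a correlation rule must contain. Other constants in this same change document their body in one line, e.g. `"description": "The cloud-application definition to create"`; an equivalent here naming the fields the upstream spec defines (rule identifier(s) and the new owner) would be enough. The header line `For more information, please refer to` also ends without a target in both new files of this diff; if the link was dropped during rendering this is nothing, otherwise the URL should be restored before merge.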
diff --git a/src/falconpy/_endpoint/_d4c_registration.py b/src/falconpy/_endpoint/_d4c_registration.py
index 0b3a99d8..665202c5 100644
--- a/src/falconpy/_endpoint/_d4c_registration.py
+++ b/src/falconpy/_endpoint/_d4c_registration.py
@@ -241,11 +241,70 @@
"name": "dspm_regions",
"in": "query"
},
+ {
+ "pattern": "\\d{12}",
+ "type": "string",
+ "name": "dspm_host_account_id",
+ "in": "query"
+ },
+ {
+ "pattern": "^[a-zA-Z0-9+=,.@_-]{1,64}$",
+ "type": "string",
+ "name": "dspm_host_integration_role_name",
+ "in": "query"
+ },
+ {
+ "pattern": "^[a-zA-Z0-9+=,.@_-]{1,64}$",
+ "type": "string",
+ "name": "dspm_host_scanner_role_name",
+ "in": "query"
+ },
{
"type": "string",
"name": "dspm_role",
"in": "query"
},
+ {
+ "enum": [
+ "true",
+ "false"
+ ],
+ "type": "string",
+ "name": "vulnerability_scanning_enabled",
+ "in": "query"
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "csv",
+ "name": "vulnerability_scanning_regions",
+ "in": "query"
+ },
+ {
+ "pattern": "\\d{12}",
+ "type": "string",
+ "name": "vulnerability_scanning_host_account_id",
+ "in": "query"
+ },
+ {
+ "pattern": "^[a-zA-Z0-9+=,.@_-]{1,64}$",
+ "type": "string",
+ "name": "vulnerability_scanning_host_integration_role_name",
+ "in": "query"
+ },
+ {
+ "pattern": "^[a-zA-Z0-9+=,.@_-]{1,64}$",
+ "type": "string",
+ "name": "vulnerability_scanning_host_scanner_role_name",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "name": "vulnerability_scanning_role",
+ "in": "query"
+ },
{
"enum": [
"true",
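Review bot: The two new 12-digit account-ID parameters in this hunk, `dspm_host_account_id` and `vulnerability_scanning_host_account_id`, use the unanchored pattern `"\\d{12}"`, whereas the neighbouring role-name parameters are anchored with `^...$`; an unanchored pattern accepts any string that merely contains twelve consecutive digits if a consumer validates with a search rather than a full match. If the SDK or its generated documentation treats these patterns as validation, `"pattern": "^\\d{12}$"` is the consistent form. These entries appear to mirror the upstream API specification, so the correction may belong there first. The parameter list of the enclosing operation starts and ends outside this hunk.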
diff --git a/src/falconpy/_endpoint/_data_protection_configuration.py b/src/falconpy/_endpoint/_data_protection_configuration.py
new file mode 100644
index 00000000..7cfa1dd5
--- /dev/null
+++ b/src/falconpy/_endpoint/_data_protection_configuration.py
@@ -0,0 +1,918 @@
+"""Internal API endpoint constant library.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_data_protection_configuration_endpoints = [
+ [
+ "entities_classification_get_v2",
+ "GET",
+ "/data-protection/entities/classifications/v2",
+ "Gets the classifications that match the provided ids",
+ "data_protection_configuration",
+ [
+ {
+ "maxItems": 100,
+ "minItems": 1,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "IDs of the classifications to get",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_classification_post_v2",
+ "POST",
+ "/data-protection/entities/classifications/v2",
+ "Create classifications",
+ "data_protection_configuration",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_classification_patch_v2",
+ "PATCH",
+ "/data-protection/entities/classifications/v2",
+ "Update classifications",
+ "data_protection_configuration",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_classification_delete_v2",
+ "DELETE",
+ "/data-protection/entities/classifications/v2",
+ "Deletes classifications that match the provided ids",
+ "data_protection_configuration",
+ [
+ {
+ "maxItems": 100,
+ "minItems": 1,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "IDs of the classifications to delete",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_cloud_application_get",
+ "GET",
+ "/data-protection/entities/cloud-applications/v1",
+ "Get a particular cloud-application",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The cloud application id(s) to get.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_cloud_application_create",
+ "POST",
+ "/data-protection/entities/cloud-applications/v1",
+ "Persist the given cloud application for the provided entity instance",
+ "data_protection_configuration",
+ [
+ {
+ "description": "The cloud-application definition to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_cloud_application_patch",
+ "PATCH",
+ "/data-protection/entities/cloud-applications/v1",
+ "Update a cloud application",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The cloud app id to update.",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "description": "The new cloud-application definition",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_cloud_application_delete",
+ "DELETE",
+ "/data-protection/entities/cloud-applications/v1",
+ "Delete cloud application",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The id of the cloud application to delete.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_content_pattern_get",
+ "GET",
+ "/data-protection/entities/content-patterns/v1",
+ "Get a particular content-pattern(s)",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The content-pattern id(s) to get.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_content_pattern_create",
+ "POST",
+ "/data-protection/entities/content-patterns/v1",
+ "Persist the given content pattern for the provided entity instance",
+ "data_protection_configuration",
+ [
+ {
+ "description": "Definition of content-pattern to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_content_pattern_patch",
+ "PATCH",
+ "/data-protection/entities/content-patterns/v1",
+ "Update a content pattern",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The id of the content pattern to patch.",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "description": "Definition of content-pattern to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_content_pattern_delete",
+ "DELETE",
+ "/data-protection/entities/content-patterns/v1",
+ "Delete content pattern",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The id(s) of the content pattern to delete.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_enterprise_account_get",
+ "GET",
+ "/data-protection/entities/enterprise-accounts/v1",
+ "Get a particular enterprise-account(s)",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The enterprise-account id(s) to get.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_enterprise_account_create",
+ "POST",
+ "/data-protection/entities/enterprise-accounts/v1",
+ "Persist the given enterprise account for the provided entity instance",
+ "data_protection_configuration",
+ [
+ {
+ "description": "Definition of enterprise-account to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_enterprise_account_patch",
+ "PATCH",
+ "/data-protection/entities/enterprise-accounts/v1",
+ "Update a enterprise account",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The id of the enterprise account to update.",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "description": "Definition of enterprise-account to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_enterprise_account_delete",
+ "DELETE",
+ "/data-protection/entities/enterprise-accounts/v1",
+ "Delete enterprise account",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The id of the enterprise account to delete.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_file_type_get",
+ "GET",
+ "/data-protection/entities/file-types/v1",
+ "Get a particular file-type",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The file-type id(s) to get.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_sensitivity_label_get_v2",
+ "GET",
+ "/data-protection/entities/labels/v2",
+ "Get sensitivity label matching the IDs (V2)",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The sensitivity label entity id(s) to get.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_sensitivity_label_create_v2",
+ "POST",
+ "/data-protection/entities/labels/v2",
+ "Create new sensitivity label (V2)",
+ "data_protection_configuration",
+ [
+ {
+ "description": "Definition of sensitivity label to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_sensitivity_label_delete_v2",
+ "DELETE",
+ "/data-protection/entities/labels/v2",
+ "Delete sensitivity labels matching the IDs (V2)",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The sensitivity label entity id(s) to delete.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_policy_get_v2",
+ "GET",
+ "/data-protection/entities/policies/v2",
+ "Gets policies that match the provided ids",
+ "data_protection_configuration",
+ [
+ {
+ "maxItems": 100,
+ "minItems": 1,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "IDs of the policies to get",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_policy_post_v2",
+ "POST",
+ "/data-protection/entities/policies/v2",
+ "Create policies",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "platform name of the policies to update, either 'win' or 'mac'",
+ "name": "platform_name",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_policy_patch_v2",
+ "PATCH",
+ "/data-protection/entities/policies/v2",
+ "Update policies",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "platform name of the policies to update, either 'win' or 'mac'",
+ "name": "platform_name",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_policy_delete_v2",
+ "DELETE",
+ "/data-protection/entities/policies/v2",
+ "Deletes policies that match the provided ids",
+ "data_protection_configuration",
+ [
+ {
+ "maxItems": 100,
+ "minItems": 1,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "IDs of the policies to delete",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "platform name of the policies to update, either 'win' or 'mac'",
+ "name": "platform_name",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_web_location_get_v2",
+ "GET",
+ "/data-protection/entities/web-locations/v2",
+ "Get web-location entities matching the provided ID(s)",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The web-location entity id(s) to get.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_web_location_create_v2",
+ "POST",
+ "/data-protection/entities/web-locations/v2",
+ "Persist the given web-locations",
+ "data_protection_configuration",
+ [
+ {
+ "description": "Definition of web-locations to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_web_location_patch_v2",
+ "PATCH",
+ "/data-protection/entities/web-locations/v2",
+ "Update a web-location",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The web-location entity id to update.",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "description": "Definition of updated web-location",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities_web_location_delete_v2",
+ "DELETE",
+ "/data-protection/entities/web-locations/v2",
+ "Delete web-location",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "csv",
+ "description": "The ids of the web-location to delete.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "queries_classification_get_v2",
+ "GET",
+ "/data-protection/queries/classifications/v2",
+ "Search for classifications that match the provided criteria",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "Filter results by specific attributes , allowed attributes are "
+ "[properties.protection_mode properties.web_sources created_by modified_at properties.file_types "
+ "properties.sensitivity_labels name created_at modified_by properties.content_patterns "
+ "properties.evidence_duplication_enabled]",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "maximum": 10000,
+ "minimum": 0,
+ "type": "integer",
+ "description": "The offset to start retrieving records from",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "maximum": 500,
+ "minimum": 0,
+ "type": "integer",
+ "default": 100,
+ "description": "The maximum records to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The property to sort by, allowed fields are :[name created_at modified_at]",
+ "name": "sort",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries_cloud_application_get_v2",
+ "GET",
+ "/data-protection/queries/cloud-applications/v2",
+ "Get all cloud-application IDs matching the query with filter",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "Optional filter for searching cloud applications. Allowed filters are 'name' (string), "
+ " 'type' (array of strings representing the tier, accepted values are: integrated, predefined, custom), "
+ "'deleted' (boolean), supports_network_inspection (boolean) and 'application_group_id' (string)",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The sort instructions to order by on. Allowed values are 'name' (string), 'type' "
+ "(array of strings representing the tier, accepted values are: integrated, predefined, custom), 'deleted' "
+ "(boolean) and 'application_group_id' (string)",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset to start retrieving records from. Use with the limit parameter to manage "
+ "pagination of results.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries_content_pattern_get_v2",
+ "GET",
+ "/data-protection/queries/content-patterns/v2",
+ "Get all content-pattern IDs matching the query with filter",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The filter to use when finding content patterns. Allowed filters are 'name', 'type', "
+ "'category', 'region', 'example', 'created_at', 'updated_at' and 'deleted'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The sort instructions to order by on. Allowed values are 'name', 'type', 'category', "
+ "'region', 'created_at', 'updated_at', 'example' and 'deleted'",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset to start retrieving records from. Use with the limit parameter to manage "
+ "pagination of results.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries_enterprise_account_get_v2",
+ "GET",
+ "/data-protection/queries/enterprise-accounts/v2",
+ "Get all enterprise-account IDs matching the query with filter",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The filter to use when finding enterprise accounts. Allowed filters are 'name', "
+ "'application_group_id', 'deleted', 'created_at' and 'updated_at'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The sort instructions to order by on. Allowed values are 'name', "
+ "'application_group_id', 'deleted', 'created_at' and 'updated_at'",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset to start retrieving records from. Use with the limit parameter to manage "
+ "pagination of results.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries_file_type_get_v2",
+ "GET",
+ "/data-protection/queries/file-types/v2",
+ "Get all file-type IDs matching the query with filter",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The filter to use when finding file types. Allowed filter is 'name', 'created_at' and 'updated_at'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The sort instructions to order by on. Allowed values are 'name', 'created_at' and 'updated_at'",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset to start retrieving records from. Use with the limit parameter to manage "
+ "pagination of results.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries_sensitivity_label_get_v2",
+ "GET",
+ "/data-protection/queries/labels/v2",
+ "Get all sensitivity label IDs matching the query with filter",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The filter to use when finding sensitivity labels. The only allowed filters are "
+ "'name', 'display_name', 'external_id' and 'deleted'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The sort instructions to order by on. Allowed values are 'name', 'display_name', "
+ "'deleted', 'created_at' and 'updated_at'",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset to start retrieving records from. Use with the limit parameter to manage "
+ "pagination of results.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries_policy_get_v2",
+ "GET",
+ "/data-protection/queries/policies/v2",
+ "Search for policies that match the provided criteria",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "platform name of the policies to search, either 'win' or 'mac'",
+ "name": "platform_name",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Filter results by specific attributes , allowed attributes are "
+ "[properties.network_inspection_files_exceeding_size_limit properties.be_paste_timeout_duration_milliseconds "
+ "properties.max_file_size_to_inspect created_at modified_by properties.min_confidence_level "
+ "properties.max_file_size_to_inspect_unit properties.custom_block_notification "
+ "properties.evidence_download_enabled properties.classifications properties.be_paste_timeout_response "
+ "description properties.besplash_custom_message properties.be_paste_clipboard_min_size "
+ "properties.be_paste_clipboard_max_size properties.evidence_storage_free_disk_perc is_enabled "
+ "properties.similarity_detection properties.be_exclude_domains properties.evidence_storage_max_size "
+ "properties.browsers_without_active_extension properties.unsupported_browsers_action "
+ "properties.besplash_message_source properties.be_paste_clipboard_min_size_unit "
+ "properties.be_paste_clipboard_max_size_unit precedence properties.block_all_data_access "
+ "properties.enable_clipboard_inspection properties.allow_notifications properties.block_notifications "
+ "properties.be_upload_timeout_duration_seconds properties.be_paste_clipboard_over_size_behaviour_block "
+ "properties.enable_context_inspection properties.custom_allow_notification properties.besplash_enabled "
+ "properties.be_upload_timeout_response created_by modified_at properties.enable_content_inspection "
+ "properties.inspection_depth properties.similarity_threshold "
+ "properties.enable_end_user_notifications_unsupported_browser properties.evidence_duplication_enabled_default "
+ "properties.evidence_encrypted_enabled name is_default properties.enable_network_inspection]",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "maximum": 10000,
+ "minimum": 0,
+ "type": "integer",
+ "description": "The offset to start retrieving records from",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "maximum": 500,
+ "minimum": 0,
+ "type": "integer",
+ "default": 100,
+ "description": "The maximum records to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The property to sort by, allowed fields are :[name precedence created_at modified_at]",
+ "name": "sort",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries_web_location_get_v2",
+ "GET",
+ "/data-protection/queries/web-locations/v2",
+ "Get web-location IDs matching the query with filter",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The filter to use when finding web locations. Allowed filters are 'name', 'type', "
+ "'deleted', 'application_id', 'provider_location_id' and 'enterprise_account_id'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The type of entity to query. Allowed values are 'predefined' and 'custom'",
+ "name": "type",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset to start retrieving records from. Use with the limit parameter to manage "
+ "pagination of results.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ]
+]
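Review bot: Several parameter descriptions in this new file are copy-paste leftovers that will appear verbatim in generated docs: the `body` of `entities_content_pattern_patch` and `entities_enterprise_account_patch` reads `"Definition of content-pattern to create"` / `"Definition of enterprise-account to create"` on an update call, and `platform_name` on `entities_policy_delete_v2` says `"platform name of the policies to update"` on a delete. Suggested wording: `"Definition of the content-pattern update"`, `"Definition of the enterprise-account update"`, and `"platform name of the policies to delete, either 'win' or 'mac'"`. Separately, `entities_web_location_delete_v2` is the only delete operation here whose `ids` uses `"collectionFormat": "csv"` rather than `"multi"`; if that is not what the service expects, the SDK would send one comma-joined value instead of repeated parameters, so it is worth confirming against the upstream spec rather than changing here.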
diff --git a/src/falconpy/_endpoint/_detects.py b/src/falconpy/_endpoint/_detects.py
index aa3a0e68..0215f268 100644
--- a/src/falconpy/_endpoint/_detects.py
+++ b/src/falconpy/_endpoint/_detects.py
@@ -41,7 +41,8 @@
"GetAggregateDetects",
"POST",
"/detects/aggregates/detects/GET/v1",
- "Get detect aggregates as specified via json in request body.",
+ "Deprecated: This endpoint will be decommissioned on September 30, 2025. Please check the Notes section "
+ "below for migration guidance.",
"detects",
[
{
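Review bot: The new description drops the operation summary (`"Get detect aggregates as specified via json in request body."`) and replaces it with a deprecation banner that points to a "Notes section below" which does not exist in this SDK constant or in the docstrings generated from it. Keeping the summary and prefixing the deprecation keeps the constant self-describing, e.g. `"Deprecated: decommissioned September 30, 2025; see the API reference for migration guidance. Get detect aggregates as specified via json in request body."`. The same pattern is applied to the other three hunks in this file. The migration target is not named anywhere in the diff, so I have not guessed at one.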
@@ -56,7 +57,8 @@
"UpdateDetectsByIdsV2",
"PATCH",
"/detects/entities/detects/v2",
- "Modify the state, assignee, and visibility of detections",
+ "Deprecated: This endpoint will be decommissioned on September 30, 2025. Please check the Notes section "
+ "below for migration guidance.",
"detects",
[
{
@@ -80,7 +82,8 @@
"GetDetectSummaries",
"POST",
"/detects/entities/summaries/GET/v1",
- "View information about detections",
+ "Deprecated: This endpoint will be decommissioned on September 30, 2025. Please check the Notes section "
+ "below for migration guidance.",
"detects",
[
{
@@ -99,7 +102,8 @@
"QueryDetects",
"GET",
"/detects/queries/detects/v1",
- "Search for detection IDs that match a given query",
+ "Deprecated: This endpoint will be decommissioned on September 30, 2025. Please check the Notes section "
+ "below for migration guidance.",
"detects",
[
{
diff --git a/src/falconpy/_endpoint/_discover.py b/src/falconpy/_endpoint/_discover.py
index e241b16c..820dda35 100644
--- a/src/falconpy/_endpoint/_discover.py
+++ b/src/falconpy/_endpoint/_discover.py
@@ -97,8 +97,9 @@
"type": "string"
},
"collectionFormat": "multi",
- "description": "Select various details blocks to be returned for each application entity. Supported "
- "values:\n\n- browser_extension
- host_info
- install_usage
",
+ "description": "Select various details blocks to be returned for each application entity. Supported va "
+ "lues:\n\n- browser_extension
- host_info
- install_usage
- package
- ide_extensi "
+ "on
",
"name": "facet",
"in": "query"
}
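Review bot: The re-wrapped `facet` description appears to split words across the string-literal boundaries while keeping a trailing space, so the concatenated text reads `Supported va lues:` and `ide_extensi on` instead of `Supported values:` and `ide_extension`. Unless this is an artefact of how the diff was rendered, the wrap should break on an existing space, e.g. `"... Supported "` followed by `"values:\n\n- browser_extension\n- host_info\n- install_usage\n- package\n- ide_extension\n"`. The substantive addition, the `package` and `ide_extension` facet values, looks fine.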
@@ -162,15 +163,15 @@
"mount_storage_info.used_space, mount_storage_info.available_space, form_factor, servicenow_id, owned_by, "
"managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, ad_user_account_control, "
"account_enabled, creation_timestamp, email, os_service_pack, location, state, cpu_manufacturer, "
- "discovering_by\n\t\t\tAvailable filter fields that supports wildcard (*): id, aid, entity_type, country, city, "
- " platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, "
- "system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, "
- "machine_domain, site_name, external_ip, hostname, network_interfaces.local_ip, network_interfaces.mac_address, "
- " network_interfaces.interface_alias, network_interfaces.interface_description, "
- "network_interfaces.network_prefix, last_discoverer_aid, discoverer_aids, discoverer_tags, "
- "discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, "
- "data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, disk_sizes.disk_name, "
- "cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, "
+ "discovering_by, scan_details.scan_id, scan_details.schedule_id\n\t\t\tAvailable filter fields that supports "
+ "wildcard (*): id, aid, entity_type, country, city, platform_name, os_version, kernel_version, "
+ "product_type_desc, tags, groups, agent_version, system_product_name, system_manufacturer, "
+ "system_serial_number, bios_manufacturer, bios_version, ou, machine_domain, site_name, external_ip, hostname, "
+ "network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.interface_alias, "
+ "network_interfaces.interface_description, network_interfaces.network_prefix, last_discoverer_aid, "
+ "discoverer_aids, discoverer_tags, discoverer_platform_names, discoverer_product_type_descs, confidence, "
+ "internet_exposure, os_is_eol, data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, "
+ "disk_sizes.disk_name, cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, "
"os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.device_guard_status, "
"os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, "
"os_security.iommu_protection_status, os_security.secure_boot_enabled_status, "
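Review bot: The context line immediately after the rewrapped text lists `os_security.device_guard_status` three times in the wildcard-capable filter fields, which is almost certainly a duplicate carried over from the upstream spec rather than three distinct fields. Since this hunk already rewrites the surrounding description to add `scan_details.scan_id` and `scan_details.schedule_id`, it would be a cheap moment to collapse the repeat to a single `os_security.device_guard_status`, or to confirm upstream that the duplication is intentional. The description string continues past the end of this hunk.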
@@ -178,14 +179,15 @@
"os_security.kernel_dma_protection_status, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, "
"bios_id, mount_storage_info.mount_path, form_factor, servicenow_id, owned_by, managed_by, assigned_to, "
"department, fqdn, used_for, object_guid, object_sid, account_enabled, email, os_service_pack, location, state, "
- " cpu_manufacturer, discovering_by\n\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, "
- "<=): first_seen_timestamp, last_seen_timestamp, local_ips_count, discoverer_count, confidence, "
- "number_of_disk_drives, processor_package_count, physical_core_count, data_providers_count, logical_core_count, "
- " total_disk_space, disk_sizes.disk_space, total_memory, encrypted_drives_count, unencrypted_drives_count, "
- "total_bios_files, average_processor_usage, average_memory_usage, average_memory_usage_pct, "
- "max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, "
- "available_disk_space, available_disk_space_pct, mount_storage_info.used_space, "
- "mount_storage_info.available_space, ad_user_account_control, creation_timestamp\n\t\t\tAll filter fields and "
+ " cpu_manufacturer, discovering_by, scan_details.scan_id, scan_details.schedule_id\n\t\t\tAvailable filter "
+ "fields that supports range comparisons (>, <, >=, <=): first_seen_timestamp, last_seen_timestamp, "
+ "local_ips_count, discoverer_count, confidence, number_of_disk_drives, processor_package_count, "
+ "physical_core_count, data_providers_count, logical_core_count, total_disk_space, disk_sizes.disk_space, "
+ "total_memory, encrypted_drives_count, unencrypted_drives_count, total_bios_files, average_processor_usage, "
+ "average_memory_usage, average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, "
+ "used_disk_space, used_disk_space_pct, available_disk_space, available_disk_space_pct, "
+ "mount_storage_info.used_space, mount_storage_info.available_space, ad_user_account_control, "
+ "creation_timestamp, scan_details.scan_date, vulnerability_assessment_date\n\t\t\tAll filter fields and "
"operations supports negation (!).",
"name": "filter",
"in": "query",
@@ -472,15 +474,15 @@
"mount_storage_info.used_space, mount_storage_info.available_space, form_factor, servicenow_id, owned_by, "
"managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, ad_user_account_control, "
"account_enabled, creation_timestamp, email, os_service_pack, location, state, cpu_manufacturer, "
- "discovering_by\n\t\t\tAvailable filter fields that supports wildcard (*): id, aid, entity_type, country, city, "
- " platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, "
- "system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, "
- "machine_domain, site_name, external_ip, hostname, network_interfaces.local_ip, network_interfaces.mac_address, "
- " network_interfaces.interface_alias, network_interfaces.interface_description, "
- "network_interfaces.network_prefix, last_discoverer_aid, discoverer_aids, discoverer_tags, "
- "discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, "
- "data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, disk_sizes.disk_name, "
- "cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, "
+ "discovering_by, scan_details.scan_id, scan_details.schedule_id\n\t\t\tAvailable filter fields that supports "
+ "wildcard (*): id, aid, entity_type, country, city, platform_name, os_version, kernel_version, "
+ "product_type_desc, tags, groups, agent_version, system_product_name, system_manufacturer, "
+ "system_serial_number, bios_manufacturer, bios_version, ou, machine_domain, site_name, external_ip, hostname, "
+ "network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.interface_alias, "
+ "network_interfaces.interface_description, network_interfaces.network_prefix, last_discoverer_aid, "
+ "discoverer_aids, discoverer_tags, discoverer_platform_names, discoverer_product_type_descs, confidence, "
+ "internet_exposure, os_is_eol, data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, "
+ "disk_sizes.disk_name, cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, "
"os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.device_guard_status, "
"os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, "
"os_security.iommu_protection_status, os_security.secure_boot_enabled_status, "
@@ -488,14 +490,15 @@
"os_security.kernel_dma_protection_status, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, "
"bios_id, mount_storage_info.mount_path, form_factor, servicenow_id, owned_by, managed_by, assigned_to, "
"department, fqdn, used_for, object_guid, object_sid, account_enabled, email, os_service_pack, location, state, "
- " cpu_manufacturer, discovering_by\n\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, "
- "<=): first_seen_timestamp, last_seen_timestamp, local_ips_count, discoverer_count, confidence, "
- "number_of_disk_drives, processor_package_count, physical_core_count, data_providers_count, logical_core_count, "
- " total_disk_space, disk_sizes.disk_space, total_memory, encrypted_drives_count, unencrypted_drives_count, "
- "total_bios_files, average_processor_usage, average_memory_usage, average_memory_usage_pct, "
- "max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, "
- "available_disk_space, available_disk_space_pct, mount_storage_info.used_space, "
- "mount_storage_info.available_space, ad_user_account_control, creation_timestamp\n\t\t\tAll filter fields and "
+ " cpu_manufacturer, discovering_by, scan_details.scan_id, scan_details.schedule_id\n\t\t\tAvailable filter "
+ "fields that supports range comparisons (>, <, >=, <=): first_seen_timestamp, last_seen_timestamp, "
+ "local_ips_count, discoverer_count, confidence, number_of_disk_drives, processor_package_count, "
+ "physical_core_count, data_providers_count, logical_core_count, total_disk_space, disk_sizes.disk_space, "
+ "total_memory, encrypted_drives_count, unencrypted_drives_count, total_bios_files, average_processor_usage, "
+ "average_memory_usage, average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, "
+ "used_disk_space, used_disk_space_pct, available_disk_space, available_disk_space_pct, "
+ "mount_storage_info.used_space, mount_storage_info.available_space, ad_user_account_control, "
+ "creation_timestamp, scan_details.scan_date, vulnerability_assessment_date\n\t\t\tAll filter fields and "
"operations supports negation (!).",
"name": "filter",
"in": "query"
diff --git a/src/falconpy/_endpoint/_downloads.py b/src/falconpy/_endpoint/_downloads.py
index ce059ae2..e66f6987 100644
--- a/src/falconpy/_endpoint/_downloads.py
+++ b/src/falconpy/_endpoint/_downloads.py
@@ -37,6 +37,62 @@
"""
_downloads_endpoints = [
+ [
+ "FetchFilesDownloadInfo",
+ "GET",
+ "/csdownloads/combined/files-download/v1",
+ "Get files info and pre-signed download URLs",
+ "downloads",
+ [
+ {
+ "type": "string",
+ "description": "Search files using various filters using query in Falcon Query Language (FQL). "
+ "Supported filters: arch,category,file_name,file_version,os",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The fields to sort records on. Supported columns: arch category file_name file_version os",
+ "name": "sort",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "FetchFilesDownloadInfoV2",
+ "GET",
+ "/csdownloads/combined/files-download/v2",
+ "Get cloud security tools info and pre-signed download URLs",
+ "downloads",
+ [
+ {
+ "type": "string",
+ "description": "Search files using various filters. Supported filters: arch,category,file_name,file_version,os",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The fields to sort records on. Supported columns: arch category file_name file_version os",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset from where to begin. Maximum offset = 1000 - limit.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
[
"DownloadFile",
"GET",
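Review bot: The `offset` description for `FetchFilesDownloadInfoV2` reads `Maximum offset = 1000 - limit.`, while the drift-indicator hunks in this same commit use `Maximum offset = 10000 - limit.`; if the spec really caps this endpoint at 1000 that is fine, but it looks like a possible dropped zero and is worth confirming against the upstream definition. The v1 entry `FetchFilesDownloadInfo` lists only `filter` and `sort`, so nothing in this table lets a caller page it; if the service accepts `limit`/`offset` there as well they should be declared, otherwise the v2 entry is the one to point users at. Both operations return pre-signed download URLs, which act as bearer credentials until they expire, so the service-class docstrings for these two methods should state that the returned URLs must not be logged or persisted. The enclosing `_downloads_endpoints` list continues past the end of the hunk.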
diff --git a/src/falconpy/_endpoint/_drift_indicators.py b/src/falconpy/_endpoint/_drift_indicators.py
index 3c7684cd..72a2a6db 100644
--- a/src/falconpy/_endpoint/_drift_indicators.py
+++ b/src/falconpy/_endpoint/_drift_indicators.py
@@ -101,13 +101,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -156,13 +156,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
diff --git a/src/falconpy/_endpoint/_falcon_container.py b/src/falconpy/_endpoint/_falcon_container.py
index db9a6ad8..1edbd18c 100644
--- a/src/falconpy/_endpoint/_falcon_container.py
+++ b/src/falconpy/_endpoint/_falcon_container.py
@@ -86,7 +86,7 @@
"images.images-assessment-expanded images.images-assessment-vulnerabilities-expanded images.images-assessment "
" images.images-detections images.packages images.vulnerabilities investigate.container-alerts "
"investigate.drift-indicators investigate.kubernetes-ioms investigate.runtime-detections "
- "investigate.unidentified-containers network.events policies.exclusions",
+ "investigate.unidentified-containers policies.exclusions",
"name": "body",
"in": "body",
"required": True
@@ -358,5 +358,103 @@
"Get headers for POST request for image scan inventory",
"falcon_container",
[]
+ ],
+ [
+ "PolicyChecks",
+ "GET",
+ "/image-assessment/entities/policy-checks/v2",
+ "Check image prevention policies",
+ "falcon_container",
+ [
+ {
+ "type": "string",
+ "description": "Registry",
+ "name": "registry",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Repository",
+ "name": "repository",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Tag",
+ "name": "tag",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "GetReportByReference",
+ "GET",
+ "/image-assessment/entities/reports/v2",
+ "Get image assessment scan report by image reference (v2)",
+ "falcon_container",
+ [
+ {
+ "type": "string",
+ "description": "Registry",
+ "name": "registry",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Repository",
+ "name": "repository",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Tag",
+ "name": "tag",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Image ID",
+ "name": "image_id",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Digest",
+ "name": "digest",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "default": "json",
+ "description": "Specify image-assessment scan report format. Supported formats: cyclonedx-json json sarif",
+ "name": "report_format",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetReportByScanID",
+ "GET",
+ "/image-assessment/entities/reports/v2/{uuid}",
+ "Get image assessment scan report by scan UUID (v2)",
+ "falcon_container",
+ [
+ {
+ "type": "string",
+ "description": "Scan UUID",
+ "name": "uuid",
+ "in": "path",
+ "required": True
+ },
+ {
+ "type": "string",
+ "default": "json",
+ "description": "Specify image-assessment scan report format. Supported formats: cyclonedx-json json sarif",
+ "name": "report_format",
+ "in": "query"
+ }
+ ]
]
]
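Review bot: `GetReportByReference` declares `registry`, `repository`, `tag`, `image_id` and `digest` all as optional with one-word descriptions, so nothing in this table tells a caller which combination selects a report (presumably a registry/repository/tag triple or an `image_id`/`digest` lookup, but that is only inferred from the names). The operation summary or the parameter descriptions should state the accepted combinations, for example `"Get image assessment scan report by image reference (v2). Identify the image by registry/repository/tag, or by image_id and/or digest."`, to be confirmed against the upstream spec. `PolicyChecks`, by contrast, marks `repository` and `tag` required but leaves `registry` optional, and its `registry` description should say what is assumed when it is omitted.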
diff --git a/src/falconpy/_endpoint/_host_migration.py b/src/falconpy/_endpoint/_host_migration.py
index 6d5dc32f..42d3badd 100644
--- a/src/falconpy/_endpoint/_host_migration.py
+++ b/src/falconpy/_endpoint/_host_migration.py
@@ -215,39 +215,39 @@
},
{
"enum": [
- "target_cid|asc",
- "target_cid|desc",
- "target_cid",
- "source_cid|asc",
- "source_cid|desc",
- "source_cid",
- "host_migration_id|asc",
- "host_migration_id|desc",
- "host_migration_id",
"groups|asc",
"groups|desc",
"groups",
- "static_host_groups|asc",
- "static_host_groups|desc",
- "static_host_groups",
"hostname|asc",
"hostname|desc",
"hostname",
"status|asc",
"status|desc",
"status",
- "migration_id|asc",
- "migration_id|desc",
- "migration_id",
- "id|asc",
- "id|desc",
- "id",
"created_time|asc",
"created_time|desc",
"created_time",
+ "host_migration_id|asc",
+ "host_migration_id|desc",
+ "host_migration_id",
"hostgroups|asc",
"hostgroups|desc",
- "hostgroups"
+ "hostgroups",
+ "static_host_groups|asc",
+ "static_host_groups|desc",
+ "static_host_groups",
+ "target_cid|asc",
+ "target_cid|desc",
+ "target_cid",
+ "source_cid|asc",
+ "source_cid|desc",
+ "source_cid",
+ "migration_id|asc",
+ "migration_id|desc",
+ "migration_id",
+ "id|asc",
+ "id|desc",
+ "id"
],
"type": "string",
"description": "The property to sort by.",
@@ -257,8 +257,8 @@
{
"type": "string",
"description": "The filter expression that should be used to limit the results. Valid fields: "
- "migration_id, id, created_time, hostgroups, static_host_groups, hostname, status, groups, target_cid, "
- "source_cid, host_migration_id",
+ "created_time, host_migration_id, hostgroups, static_host_groups, target_cid, source_cid, migration_id, id, "
+ "groups, hostname, status",
"name": "filter",
"in": "query"
}
@@ -317,8 +317,8 @@
},
{
"type": "string",
- "description": "The filter expression that should be used to limit the results. Valid fields: "
- "migration_status, created_by, created_time, name, id, migration_id, target_cid, status",
+ "description": "The filter expression that should be used to limit the results. Valid fields: name, "
+ "id, migration_id, target_cid, status, migration_status, created_by, created_time",
"name": "filter",
"in": "query"
}
diff --git a/src/falconpy/_endpoint/_hosts.py b/src/falconpy/_endpoint/_hosts.py
index 052a72b9..207768e8 100644
--- a/src/falconpy/_endpoint/_hosts.py
+++ b/src/falconpy/_endpoint/_hosts.py
@@ -60,175 +60,187 @@
},
{
"enum": [
- "device_policies.jumpcloud.policy_id",
- "group_hash",
- "k8s_cluster_id",
- "linux_sensor_mode",
- "host_utc_offset",
- "first_seen",
- "platform_id",
- "pod_annotations",
- "internet_exposure",
- "filesystem_containment_status",
- "device_policies.browser-extension.policy_id",
- "agent_load_flags",
- "os_version",
- "device_policies.system-tray.applied",
- "device_policies.fim.policy_type",
- "device_policies.automox.applied",
- "device_policies.consumer-subscription.applied",
- "device_policies.sca.applied",
- "device_policies.firewall.applied",
- "bios_version",
- "migration_completed_time",
- "default_gateway_ip",
- "device_policies.fim.applied",
- "device_policies.vulnerability-management.policy_type",
- "device_policies.vulnerability-management.applied",
+ "os_build",
+ "product_type_desc",
+ "device_policies.prevention.policy_type",
+ "device_policies.kubernetes-admission-control.policy_type",
+ "device_policies.kubernetes-admission-control.applied",
"instance_id",
- "service_provider_account_id",
- "device_policies.firewall.policy_type",
- "connection_ip",
- "local_ip",
- "device_policies.consumer-subscription.policy_type",
- "device_policies.host-retention.policy_type",
- "device_policies.mobile.applied",
- "chassis_type",
- "device_policies.network-scan-content.policy_type",
- "groups",
- "last_seen",
+ "email",
+ "detection_suppression_status",
+ "config_id_build",
+ "minor_version",
"device_policies.sensor_update.policy_id",
- "device_policies.sensor_update.uninstall_protection",
- "device_policies.kubernetes-admission-control.applied",
- "device_policies.system-tray.policy_type",
- "device_policies.content-update.applied",
- "device_policies.it-automation.policy_id",
- "managed_apps.jumpcloud.version",
- "device_policies.remote_response.applied",
- "device_policies.browser-extension.policy_type",
- "external_ip",
+ "device_policies.jumpcloud.policy_id",
+ "device_policies.system-tray.applied",
+ "device_policies.consumer-subscription.policy_id",
+ "device_policies.data-protection.policy_type",
+ "group_hash",
+ "machine_domain",
+ "system_product_name",
"policies.policy_type",
"device_policies.ztl.policy_type",
+ "device_policies.sca.policy_id",
+ "device_policies.data-protection.policy_id",
"device_policies.aws-verified-access.policy_id",
- "kernel_version",
- "product_type",
- "device_policies.content-update.policy_id",
- "ou",
- "device_policies.prevention.policy_type",
- "service_provider",
- "cpu_vendor",
- "site_name",
- "device_policies.jumpcloud.policy_type",
- "local_ip.raw",
- "managed_apps.airlock.version",
- "pod_namespace",
- "cid",
- "device_policies.airlock.applied",
- "device_policies.kubernetes-admission-control.policy_type",
- "device_policies.vulnerability-management.policy_id",
- "device_policies.data-protection.policy_type",
- "device_policies.mobile.policy_type",
- "pod_host_ip4",
- "connection_mac_address",
- "device_id",
- "major_version",
- "device_policies.consumer-subscription.policy_id",
- "mac_address",
- "managed_apps.identity-protection.version",
- "device_policies.remote_response.policy_type",
- "pod_hostname",
- "first_login_timestamp",
- "device_policies.device_control.policy_type",
- "device_policies.identity-protection.applied",
- "managed_apps.aws-verified-access.version",
- "pod_id",
- "release_group",
- "device_policies.ztl.applied",
- "license_activation_state",
- "os_product_name",
- "first_login_user",
- "device_policies.identity-protection.policy_type",
- "device_policies.jumpcloud.applied",
- "device_policies.host-retention.applied",
- "last_login_timestamp",
- "policies.applied",
+ "device_policies.browser-extension.applied",
+ "os_version",
"device_policies.sensor_update.policy_type",
- "device_policies.airlock.policy_type",
- "device_policies.kubernetes-admission-control.policy_id",
- "product_type_desc",
- "device_policies.device_control.applied",
+ "device_policies.netskope.policy_type",
"device_policies.it-automation.applied",
- "device_policies.firewall.rule_set_id",
- "device_policies.mobile.policy_id",
- "serial_number",
- "detection_suppression_status",
+ "_all",
+ "device_policies.browser-extension.policy_id",
+ "device_policies.device_control.applied",
+ "device_policies.airlock.policy_type",
+ "managed_apps.aws-verified-access.version",
+ "device_policies.network-scan-content.policy_type",
+ "device_policies.exposure-management.policy_type",
+ "managed_apps.jumpcloud.version",
+ "connection_ip",
+ "agent_version",
+ "platform_id",
+ "device_policies.automox.policy_type",
+ "k8s_cluster_id",
+ "host_utc_offset",
"last_login_uid",
- "last_login_user_sid",
- "modified_timestamp",
- "device_policies.data-protection.applied",
+ "device_policies.jumpcloud.policy_type",
+ "device_policies.fim.policy_id",
+ "service_provider_account_id",
+ "device_policies.mobile.policy_id",
+ "zone_group",
+ "deployment_type",
+ "device_policies.logscale-collector.applied",
+ "status",
+ "device_policies.prevention.applied",
+ "device_policies.identity-protection.policy_type",
+ "device_policies.kubernetes-admission-control.policy_id",
+ "pod_service_account_name",
+ "first_login_user",
+ "local_ip",
+ "device_policies.remote_response.policy_id",
+ "rtr_state",
+ "pod_host_ip6",
+ "connection_mac_address",
+ "k8s_cluster_version",
"device_policies.automox.policy_id",
"device_policies.netskope.applied",
- "device_policies.data-protection.policy_id",
- "machine_domain",
- "minor_version",
- "platform_name",
- "status",
+ "device_policies.fim.applied",
+ "device_policies.vulnerability-management.policy_id",
+ "managed_apps.automox.version",
+ "managed_apps.netskope.version",
+ "external_ip",
"device_policies.system-tray.policy_id",
- "device_policies.firewall.policy_id",
- "os_build",
- "device_policies.prevention.policy_id",
- "device_policies.netskope.policy_type",
- "pod_ip4",
- "device_policies.browser-extension.applied",
+ "cpu_signature",
+ "first_login_timestamp",
+ "device_policies.system-tray.policy_type",
+ "device_policies.firewall.applied",
+ "device_policies.airlock.policy_id",
+ "device_policies.host-retention.applied",
+ "service_provider",
+ "pod_id",
+ "internet_exposure",
+ "k8s_cluster_git_version",
"config_id_base",
- "last_login_user",
- "system_product_name",
+ "device_policies.sca.applied",
+ "managed_apps.airlock.version",
+ "pod_labels",
"policy_id",
"policies.policy_id",
- "device_policies.remote_response.policy_id",
- "config_id_platform",
- "hostname",
- "device_policies.device_control.policy_id",
- "device_policies.fim.policy_id",
- "_all",
- "managed_apps.automox.version",
- "deployment_type",
- "chassis_type_desc",
- "device_policies.sca.policy_type",
- "device_policies.sca.policy_id",
+ "local_ip.raw",
+ "device_policies.mobile.policy_type",
+ "managed_apps.identity-protection.version",
+ "chassis_type",
+ "first_seen",
+ "major_version",
+ "license_activation_state",
+ "linux_sensor_mode",
+ "device_id",
+ "last_login_user_sid",
+ "product_type",
+ "policies.applied",
+ "device_policies.content-update.policy_id",
"device_policies.it-automation.policy_type",
- "email",
- "k8s_cluster_git_version",
+ "tags",
+ "pod_hostname",
+ "device_policies.sensor_update.uninstall_protection",
+ "device_policies.ztl.applied",
+ "device_policies.cloud-ml.applied",
+ "mac_address",
+ "default_gateway_ip",
"last_reboot",
- "pod_ip6",
- "agent_version",
- "config_id_build",
- "device_policies.airlock.policy_id",
- "device_policies.netskope.policy_id",
- "reduced_functionality_mode",
- "rtr_state",
- "cpu_signature",
- "pod_service_account_name",
- "k8s_cluster_version",
"device_policies.network-scan-content.applied",
- "device_policies.automox.policy_type",
+ "device_policies.exposure-management.policy_id",
+ "device_policies.prevention.policy_id",
+ "device_policies.sca.policy_type",
+ "device_policies.host-retention.policy_id",
+ "device_policies.firewall.rule_set_id",
+ "device_policies.cloud-ml.policy_type",
+ "device_policies.firewall.policy_id",
+ "pod_host_ip4",
+ "chassis_type_desc",
+ "agent_load_flags",
+ "config_id_platform",
+ "device_policies.aws-verified-access.applied",
+ "groups",
+ "device_policies.firewall.policy_type",
+ "reduced_functionality_mode",
+ "kernel_version",
+ "device_policies.fem-browser-extension-control.applied",
+ "cid",
+ "device_policies.it-automation.policy_id",
+ "last_login_timestamp",
+ "last_login_user",
+ "last_seen",
+ "device_policies.sensor_update.applied",
+ "device_policies.jumpcloud.applied",
+ "device_policies.data-protection.applied",
+ "device_policies.mobile.applied",
+ "cpu_vendor",
"device_policies.content-update.policy_type",
+ "device_policies.remote_response.policy_type",
+ "serial_number",
+ "pod_annotations",
+ "device_policies.browser-extension.policy_type",
+ "bios_manufacturer",
+ "ou",
+ "site_name",
+ "system_manufacturer",
+ "device_policies.device_control.policy_id",
+ "device_policies.identity-protection.applied",
+ "device_policies.ztl.policy_id",
"device_policies.aws-verified-access.policy_type",
- "zone_group",
- "pod_host_ip6",
+ "bios_version",
+ "device_policies.device_control.policy_type",
+ "device_policies.vulnerability-management.policy_type",
+ "device_policies.content-update.applied",
+ "device_policies.host-retention.policy_type",
+ "pod_ip6",
"pod_name",
- "device_policies.prevention.applied",
- "device_policies.sensor_update.applied",
- "device_policies.ztl.policy_id",
- "device_policies.aws-verified-access.applied",
- "pod_labels",
- "bios_manufacturer",
- "managed_apps.netskope.version",
- "tags",
+ "filesystem_containment_status",
+ "release_group",
+ "device_policies.automox.applied",
+ "device_policies.logscale-collector.policy_type",
+ "device_policies.logscale-collector.policy_id",
+ "hostname",
+ "platform_name",
"device_policies.network-scan-content.policy_id",
- "system_manufacturer",
+ "device_policies.exposure-management.applied",
+ "device_policies.fem-browser-extension-control.policy_type",
"device_policies.identity-protection.policy_id",
- "device_policies.host-retention.policy_id"
+ "device_policies.fim.policy_type",
+ "device_policies.consumer-subscription.applied",
+ "device_policies.remote_response.applied",
+ "modified_timestamp",
+ "device_policies.airlock.applied",
+ "device_policies.netskope.policy_id",
+ "device_policies.vulnerability-management.applied",
+ "device_policies.cloud-ml.policy_id",
+ "pod_ip4",
+ "os_product_name",
+ "migration_completed_time",
+ "device_policies.consumer-subscription.policy_type",
+ "pod_namespace",
+ "device_policies.fem-browser-extension-control.policy_id"
],
"type": "string",
"description": "The property to sort by (e.g. status.desc or hostname.asc). If not specified, the "
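Review bot: The sort `enum` is emitted in an arbitrary order, so adding a handful of new values (`device_policies.exposure-management.*`, `device_policies.cloud-ml.*`, `device_policies.fem-browser-extension-control.*`, `device_policies.logscale-collector.*`, `device_policies.sensor_update.applied`) turns into a roughly 330-line reorder in which the real additions and removals cannot be picked out by a reviewer. If the generator permits it, sorting the values (e.g. `sorted(values)` at generation time, or hand-sorting here) would make future spec refreshes reviewable as pure insertions; the same list is repeated verbatim in the hunk at `@@ -317,176 +350,188 @@`, which would benefit from the same ordering. For an allowed-value list the order should carry no runtime meaning, so the reordering itself looks behaviour-neutral, but that is worth a quick check against whatever consumes this enum.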
@@ -274,6 +286,27 @@
"Timeline. A max of 10 device ids can be specified",
"hosts",
[
+ {
+ "type": "integer",
+ "default": 10,
+ "description": "The maximum number of results to return [1-100].",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "default": "now-7d",
+ "description": "The inclusive beginning of the time window to search.",
+ "name": "from",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "default": "now",
+ "description": "The inclusive end of the time window to search.",
+ "name": "to",
+ "in": "query"
+ },
{
"name": "body",
"in": "body",
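Review bot: The new `from` query parameter is a Python keyword, so if this endpoint is exposed through the usual keyword-argument wrapper a caller cannot write `from="now-7d"` (a syntax error) and must pass it via a `parameters` dict or `**{"from": ...}`; the service-class method mapped to this endpoint should say so in its docstring, e.g. `# 'from' is a reserved word in Python; pass it via parameters={"from": "now-7d"}`. The `limit` description states `[1-100]` with a default of 10, which is consistent, but neither bound is expressed in the table, so out-of-range values will only be rejected server-side, if at all. The enclosing endpoint entry starts before this hunk.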
@@ -317,176 +350,188 @@
"in": "query"
},
{
- "enum": [
- "device_policies.jumpcloud.policy_id",
- "group_hash",
- "k8s_cluster_id",
- "linux_sensor_mode",
- "host_utc_offset",
- "first_seen",
- "platform_id",
- "pod_annotations",
- "internet_exposure",
- "filesystem_containment_status",
- "device_policies.browser-extension.policy_id",
- "agent_load_flags",
- "os_version",
- "device_policies.system-tray.applied",
- "device_policies.fim.policy_type",
- "device_policies.automox.applied",
- "device_policies.consumer-subscription.applied",
- "device_policies.sca.applied",
- "device_policies.firewall.applied",
- "bios_version",
- "migration_completed_time",
- "default_gateway_ip",
- "device_policies.fim.applied",
- "device_policies.vulnerability-management.policy_type",
- "device_policies.vulnerability-management.applied",
- "instance_id",
- "service_provider_account_id",
- "device_policies.firewall.policy_type",
- "connection_ip",
- "local_ip",
- "device_policies.consumer-subscription.policy_type",
- "device_policies.host-retention.policy_type",
- "device_policies.mobile.applied",
- "chassis_type",
- "device_policies.network-scan-content.policy_type",
- "groups",
- "last_seen",
- "device_policies.sensor_update.policy_id",
- "device_policies.sensor_update.uninstall_protection",
+ "enum": [
+ "os_build",
+ "product_type_desc",
+ "device_policies.prevention.policy_type",
+ "device_policies.kubernetes-admission-control.policy_type",
"device_policies.kubernetes-admission-control.applied",
- "device_policies.system-tray.policy_type",
- "device_policies.content-update.applied",
- "device_policies.it-automation.policy_id",
- "managed_apps.jumpcloud.version",
- "device_policies.remote_response.applied",
- "device_policies.browser-extension.policy_type",
- "external_ip",
+ "instance_id",
+ "email",
+ "detection_suppression_status",
+ "config_id_build",
+ "minor_version",
+ "device_policies.sensor_update.policy_id",
+ "device_policies.jumpcloud.policy_id",
+ "device_policies.system-tray.applied",
+ "device_policies.consumer-subscription.policy_id",
+ "device_policies.data-protection.policy_type",
+ "group_hash",
+ "machine_domain",
+ "system_product_name",
"policies.policy_type",
"device_policies.ztl.policy_type",
+ "device_policies.sca.policy_id",
+ "device_policies.data-protection.policy_id",
"device_policies.aws-verified-access.policy_id",
- "kernel_version",
- "product_type",
- "device_policies.content-update.policy_id",
- "ou",
- "device_policies.prevention.policy_type",
- "service_provider",
- "cpu_vendor",
- "site_name",
- "device_policies.jumpcloud.policy_type",
- "local_ip.raw",
- "managed_apps.airlock.version",
- "pod_namespace",
- "cid",
- "device_policies.airlock.applied",
- "device_policies.kubernetes-admission-control.policy_type",
- "device_policies.vulnerability-management.policy_id",
- "device_policies.data-protection.policy_type",
- "device_policies.mobile.policy_type",
- "pod_host_ip4",
- "connection_mac_address",
- "device_id",
- "major_version",
- "device_policies.consumer-subscription.policy_id",
- "mac_address",
- "managed_apps.identity-protection.version",
- "device_policies.remote_response.policy_type",
- "pod_hostname",
- "first_login_timestamp",
- "device_policies.device_control.policy_type",
- "device_policies.identity-protection.applied",
- "managed_apps.aws-verified-access.version",
- "pod_id",
- "release_group",
- "device_policies.ztl.applied",
- "license_activation_state",
- "os_product_name",
- "first_login_user",
- "device_policies.identity-protection.policy_type",
- "device_policies.jumpcloud.applied",
- "device_policies.host-retention.applied",
- "last_login_timestamp",
- "policies.applied",
+ "device_policies.browser-extension.applied",
+ "os_version",
"device_policies.sensor_update.policy_type",
- "device_policies.airlock.policy_type",
- "device_policies.kubernetes-admission-control.policy_id",
- "product_type_desc",
- "device_policies.device_control.applied",
+ "device_policies.netskope.policy_type",
"device_policies.it-automation.applied",
- "device_policies.firewall.rule_set_id",
- "device_policies.mobile.policy_id",
- "serial_number",
- "detection_suppression_status",
+ "_all",
+ "device_policies.browser-extension.policy_id",
+ "device_policies.device_control.applied",
+ "device_policies.airlock.policy_type",
+ "managed_apps.aws-verified-access.version",
+ "device_policies.network-scan-content.policy_type",
+ "device_policies.exposure-management.policy_type",
+ "managed_apps.jumpcloud.version",
+ "connection_ip",
+ "agent_version",
+ "platform_id",
+ "device_policies.automox.policy_type",
+ "k8s_cluster_id",
+ "host_utc_offset",
"last_login_uid",
- "last_login_user_sid",
- "modified_timestamp",
- "device_policies.data-protection.applied",
+ "device_policies.jumpcloud.policy_type",
+ "device_policies.fim.policy_id",
+ "service_provider_account_id",
+ "device_policies.mobile.policy_id",
+ "zone_group",
+ "deployment_type",
+ "device_policies.logscale-collector.applied",
+ "status",
+ "device_policies.prevention.applied",
+ "device_policies.identity-protection.policy_type",
+ "device_policies.kubernetes-admission-control.policy_id",
+ "pod_service_account_name",
+ "first_login_user",
+ "local_ip",
+ "device_policies.remote_response.policy_id",
+ "rtr_state",
+ "pod_host_ip6",
+ "connection_mac_address",
+ "k8s_cluster_version",
"device_policies.automox.policy_id",
"device_policies.netskope.applied",
- "device_policies.data-protection.policy_id",
- "machine_domain",
- "minor_version",
- "platform_name",
- "status",
+ "device_policies.fim.applied",
+ "device_policies.vulnerability-management.policy_id",
+ "managed_apps.automox.version",
+ "managed_apps.netskope.version",
+ "external_ip",
"device_policies.system-tray.policy_id",
- "device_policies.firewall.policy_id",
- "os_build",
- "device_policies.prevention.policy_id",
- "device_policies.netskope.policy_type",
- "pod_ip4",
- "device_policies.browser-extension.applied",
+ "cpu_signature",
+ "first_login_timestamp",
+ "device_policies.system-tray.policy_type",
+ "device_policies.firewall.applied",
+ "device_policies.airlock.policy_id",
+ "device_policies.host-retention.applied",
+ "service_provider",
+ "pod_id",
+ "internet_exposure",
+ "k8s_cluster_git_version",
"config_id_base",
- "last_login_user",
- "system_product_name",
+ "device_policies.sca.applied",
+ "managed_apps.airlock.version",
+ "pod_labels",
"policy_id",
"policies.policy_id",
- "device_policies.remote_response.policy_id",
- "config_id_platform",
- "hostname",
- "device_policies.device_control.policy_id",
- "device_policies.fim.policy_id",
- "_all",
- "managed_apps.automox.version",
- "deployment_type",
- "chassis_type_desc",
- "device_policies.sca.policy_type",
- "device_policies.sca.policy_id",
+ "local_ip.raw",
+ "device_policies.mobile.policy_type",
+ "managed_apps.identity-protection.version",
+ "chassis_type",
+ "first_seen",
+ "major_version",
+ "license_activation_state",
+ "linux_sensor_mode",
+ "device_id",
+ "last_login_user_sid",
+ "product_type",
+ "policies.applied",
+ "device_policies.content-update.policy_id",
"device_policies.it-automation.policy_type",
- "email",
- "k8s_cluster_git_version",
+ "tags",
+ "pod_hostname",
+ "device_policies.sensor_update.uninstall_protection",
+ "device_policies.ztl.applied",
+ "device_policies.cloud-ml.applied",
+ "mac_address",
+ "default_gateway_ip",
"last_reboot",
- "pod_ip6",
- "agent_version",
- "config_id_build",
- "device_policies.airlock.policy_id",
- "device_policies.netskope.policy_id",
- "reduced_functionality_mode",
- "rtr_state",
- "cpu_signature",
- "pod_service_account_name",
- "k8s_cluster_version",
"device_policies.network-scan-content.applied",
- "device_policies.automox.policy_type",
+ "device_policies.exposure-management.policy_id",
+ "device_policies.prevention.policy_id",
+ "device_policies.sca.policy_type",
+ "device_policies.host-retention.policy_id",
+ "device_policies.firewall.rule_set_id",
+ "device_policies.cloud-ml.policy_type",
+ "device_policies.firewall.policy_id",
+ "pod_host_ip4",
+ "chassis_type_desc",
+ "agent_load_flags",
+ "config_id_platform",
+ "device_policies.aws-verified-access.applied",
+ "groups",
+ "device_policies.firewall.policy_type",
+ "reduced_functionality_mode",
+ "kernel_version",
+ "device_policies.fem-browser-extension-control.applied",
+ "cid",
+ "device_policies.it-automation.policy_id",
+ "last_login_timestamp",
+ "last_login_user",
+ "last_seen",
+ "device_policies.sensor_update.applied",
+ "device_policies.jumpcloud.applied",
+ "device_policies.data-protection.applied",
+ "device_policies.mobile.applied",
+ "cpu_vendor",
"device_policies.content-update.policy_type",
+ "device_policies.remote_response.policy_type",
+ "serial_number",
+ "pod_annotations",
+ "device_policies.browser-extension.policy_type",
+ "bios_manufacturer",
+ "ou",
+ "site_name",
+ "system_manufacturer",
+ "device_policies.device_control.policy_id",
+ "device_policies.identity-protection.applied",
+ "device_policies.ztl.policy_id",
"device_policies.aws-verified-access.policy_type",
- "zone_group",
- "pod_host_ip6",
+ "bios_version",
+ "device_policies.device_control.policy_type",
+ "device_policies.vulnerability-management.policy_type",
+ "device_policies.content-update.applied",
+ "device_policies.host-retention.policy_type",
+ "pod_ip6",
"pod_name",
- "device_policies.prevention.applied",
- "device_policies.sensor_update.applied",
- "device_policies.ztl.policy_id",
- "device_policies.aws-verified-access.applied",
- "pod_labels",
- "bios_manufacturer",
- "managed_apps.netskope.version",
- "tags",
+ "filesystem_containment_status",
+ "release_group",
+ "device_policies.automox.applied",
+ "device_policies.logscale-collector.policy_type",
+ "device_policies.logscale-collector.policy_id",
+ "hostname",
+ "platform_name",
"device_policies.network-scan-content.policy_id",
- "system_manufacturer",
+ "device_policies.exposure-management.applied",
+ "device_policies.fem-browser-extension-control.policy_type",
"device_policies.identity-protection.policy_id",
- "device_policies.host-retention.policy_id"
+ "device_policies.fim.policy_type",
+ "device_policies.consumer-subscription.applied",
+ "device_policies.remote_response.applied",
+ "modified_timestamp",
+ "device_policies.airlock.applied",
+ "device_policies.netskope.policy_id",
+ "device_policies.vulnerability-management.applied",
+ "device_policies.cloud-ml.policy_id",
+ "pod_ip4",
+ "os_product_name",
+ "migration_completed_time",
+ "device_policies.consumer-subscription.policy_type",
+ "pod_namespace",
+ "device_policies.fem-browser-extension-control.policy_id"
],
"type": "string",
"description": "The property to sort by (e.g. status.desc or hostname.asc). If not specified, the "
diff --git a/src/falconpy/_endpoint/_identity_protection.py b/src/falconpy/_endpoint/_identity_protection.py
index 4aa6c23a..910e5b32 100644
--- a/src/falconpy/_endpoint/_identity_protection.py
+++ b/src/falconpy/_endpoint/_identity_protection.py
@@ -60,10 +60,8 @@
"identity_protection",
[
{
- "type": "string",
- "description": "Authorization Header",
- "name": "Authorization",
- "in": "header",
+ "name": "body",
+ "in": "body",
"required": True
}
]
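Review bot: This hunk does more than the four that follow it in the same file: besides dropping the `Authorization` header entry, it adds a `body` parameter with `"required": True` to an operation whose name sits above the hunk, so the change to that operation's input contract is not visible here. Dropping the header entry is consistent with the SDK attaching the bearer token itself rather than treating it as a caller-supplied parameter, but the new required body should be cross-checked against the public wrapper for this operation so that it actually sends one. The same `Authorization` removal appears in the hunks at `@@ -89`, `@@ -119`, `@@ -140` and `@@ -203`; those only delete the entry and need no further action.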
@@ -89,13 +87,6 @@
"Get policy rules",
"identity_protection",
[
- {
- "type": "string",
- "description": "Authorization Header",
- "name": "Authorization",
- "in": "header",
- "required": True
- },
{
"maxItems": 100,
"minItems": 1,
@@ -119,13 +110,6 @@
"Create policy rule",
"identity_protection",
[
- {
- "type": "string",
- "description": "Authorization Header",
- "name": "Authorization",
- "in": "header",
- "required": True
- },
{
"name": "body",
"in": "body",
@@ -140,13 +124,6 @@
"Delete policy rules",
"identity_protection",
[
- {
- "type": "string",
- "description": "Authorization Header",
- "name": "Authorization",
- "in": "header",
- "required": True
- },
{
"maxItems": 100,
"minItems": 1,
@@ -203,13 +180,6 @@
"Query policy rule IDs",
"identity_protection",
[
- {
- "type": "string",
- "description": "Authorization Header",
- "name": "Authorization",
- "in": "header",
- "required": True
- },
{
"type": "boolean",
"description": "Whether the rule is enabled",
diff --git a/src/falconpy/_endpoint/_intel.py b/src/falconpy/_endpoint/_intel.py
index 74e138e7..1bee83ac 100644
--- a/src/falconpy/_endpoint/_intel.py
+++ b/src/falconpy/_endpoint/_intel.py
@@ -131,7 +131,7 @@
"description": "Filter your query by specifying FQL filter parameters. Filter parameters "
"include:\n\n_marker, actors, deleted, domain_types, id, indicator, ip_address_types, kill_chains, labels, "
"labels.created_on, labels.last_valid_on, labels.name, last_updated, malicious_confidence, malware_families, "
- "published_date, reports, scope, targets, threat_types, type, vulnerabilities.",
+ "published_date, reports, reports.slug, scope, targets, threat_types, type, vulnerabilities.",
"name": "filter",
"in": "query"
},
@@ -235,8 +235,8 @@
"include:\n\nactors, actors.animal_classifier, actors.id, actors.name, actors.slug, actors.url, created_date, "
"description, id, last_modified_date, malware, malware.community_identifiers, malware.family_name, "
"malware.slug, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, "
- "short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, "
- "tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, "
+ "short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, summary, tags, tags.id, "
+ "tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, "
"target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, "
"type.name, type.slug, url.",
"name": "filter",
@@ -629,7 +629,7 @@
"description": "Filter your query by specifying FQL filter parameters. Filter parameters "
"include:\n\n_marker, actors, deleted, domain_types, id, indicator, ip_address_types, kill_chains, labels, "
"labels.created_on, labels.last_valid_on, labels.name, last_updated, malicious_confidence, malware_families, "
- "published_date, reports, scope, targets, threat_types, type, vulnerabilities.",
+ "published_date, reports, reports.slug, scope, targets, threat_types, type, vulnerabilities.",
"name": "filter",
"in": "query"
},
@@ -771,8 +771,8 @@
"include:\n\nactors, actors.animal_classifier, actors.id, actors.name, actors.slug, actors.url, created_date, "
"description, id, last_modified_date, malware, malware.community_identifiers, malware.family_name, "
"malware.slug, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, "
- "short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, "
- "tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, "
+ "short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, summary, tags, tags.id, "
+ "tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, "
"target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, "
"type.name, type.slug, url.",
"name": "filter",
diff --git a/src/falconpy/_endpoint/_intelligence_feeds.py b/src/falconpy/_endpoint/_intelligence_feeds.py
index 50f53441..108675f3 100644
--- a/src/falconpy/_endpoint/_intelligence_feeds.py
+++ b/src/falconpy/_endpoint/_intelligence_feeds.py
@@ -77,10 +77,12 @@
},
{
"type": "string",
- "description": "Feed interval must be one of: dump|daily|hourly|minutely",
+ "description": "Feed interval must be one of: dump: Complete historical data snapshot daily: Daily "
+ "aggregated updates hourly: Hourly incremental updates minutely: Minute-by-minute updates any: Automatically "
+ " combines the appropriate intervals to provide complete, up-to-date data with minimal overlap\n\nDefaults to "
+ "'any' if not specified.",
"name": "feed_interval",
- "in": "query",
- "required": True
+ "in": "query"
},
{
"type": "string",
diff --git a/src/falconpy/_endpoint/_intelligence_indicator_graph.py b/src/falconpy/_endpoint/_intelligence_indicator_graph.py
index 8d30702e..98f44f76 100644
--- a/src/falconpy/_endpoint/_intelligence_indicator_graph.py
+++ b/src/falconpy/_endpoint/_intelligence_indicator_graph.py
@@ -53,7 +53,11 @@
},
{
"type": "string",
- "description": "FQL query specifying the filter parameters.",
+ "description": "\nFQL query specifying the filter parameters.\n\t\t\t\t\t\t\n**Filter parameters "
+ "include:** Type, LastUpdated, KillChain, MaliciousConfidence, MaliciousConfidenceValidatedTime, FirstSeen, "
+ "LastSeen, \nAdversaries.Name, Adversaries.Slug, Reports.Title, Reports.Slug, Threats.FamilyName, "
+ "Vulnerabilities.CVE, Sectors.Name, FileDetails.SHA256, \nFileDetails.SHA1, FileDetails.MD5, "
+ "DomainDetails.Detail, IPv4Details.IPv4, IPv6Details.IPv6, URLDetails.URL and others",
"name": "filter",
"in": "query"
},
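Review bot: The new `filter` description embeds raw layout characters from the upstream specification: a leading `\n`, a run of six `\t`, and stray `\n` before "Adversaries.Name" and "FileDetails.SHA1". These are emitted verbatim into any help text or generated documentation built from this table, which makes the field list harder to read than the single-line descriptions used elsewhere in the file. I would strip the whitespace artifacts so the string reads "FQL query specifying the filter parameters. Filter parameters include: Type, LastUpdated, ..." on one logical line, keeping the field names exactly as given.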
diff --git a/src/falconpy/_endpoint/_it_automation.py b/src/falconpy/_endpoint/_it_automation.py
index b582346e..38faecd8 100644
--- a/src/falconpy/_endpoint/_it_automation.py
+++ b/src/falconpy/_endpoint/_it_automation.py
@@ -257,6 +257,81 @@
}
]
],
+ [
+ "ITAutomationGetUserGroup",
+ "GET",
+ "/it-automation/entities/it-user-groups/v1",
+ "Returns user groups for each provided id",
+ "it_automation",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Comma separated values of user group ids to fetch",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "ITAutomationCreateUserGroup",
+ "POST",
+ "/it-automation/entities/it-user-groups/v1",
+ "Creates a user group from the given request",
+ "it_automation",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "ITAutomationUpdateUserGroup",
+ "PATCH",
+ "/it-automation/entities/it-user-groups/v1",
+ "Update a user group for a given id",
+ "it_automation",
+ [
+ {
+ "type": "string",
+ "description": "The id of the user groups to update",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "ITAutomationDeleteUserGroup",
+ "DELETE",
+ "/it-automation/entities/it-user-groups/v1",
+ "Deletes user groups for each provided ids",
+ "it_automation",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Comma separated values of user group ids to delete",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
[
"ITAutomationRunLiveQuery",
"POST",
@@ -584,8 +659,9 @@
"ITAutomationStartExecutionResultsSearch",
"POST",
"/it-automation/entities/task-execution-results-search/v1",
- "Starts an async task execution results search. Poll `ITAutomationGetExecutionResultsSearchStatus` to "
- "determine when the search is complete.",
+ "Starts an async task execution results search. Poll ITAutomationGetExecutionResultsSearchStatus to check "
+ "if the search is complete. You must retrieve the results using ITAutomationGetExecutionResults within 30 "
+ "seconds of completion, or the job will be deleted.",
"it_automation",
[
{
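Review bot: The retention windows stated in this hunk and the next one (`@@ -599`) appear to contradict each other: `ITAutomationStartExecutionResultsSearch` now says results must be retrieved within 30 seconds of completion "or the job will be deleted", while `ITAutomationGetExecutionResults` says results can be retrieved again for up to 24 hours. If the intended behavior is that the first retrieval must happen within 30 seconds and later retrievals are possible for 24 hours, the first description should say so explicitly, for example `"... You must make the first call to ITAutomationGetExecutionResults within 30 seconds of completion, or the job will be deleted; subsequent retrievals remain available for 24 hours."`. As written a consumer cannot tell which window governs. This is inferred from the two strings alone, so the actual service behavior should be confirmed before editing.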
@@ -599,8 +675,9 @@
"ITAutomationGetExecutionResults",
"GET",
"/it-automation/entities/task-execution-results/v1",
- "Get the task execution results from an async search. \n\nUse `ITAutomationStartExecutionResultsSearch` "
- "to begin the async search.",
+ "Get the task execution results from an async search. \n\nUse the ITAutomationStartExecutionResultsSearch "
+ " command to start the async search. You can retrieve the results again for up to 24 hours, after which they "
+ "will be deleted.",
"it_automation",
[
{
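Review bot: The concatenated description yields a double space in "ITAutomationStartExecutionResultsSearch  command", because the first fragment ends with a space and the second begins with one. Dropping the leading space on the second fragment fixes it: `"Get the task execution results from an async search. \n\nUse the ITAutomationStartExecutionResultsSearch "` followed by `"command to start the async search. You can retrieve the results again for up to 24 hours, after which they "`.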
@@ -818,6 +895,49 @@
}
]
],
+ [
+ "ITAutomationSearchUserGroup",
+ "GET",
+ "/it-automation/queries/it-user-groups/v1",
+ "Returns the list of user group ids matching the filter query parameter. It can be used together with the "
+ "entities endpoint to retrieve full information on user groups",
+ "it_automation",
+ [
+ {
+ "type": "string",
+ "description": "The filter expression that should be used to limit the results. Allowed filter fields: "
+ " [created_by, created_time, description, modified_by, modified_time, name] Example: "
+ "example_string_field:'example@example.com'+example_date_field:>='2024-08-27T03:21:32Z'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The sort expression that should be used to sort the results. Allowed sort fields: "
+ "[created_by, created_time, modified_by, modified_time, name]. Sort either asc (ascending) or desc "
+ "(descending). Example: example_field|asc",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "default": 0,
+ "description": "Starting index for record retrieval. Example: 100",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "maximum": 1000,
+ "minimum": 1,
+ "type": "integer",
+ "default": 100,
+ "description": "The maximum records to return. Example: 50",
+ "name": "limit",
+ "in": "query"
+ }
+ ]
+ ],
[
"ITAutomationQueryPolicies",
"GET",
diff --git a/src/falconpy/_endpoint/_kubernetes_protection.py b/src/falconpy/_endpoint/_kubernetes_protection.py
index 7a8536f6..5fba4838 100644
--- a/src/falconpy/_endpoint/_kubernetes_protection.py
+++ b/src/falconpy/_endpoint/_kubernetes_protection.py
@@ -58,7 +58,8 @@
"description": "Retrieve count of Kubernetes clusters that match a query in Falcon Query Language "
"(FQL). Supported filter fields: access agent_id agent_status agent_type cid cloud_account_id cloud_name"
" cloud_region cloud_service cluster_id cluster_name cluster_status container_count iar_coverage "
- "kac_agent_id kubernetes_version last_seen management_status node_count pod_count tags",
+ "kac_agent_id kubernetes_version last_seen management_status namespace node_count pod_count pod_name "
+ "tags",
"name": "filter",
"in": "query"
}
@@ -76,7 +77,8 @@
"description": "Retrieve count of Kubernetes clusters that match a query in Falcon Query Language "
"(FQL). Supported filter fields: access agent_id agent_status agent_type cid cloud_account_id cloud_name"
" cloud_region cloud_service cluster_id cluster_name cluster_status container_count iar_coverage "
- "kac_agent_id kubernetes_version last_seen management_status node_count pod_count tags",
+ "kac_agent_id kubernetes_version last_seen management_status namespace node_count pod_count pod_name "
+ "tags",
"name": "filter",
"in": "query"
}
@@ -94,7 +96,8 @@
"description": "Retrieve count of Kubernetes clusters that match a query in Falcon Query Language "
"(FQL). Supported filter fields: access agent_id agent_status agent_type cid cloud_account_id cloud_name"
" cloud_region cloud_service cluster_id cluster_name cluster_status container_count iar_coverage "
- "kac_agent_id kubernetes_version last_seen management_status node_count pod_count tags",
+ "kac_agent_id kubernetes_version last_seen management_status namespace node_count pod_count pod_name "
+ "tags",
"name": "filter",
"in": "query"
}
@@ -223,13 +226,13 @@
{
"type": "integer",
"default": 200,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 200.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
},
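Review bot: The `limit` description now states "Maximum limit: 200." and the `offset` description "Maximum offset = 10000 - limit", but neither bound is expressed in the parameter schema itself: the `limit` entry carries `"default": 200` with no `"maximum"` key, whereas the `ITAutomationSearchUserGroup` definition in this same commit declares both `"maximum": 1000` and `"minimum": 1`. Adding `"maximum": 200` (and, for the 100-record endpoints, `"maximum": 100`) keeps the documented bound and the schema in agreement and lets any schema-driven validation act on it. The same pattern appears in the hunks at `@@ -746`, `@@ -789`, `@@ -825`, `@@ -866`, `@@ -903`, `@@ -940`, `@@ -977`, `@@ -1015` and `@@ -1072`, and in the `PostSearchKubernetesIOMEntities` `limit` parameter, which documents "max: 500" without a `maximum` key.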
@@ -733,7 +736,7 @@
"description": "Search Kubernetes clusters using a query in Falcon Query Language (FQL). Supported "
"filter fields: access agent_id agent_status agent_type cid cloud_account_id cloud_name cloud_region "
"cloud_service cluster_id cluster_name cluster_status container_count iar_coverage kac_agent_id "
- "kubernetes_version last_seen management_status node_count pod_count tags",
+ "kubernetes_version last_seen management_status namespace node_count pod_count pod_name tags",
"name": "filter",
"in": "query"
},
@@ -746,13 +749,13 @@
{
"type": "integer",
"default": 200,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 200.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -762,7 +765,7 @@
"ReadClusterCombinedV2",
"GET",
"/container-security/combined/clusters/v2",
- "Retrieve kubernetes clusters identified by the provided filter criteria",
+ "Retrieve Kubernetes cluster data",
"kubernetes_protection",
[
{
@@ -770,7 +773,7 @@
"description": "Search Kubernetes clusters using a query in Falcon Query Language (FQL). Supported "
"filter fields: access agent_id agent_status agent_type cid cloud_account_id cloud_name cloud_region "
"cloud_service cluster_id cluster_name cluster_status container_count iar_coverage kac_agent_id "
- "kubernetes_version last_seen management_status node_count pod_count tags",
+ "kubernetes_version last_seen management_status namespace node_count pod_count pod_name tags",
"name": "filter",
"in": "query"
},
@@ -789,13 +792,13 @@
{
"type": "integer",
"default": 200,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 200.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -825,13 +828,13 @@
{
"type": "integer",
"default": 200,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 200.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -841,7 +844,8 @@
"ReadContainerCombined",
"GET",
"/container-security/combined/containers/v1",
- "Retrieve containers identified by the provided filter criteria",
+ "Retrieves a paginated list of containers identified by the provided filter criteria. Maximum page size: "
+ "200. Maximum available containers: 10,000",
"kubernetes_protection",
[
{
@@ -866,13 +870,13 @@
{
"type": "integer",
"default": 200,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 200.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -903,23 +907,61 @@
{
"type": "integer",
"default": 200,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 200.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
]
],
+ [
+ "PostSearchKubernetesIOMEntities",
+ "POST",
+ "/container-security/combined/kubernetes-ioms/search/v1",
+ "Search for Kubernetes IOMs with filtering options.Pagination is supported via Elasticsearch's "
+ "search_after search param and point in time. Assets are sorted by unique ID in ascending direction.",
+ "kubernetes_protection",
+ [
+ {
+ "type": "string",
+ "description": "Search Kubernetes IOMs using a query in Falcon Query Language (FQL). Supported filter "
+ "fields: cid cis_id cluster_id cluster_name containers_impacted_ai_related containers_impacted_count "
+ "containers_impacted_ids detection_type name namespace prevented resource_id resource_name resource_type"
+ "severity",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The fields to sort the records on.",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "Maximum number of records to return (default: 100, max: 500)",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
[
"SearchAndReadKubernetesIomEntities",
"GET",
"/container-security/combined/kubernetes-ioms/v1",
- "Search Kubernetes IOM by the provided search criteria",
+ "Retrieves a list of Kubernetes IOMs identified by the provided search criteria. Maximum page size: 100. "
+ "Maximum available Kubernetes IOMs: 10,000",
"kubernetes_protection",
[
{
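Review bot: The `filter` description of `PostSearchKubernetesIOMEntities` concatenates `"... resource_name resource_type"` directly with `"severity"`, so the rendered text reads "resource_typeseverity" and loses the last filter field. Adding the trailing space fixes it: `"containers_impacted_ids detection_type name namespace prevented resource_id resource_name resource_type "`. The operation description has the related typo "filtering options.Pagination" (missing space after the period). The `limit` description also says "max: 500" while the schema declares only `"default": 100`; a `"maximum": 500` entry would make the bound machine-readable.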
@@ -940,13 +982,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -977,13 +1019,13 @@
{
"type": "integer",
"default": 200,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 200.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -1015,13 +1057,13 @@
{
"type": "integer",
"default": 200,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 200.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
@@ -1072,13 +1114,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
diff --git a/src/falconpy/_endpoint/_message_center.py b/src/falconpy/_endpoint/_message_center.py
index 397590d5..1cdf58b6 100644
--- a/src/falconpy/_endpoint/_message_center.py
+++ b/src/falconpy/_endpoint/_message_center.py
@@ -187,7 +187,7 @@
"in": "query"
},
{
- "type": "string",
+ "type": "integer",
"description": "Starting index of overall result set from which to return ids.",
"name": "offset",
"in": "query"
@@ -244,7 +244,7 @@
"in": "query"
},
{
- "type": "string",
+ "type": "integer",
"description": "Starting index of overall result set from which to return ids.",
"name": "offset",
"in": "query"
diff --git a/src/falconpy/_endpoint/_ngsiem.py b/src/falconpy/_endpoint/_ngsiem.py
index f3e1a368..85495fa0 100644
--- a/src/falconpy/_endpoint/_ngsiem.py
+++ b/src/falconpy/_endpoint/_ngsiem.py
@@ -217,5 +217,563 @@
"required": True
}
]
+ ],
+ [
+ "GetDashboardTemplate",
+ "GET",
+ "/ngsiem-content/entities/dashboards-template/v1",
+ "Retrieve Dashboard in NGSIEM as LogScale YAML Template",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "dashboard ID value",
+ "name": "ids",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party, dashboards",
+ "name": "search_domain",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "CreateDashboardFromTemplate",
+ "POST",
+ "/ngsiem-content/entities/dashboards-template/v1",
+ "Create Dashboard from LogScale YAML Template in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party",
+ "name": "search_domain",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "name of the dashboard",
+ "name": "name",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "LogScale dashboard YAML template content, see schema at https://schemas.humio.com/",
+ "name": "yaml_template",
+ "in": "formData"
+ }
+ ]
+ ],
+ [
+ "UpdateDashboardFromTemplate",
+ "PATCH",
+ "/ngsiem-content/entities/dashboards-template/v1",
+ "Update Dashboard from LogScale YAML Template in NGSIEM. Please note a successful update will result in a "
+ "new ID value being returned.",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party",
+ "name": "search_domain",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "id of the dashboard",
+ "name": "ids",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "LogScale dashboard YAML template content, see schema at https://schemas.humio.com/",
+ "name": "yaml_template",
+ "in": "formData"
+ }
+ ]
+ ],
+ [
+ "DeleteDashboard",
+ "DELETE",
+ "/ngsiem-content/entities/dashboards/v1",
+ "Delete Dashboard in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "dashboard ID value",
+ "name": "ids",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party",
+ "name": "search_domain",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetLookupFile",
+ "GET",
+ "/ngsiem-content/entities/lookupfiles/v1",
+ "Retrieve Lookup File in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "lookup file filename",
+ "name": "filename",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party, dashboards, "
+ "parsers-repository",
+ "name": "search_domain",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "CreateLookupFile",
+ "POST",
+ "/ngsiem-content/entities/lookupfiles/v1",
+ "Create Lookup File in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party, parsers-repository",
+ "name": "search_domain",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "Filename of the lookup file to create",
+ "name": "filename",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "file content to upload",
+ "name": "file",
+ "in": "formData"
+ }
+ ]
+ ],
+ [
+ "UpdateLookupFile",
+ "PATCH",
+ "/ngsiem-content/entities/lookupfiles/v1",
+ "Update Lookup File in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party, parsers-repository",
+ "name": "search_domain",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "Filename of the lookup file to update",
+ "name": "filename",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "file content to upload",
+ "name": "file",
+ "in": "formData"
+ }
+ ]
+ ],
+ [
+ "DeleteLookupFile",
+ "DELETE",
+ "/ngsiem-content/entities/lookupfiles/v1",
+ "Delete Lookup File in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "lookup file filename",
+ "name": "filename",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party, parsers-repository",
+ "name": "search_domain",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetParserTemplate",
+ "GET",
+ "/ngsiem-content/entities/parsers-template/v1",
+ "Retrieve Parser in NGSIEM as LogScale YAML Template",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "parser ID value",
+ "name": "ids",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of repository, options; parsers-repository",
+ "name": "repository",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "CreateParserFromTemplate",
+ "POST",
+ "/ngsiem-content/entities/parsers-template/v1",
+ "Create Parser from LogScale YAML Template in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "name of repository, options; parsers-repository",
+ "name": "repository",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "name of the parser",
+ "name": "name",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "LogScale Parser YAML template content, see schema at https://schemas.humio.com/",
+ "name": "yaml_template",
+ "in": "formData"
+ }
+ ]
+ ],
+ [
+ "GetParser",
+ "GET",
+ "/ngsiem-content/entities/parsers/v1",
+ "Retrieve Parser in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "parser ID value",
+ "name": "ids",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of repository, options; parsers-repository",
+ "name": "repository",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "CreateParser",
+ "POST",
+ "/ngsiem-content/entities/parsers/v1",
+ "Create Parser in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "description": "create parser request",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "UpdateParser",
+ "PATCH",
+ "/ngsiem-content/entities/parsers/v1",
+ "Update Parser in NGSIEM. Please note that name changes are not supported, but rather should be created as a new parser.",
+ "ngsiem",
+ [
+ {
+ "description": "update parser request",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "DeleteParser",
+ "DELETE",
+ "/ngsiem-content/entities/parsers/v1",
+ "Delete Parser in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "parser ID value",
+ "name": "ids",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of repository, options; parsers-repository",
+ "name": "repository",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetSavedQueryTemplate",
+ "GET",
+ "/ngsiem-content/entities/savedqueries-template/v1",
+ "Retrieve Saved Query in NGSIEM as LogScale YAML Template",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "saved query ID value",
+ "name": "ids",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party, dashboards",
+ "name": "search_domain",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "CreateSavedQuery",
+ "POST",
+ "/ngsiem-content/entities/savedqueries-template/v1",
+ "Create Saved Query from LogScale YAML Template in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party",
+ "name": "search_domain",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "LogScale Saved Query YAML template content, see schema at https://schemas.humio.com/",
+ "name": "yaml_template",
+ "in": "formData"
+ }
+ ]
+ ],
+ [
+ "UpdateSavedQueryFromTemplate",
+ "PATCH",
+ "/ngsiem-content/entities/savedqueries-template/v1",
+ "Update Saved Query from LogScale YAML Template in NGSIEM. Please note a successful update will result in "
+ "a new ID value being returned.",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party",
+ "name": "search_domain",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "id of the dashboard",
+ "name": "ids",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "LogScale Saved Query YAML template content, see schema at https://schemas.humio.com/",
+ "name": "yaml_template",
+ "in": "formData"
+ }
+ ]
+ ],
+ [
+ "DeleteSavedQuery",
+ "DELETE",
+ "/ngsiem-content/entities/savedqueries/v1",
+ "Delete Saved Query in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "type": "string",
+ "description": "saved query ID value",
+ "name": "ids",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party",
+ "name": "search_domain",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "ListDashboards",
+ "GET",
+ "/ngsiem-content/queries/dashboards/v1",
+ "List Dashboards in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "pattern": "^\\d{1,4}$",
+ "type": "string",
+ "default": "50",
+ "description": "maximum number of results to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "pattern": "^\\d{1,4}$",
+ "type": "string",
+ "default": "0",
+ "description": "number of results to offset the returned results by",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "FQL filter to apply to the name of the content, only currently support text match on "
+ "name field: name:~'value'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party, dashboards",
+ "name": "search_domain",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "ListLookupFiles",
+ "GET",
+ "/ngsiem-content/queries/lookupfiles/v1",
+ "List Lookup Files in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "pattern": "^\\d{1,4}$",
+ "type": "string",
+ "default": "50",
+ "description": "maximum number of results to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "pattern": "^\\d{1,4}$",
+ "type": "string",
+ "default": "0",
+ "description": "number of results to offset the returned results by",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "FQL filter to apply to the name of the content, only currently support text match on "
+ "name field: name:~'value'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party, dashboards, "
+ "parsers-repository",
+ "name": "search_domain",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "ListParsers",
+ "GET",
+ "/ngsiem-content/queries/parsers/v1",
+ "List Parsers in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "pattern": "^\\d{1,4}$",
+ "type": "string",
+ "default": "50",
+ "description": "maximum number of results to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "pattern": "^\\d{1,4}$",
+ "type": "string",
+ "default": "0",
+ "description": "number of results to offset the returned results by",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "FQL filter to apply to the name of the content, only currently support text match on "
+ "name field: name:~'value'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of repository, options; parsers-repository",
+ "name": "repository",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "ListSavedQueries",
+ "GET",
+ "/ngsiem-content/queries/savedqueries/v1",
+ "Get Saved Queries in NGSIEM",
+ "ngsiem",
+ [
+ {
+ "pattern": "^\\d{1,4}$",
+ "type": "string",
+ "default": "50",
+ "description": "maximum number of results to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "pattern": "^\\d{1,4}$",
+ "type": "string",
+ "default": "0",
+ "description": "number of results to offset the returned results by",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "FQL filter to apply to the name of the content, only currently support text match on "
+ "name field: name:~'value'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "name of search domain (view or repo), options; all, falcon, third-party, dashboards",
+ "name": "search_domain",
+ "in": "query"
+ }
+ ]
]
]
diff --git a/src/falconpy/_endpoint/_ods.py b/src/falconpy/_endpoint/_ods.py
index 297d324c..ffe01386 100644
--- a/src/falconpy/_endpoint/_ods.py
+++ b/src/falconpy/_endpoint/_ods.py
@@ -383,7 +383,7 @@
[
{
"type": "string",
- "description": "A FQL compatible query string. Terms: [id profile_id description.keyword "
+ "description": "A FQL compatible query string. Terms: [id profile_id description.keyword description "
"initiated_from filecount.scanned filecount.malicious filecount.quarantined filecount.skipped "
"affected_hosts_count status severity scan_started_on scan_completed_on created_on created_by last_updated "
"targeted_host_count missing_host_count]",
@@ -413,6 +413,8 @@
"initiated_from|desc",
"description.keyword|asc",
"description.keyword|desc",
+ "description|asc",
+ "description|desc",
"filecount.scanned|asc",
"filecount.scanned|desc",
"filecount.malicious|asc",
@@ -460,8 +462,8 @@
[
{
"type": "string",
- "description": "A FQL compatible query string. Terms: [id description initiated_from status "
- "schedule.start_timestamp schedule.Interval created_on created_by last_updated deleted]",
+ "description": "A FQL compatible query string. Terms: [id description.keyword description "
+ "initiated_from status schedule.start_timestamp schedule.Interval created_on created_by last_updated deleted]",
"name": "filter",
"in": "query",
"allowEmptyValue": True
@@ -486,6 +488,8 @@
"id|desc",
"description.keyword|asc",
"description.keyword|desc",
+ "description|asc",
+ "description|desc",
"status|asc",
"status|desc",
"schedule.start_timestamp|asc",
diff --git a/src/falconpy/_endpoint/_quick_scan_pro.py b/src/falconpy/_endpoint/_quick_scan_pro.py
index 7d3a2e17..0125f7c0 100644
--- a/src/falconpy/_endpoint/_quick_scan_pro.py
+++ b/src/falconpy/_endpoint/_quick_scan_pro.py
@@ -41,16 +41,25 @@
"UploadFileQuickScanPro",
"POST",
"/quickscanpro/entities/files/v1",
- "Uploads a file to be further analyzed with QuickScan Pro. The samples expire according to the Retention Policies set.",
+ "Uploads a file to be further analyzed with QuickScan Pro. Supports both multipart/form-data and "
+ "application/octet-stream uploads. The samples expire according to the Retention Policies set. See parameter "
+ "descriptions for usage per content type.",
"quick_scan_pro",
[
{
"type": "file",
- "description": "Binary file to be uploaded. Max file size: 256 MB.",
+ "description": "Binary file to be uploaded. Max file size: 256 MB. Use --data-binary @$FILE_PATH for "
+ "octet-stream/cURL uploads",
"name": "file",
"in": "formData",
"required": True
},
+ {
+ "type": "string",
+ "description": "OCTET-STREAM ONLY - Name of the file (required for octet-stream uploads).",
+ "name": "file_name",
+ "in": "query"
+ },
{
"type": "boolean",
"default": False,
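Review bot: The new `file_name` entry says it is "required for octet-stream uploads" but carries no `required` flag, and nothing in this table records which content type the SDK will send, so a caller reading the metadata cannot tell when the parameter is mandatory (the multipart/octet-stream choice is presumably made elsewhere in the client). The `--data-binary @$FILE_PATH` hint added to the `file` description is a cURL instruction that does not apply to Python callers of this table. I would keep both descriptions to what the SDK exposes, e.g. `"description": "Name of the file. Required when the upload is sent as application/octet-stream."` on `file_name`, and leave the cURL usage to the API reference.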
diff --git a/src/falconpy/_endpoint/_real_time_response_admin.py b/src/falconpy/_endpoint/_real_time_response_admin.py
index eadce965..588f15b1 100644
--- a/src/falconpy/_endpoint/_real_time_response_admin.py
+++ b/src/falconpy/_endpoint/_real_time_response_admin.py
@@ -262,6 +262,43 @@
}
]
],
+ [
+ "RTR_CreatePut_FilesV2",
+ "POST",
+ "/real-time-response/entities/put-files/v2",
+ "Upload a new put-file to use for the RTR `put` command.",
+ "real_time_response_admin",
+ [
+ {
+ "type": "file",
+ "description": "put-file to upload",
+ "name": "file",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "File description",
+ "name": "description",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "maxLength": 32766,
+ "type": "string",
+ "description": "File name (if different than actual file name)",
+ "name": "name",
+ "in": "formData"
+ },
+ {
+ "maxLength": 4096,
+ "type": "string",
+ "description": "The audit log comment",
+ "name": "comments_for_audit_log",
+ "in": "formData"
+ }
+ ]
+ ],
[
"RTR_GetScripts",
"GET",
@@ -448,6 +485,136 @@
}
]
],
+ [
+ "RTR_CreateScriptsV2",
+ "POST",
+ "/real-time-response/entities/scripts/v2",
+ "Upload a new custom-script to use for the RTR `runscript` command.",
+ "real_time_response_admin",
+ [
+ {
+ "type": "file",
+ "description": "custom-script file to upload. These should be powershell scripts.",
+ "name": "file",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "File description",
+ "name": "description",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "maxLength": 32766,
+ "type": "string",
+ "description": "File name (if different than actual file name)",
+ "name": "name",
+ "in": "formData"
+ },
+ {
+ "maxLength": 4096,
+ "type": "string",
+ "description": "The audit log comment",
+ "name": "comments_for_audit_log",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "default": "none",
+ "description": "Permission for the custom-script. Valid permission values: \n - private, usable by "
+ "only the user who uploaded it \n - group, usable by all RTR Admins \n - public, usable by all active-"
+ "responders and RTR admins",
+ "name": "permission_type",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "The script text that you want to use to upload",
+ "name": "content",
+ "in": "formData"
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Platforms for the file. Currently supports: windows, mac, linux, . If no platform is "
+ "provided, it will default to 'windows'",
+ "name": "platform",
+ "in": "formData"
+ }
+ ]
+ ],
+ [
+ "RTR_UpdateScriptsV2",
+ "PATCH",
+ "/real-time-response/entities/scripts/v2",
+ "Upload a new scripts to replace an existing one.",
+ "real_time_response_admin",
+ [
+ {
+ "type": "string",
+ "description": "ID to update",
+ "name": "id",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "type": "file",
+ "description": "custom-script file to upload. These should be powershell scripts.",
+ "name": "file",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "File description",
+ "name": "description",
+ "in": "formData"
+ },
+ {
+ "maxLength": 32766,
+ "type": "string",
+ "description": "File name (if different than actual file name)",
+ "name": "name",
+ "in": "formData"
+ },
+ {
+ "maxLength": 4096,
+ "type": "string",
+ "description": "The audit log comment",
+ "name": "comments_for_audit_log",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "default": "none",
+ "description": "Permission for the custom-script. Valid permission values: \n - private, usable by "
+ "only the user who uploaded it \n - group, usable by all RTR Admins \n - public, usable by all active-"
+ "responders and RTR admins",
+ "name": "permission_type",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "The script text that you want to use to upload",
+ "name": "content",
+ "in": "formData"
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Platforms for the file. Currently supports: windows, mac, linux, ",
+ "name": "platform",
+ "in": "formData"
+ }
+ ]
+ ],
[
"RTR_ListFalconScripts",
"GET",
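Review bot: In `RTR_CreateScriptsV2` and `RTR_UpdateScriptsV2` the `permission_type` entry defaults to `"none"`, which is not one of the three valid values its own description lists (private, group, public); since this value decides who may run the uploaded script, confirm against the API spec whether `"none"` is accepted and what it maps to, and otherwise drop the default or document the mapping. In `RTR_CreateScriptsV2` neither `file` nor `content` is marked required, so the table cannot express that the script must be supplied one way or the other; a short note on `content` such as `"description": "The script text to upload; supply this or the file parameter"` would make the either/or visible to callers. Two wording nits in the same hunk: `"Upload a new scripts to replace an existing one."` should read `"Upload a new script to replace an existing one."`, and the `platform` description `"windows, mac, linux, . If no platform is provided..."` has a stray trailing comma before the period.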
diff --git a/src/falconpy/_endpoint/_recon.py b/src/falconpy/_endpoint/_recon.py
index f736455a..13be34c4 100644
--- a/src/falconpy/_endpoint/_recon.py
+++ b/src/falconpy/_endpoint/_recon.py
@@ -601,7 +601,8 @@
},
{
"type": "string",
- "description": "Possible order by fields: created_timestamp, last_updated_timestamp. Ex: "
+ "description": "Possible order by fields: "
+ "created_timestamp,last_updated_timestamp,permissions,priority,template_priority,topic. Ex: "
"last_updated_timestamp|desc.",
"name": "sort",
"in": "query"
@@ -622,7 +623,8 @@
},
{
"type": "string",
- "description": "Possible order by fields: created_timestamp, last_updated_timestamp. Ex: "
+ "description": "Possible order by fields: "
+ "created_timestamp,last_updated_timestamp,permissions,priority,template_priority,topic. Ex: "
"last_updated_timestamp|desc.",
"name": "secondarySort",
"in": "query"
diff --git a/src/falconpy/_endpoint/_saas_security.py b/src/falconpy/_endpoint/_saas_security.py
new file mode 100644
index 00000000..500de92f
--- /dev/null
+++ b/src/falconpy/_endpoint/_saas_security.py
@@ -0,0 +1,820 @@
+"""Internal API endpoint constant library.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_saas_security_endpoints = [
+ [
+ "GetMetricsV3",
+ "GET",
+ "/saas-security/aggregates/check-metrics/v3",
+ "GET Metrics",
+ "saas_security",
+ [
+ {
+ "enum": [
+ "Passed",
+ "Failed",
+ "Dismissed",
+ "Pending",
+ "Can't Run",
+ "Stale"
+ ],
+ "type": "string",
+ "description": "Exposure status",
+ "name": "status",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The maximum number of objects to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The starting index of the results",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of integration IDs",
+ "name": "integration_id",
+ "in": "query"
+ },
+ {
+ "enum": [
+ 1,
+ 2,
+ 3
+ ],
+ "type": "string",
+ "description": "Impact",
+ "name": "impact",
+ "in": "query"
+ },
+ {
+ "type": "boolean",
+ "description": "Compliance",
+ "name": "compliance",
+ "in": "query"
+ },
+ {
+ "enum": [
+ "apps",
+ "devices",
+ "users",
+ "assets",
+ "permissions",
+ "Falcon Shield Security Check",
+ "custom"
+ ],
+ "type": "string",
+ "description": "Check Type",
+ "name": "check_type",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetAlertsV3",
+ "GET",
+ "/saas-security/entities/alerts/v3",
+ "GET Alert by ID or GET Alerts",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Alert ID",
+ "name": "id",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The maximum number of objects to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The starting index of the results",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The last id of the alert you want to get",
+ "name": "last_id",
+ "in": "query"
+ },
+ {
+ "enum": [
+ "configuration_drift",
+ "check_degraded",
+ "integration_failure",
+ "Threat"
+ ],
+ "type": "string",
+ "description": "The type of alert you want to get",
+ "name": "type",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of integration ID's of the alert you want to get",
+ "name": "integration_id",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "format": "date-time",
+ "description": "The start date of the alert you want to get (in YYYY-MM-DD format)",
+ "name": "from_date",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "format": "date-time",
+ "description": "The end date of the alert you want to get (in YYYY-MM-DD format)",
+ "name": "to_date",
+ "in": "query"
+ },
+ {
+ "type": "boolean",
+ "name": "ascending",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetAppInventoryUsers",
+ "GET",
+ "/saas-security/entities/app-users/v3",
+ "GET Application Users",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Item ID in format: 'integration_id|||app_id' (item_id)",
+ "name": "item_id",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "GetAppInventory",
+ "GET",
+ "/saas-security/entities/apps/v3",
+ "GET Applications Inventory",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Comma separated list of app types",
+ "name": "type",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The maximum number of objects to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The starting index of the results",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "enum": [
+ "approved",
+ "in review",
+ "rejected",
+ "unclassified"
+ ],
+ "type": "string",
+ "description": "Comma separated list of application statuses (approved, in review, rejected, unclassified)",
+ "name": "status",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of access levels",
+ "name": "access_level",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of scopes",
+ "name": "scopes",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Users. Format: 'is equal value' or 'contains value' or 'value' (implies 'is equal value')",
+ "name": "users",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of groups",
+ "name": "groups",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Last activity was within or was not within the last 'value' days. Format: 'was value' "
+ "or 'was not value' or 'value' (implies 'was value'). 'value' is an integer",
+ "name": "last_activity",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of integration IDs",
+ "name": "integration_id",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetSecurityCheckAffectedV3",
+ "GET",
+ "/saas-security/entities/check-affected/v3",
+ "GET Security Check Affected",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Security Check ID",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "integer",
+ "description": "The maximum number of objects to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The starting index of the results",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "DismissAffectedEntityV3",
+ "POST",
+ "/saas-security/entities/check-dismiss-affected/v3",
+ "POST Dismiss Affected Entity",
+ "saas_security",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Security Check ID",
+ "name": "id",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "DismissSecurityCheckV3",
+ "POST",
+ "/saas-security/entities/check-dismiss/v3",
+ "POST Dismiss Security Check by ID",
+ "saas_security",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Security Check ID",
+ "name": "id",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "GetSecurityChecksV3",
+ "GET",
+ "/saas-security/entities/checks/v3",
+ "GET Security Check by ID or GET List Security Checks",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Security Check ID",
+ "name": "id",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The maximum number of objects to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The starting index of the results",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "enum": [
+ "Passed",
+ "Failed",
+ "Dismissed",
+ "Pending",
+ "Can't Run",
+ "Stale"
+ ],
+ "type": "string",
+ "description": "Exposure status",
+ "name": "status",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of integration IDs",
+ "name": "integration_id",
+ "in": "query"
+ },
+ {
+ "enum": [
+ "Low",
+ "Medium",
+ "High"
+ ],
+ "type": "string",
+ "description": "Impact",
+ "name": "impact",
+ "in": "query"
+ },
+ {
+ "type": "boolean",
+ "description": "Compliance",
+ "name": "compliance",
+ "in": "query"
+ },
+ {
+ "enum": [
+ "apps",
+ "devices",
+ "users",
+ "assets",
+ "permissions",
+ "Falcon Shield Security Check",
+ "custom"
+ ],
+ "type": "string",
+ "description": "Check Type",
+ "name": "check_type",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of check tags names or ids",
+ "name": "check_tags",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetSecurityCheckComplianceV3",
+ "GET",
+ "/saas-security/entities/compliance/v3",
+ "GET Compliance",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Security Check ID",
+ "name": "id",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "IntegrationBuilderEndTransactionV3",
+ "POST",
+ "/saas-security/entities/custom-integration-close/v3",
+ "POST Data Upload Transaction Completion",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Integration ID",
+ "name": "id",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "IntegrationBuilderResetV3",
+ "POST",
+ "/saas-security/entities/custom-integration-reset/v3",
+ "Reset",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Integration ID",
+ "name": "id",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "IntegrationBuilderGetStatusV3",
+ "GET",
+ "/saas-security/entities/custom-integration-status/v3",
+ "GET Status",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Integration ID",
+ "name": "id",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "IntegrationBuilderUploadV3",
+ "POST",
+ "/saas-security/entities/custom-integration-upload/v3",
+ "POST Upload",
+ "saas_security",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Integration ID",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Source ID",
+ "name": "source_id",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "GetAssetInventoryV3",
+ "GET",
+ "/saas-security/entities/data/v3",
+ "GET Data Inventory",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Comma separated list of integration IDs",
+ "name": "integration_id",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The maximum number of objects to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The starting index of the results",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of resource types",
+ "name": "resource_type",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of access levels",
+ "name": "access_level",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Last accessed date was within or was not within the last 'value' days. Format: 'was "
+ "value' or 'was not value' or 'value' (implies 'was value'). 'value' is an integer",
+ "name": "last_accessed",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Last modified date was within or was not within the last 'value' days. Format: 'was "
+ "value' or 'was not value' or 'value' (implies 'was value'). 'value' is an integer",
+ "name": "last_modified",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Resource name contains 'value' (case insensitive)",
+ "name": "resource_name",
+ "in": "query"
+ },
+ {
+ "type": "boolean",
+ "description": "Password protected",
+ "name": "password_protected",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Resource owner contains 'value' (case insensitive)",
+ "name": "resource_owner",
+ "in": "query"
+ },
+ {
+ "type": "boolean",
+ "description": "Resource owner enabled",
+ "name": "resource_owner_enabled",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of unmanaged domains",
+ "name": "unmanaged_domain",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetDeviceInventoryV3",
+ "GET",
+ "/saas-security/entities/devices/v3",
+ "GET Device Inventory",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Comma separated integration ID's",
+ "name": "integration_id",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The maximum number of objects to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The starting index of the results",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Email",
+ "name": "email",
+ "in": "query"
+ },
+ {
+ "type": "boolean",
+ "description": "Privileged Only",
+ "name": "privileged_only",
+ "in": "query"
+ },
+ {
+ "type": "boolean",
+ "description": "Unassociated Devices",
+ "name": "unassociated_devices",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetIntegrationsV3",
+ "GET",
+ "/saas-security/entities/integrations/v3",
+ "GET Integrations",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Comma separated SaaS ID's",
+ "name": "saas_id",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetActivityMonitorV3",
+ "GET",
+ "/saas-security/entities/monitor/v3",
+ "GET Activity Monitor",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Integration ID",
+ "name": "integration_id",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Actor",
+ "name": "actor",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of categories",
+ "name": "category",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Comma separated list of projections",
+ "name": "projection",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "format": "date-time",
+ "description": "From Date",
+ "name": "from_date",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "format": "date-time",
+ "description": "To Date",
+ "name": "to_date",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "Max number of logs to fetch",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "Number of logs to skip",
+ "name": "skip",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetSupportedSaasV3",
+ "GET",
+ "/saas-security/entities/supported-saas/v3",
+ "GET Supported SaaS",
+ "saas_security",
+ []
+ ],
+ [
+ "GetSystemLogsV3",
+ "GET",
+ "/saas-security/entities/system-logs/v3",
+ "GET System Logs",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "format": "date-time",
+ "description": "From Date (in YYYY-MM-DD format)",
+ "name": "from_date",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The maximum number of objects to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The starting index of the results",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "format": "date-time",
+ "description": "To Date (in YYYY-MM-DD format)",
+ "name": "to_date",
+ "in": "query"
+ },
+ {
+ "type": "boolean",
+ "description": "Fetch Total Count?",
+ "name": "total_count",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "GetSystemUsersV3",
+ "GET",
+ "/saas-security/entities/system-users/v3",
+ "GET System Users",
+ "saas_security",
+ []
+ ],
+ [
+ "GetUserInventoryV3",
+ "GET",
+ "/saas-security/entities/users/v3",
+ "GET User Inventory",
+ "saas_security",
+ [
+ {
+ "type": "string",
+ "description": "Comma separated integration ID's",
+ "name": "integration_id",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The maximum number of objects to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The starting index of the results",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Email",
+ "name": "email",
+ "in": "query"
+ },
+ {
+ "type": "boolean",
+ "description": "Privileged Only",
+ "name": "privileged_only",
+ "in": "query"
+ }
+ ]
+ ]
+]
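Review bot: `GetMetricsV3` declares `impact` as `"type": "string"` with `"enum": [1, 2, 3]` (integer literals), while `GetSecurityChecksV3` in the same file declares the same parameter with `"enum": ["Low", "Medium", "High"]`; one of the two is presumably wrong, or the API accepts different encodings per endpoint — confirm against the spec and either align them or say on the parameter description which encoding each endpoint expects. The `from_date`/`to_date` entries on `GetAlertsV3` and `GetSystemLogsV3` carry `"format": "date-time"` but their descriptions say `(in YYYY-MM-DD format)`, which is a date rather than a date-time; pick one so the metadata and the text agree. `ascending` on `GetAlertsV3` is the only parameter in the file without a description; `"description": "Sort results in ascending order"` would match the style of the neighbouring entries. The module docstring ends at `For more information, please refer to` with nothing following — if a reference was meant to follow, restore it.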
diff --git a/src/falconpy/_endpoint/_sensor_usage.py b/src/falconpy/_endpoint/_sensor_usage.py
index e8c35a0c..0beb1557 100644
--- a/src/falconpy/_endpoint/_sensor_usage.py
+++ b/src/falconpy/_endpoint/_sensor_usage.py
@@ -37,6 +37,28 @@
"""
_sensor_usage_endpoints = [
+ [
+ "GetSensorUsageHourly",
+ "GET",
+ "/billing-dashboards-usage/aggregates/hourly-average/v1",
+ "Fetches hourly average. Each data point represents the average of how many unique AIDs were seen per hour "
+ "for the previous 28 days.",
+ "sensor_usage",
+ [
+ {
+ "type": "string",
+ "description": "The FQL search filter. Allowed fields:\n\"event_date\" : A specified date that will be "
+ " final date of the results returned. Specified date cannot be after the default.\n\tFormat: "
+ "'2024-06-11'\n\tDefault: the current date, minus 2 days, in UTC\n\"period\" : An integer surrounded by single "
+ "quotes representing the number of days to return.\n\tFormat: '30'\n\tDefault: '28'\n\tMinimum: '1'\n\tMaximum: "
+ " '395'\n\"selected_cids\" : A comma separated list of CIDs to return data for. Caller must be a parent CID or "
+ "have special access enabled.\n\tFormat: 'cid_1,cid_2,cid_3'\n\tDefault: for parent CIDs the default is the "
+ "parent and all children, otherwise the current CID",
+ "name": "filter",
+ "in": "query"
+ }
+ ]
+ ],
[
"GetSensorUsageWeekly",
"GET",
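Review bot: The implicit string concatenation in the `filter` description of `GetSensorUsageHourly` leaves stray spaces at two join points: `"...that will be "` followed by `" final date of the results..."` yields `will be  final date` (double space, and "the" is missing), and `"\tMaximum: "` followed by `" '395'"` yields `Maximum:  '395'`. I would change the two continuation fragments to `"the final date of the results returned. Specified date cannot be after the default.\n\tFormat: "` and `"'395'\n\"selected_cids\" : A comma separated list of CIDs to return data for. Caller must be a parent CID or "` so the joined text reads cleanly; the surrounding fragments stay as they are.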
diff --git a/src/falconpy/_endpoint/_spotlight_vulnerability_metadata.py b/src/falconpy/_endpoint/_spotlight_vulnerability_metadata.py
new file mode 100644
index 00000000..6254e43d
--- /dev/null
+++ b/src/falconpy/_endpoint/_spotlight_vulnerability_metadata.py
@@ -0,0 +1,98 @@
+"""Internal API endpoint constant library.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_spotlight_vulnerability_metadata_endpoints = [
+ [
+ "combineVulnMetadataExt",
+ "GET",
+ "/spotlight/combined/vulnerability-metadata-external/v1",
+ "This endpoint allows getting CVEs(vulnerability metadata) entities by specifying their ids",
+ "spotlight_vulnerability_metadata",
+ [
+ {
+ "type": "string",
+ "description": "A pagination token used with the limit parameter to manage pagination of results. On "
+ "your first request, don't provide an after token. On subsequent requests, provide the after token from the "
+ "previous response to continue from that place in the results.",
+ "name": "after",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "string",
+ "description": "Starting index of overall result set from which to return ids.",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "maximum": 10000,
+ "minimum": 1,
+ "type": "integer",
+ "description": "The number of items to return in this response (default: 100, max: 10000). Use with "
+ "the after parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Sort vulnerabilities by their properties. Available sort options: "
+ "- created_timestamp|asc/desc
- updated_timestamp|asc/desc
. Can be used in a format "
+ "|asc for ascending order or |desc for descending order.",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Filter items using a query in Falcon Query Language (FQL). Wildcards * and empty "
+ "filter values are unsupported.\n\t\t\t\tAvailable filter fields that supports match (~): "
+ "N/A\n\t\t\t\tAvailable filter fields that supports exact match: id, provider, cve_ids, cwe_ids, "
+ "impact.cvss_v2.base_metrics.vector, "
+ "impact.cvss_v2.temporal_metrics.vector,\n\t\t\t\t\timpact.cvss_v3.base_metrics.integrity_impact, "
+ "impact.cvss_v3.base_metrics.vector, impact.cvss_v3.temporal_metrics.vector\n\t\t\t\tAvailable filter fields "
+ "that supports wildcard (*): N/A\n\t\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, "
+ "<=): created_timestamp, impact.cvss_v2.base_metrics.base_score, "
+ "impact.cvss_v3.base_metrics.base_score,\n\t\t\t\t\timpact.cvss_v2.temporal_metrics.temporal_score, "
+ "impact.cvss_v3.temporal_metrics.temporal_score, source_created_timestamp, source_updated_timestamp, "
+ "updated_timestamp\n\t\t\t\t",
+ "name": "filter",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ]
+]
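Review bot: The `sort` description for combineVulnMetadataExt is broken across L9498–L9500 as rendered, with the literal `"- created_timestamp|asc/desc` left unterminated and the continuation lines carrying no `+` marker; if those are real line breaks inside the string the module will not import, and the text should be a single escaped literal such as `"- created_timestamp|asc/desc\n- updated_timestamp|asc/desc\n. Can be used in a format "`. If the file actually holds `\n` escapes and only the diff rendering unescaped them, that part can be ignored. Separately, the `offset` parameter at L9480–L9481 declares `"minimum": 0` on `"type": "string"`; a numeric bound on a string type is inconsistent with every other offset in this change (e.g. L9367–L9368), so either `"type": "integer",` or dropping `"minimum"` is needed, whichever the upstream spec says.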
diff --git a/src/falconpy/_endpoint/_unidentified_containers.py b/src/falconpy/_endpoint/_unidentified_containers.py
index 7d582197..89b9e6f4 100644
--- a/src/falconpy/_endpoint/_unidentified_containers.py
+++ b/src/falconpy/_endpoint/_unidentified_containers.py
@@ -98,13 +98,13 @@
{
"type": "integer",
"default": 100,
- "description": "The upper-bound on the number of records to retrieve.",
+ "description": "The upper-bound on the number of records to retrieve. Maximum limit: 100.",
"name": "limit",
"in": "query"
},
{
"type": "integer",
- "description": "The offset from where to begin.",
+ "description": "The offset from where to begin. Maximum offset = 10000 - limit.",
"name": "offset",
"in": "query"
}
diff --git a/src/falconpy/_endpoint/_user_management.py b/src/falconpy/_endpoint/_user_management.py
index 9bb9188d..40358d73 100644
--- a/src/falconpy/_endpoint/_user_management.py
+++ b/src/falconpy/_endpoint/_user_management.py
@@ -200,6 +200,27 @@
}
]
],
+ [
+ "entitiesRolesGETV2",
+ "POST",
+ "/user-management/entities/roles/GET/v2",
+ "Get info about a role",
+ "user_management",
+ [
+ {
+ "type": "string",
+ "description": "Customer ID to get available roles for. Empty CID would result in Role IDs for current CID in view.",
+ "name": "cid",
+ "in": "query"
+ },
+ {
+ "description": "Maximum of 5000 Role IDs can be specified per request.",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
[
"entitiesRolesV1",
"GET",
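Review bot: The `cid` description at L9562 runs well past the ~120-column wrap the rest of this file uses (compare L9579–L9580 in the same file), so it will presumably be flagged by the project's line-length lint. Split it as `"description": "Customer ID to get available roles for. Empty CID would result in Role IDs for current "` followed by `"CID in view.",`. The same unwrapped description pattern appears at L10884 in `deprecated/_cloud_aws_registration.py`.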
@@ -382,7 +403,7 @@
"type": "string",
"description": "Filter using a query in Falcon Query Language (FQL). Supported filters: assigned_cids, "
" cid, direct_assigned_cids, factors, first_name, has_temporary_roles, last_name, name, status, "
- "temporarily_assigned_cids, uid",
+ "temporarily_assigned_cids, uid, uuid",
"name": "filter",
"in": "query"
},
diff --git a/src/falconpy/_endpoint/_workflows.py b/src/falconpy/_endpoint/_workflows.py
index 184c5eeb..009db5a8 100644
--- a/src/falconpy/_endpoint/_workflows.py
+++ b/src/falconpy/_endpoint/_workflows.py
@@ -113,7 +113,8 @@
"WorkflowDefinitionsCombined",
"GET",
"/workflows/combined/definitions/v1",
- "Search workflow definitions based on the provided filter",
+ "Search workflow definitions based on the provided filter. NOTE: this API has a large response payload. "
+ "Click on `Wait` if the page is unresponsive during loading",
"workflows",
[
{
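Review bot: The new WorkflowDefinitionsCombined description at L9595–L9596 ends with "Click on `Wait` if the page is unresponsive during loading", which is Falcon-console UI guidance that has no meaning for SDK callers and, assuming this string is what the generated method docstrings are built from, will surface in the Python documentation. Keep the payload warning and drop the console instruction: `"Search workflow definitions based on the provided filter. NOTE: this API has a large response payload.",`.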
@@ -198,6 +199,30 @@
}
]
],
+ [
+ "WorkflowDefinitionsAction",
+ "POST",
+ "/workflows/entities/definition-actions/v1",
+ "Enable or disable a workflow definition, or stop all executions for a definition. When a definition is "
+ "disabled it will not execute against any new trigger events.",
+ "workflows",
+ [
+ {
+ "type": "string",
+ "description": "Specify one of these actions:\n enable: enable the workflow(s) specified in ids. "
+ "disable: disable the workflow(s) specified in ids. cancel: cancel all in-flight executions for the workflow "
+ "specified in ids",
+ "name": "action_name",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
[
"WorkflowDefinitionsExport",
"GET",
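Review bot: `action_name` for the new WorkflowDefinitionsAction (L9612–L9620) lists its three accepted values only in prose, whereas the sibling WorkflowExecutionsAction in the same file (L9640–L9644) declares them with an `"enum"` array. If the upstream spec enumerates them, add `"enum": ["enable", "disable", "cancel"],` ahead of `"type": "string",` so consumers of this table see the same shape for both action endpoints. The description also separates the first option with `\n` after "actions:" but the remaining two with plain spaces (L9614–L9616); the sibling uses `\n` before each option (L9647–L9648), so the `disable:` and `cancel:` fragments should each be prefixed with `\n` as well.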
@@ -405,15 +430,17 @@
"WorkflowExecutionsAction",
"POST",
"/workflows/entities/execution-actions/v1",
- "Allows a user to resume/retry a failed workflow execution.",
+ "Allows a user to resume/retry a failed workflow execution, or cancel/stop a currently running workflow execution",
"workflows",
[
{
"enum": [
- "resume"
+ "resume",
+ "cancel"
],
"type": "string",
- "description": "Specify one of these actions:\n resume: resume/retry the workflow execution(s) specified in ids",
+ "description": "Specify one of these actions:\n resume: resume/retry the workflow execution(s) "
+ "specified in ids\n cancel: cancel/stop the workflow execution specified in ids",
"name": "action_name",
"in": "query",
"required": True
@@ -545,10 +572,28 @@
{
"type": "boolean",
"default": False,
- "description": "When enabled, prevents execution after validating mocks against definition",
+ "description": "When enabled, prevents execution after validating mocks from the request body against "
+ "the mocked entity's output schema. Mocks provided in the definition by reference are not validated in any "
+ "case.",
"name": "validate_only",
"in": "query"
},
+ {
+ "type": "boolean",
+ "default": False,
+ "description": "When enabled, skips validating mocks from the request body against the mocked entity's "
+ "output schema. Mocks provided in the definition by reference are not validated in any case.",
+ "name": "skip_validation",
+ "in": "query"
+ },
+ {
+ "type": "boolean",
+ "default": False,
+ "description": "When enabled, treats all activity mocks in the definition as disabled for this mock "
+ "execution. Mocks provided in the request body are treated normally.",
+ "name": "ignore_activity_mock_references",
+ "in": "query"
+ },
{
"name": "body",
"in": "body",
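Review bot: `validate_only` (L9654–L9662) and the new `skip_validation` (L9663–L9670) are opposing booleans that both default to False, and neither description says how the service treats a request with both enabled. If the upstream spec states a precedence or rejects the combination, mirror it here, e.g. append `"Ignored when validate_only is set."` to the `skip_validation` description; if the spec is silent, a short note that the combination is not defined is still more useful to callers than nothing. The enclosing operation entry starts above this hunk.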
diff --git a/src/falconpy/_endpoint/deprecated/__init__.py b/src/falconpy/_endpoint/deprecated/__init__.py
index 1645b49d..8aaefd45 100644
--- a/src/falconpy/_endpoint/deprecated/__init__.py
+++ b/src/falconpy/_endpoint/deprecated/__init__.py
@@ -31,14 +31,20 @@
# These operation IDs are maintained for backwards compatibility purposes only, Move all code
# references to use the new operations IDs defined above that align with the IDs defined in
# the service classes.
+from ._case_management import _case_management_endpoints
from ._cloud_aws_registration import _cloud_aws_registration_endpoints
from ._cloud_azure_registration import _cloud_azure_registration_endpoints
+from ._cloud_google_cloud_registration import _cloud_google_cloud_registration_endpoints
from ._cloud_oci_registration import _cloud_oci_registration_endpoints
+from ._cloud_security import _cloud_security_endpoints
from ._cloud_security_assets import _cloud_security_assets_endpoints
+from ._cloud_security_compliance import _cloud_security_compliance_endpoints
+from ._cloud_security_detections import _cloud_security_detections_endpoints
from ._custom_ioa import _custom_ioa_endpoints
from ._correlation_rules import _correlation_rules_endpoints
+from ._correlation_rules_admin import _correlation_rules_admin_endpoints
from ._d4c_registration import _d4c_registration_endpoints
-from ._datascanner import _datascanner_endpoints
+from ._data_protection_configuration import _data_protection_configuration_endpoints
from ._device_content import _device_content_endpoints
from ._discover import _discover_endpoints
from ._exposure_management import _exposure_management_endpoints
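Review bot: Dropping the `_datascanner` import (L9703) and, in the next hunk, the `_datascanner_deprecated` binding (L9724) removes a public name from a module whose own header (L9687–L9689) says its contents exist for backward compatibility, so any caller importing `_datascanner_deprecated` will now fail with an ImportError. Whether `_datascanner.py` itself is deleted elsewhere in this commit is not visible here; if `_data_protection_configuration` supersedes it, keep a one-line alias `_datascanner_deprecated = _data_protection_configuration_deprecated` beside the new binding, otherwise call the removal out in the changelog.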
@@ -58,14 +64,20 @@
from ._mapping import _deprecated_op_mapping, _deprecated_cls_mapping
from ._certificate_based_exclusions import _certificate_based_exclusions_endpoints
+_case_management_deprecated = _case_management_endpoints
_cloud_aws_registration_deprecated = _cloud_aws_registration_endpoints
_cloud_azure_registration_deprecated = _cloud_azure_registration_endpoints
+_cloud_google_cloud_registration_deprecated = _cloud_google_cloud_registration_endpoints
_cloud_oci_registration_deprecated = _cloud_oci_registration_endpoints
+_cloud_security_deprecated = _cloud_security_endpoints
_cloud_security_assets_deprecated = _cloud_security_assets_endpoints
+_cloud_security_compliance_deprecated = _cloud_security_compliance_endpoints
+_cloud_security_detections_deprecated = _cloud_security_detections_endpoints
+_correlation_rules_admin_deprecated = _correlation_rules_admin_endpoints
_correlation_rules_deprecated = _correlation_rules_endpoints
_custom_ioa_deprecated = _custom_ioa_endpoints
_d4c_registration_deprecated = _d4c_registration_endpoints
-_datascanner_deprecated = _datascanner_endpoints
+_data_protection_configuration_deprecated = _data_protection_configuration_endpoints
_device_content_deprecated = _device_content_endpoints
_discover_deprecated = _discover_endpoints
_exposure_management_deprecated = _exposure_management_endpoints
diff --git a/src/falconpy/_endpoint/deprecated/_case_management.py b/src/falconpy/_endpoint/deprecated/_case_management.py
new file mode 100644
index 00000000..02724241
--- /dev/null
+++ b/src/falconpy/_endpoint/deprecated/_case_management.py
@@ -0,0 +1,1100 @@
+"""Internal API endpoint constant library (deprecated operations).
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+# pylint: disable=C0302
+
+_case_management_endpoints = [
+ [
+ "aggregates.file-details.post.v1",
+ "POST",
+ "/case-files/aggregates/file-details/v1",
+ "Get file details aggregates as specified via json in the request body.",
+ "case_management",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "combined.file-details.get.v1",
+ "GET",
+ "/case-files/combined/file-details/v1",
+ "Query file details",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "maximum": 10,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "entities.file-details.get.v1",
+ "GET",
+ "/case-files/entities/file-details/v1",
+ "Get file details by id",
+ "case_management",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.file-details.patch.v1",
+ "PATCH",
+ "/case-files/entities/file-details/v1",
+ "Update file details",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.files_bulk-download.post.v1",
+ "POST",
+ "/case-files/entities/files/bulk-download/v1",
+ "Download multiple existing file from case as a ZIP",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.files_download.get.v1",
+ "GET",
+ "/case-files/entities/files/download/v1",
+ "Download existing file from case",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "Resource ID",
+ "name": "id",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.files_download.post.v1",
+ "POST",
+ "/case-files/entities/files/download/v1",
+ "Download existing files from case",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.files_upload.post.v1",
+ "POST",
+ "/case-files/entities/files/upload/v1",
+ "Upload file for case",
+ "case_management",
+ [
+ {
+ "type": "file",
+ "description": "Local file to Upload",
+ "name": "file",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Description of the file",
+ "name": "description",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "Case ID for the file",
+ "name": "case_id",
+ "in": "formData",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.files.delete.v1",
+ "DELETE",
+ "/case-files/entities/files/v1",
+ "Delete file details by id",
+ "case_management",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.retrieve-rtr-file.post.v1",
+ "POST",
+ "/case-files/entities/retrieve-rtr-file/v1",
+ "retrieves a file from host using RTR and adds it to a case",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "queries.file-details.get.v1",
+ "GET",
+ "/case-files/queries/file-details/v1",
+ "Query for ids of file details",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "maximum": 10,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "aggregates.notification-groups.post.v1",
+ "POST",
+ "/casemgmt/aggregates/notification-groups/v1",
+ "Get notification groups aggregations",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "aggregates.notification-groups.post.v2",
+ "POST",
+ "/casemgmt/aggregates/notification-groups/v2",
+ "Get notification groups aggregations",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "aggregates.slas.post.v1",
+ "POST",
+ "/casemgmt/aggregates/slas/v1",
+ "Get SLA aggregations",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "aggregates.templates.post.v1",
+ "POST",
+ "/casemgmt/aggregates/templates/v1",
+ "Get templates aggregations",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.fields.get.v1",
+ "GET",
+ "/casemgmt/entities/fields/v1",
+ "Get fields by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.notification-groups.get.v1",
+ "GET",
+ "/casemgmt/entities/notification-groups/v1",
+ "Get notification groups by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.notification-groups.post.v1",
+ "POST",
+ "/casemgmt/entities/notification-groups/v1",
+ "Create notification group",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.notification-groups.patch.v1",
+ "PATCH",
+ "/casemgmt/entities/notification-groups/v1",
+ "Update notification group",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.notification-groups.delete.v1",
+ "DELETE",
+ "/casemgmt/entities/notification-groups/v1",
+ "Delete notification groups by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.notification-groups.get.v2",
+ "GET",
+ "/casemgmt/entities/notification-groups/v2",
+ "Get notification groups by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.notification-groups.post.v2",
+ "POST",
+ "/casemgmt/entities/notification-groups/v2",
+ "Create notification group",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.notification-groups.patch.v2",
+ "PATCH",
+ "/casemgmt/entities/notification-groups/v2",
+ "Update notification group",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.notification-groups.delete.v2",
+ "DELETE",
+ "/casemgmt/entities/notification-groups/v2",
+ "Delete notification groups by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.slas.get.v1",
+ "GET",
+ "/casemgmt/entities/slas/v1",
+ "Get SLAs by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.slas.post.v1",
+ "POST",
+ "/casemgmt/entities/slas/v1",
+ "Create SLA",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.slas.patch.v1",
+ "PATCH",
+ "/casemgmt/entities/slas/v1",
+ "Update SLA",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.slas.delete.v1",
+ "DELETE",
+ "/casemgmt/entities/slas/v1",
+ "Delete SLAs",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.template-snapshots.get.v1",
+ "GET",
+ "/casemgmt/entities/template-snapshots/v1",
+ "Get template snapshots",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Snapshot IDs",
+ "name": "ids",
+ "in": "query"
+ },
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Retrieves the latest snapshot for all Template IDs",
+ "name": "template_ids",
+ "in": "query"
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "integer"
+ },
+ "collectionFormat": "multi",
+ "description": "Retrieve a specific version of the template from the parallel array template_ids. A "
+ "value of zero will return the latest snapshot.",
+ "name": "versions",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "entities.templates_export.get.v1",
+ "GET",
+ "/casemgmt/entities/templates/export/v1",
+ "Export templates to files in a zip archive",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Template IDs",
+ "name": "ids",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "enum": [
+ "yaml",
+ "json"
+ ],
+ "type": "string",
+ "default": "yaml",
+ "description": "Export file format",
+ "name": "format",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "entities.templates_import.post.v1",
+ "POST",
+ "/casemgmt/entities/templates/import/v1",
+ "Import a template from a file",
+ "case_management",
+ [
+ {
+ "type": "file",
+ "description": "Local file",
+ "name": "file",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "type": "boolean",
+ "description": "Run validation only",
+ "name": "dry_run",
+ "in": "formData"
+ }
+ ]
+ ],
+ [
+ "entities.templates.get.v1",
+ "GET",
+ "/casemgmt/entities/templates/v1",
+ "Get templates by ID",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.templates.post.v1",
+ "POST",
+ "/casemgmt/entities/templates/v1",
+ "Create template",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.templates.patch.v1",
+ "PATCH",
+ "/casemgmt/entities/templates/v1",
+ "Update template",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.templates.delete.v1",
+ "DELETE",
+ "/casemgmt/entities/templates/v1",
+ "Delete templates",
+ "case_management",
+ [
+ {
+ "uniqueItems": True,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Resource IDs",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "queries.fields.get.v1",
+ "GET",
+ "/casemgmt/queries/fields/v1",
+ "Query fields",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "maximum": 200,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries.notification-groups.get.v1",
+ "GET",
+ "/casemgmt/queries/notification-groups/v1",
+ "Query notification groups",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Sort expression",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "maximum": 200,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries.notification-groups.get.v2",
+ "GET",
+ "/casemgmt/queries/notification-groups/v2",
+ "Query notification groups",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Sort expression",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "maximum": 200,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries.slas.get.v1",
+ "GET",
+ "/casemgmt/queries/slas/v1",
+ "Query SLAs",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Sort expression",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "maximum": 200,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries.template-snapshots.get.v1",
+ "GET",
+ "/casemgmt/queries/template-snapshots/v1",
+ "Query template snapshots",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "maximum": 200,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries.templates.get.v1",
+ "GET",
+ "/casemgmt/queries/templates/v1",
+ "Query templates",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "FQL filter expression",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Sort expression",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "maximum": 200,
+ "minimum": 1,
+ "type": "integer",
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Page offset",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "entities.alert-evidence.post.v1",
+ "POST",
+ "/cases/entities/alert-evidence/v1",
+ "Adds the given list of alert evidence to the specified case.",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.case-tags.post.v1",
+ "POST",
+ "/cases/entities/case-tags/v1",
+ "Adds the given list of tags to the specified case.",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.case-tags.delete.v1",
+ "DELETE",
+ "/cases/entities/case-tags/v1",
+ "Removes the specified tags from the specified case.",
+ "case_management",
+ [
+ {
+ "type": "string",
+ "description": "The ID of the case to remove tags from.",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The tag to remove from the case.",
+ "name": "tag",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.cases.put.v2",
+ "PUT",
+ "/cases/entities/cases/v2",
+ "Creates the given Case",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.cases.post.v2",
+ "POST",
+ "/cases/entities/cases/v2",
+ "Retrieves all Cases given their IDs.",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.cases.patch.v2",
+ "PATCH",
+ "/cases/entities/cases/v2",
+ "Updates given fields on the specified case.",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.event-evidence.post.v1",
+ "POST",
+ "/cases/entities/event-evidence/v1",
+ "Adds the given list of event evidence to the specified case.",
+ "case_management",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "queries.cases.get.v1",
+ "GET",
+ "/cases/queries/cases/v1",
+ "Retrieves all Cases IDs that match a given query.",
+ "case_management",
+ [
+ {
+ "maximum": 10000,
+ "minimum": 0,
+ "type": "integer",
+ "description": "The maximum number of Cases to return in this response (default: 100; max: 10000). Use "
+ "this parameter together with the offset parameter to manage pagination of the results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The first case to return, where 0 is the latest case. Use with the offset parameter to "
+ "manage pagination of results.",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Sort parameter takes the form . Direction can be either asc "
+ "(ascending) or desc (descending) order. For example: status|asc or status|desc.\n\nThe sorting fields can be "
+ "any keyword field that is part of #domain.Case except for the text based fields. Most commonly used fields are "
+ " status, cid, created_timestamp, updated_timestamp, assigned_to_name, assigned_to_userid, assigned_to_uuid, "
+ "tags\nIf the fields are missing from the Cases, the service will fallback to its default ordering ",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Filter Cases using a query in Falcon Query Language (FQL).Filter fields can be any "
+ "keyword field that is part of #domain.Case \nAn asterisk wildcard * includes all results. \nEmpty value means "
+ " to not filter on anything.\nMost commonly used filter fields that supports exact match: cid, id ...\nMost "
+ "commonly used filter fields that supports wildcard (*): assigned_to_name, assigned_to_uuid...\nMost commonly "
+ "filter fields that supports range comparisons (>, <, >=, <=): created_timestamp, updated_timestamp...\nAll "
+ "filter fields and operations support negation (!).\n\n\nThe full list of valid filter options is extensive. "
+ "Review it in our [documentation inside the Falcon "
+ "console](https://falcon.crowdstrike.com/documentation/45/falcon-query-language-fql).",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "Search all Case metadata for the provided string",
+ "name": "q",
+ "in": "query"
+ }
+ ]
+ ]
+]
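Review bot: The `sort` description for queries.cases.get.v1 at L10805 reads "Sort parameter takes the form . Direction can be ..." — the form itself is missing, most likely an angle-bracketed placeholder stripped when the spec was converted. Restore it in plain text, e.g. `"description": "Sort parameter takes the form field|direction. Direction can be either asc "`. The `filter` description at L10815 also lacks a space in "(FQL).Filter fields", and the doubled spaces at L10808 (" status,") and L10817 (" to not filter") come from the same leading-space continuation-join pattern.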
diff --git a/src/falconpy/_endpoint/deprecated/_cloud_aws_registration.py b/src/falconpy/_endpoint/deprecated/_cloud_aws_registration.py
index abfdaf8a..3a0144eb 100644
--- a/src/falconpy/_endpoint/deprecated/_cloud_aws_registration.py
+++ b/src/falconpy/_endpoint/deprecated/_cloud_aws_registration.py
@@ -37,6 +37,37 @@
"""
_cloud_aws_registration_endpoints = [
+ [
+ "cloud-registration-aws-trigger-health-check",
+ "POST",
+ "/cloud-security-registration-aws/entities/account-scans/v1",
+ "Trigger health check scan for AWS accounts",
+ "cloud_aws_registration",
+ [
+ {
+ "maxItems": 50,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "AWS Account IDs.",
+ "name": "account-ids",
+ "in": "query"
+ },
+ {
+ "maxItems": 10,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Organization IDs",
+ "name": "organization-ids",
+ "in": "query"
+ }
+ ]
+ ],
[
"cloud-registration-aws-get-accounts",
"GET",
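Review bot: `account-ids` on `cloud-registration-aws-trigger-health-check` carries `maxItems: 50` but no `pattern`, while `account-id` on the validate operation later in this file constrains an AWS account ID to `^\\d{12}$`; if these tables are meant to mirror the spec consistently, the same 12-digit item pattern presumably applies here and is worth adding or confirming. Neither `account-ids` nor `organization-ids` is marked `required`, and nothing states whether a call with both omitted is meaningful, so a caller only learns the rule from a server-side error. One sentence in the operation description would spare that round trip, e.g. `"Trigger health check scan for AWS accounts. Supply account-ids, organization-ids, or both."` — confirm the actual rule against the spec before wording it.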
@@ -113,6 +144,37 @@
}
]
],
+ [
+ "cloud-registration-aws-validate-accounts",
+ "POST",
+ "/cloud-security-registration-aws/entities/account/validate/v1",
+ "Validates the AWS account registration status, and discover organization child accounts if organization is specified",
+ "cloud_aws_registration",
+ [
+ {
+ "pattern": "^\\d{12}$",
+ "type": "string",
+ "description": "AWS Account ID. organization-id shouldn't be specified if this is specified",
+ "name": "account-id",
+ "in": "query"
+ },
+ {
+ "pattern": "^arn:aws:iam::\\d{12}:role/.+",
+ "type": "string",
+ "description": "IAM Role ARN",
+ "name": "iam-role-arn",
+ "in": "query"
+ },
+ {
+ "pattern": "^o-[0-9a-z]{10,32}$",
+ "type": "string",
+ "description": "AWS organization ID to validate master account. account-id shouldn't be specified if "
+ "this is specified",
+ "name": "organization-id",
+ "in": "query"
+ }
+ ]
+ ],
[
"cloud-registration-aws-query-accounts",
"GET",
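Review bot: The `iam-role-arn` pattern `^arn:aws:iam::\\d{12}:role/.+` only admits the commercial `aws` partition, so GovCloud (`arn:aws-us-gov:`) and China (`arn:aws-cn:`) role ARNs would be rejected wherever this pattern is enforced or surfaced; if that mirrors the service's own validation it is fine, but it should be confirmed rather than left implicit, since the role ARN is the identity the integration will assume. The mutual exclusion between `account-id` and `organization-id` exists only inside the two parameter descriptions — neither is `required` and nothing expresses "exactly one of" — so the generated docstring will not tell a caller that both-or-neither is an error. Stating it once in the operation description, `"... Exactly one of account-id or organization-id must be supplied."`, keeps the constraint visible where users read it.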
diff --git a/src/falconpy/_endpoint/deprecated/_cloud_azure_registration.py b/src/falconpy/_endpoint/deprecated/_cloud_azure_registration.py
index 69fca805..c5e809fb 100644
--- a/src/falconpy/_endpoint/deprecated/_cloud_azure_registration.py
+++ b/src/falconpy/_endpoint/deprecated/_cloud_azure_registration.py
@@ -37,6 +37,39 @@
"""
_cloud_azure_registration_endpoints = [
+ [
+ "cloud-registration-azure-delete-legacy-subscription",
+ "DELETE",
+ "/cloud-security-registration-azure/entities/accounts/legacy/v1",
+ "Delete existing legacy Azure subscriptions.",
+ "cloud_azure_registration",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "cloud-registration-azure-trigger-health-check",
+ "POST",
+ "/cloud-security-registration-azure/entities/registrations/healthcheck/v1",
+ "Trigger health check scan for Azure registrations",
+ "cloud_azure_registration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Azure tenant IDs",
+ "name": "tenant_ids",
+ "in": "query"
+ }
+ ]
+ ],
[
"cloud-registration-azure-get-registration",
"GET",
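Review bot: `cloud-registration-azure-delete-legacy-subscription` is a DELETE whose only selector is a required request body; a body on DELETE has no generally defined semantics (RFC 9110 §9.3.5) and some intermediaries and HTTP clients drop it, which can turn a targeted delete into a request with no selector at all. If this mirrors the service contract it cannot be changed here, but the description should at least say what the body must carry, e.g. `"Delete existing legacy Azure subscriptions. The request body identifies the subscriptions to remove."`, hedged to whatever the spec defines. Separately, `tenant_ids` on `cloud-registration-azure-trigger-health-check` has no `maxItems`, unlike the AWS counterpart's 50/10 caps in this same diff — worth confirming whether the service imposes a limit.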
@@ -101,6 +134,32 @@
}
]
],
+ [
+ "cloud-registration-azure-validate-registration",
+ "POST",
+ "/cloud-security-registration-azure/entities/registrations/validate/v1",
+ "Validate an Azure registration by checking service principal, role assignments and deployment stack (if "
+ "the deployment method is Bicep)",
+ "cloud_azure_registration",
+ [
+ {
+ "maxLength": 36,
+ "minLength": 36,
+ "pattern": "^[0-9a-z-]{36}$",
+ "type": "string",
+ "description": "Azure tenant ID to be validated",
+ "name": "tenant_id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Azure deployment stack name to be validated",
+ "name": "stack_name",
+ "in": "query"
+ }
+ ]
+ ],
[
"cloud-registration-azure-download-script",
"POST",
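Review bot: The `pattern` on `tenant_id` in `cloud-registration-azure-validate-registration`, `^[0-9a-z-]{36}$`, is both looser and stricter than an Azure tenant GUID: it accepts any 36-character mix of lowercase letters, digits and dashes (36 `z`s would pass), yet rejects the uppercase-hex form the Azure portal commonly displays. If the intent is a GUID, the usual shape is `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`, which also makes `minLength`/`maxLength` redundant. If the pattern is copied verbatim from the service spec, raise it upstream rather than diverging here, and note the case-sensitivity in the description so callers know to lowercase the value.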
diff --git a/src/falconpy/_endpoint/deprecated/_cloud_google_cloud_registration.py b/src/falconpy/_endpoint/deprecated/_cloud_google_cloud_registration.py
new file mode 100644
index 00000000..5ca20f14
--- /dev/null
+++ b/src/falconpy/_endpoint/deprecated/_cloud_google_cloud_registration.py
@@ -0,0 +1,140 @@
+"""Internal API endpoint constant library (deprecated operations).
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_cloud_google_cloud_registration_endpoints = [
+ [
+ "cloud-registration-gcp-trigger-health-check",
+ "POST",
+ "/cloud-security-registration-google-cloud/entities/registration-scans/v1",
+ "Trigger health check scan for GCP registrations",
+ "cloud_google_cloud_registration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "GCP Registration IDs",
+ "name": "ids",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "cloud-registration-gcp-get-registration",
+ "GET",
+ "/cloud-security-registration-google-cloud/entities/registrations/v1",
+ "Retrieve a Google Cloud Registration.",
+ "cloud_google_cloud_registration",
+ [
+ {
+ "type": "string",
+ "description": "Google Cloud Registration ID",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "cloud-registration-gcp-put-registration",
+ "PUT",
+ "/cloud-security-registration-google-cloud/entities/registrations/v1",
+ "Creates/Updates a Google Cloud Registration.",
+ "cloud_google_cloud_registration",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "cloud-registration-gcp-create-registration",
+ "POST",
+ "/cloud-security-registration-google-cloud/entities/registrations/v1",
+ "Create a Google Cloud Registration.",
+ "cloud_google_cloud_registration",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "cloud-registration-gcp-update-registration",
+ "PATCH",
+ "/cloud-security-registration-google-cloud/entities/registrations/v1",
+ "Update a Google Cloud Registration.",
+ "cloud_google_cloud_registration",
+ [
+ {
+ "type": "string",
+ "description": "Google Cloud Registration ID",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "cloud-registration-gcp-delete-registration",
+ "DELETE",
+ "/cloud-security-registration-google-cloud/entities/registrations/v1",
+ "Deletes a Google Cloud Registration and returns the deleted registration in the response body.",
+ "cloud_google_cloud_registration",
+ [
+ {
+ "type": "string",
+ "description": "Google Cloud Registration ID",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ]
+]
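Review bot: The `ids` parameter on `cloud-registration-gcp-get-registration`, `-update-registration` and `-delete-registration` is declared `type: string` while its name, and the `collectionFormat: multi` arrays used elsewhere in this diff, imply a list; the generated docstring will advertise `ids` but the description says a single "Google Cloud Registration ID". If the service accepts exactly one, make the description say so, `"Google Cloud Registration ID (a single ID)"`; if it accepts several, declare an array as the health-check operation in this file does. `cloud-registration-gcp-trigger-health-check` also has neither `required` nor `maxItems` on `ids`, unlike the AWS counterpart's `maxItems: 50` — worth confirming the service cap.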
diff --git a/src/falconpy/_endpoint/deprecated/_cloud_oci_registration.py b/src/falconpy/_endpoint/deprecated/_cloud_oci_registration.py
index dc515398..cfaf1414 100644
--- a/src/falconpy/_endpoint/deprecated/_cloud_oci_registration.py
+++ b/src/falconpy/_endpoint/deprecated/_cloud_oci_registration.py
@@ -47,14 +47,14 @@
{
"type": "string",
"description": "FQL (Falcon Query Language) string for filtering results. Allowed filters are "
- "Set{home_region, key_age, overall_status, created_at, updated_at, tenancy_ocid, tenancy_name}",
+ "Set{tenancy_name, home_region, key_age, overall_status, created_at, updated_at, tenancy_ocid}",
"name": "filter",
"in": "query"
},
{
"type": "string",
- "description": "Field and direction for sorting results - allowed sort fields are Set{overall_status, "
- "created_at, updated_at, tenancy_ocid, tenancy_name, home_region, key_age}",
+ "description": "Field and direction for sorting results - allowed sort fields are Set{home_region, "
+ "key_age, overall_status, created_at, updated_at, tenancy_ocid, tenancy_name}",
"name": "sort",
"in": "query"
},
diff --git a/src/falconpy/_endpoint/deprecated/_cloud_security.py b/src/falconpy/_endpoint/deprecated/_cloud_security.py
new file mode 100644
index 00000000..8c096318
--- /dev/null
+++ b/src/falconpy/_endpoint/deprecated/_cloud_security.py
@@ -0,0 +1,83 @@
+"""Internal API endpoint constant library (deprecated operations).
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_cloud_security_endpoints = [
+ [
+ "combined-cloud-risks",
+ "GET",
+ "/cloud-security-risks/combined/cloud-risks/v1",
+ "Gets cloud risks with full details based on filters and sort criteria",
+ "cloud_security",
+ [
+ {
+ "type": "string",
+ "description": "FQL string to filter results in Falcon Query Language (FQL). Supported fields: "
+ "account_id account_name asset_gcrn asset_id asset_name asset_region asset_type cloud_group "
+ "cloud_provider first_seen last_seen resolved_at risk_factor rule_id rule_name service_category "
+ "severity status suppressed_by suppressed_reason tags",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The field to sort on. Use |asc or |desc suffix to specify sort direction.Supported "
+ "fields: account_id account_name asset_id asset_name asset_region asset_type cloud_provider first_seen "
+ "last_seen resolved_at rule_name service_category severity status",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "maximum": 1000,
+ "minimum": 0,
+ "type": "integer",
+ "default": 500,
+ "description": "The maximum number of items to return. When not specified or 0, 500 is used. When "
+ "larger than 1000, 1000 is used.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Offset returned risks",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ]
+]
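Review bot: The `sort` description on `combined-cloud-risks` runs "sort direction.Supported fields" together; the missing space after the period is carried verbatim into the generated service-class docstring and reference docs, so fix it at the source: `"The field to sort on. Use |asc or |desc suffix to specify sort direction. Supported "`. The same string appears on `cspm-evaluations-iom-queries` in `_cloud_security_detections.py` in this diff and should be corrected there too.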
diff --git a/src/falconpy/_endpoint/deprecated/_cloud_security_assets.py b/src/falconpy/_endpoint/deprecated/_cloud_security_assets.py
index 99361b95..e3171499 100644
--- a/src/falconpy/_endpoint/deprecated/_cloud_security_assets.py
+++ b/src/falconpy/_endpoint/deprecated/_cloud_security_assets.py
@@ -37,6 +37,52 @@
"""
_cloud_security_assets_endpoints = [
+ [
+ "cloud-security-assets-combined-application-findings",
+ "GET",
+ "/cloud-security-assets/combined/application-findings/v1",
+ "Get findings for an application resource with pagination",
+ "cloud_security_assets",
+ [
+ {
+ "type": "string",
+ "description": "Application CRN",
+ "name": "crn",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Finding type",
+ "name": "type",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "FQL string to filter findings",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "default": 0,
+ "description": "Pagination offset",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "maximum": 1000,
+ "minimum": 1,
+ "type": "integer",
+ "default": 50,
+ "description": "Page size",
+ "name": "limit",
+ "in": "query"
+ }
+ ]
+ ],
[
"cloud-security-assets-combined-compliance-by-account",
"GET",
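Review bot: The `filter` parameter on `cloud-security-assets-combined-application-findings` is described only as `"FQL string to filter findings"` with no list of filterable fields, unlike every other `filter` in this file (the compliance-by-account and combined-assets operations enumerate theirs), so the generated docstring gives callers nothing to build a query from. The required `type` parameter has the same problem — `"Finding type"` names no accepted values. If the spec enumerates them, carry the lists over, e.g. `"FQL string to filter findings. Filterable fields include: ..."` and an `enum` on `type`; if it does not, say so explicitly so the gap is documented rather than silent.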
@@ -48,9 +94,10 @@
"type": "string",
"description": "FQL string to filter on asset contents. Filterable fields include: account_id "
"account_name assessment_id business_impact cloud_group cloud_label cloud_label_id cloud_provider "
- "cloud_scope compliant control.benchmark.name control.benchmark.version control.framework control.name "
- "control.type control.version environment last_evaluated region resource_provider resource_type "
- "resource_type_name service service_category severities tag_key tag_value",
+ "cloud_scope compliant control.benchmark.name control.benchmark.version control.extension.status "
+ "control.framework control.name control.type control.version environment last_evaluated region "
+ "resource_provider resource_type resource_type_name service service_category severities tag_key "
+ "tag_value tags_string",
"name": "filter",
"in": "query"
},
@@ -138,35 +185,37 @@
{
"type": "string",
"description": "FQL string to filter on asset contents. Filterable fields include: account_id "
- "account_name active application_security.business_applications application_security.business_criticality "
- "application_security.service_names azure.vm_id business_impact cloud_group cloud_label cloud_label_id "
- "cloud_provider cloud_scope cluster_id cluster_name compartment_ocid compliant.benchmark_name "
- "compliant.benchmark_version compliant.framework compliant.policy_id compliant.requirement compliant.rule "
- "compliant.section configuration.id creation_time cve_ids data_classifications.found "
- "data_classifications.label data_classifications.label_id data_classifications.scanned "
- "data_classifications.tag data_classifications.tag_id environment exprt_ratings first_seen "
- "highest_severity id insights.boolean_value insights.date_value insights.id insights.integer_value "
- "insights.string_list_value insights.string_value instance_id instance_state ioa_count iom_count "
- "legacy_resource_id legacy_uuid managed_by non_compliant.benchmark_name non_compliant.benchmark_version "
- "non_compliant.framework non_compliant.policy_id non_compliant.requirement non_compliant.rule "
+ "account_name active aspm.deployment_cloud_resource_id aspm.deployment_provider aspm.deployment_type "
+ "aspm.technologies azure.vm_id business_impact cloud_group cloud_label cloud_label_id cloud_provider "
+ "cloud_scope cluster_id cluster_name compartment_ocid compliant.benchmark_name compliant.benchmark_version "
+ " compliant.framework compliant.policy_id compliant.requirement compliant.rule compliant.section "
+ "configuration.id control.benchmark.name control.benchmark.version control.framework control.requirement "
+ "control.type control.version creation_time cve_ids data_classifications.found data_classifications.label "
+ " data_classifications.label_id data_classifications.scanned data_classifications.tag "
+ "data_classifications.tag_id environment exprt_ratings first_seen highest_severity id "
+ "insights.boolean_value insights.date_value insights.id insights.integer_value insights.string_list_value "
+ "insights.string_value instance_id instance_state ioa_count iom_count legacy_resource_id legacy_uuid "
+ "managed_by non_compliant.benchmark_name non_compliant.benchmark_version non_compliant.framework "
+ "non_compliant.policy_id non_compliant.requirement non_compliant.rule non_compliant.rule_name "
"non_compliant.section non_compliant.severity organization_Id os_version platform_name publicly_exposed "
- "region resource_id resource_name resource_type resource_type_name sensor_priority service "
- "service_category severity snapshot_detections ssm_managed status tag_key tag_value tags tenant_id "
- "updated_at vmware.guest_os_id vmware.guest_os_version vmware.host_system_name vmware.host_type "
- "vmware.instance_uuid vmware.vm_host_name vmware.vm_tools_status zone",
+ "region resource_id resource_name resource_parent resource_type resource_type_name sensor_priority "
+ "service service_category severity snapshot_detections ssm_managed status tag_key tag_value tags "
+ "tags_string tenant_id updated_at vmware.guest_os_id vmware.guest_os_version vmware.host_system_name "
+ "vmware.host_type vmware.instance_uuid vmware.vm_host_name vmware.vm_tools_status zone",
"name": "filter",
"in": "query"
},
{
"type": "string",
"description": "The field to sort on. Sortable fields include: account_id account_name active "
+ "aspm.deployment_cloud_resource_id aspm.deployment_provider aspm.deployment_type aspm.technologies "
"cloud_provider cluster_id cluster_name compartment_name compartment_ocid compartment_path creation_time "
" data_classifications.found data_classifications.scanned first_seen id instance_id instance_state "
"ioa_count iom_count managed_by organization_Id os_version platform_name publicly_exposed region "
- "resource_id resource_name resource_type resource_type_name service service_category ssm_managed status "
- " tenancy_name tenancy_ocid tenancy_type tenant_id updated_at vmware.guest_os_id vmware.guest_os_version "
- " vmware.host_system_name vmware.host_type vmware.instance_uuid vmware.vm_host_name vmware.vm_tools_status "
- "zone\n\nUse |asc or |desc suffix to specify sort direction.",
+ "resource_id resource_name resource_parent resource_type resource_type_name service service_category "
+ "ssm_managed status tenancy_name tenancy_ocid tenancy_type tenant_id updated_at vmware.guest_os_id "
+ "vmware.guest_os_version vmware.host_system_name vmware.host_type vmware.instance_uuid vmware.vm_host_name "
+ "vmware.vm_tools_status zone\n\nUse |asc or |desc suffix to specify sort direction.",
"name": "sort",
"in": "query"
},
diff --git a/src/falconpy/_endpoint/deprecated/_cloud_security_compliance.py b/src/falconpy/_endpoint/deprecated/_cloud_security_compliance.py
new file mode 100644
index 00000000..cb046bb4
--- /dev/null
+++ b/src/falconpy/_endpoint/deprecated/_cloud_security_compliance.py
@@ -0,0 +1,98 @@
+"""Internal API endpoint constant library (deprecated operations).
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_cloud_security_compliance_endpoints = [
+ [
+ "cloud-compliance-framework-posture-summaries",
+ "GET",
+ "/cloud-security-compliance/entities/framework-posture-summaries/v1",
+ "Get sections and requirements with scores for benchmarks.",
+ "cloud_security_compliance",
+ [
+ {
+ "maxItems": 20,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "csv",
+ "description": "The uuids of compliance frameworks to retrieve (maximum 20 IDs allowed).",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "FQL filter, supported properties:\n - account_id account_name business_impact "
+ "cloud_label cloud_label_id cloud_provider environment groups region resource_type resource_type_name "
+ "tag_key tag_value",
+ "name": "filter",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "cloud-compliance-rule-posture-summaries",
+ "GET",
+ "/cloud-security-compliance/entities/rule-posture-summaries/v1",
+ "Get compliance score and counts for rules.",
+ "cloud_security_compliance",
+ [
+ {
+ "maxItems": 350,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "csv",
+ "description": "The uuids of compliance rules to retrieve (maximum 350 IDs allowed).",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "FQL filter, supported properties:\n - account_id account_name business_impact "
+ "cloud_label cloud_label_id cloud_provider environment groups region resource_type resource_type_name "
+ "tag_key tag_value",
+ "name": "filter",
+ "in": "query"
+ }
+ ]
+ ]
+]
diff --git a/src/falconpy/_endpoint/deprecated/_cloud_security_detections.py b/src/falconpy/_endpoint/deprecated/_cloud_security_detections.py
new file mode 100644
index 00000000..fa11f1e7
--- /dev/null
+++ b/src/falconpy/_endpoint/deprecated/_cloud_security_detections.py
@@ -0,0 +1,119 @@
+"""Internal API endpoint constant library (deprecated operations).
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_cloud_security_detections_endpoints = [
+ [
+ "cspm-evaluations-iom-entities",
+ "GET",
+ "/cloud-security-evaluations/entities/ioms/v1",
+ "Gets IOMs based on the provided IDs",
+ "cloud_security_detections",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "List of IOMs to return (maximum 100 IDs allowed). Use POST method with same path if "
+ "more entities are required.",
+ "name": "ids",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "cspm-evaluations-iom-queries",
+ "GET",
+ "/cloud-security-evaluations/queries/ioms/v1",
+ "Gets a list of IOM IDs for the given parameters, filters and sort criteria.",
+ "cloud_security_detections",
+ [
+ {
+ "type": "string",
+ "description": "FQL string to filter results in Falcon Query Language (FQL). Supported fields: "
+ "account_id account_name applicable_profile attack_type benchmark_name benchmark_version business_impact "
+ " cid cloud_group cloud_label cloud_label_id cloud_provider cloud_scope created_at environment "
+ "extension_status first_detected framework last_detected policy_id policy_name policy_uuid region "
+ "requirement requirement_name resource_gcrn resource_id resource_parent resource_status resource_type "
+ "resource_type_name rule_group rule_id rule_name rule_origin rule_remediation section service "
+ "service_category severity status suppressed_by suppression_reason tactic_id tactic_name tag_key "
+ "tag_value tags tags_string technique_id technique_name",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The field to sort on. Use |asc or |desc suffix to specify sort direction.Supported "
+ "fields: account_id account_name applicable_profile attack_type benchmark_name benchmark_version "
+ "business_impact cid cloud_group cloud_label cloud_label_id cloud_provider cloud_scope created_at "
+ "environment extension_status first_detected framework last_detected policy_id policy_name policy_uuid "
+ "region requirement requirement_name resource_gcrn resource_id resource_parent resource_status "
+ "resource_type resource_type_name rule_group rule_id rule_name rule_origin rule_remediation section "
+ "service service_category severity status suppressed_by suppression_reason tactic_id tactic_name "
+ "tag_key tag_value tags tags_string technique_id technique_name",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "maximum": 1000,
+ "minimum": 0,
+ "type": "integer",
+ "default": 500,
+ "description": "The maximum number of items to return. When not specified or 0, 500 is used. When "
+ "larger than 1000, 1000 is used.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "minimum": 0,
+ "type": "integer",
+ "description": "Offset returned assets",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "token-based pagination. Use for paginating through an entire result set. Use only one "
+ "of 'offset' and 'after' parameters for paginating",
+ "name": "after",
+ "in": "query"
+ }
+ ]
+ ]
+]
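Review bot: The `ids` description on `cspm-evaluations-iom-entities` states "maximum 100 IDs allowed", but the parameter carries no `maxItems: 100`, whereas the new `_cloud_security_compliance.py` in this diff encodes its caps (`maxItems: 20` / `350`) as constraints; the limit should be declared as data as well as prose so tooling and docs agree: `"maxItems": 100,`. The description also points to "the POST method with same path", which is not part of this table — if that operation lives in another module, name it; if it is not yet wrapped, the pointer will mislead SDK users. The `ids` parameter is not marked `required` either, though the operation is meaningless without it.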
diff --git a/src/falconpy/_endpoint/deprecated/_datascanner.py b/src/falconpy/_endpoint/deprecated/_correlation_rules_admin.py
similarity index 65%
rename from src/falconpy/_endpoint/deprecated/_datascanner.py
rename to src/falconpy/_endpoint/deprecated/_correlation_rules_admin.py
index c9e58a23..83f6defe 100644
--- a/src/falconpy/_endpoint/deprecated/_datascanner.py
+++ b/src/falconpy/_endpoint/deprecated/_correlation_rules_admin.py
@@ -36,50 +36,17 @@
For more information, please refer to
"""
-_datascanner_endpoints = [
+_correlation_rules_admin_endpoints = [
[
- "get-image-registry-credentials",
- "GET",
- "/data-security-dspm/entities/image-registry-credentials/v1",
- "",
- "datascanner",
- []
- ],
- [
- "get-data-scanner-tasks",
- "GET",
- "/data-security-dspm/entities/scanner-tasks/v1",
- "",
- "datascanner",
+ "entities.rules_ownership.put.v1",
+ "PUT",
+ "/correlation-rules/entities/rules/ownership/v1",
+ "Change the owner of an existing Correlation Rule",
+ "correlation_rules_admin",
[
{
- "type": "string",
- "description": "ID of the data scanner",
- "name": "X-Scanner-Id",
- "in": "header",
- "required": True
- }
- ]
- ],
- [
- "update-data-scanner-tasks",
- "PATCH",
- "/data-security-dspm/entities/scanner-tasks/v1",
- "",
- "datascanner",
- [
- {
- "type": "string",
- "description": "ID of the data scanner",
- "name": "X-Scanner-Id",
- "in": "header",
- "required": True
- },
- {
- "type": "string",
- "description": "Provider ID of machine",
- "name": "X-Machine-Id",
- "in": "header",
+ "name": "body",
+ "in": "body",
"required": True
}
]
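Review bot: Git presented this as a 65%-similar rename, but semantically it deletes the three deprecated `datascanner` operations and introduces an unrelated `_correlation_rules_admin_endpoints` table; any surviving `from ._datascanner import _datascanner_endpoints` in the deprecated package's `__init__` (outside this diff) would now fail at import time, so confirm that side was updated in the same change. The new `entities.rules_ownership.put.v1` operation reassigns ownership of a correlation rule — an authorization-relevant action — yet its only parameter is an opaque required body, so the generated docstring will not say what must be sent. Extend the description to cover the payload, e.g. `"Change the owner of an existing Correlation Rule. The body carries the rule identifier(s) and the new owner."`, adjusted to whatever the spec actually defines.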
diff --git a/src/falconpy/_endpoint/deprecated/_data_protection_configuration.py b/src/falconpy/_endpoint/deprecated/_data_protection_configuration.py
new file mode 100644
index 00000000..fccfa083
--- /dev/null
+++ b/src/falconpy/_endpoint/deprecated/_data_protection_configuration.py
@@ -0,0 +1,918 @@
+"""Internal API endpoint constant library (deprecated operations).
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+_data_protection_configuration_endpoints = [
+ [
+ "entities.classification.get.v2",
+ "GET",
+ "/data-protection/entities/classifications/v2",
+ "Gets the classifications that match the provided ids",
+ "data_protection_configuration",
+ [
+ {
+ "maxItems": 100,
+ "minItems": 1,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "IDs of the classifications to get",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.classification.post.v2",
+ "POST",
+ "/data-protection/entities/classifications/v2",
+ "Create classifications",
+ "data_protection_configuration",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.classification.patch.v2",
+ "PATCH",
+ "/data-protection/entities/classifications/v2",
+ "Update classifications",
+ "data_protection_configuration",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.classification.delete.v2",
+ "DELETE",
+ "/data-protection/entities/classifications/v2",
+ "Deletes classifications that match the provided ids",
+ "data_protection_configuration",
+ [
+ {
+ "maxItems": 100,
+ "minItems": 1,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "IDs of the classifications to delete",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.cloud-application.get",
+ "GET",
+ "/data-protection/entities/cloud-applications/v1",
+ "Get a particular cloud-application",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The cloud application id(s) to get.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.cloud-application.create",
+ "POST",
+ "/data-protection/entities/cloud-applications/v1",
+ "Persist the given cloud application for the provided entity instance",
+ "data_protection_configuration",
+ [
+ {
+ "description": "The cloud-application definition to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.cloud-application.patch",
+ "PATCH",
+ "/data-protection/entities/cloud-applications/v1",
+ "Update a cloud application",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The cloud app id to update.",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "description": "The new cloud-application definition",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.cloud-application.delete",
+ "DELETE",
+ "/data-protection/entities/cloud-applications/v1",
+ "Delete cloud application",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The id of the cloud application to delete.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.content-pattern.get",
+ "GET",
+ "/data-protection/entities/content-patterns/v1",
+ "Get a particular content-pattern(s)",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The content-pattern id(s) to get.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.content-pattern.create",
+ "POST",
+ "/data-protection/entities/content-patterns/v1",
+ "Persist the given content pattern for the provided entity instance",
+ "data_protection_configuration",
+ [
+ {
+ "description": "Definition of content-pattern to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.content-pattern.patch",
+ "PATCH",
+ "/data-protection/entities/content-patterns/v1",
+ "Update a content pattern",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The id of the content pattern to patch.",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "description": "Definition of content-pattern to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.content-pattern.delete",
+ "DELETE",
+ "/data-protection/entities/content-patterns/v1",
+ "Delete content pattern",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The id(s) of the content pattern to delete.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.enterprise-account.get",
+ "GET",
+ "/data-protection/entities/enterprise-accounts/v1",
+ "Get a particular enterprise-account(s)",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The enterprise-account id(s) to get.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.enterprise-account.create",
+ "POST",
+ "/data-protection/entities/enterprise-accounts/v1",
+ "Persist the given enterprise account for the provided entity instance",
+ "data_protection_configuration",
+ [
+ {
+ "description": "Definition of enterprise-account to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.enterprise-account.patch",
+ "PATCH",
+ "/data-protection/entities/enterprise-accounts/v1",
+ "Update a enterprise account",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The id of the enterprise account to update.",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "description": "Definition of enterprise-account to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.enterprise-account.delete",
+ "DELETE",
+ "/data-protection/entities/enterprise-accounts/v1",
+ "Delete enterprise account",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The id of the enterprise account to delete.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.file-type.get",
+ "GET",
+ "/data-protection/entities/file-types/v1",
+ "Get a particular file-type",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The file-type id(s) to get.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.sensitivity-label.get-v2",
+ "GET",
+ "/data-protection/entities/labels/v2",
+ "Get sensitivity label matching the IDs (V2)",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The sensitivity label entity id(s) to get.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.sensitivity-label.create-v2",
+ "POST",
+ "/data-protection/entities/labels/v2",
+ "Create new sensitivity label (V2)",
+ "data_protection_configuration",
+ [
+ {
+ "description": "Definition of sensitivity label to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.sensitivity-label.delete-v2",
+ "DELETE",
+ "/data-protection/entities/labels/v2",
+ "Delete sensitivity labels matching the IDs (V2)",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The sensitivity label entity id(s) to delete.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.policy.get.v2",
+ "GET",
+ "/data-protection/entities/policies/v2",
+ "Gets policies that match the provided ids",
+ "data_protection_configuration",
+ [
+ {
+ "maxItems": 100,
+ "minItems": 1,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "IDs of the policies to get",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.policy.post.v2",
+ "POST",
+ "/data-protection/entities/policies/v2",
+ "Create policies",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "platform name of the policies to update, either 'win' or 'mac'",
+ "name": "platform_name",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.policy.patch.v2",
+ "PATCH",
+ "/data-protection/entities/policies/v2",
+ "Update policies",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "platform name of the policies to update, either 'win' or 'mac'",
+ "name": "platform_name",
+ "in": "query",
+ "required": True
+ },
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.policy.delete.v2",
+ "DELETE",
+ "/data-protection/entities/policies/v2",
+ "Deletes policies that match the provided ids",
+ "data_protection_configuration",
+ [
+ {
+ "maxItems": 100,
+ "minItems": 1,
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "IDs of the policies to delete",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "platform name of the policies to update, either 'win' or 'mac'",
+ "name": "platform_name",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.web-location.get-v2",
+ "GET",
+ "/data-protection/entities/web-locations/v2",
+ "Get web-location entities matching the provided ID(s)",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "The web-location entity id(s) to get.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.web-location.create-v2",
+ "POST",
+ "/data-protection/entities/web-locations/v2",
+ "Persist the given web-locations",
+ "data_protection_configuration",
+ [
+ {
+ "description": "Definition of web-locations to create",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.web-location.patch-v2",
+ "PATCH",
+ "/data-protection/entities/web-locations/v2",
+ "Update a web-location",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The web-location entity id to update.",
+ "name": "id",
+ "in": "query",
+ "required": True
+ },
+ {
+ "description": "Definition of updated web-location",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "entities.web-location.delete-v2",
+ "DELETE",
+ "/data-protection/entities/web-locations/v2",
+ "Delete web-location",
+ "data_protection_configuration",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "csv",
+ "description": "The ids of the web-location to delete.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
+ [
+ "queries.classification.get.v2",
+ "GET",
+ "/data-protection/queries/classifications/v2",
+ "Search for classifications that match the provided criteria",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "Filter results by specific attributes , allowed attributes are "
+ "[properties.protection_mode properties.web_sources created_by modified_at properties.file_types "
+ "properties.sensitivity_labels name created_at modified_by properties.content_patterns "
+ "properties.evidence_duplication_enabled]",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "maximum": 10000,
+ "minimum": 0,
+ "type": "integer",
+ "description": "The offset to start retrieving records from",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "maximum": 500,
+ "minimum": 0,
+ "type": "integer",
+ "default": 100,
+ "description": "The maximum records to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The property to sort by, allowed fields are :[name created_at modified_at]",
+ "name": "sort",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries.cloud-application.get-v2",
+ "GET",
+ "/data-protection/queries/cloud-applications/v2",
+ "Get all cloud-application IDs matching the query with filter",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "Optional filter for searching cloud applications. Allowed filters are 'name' (string), "
+ " 'type' (array of strings representing the tier, accepted values are: integrated, predefined, custom), "
+ "'deleted' (boolean), supports_network_inspection (boolean) and 'application_group_id' (string)",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The sort instructions to order by on. Allowed values are 'name' (string), 'type' "
+ "(array of strings representing the tier, accepted values are: integrated, predefined, custom), 'deleted' "
+ "(boolean) and 'application_group_id' (string)",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset to start retrieving records from. Use with the limit parameter to manage "
+ "pagination of results.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries.content-pattern.get-v2",
+ "GET",
+ "/data-protection/queries/content-patterns/v2",
+ "Get all content-pattern IDs matching the query with filter",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The filter to use when finding content patterns. Allowed filters are 'name', 'type', "
+ "'category', 'region', 'example', 'created_at', 'updated_at' and 'deleted'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The sort instructions to order by on. Allowed values are 'name', 'type', 'category', "
+ "'region', 'created_at', 'updated_at', 'example' and 'deleted'",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset to start retrieving records from. Use with the limit parameter to manage "
+ "pagination of results.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries.enterprise-account.get-v2",
+ "GET",
+ "/data-protection/queries/enterprise-accounts/v2",
+ "Get all enterprise-account IDs matching the query with filter",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The filter to use when finding enterprise accounts. Allowed filters are 'name', "
+ "'application_group_id', 'deleted', 'created_at' and 'updated_at'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The sort instructions to order by on. Allowed values are 'name', "
+ "'application_group_id', 'deleted', 'created_at' and 'updated_at'",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset to start retrieving records from. Use with the limit parameter to manage "
+ "pagination of results.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries.file-type.get-v2",
+ "GET",
+ "/data-protection/queries/file-types/v2",
+ "Get all file-type IDs matching the query with filter",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The filter to use when finding file types. Allowed filter is 'name', 'created_at' and 'updated_at'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The sort instructions to order by on. Allowed values are 'name', 'created_at' and 'updated_at'",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset to start retrieving records from. Use with the limit parameter to manage "
+ "pagination of results.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries.sensitivity-label.get-v2",
+ "GET",
+ "/data-protection/queries/labels/v2",
+ "Get all sensitivity label IDs matching the query with filter",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The filter to use when finding sensitivity labels. The only allowed filters are "
+ "'name', 'display_name', 'external_id' and 'deleted'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The sort instructions to order by on. Allowed values are 'name', 'display_name', "
+ "'deleted', 'created_at' and 'updated_at'",
+ "name": "sort",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset to start retrieving records from. Use with the limit parameter to manage "
+ "pagination of results.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries.policy.get.v2",
+ "GET",
+ "/data-protection/queries/policies/v2",
+ "Search for policies that match the provided criteria",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "platform name of the policies to search, either 'win' or 'mac'",
+ "name": "platform_name",
+ "in": "query",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "Filter results by specific attributes , allowed attributes are "
+ "[properties.network_inspection_files_exceeding_size_limit properties.be_paste_timeout_duration_milliseconds "
+ "properties.max_file_size_to_inspect created_at modified_by properties.min_confidence_level "
+ "properties.max_file_size_to_inspect_unit properties.custom_block_notification "
+ "properties.evidence_download_enabled properties.classifications properties.be_paste_timeout_response "
+ "description properties.besplash_custom_message properties.be_paste_clipboard_min_size "
+ "properties.be_paste_clipboard_max_size properties.evidence_storage_free_disk_perc is_enabled "
+ "properties.similarity_detection properties.be_exclude_domains properties.evidence_storage_max_size "
+ "properties.browsers_without_active_extension properties.unsupported_browsers_action "
+ "properties.besplash_message_source properties.be_paste_clipboard_min_size_unit "
+ "properties.be_paste_clipboard_max_size_unit precedence properties.block_all_data_access "
+ "properties.enable_clipboard_inspection properties.allow_notifications properties.block_notifications "
+ "properties.be_upload_timeout_duration_seconds properties.be_paste_clipboard_over_size_behaviour_block "
+ "properties.enable_context_inspection properties.custom_allow_notification properties.besplash_enabled "
+ "properties.be_upload_timeout_response created_by modified_at properties.enable_content_inspection "
+ "properties.inspection_depth properties.similarity_threshold "
+ "properties.enable_end_user_notifications_unsupported_browser properties.evidence_duplication_enabled_default "
+ "properties.evidence_encrypted_enabled name is_default properties.enable_network_inspection]",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "maximum": 10000,
+ "minimum": 0,
+ "type": "integer",
+ "description": "The offset to start retrieving records from",
+ "name": "offset",
+ "in": "query"
+ },
+ {
+ "maximum": 500,
+ "minimum": 0,
+ "type": "integer",
+ "default": 100,
+ "description": "The maximum records to return",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The property to sort by, allowed fields are :[name precedence created_at modified_at]",
+ "name": "sort",
+ "in": "query"
+ }
+ ]
+ ],
+ [
+ "queries.web-location.get-v2",
+ "GET",
+ "/data-protection/queries/web-locations/v2",
+ "Get web-location IDs matching the query with filter",
+ "data_protection_configuration",
+ [
+ {
+ "type": "string",
+ "description": "The filter to use when finding web locations. Allowed filters are 'name', 'type', "
+ "'deleted', 'application_id', 'provider_location_id' and 'enterprise_account_id'",
+ "name": "filter",
+ "in": "query"
+ },
+ {
+ "type": "string",
+ "description": "The type of entity to query. Allowed values are 'predefined' and 'custom'",
+ "name": "type",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "default": 100,
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
+ "name": "limit",
+ "in": "query"
+ },
+ {
+ "type": "integer",
+ "description": "The offset to start retrieving records from. Use with the limit parameter to manage "
+ "pagination of results.",
+ "name": "offset",
+ "in": "query"
+ }
+ ]
+ ]
+]
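Review bot: Several parameter descriptions in the new `_data_protection_configuration_endpoints` table are copy-pasted from neighbouring operations and describe the wrong action: the PATCH bodies for `entities.content-pattern.patch` and `entities.enterprise-account.patch` read `"Definition of content-pattern to create"` / `"Definition of enterprise-account to create"`, and `platform_name` on `entities.policy.post.v2` and `entities.policy.delete.v2` says `platform name of the policies to update` while the query variant correctly says `to search`; since these strings surface in generated documentation, change them to `"Definition of content-pattern to update",`, `"Definition of enterprise-account to update",` and `"platform name of the policies to create"` / `"... to delete"`. Separately, `entities.web-location.delete-v2` is the only `ids` parameter declared with `"collectionFormat": "csv"` while every other `ids` array in the file uses `"multi"`; if that mirrors the API spec it is fine, but if it is a typo the SDK would serialise the delete request differently from its GET counterpart, so it is worth confirming against the spec. Minor wording: `Update a enterprise account` should be `Update an enterprise account`, and `attributes , allowed attributes` has a stray space before the comma in both `filter` descriptions that use it.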
diff --git a/src/falconpy/_endpoint/deprecated/_discover.py b/src/falconpy/_endpoint/deprecated/_discover.py
index 7d34e523..076894c7 100644
--- a/src/falconpy/_endpoint/deprecated/_discover.py
+++ b/src/falconpy/_endpoint/deprecated/_discover.py
@@ -97,8 +97,9 @@
"type": "string"
},
"collectionFormat": "multi",
- "description": "Select various details blocks to be returned for each application entity. Supported "
- "values:\n\n- browser_extension
- host_info
- install_usage
",
+ "description": "Select various details blocks to be returned for each application entity. Supported va "
+ "lues:\n\n- browser_extension
- host_info
- install_usage
- package
- ide_extensi "
+ "on
",
"name": "facet",
"in": "query"
}
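Review bot: The rewrapped `facet` description on the first added line appears to break words across literal boundaries while keeping the trailing joiner space, so the concatenated string would read `Supported va lues:` and `ide_extensi on` rather than `Supported values:` and `ide_extension`; the wrap should fall on a word boundary, e.g. end the first literal at `Supported ` and begin the next with `values:\n\n- browser_extension`, and likewise keep `- ide_extension\n` inside one literal. The embedded `\n- ` bullets are shown on this page as if they were separate diff lines, which looks like an extraction artefact rather than part of the change, but it is worth confirming the committed source keeps them as `\n` escapes within a single string. The four hunks that follow update the same host `filter` description twice, once per endpoint, with what appears to be identical text; if this file is hand-maintained rather than generated from the spec, hoisting that text into a module-level constant would keep the two copies from drifting. The enclosing endpoint entry starts and ends outside this hunk.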
@@ -162,15 +163,15 @@
"mount_storage_info.used_space, mount_storage_info.available_space, form_factor, servicenow_id, owned_by, "
"managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, ad_user_account_control, "
"account_enabled, creation_timestamp, email, os_service_pack, location, state, cpu_manufacturer, "
- "discovering_by\n\t\t\tAvailable filter fields that supports wildcard (*): id, aid, entity_type, country, city, "
- " platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, "
- "system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, "
- "machine_domain, site_name, external_ip, hostname, network_interfaces.local_ip, network_interfaces.mac_address, "
- " network_interfaces.interface_alias, network_interfaces.interface_description, "
- "network_interfaces.network_prefix, last_discoverer_aid, discoverer_aids, discoverer_tags, "
- "discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, "
- "data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, disk_sizes.disk_name, "
- "cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, "
+ "discovering_by, scan_details.scan_id, scan_details.schedule_id\n\t\t\tAvailable filter fields that supports "
+ "wildcard (*): id, aid, entity_type, country, city, platform_name, os_version, kernel_version, "
+ "product_type_desc, tags, groups, agent_version, system_product_name, system_manufacturer, "
+ "system_serial_number, bios_manufacturer, bios_version, ou, machine_domain, site_name, external_ip, hostname, "
+ "network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.interface_alias, "
+ "network_interfaces.interface_description, network_interfaces.network_prefix, last_discoverer_aid, "
+ "discoverer_aids, discoverer_tags, discoverer_platform_names, discoverer_product_type_descs, confidence, "
+ "internet_exposure, os_is_eol, data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, "
+ "disk_sizes.disk_name, cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, "
"os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.device_guard_status, "
"os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, "
"os_security.iommu_protection_status, os_security.secure_boot_enabled_status, "
@@ -178,14 +179,15 @@
"os_security.kernel_dma_protection_status, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, "
"bios_id, mount_storage_info.mount_path, form_factor, servicenow_id, owned_by, managed_by, assigned_to, "
"department, fqdn, used_for, object_guid, object_sid, account_enabled, email, os_service_pack, location, state, "
- " cpu_manufacturer, discovering_by\n\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, "
- "<=): first_seen_timestamp, last_seen_timestamp, local_ips_count, discoverer_count, confidence, "
- "number_of_disk_drives, processor_package_count, physical_core_count, data_providers_count, logical_core_count, "
- " total_disk_space, disk_sizes.disk_space, total_memory, encrypted_drives_count, unencrypted_drives_count, "
- "total_bios_files, average_processor_usage, average_memory_usage, average_memory_usage_pct, "
- "max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, "
- "available_disk_space, available_disk_space_pct, mount_storage_info.used_space, "
- "mount_storage_info.available_space, ad_user_account_control, creation_timestamp\n\t\t\tAll filter fields and "
+ " cpu_manufacturer, discovering_by, scan_details.scan_id, scan_details.schedule_id\n\t\t\tAvailable filter "
+ "fields that supports range comparisons (>, <, >=, <=): first_seen_timestamp, last_seen_timestamp, "
+ "local_ips_count, discoverer_count, confidence, number_of_disk_drives, processor_package_count, "
+ "physical_core_count, data_providers_count, logical_core_count, total_disk_space, disk_sizes.disk_space, "
+ "total_memory, encrypted_drives_count, unencrypted_drives_count, total_bios_files, average_processor_usage, "
+ "average_memory_usage, average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, "
+ "used_disk_space, used_disk_space_pct, available_disk_space, available_disk_space_pct, "
+ "mount_storage_info.used_space, mount_storage_info.available_space, ad_user_account_control, "
+ "creation_timestamp, scan_details.scan_date, vulnerability_assessment_date\n\t\t\tAll filter fields and "
"operations supports negation (!).",
"name": "filter",
"in": "query",
@@ -472,15 +474,15 @@
"mount_storage_info.used_space, mount_storage_info.available_space, form_factor, servicenow_id, owned_by, "
"managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, ad_user_account_control, "
"account_enabled, creation_timestamp, email, os_service_pack, location, state, cpu_manufacturer, "
- "discovering_by\n\t\t\tAvailable filter fields that supports wildcard (*): id, aid, entity_type, country, city, "
- " platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, "
- "system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, "
- "machine_domain, site_name, external_ip, hostname, network_interfaces.local_ip, network_interfaces.mac_address, "
- " network_interfaces.interface_alias, network_interfaces.interface_description, "
- "network_interfaces.network_prefix, last_discoverer_aid, discoverer_aids, discoverer_tags, "
- "discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, "
- "data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, disk_sizes.disk_name, "
- "cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, "
+ "discovering_by, scan_details.scan_id, scan_details.schedule_id\n\t\t\tAvailable filter fields that supports "
+ "wildcard (*): id, aid, entity_type, country, city, platform_name, os_version, kernel_version, "
+ "product_type_desc, tags, groups, agent_version, system_product_name, system_manufacturer, "
+ "system_serial_number, bios_manufacturer, bios_version, ou, machine_domain, site_name, external_ip, hostname, "
+ "network_interfaces.local_ip, network_interfaces.mac_address, network_interfaces.interface_alias, "
+ "network_interfaces.interface_description, network_interfaces.network_prefix, last_discoverer_aid, "
+ "discoverer_aids, discoverer_tags, discoverer_platform_names, discoverer_product_type_descs, confidence, "
+ "internet_exposure, os_is_eol, data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, "
+ "disk_sizes.disk_name, cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, "
"os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.device_guard_status, "
"os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, "
"os_security.iommu_protection_status, os_security.secure_boot_enabled_status, "
@@ -488,14 +490,15 @@
"os_security.kernel_dma_protection_status, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, "
"bios_id, mount_storage_info.mount_path, form_factor, servicenow_id, owned_by, managed_by, assigned_to, "
"department, fqdn, used_for, object_guid, object_sid, account_enabled, email, os_service_pack, location, state, "
- " cpu_manufacturer, discovering_by\n\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, "
- "<=): first_seen_timestamp, last_seen_timestamp, local_ips_count, discoverer_count, confidence, "
- "number_of_disk_drives, processor_package_count, physical_core_count, data_providers_count, logical_core_count, "
- " total_disk_space, disk_sizes.disk_space, total_memory, encrypted_drives_count, unencrypted_drives_count, "
- "total_bios_files, average_processor_usage, average_memory_usage, average_memory_usage_pct, "
- "max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, "
- "available_disk_space, available_disk_space_pct, mount_storage_info.used_space, "
- "mount_storage_info.available_space, ad_user_account_control, creation_timestamp\n\t\t\tAll filter fields and "
+ " cpu_manufacturer, discovering_by, scan_details.scan_id, scan_details.schedule_id\n\t\t\tAvailable filter "
+ "fields that supports range comparisons (>, <, >=, <=): first_seen_timestamp, last_seen_timestamp, "
+ "local_ips_count, discoverer_count, confidence, number_of_disk_drives, processor_package_count, "
+ "physical_core_count, data_providers_count, logical_core_count, total_disk_space, disk_sizes.disk_space, "
+ "total_memory, encrypted_drives_count, unencrypted_drives_count, total_bios_files, average_processor_usage, "
+ "average_memory_usage, average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, "
+ "used_disk_space, used_disk_space_pct, available_disk_space, available_disk_space_pct, "
+ "mount_storage_info.used_space, mount_storage_info.available_space, ad_user_account_control, "
+ "creation_timestamp, scan_details.scan_date, vulnerability_assessment_date\n\t\t\tAll filter fields and "
"operations supports negation (!).",
"name": "filter",
"in": "query"
diff --git a/src/falconpy/_endpoint/deprecated/_identity_protection.py b/src/falconpy/_endpoint/deprecated/_identity_protection.py
index 3eb82ead..9aaf0d07 100644
--- a/src/falconpy/_endpoint/deprecated/_identity_protection.py
+++ b/src/falconpy/_endpoint/deprecated/_identity_protection.py
@@ -46,10 +46,8 @@
"identity_protection",
[
{
- "type": "string",
- "description": "Authorization Header",
- "name": "Authorization",
- "in": "header",
+ "name": "body",
+ "in": "body",
"required": True
}
]
@@ -61,13 +59,6 @@
"Get policy rules",
"identity_protection",
[
- {
- "type": "string",
- "description": "Authorization Header",
- "name": "Authorization",
- "in": "header",
- "required": True
- },
{
"maxItems": 100,
"minItems": 1,
@@ -91,13 +82,6 @@
"Create policy rule",
"identity_protection",
[
- {
- "type": "string",
- "description": "Authorization Header",
- "name": "Authorization",
- "in": "header",
- "required": True
- },
{
"name": "body",
"in": "body",
@@ -112,13 +96,6 @@
"Delete policy rules",
"identity_protection",
[
- {
- "type": "string",
- "description": "Authorization Header",
- "name": "Authorization",
- "in": "header",
- "required": True
- },
{
"maxItems": 100,
"minItems": 1,
@@ -142,13 +119,6 @@
"Query policy rule IDs",
"identity_protection",
[
- {
- "type": "string",
- "description": "Authorization Header",
- "name": "Authorization",
- "in": "header",
- "required": True
- },
{
"type": "boolean",
"description": "Whether the rule is enabled",
diff --git a/src/falconpy/_endpoint/deprecated/_mapping.py b/src/falconpy/_endpoint/deprecated/_mapping.py
index 3de02441..14c20fb3 100644
--- a/src/falconpy/_endpoint/deprecated/_mapping.py
+++ b/src/falconpy/_endpoint/deprecated/_mapping.py
@@ -59,11 +59,16 @@
"DiscoverCloudAzureDownloadCertificate": "AzureDownloadCertificate",
"GetDiscoverCloudAzureTenantIDs": "",
"GetDiscoverCloudGCPUserScripts": "",
- "GetHorizonD4CScripts": ""
+ "GetHorizonD4CScripts": "",
+ "GetAggregateDetects": "",
+ "UpdateDetectsByIdsV2": "",
+ "GetDetectSummaries": "",
+ "QueryDetects": ""
}
_deprecated_cls_mapping = {
"CloudConnectAWS": "CSPMRegistration",
"D4CRegistration": "CSPMRegistration",
- "Iocs": "IOC"
+ "Iocs": "IOC",
+ "Detects": "Alerts"
}
diff --git a/src/falconpy/_endpoint/deprecated/_ods.py b/src/falconpy/_endpoint/deprecated/_ods.py
index b34404c7..d8eb8acd 100644
--- a/src/falconpy/_endpoint/deprecated/_ods.py
+++ b/src/falconpy/_endpoint/deprecated/_ods.py
@@ -397,7 +397,7 @@
[
{
"type": "string",
- "description": "A FQL compatible query string. Terms: [id profile_id description.keyword "
+ "description": "A FQL compatible query string. Terms: [id profile_id description.keyword description "
"initiated_from filecount.scanned filecount.malicious filecount.quarantined filecount.skipped "
"affected_hosts_count status severity scan_started_on scan_completed_on created_on created_by last_updated "
"targeted_host_count missing_host_count]",
@@ -427,6 +427,8 @@
"initiated_from|desc",
"description.keyword|asc",
"description.keyword|desc",
+ "description|asc",
+ "description|desc",
"filecount.scanned|asc",
"filecount.scanned|desc",
"filecount.malicious|asc",
@@ -474,8 +476,8 @@
[
{
"type": "string",
- "description": "A FQL compatible query string. Terms: [id description initiated_from status "
- "schedule.start_timestamp schedule.Interval created_on created_by last_updated deleted]",
+ "description": "A FQL compatible query string. Terms: [id description.keyword description "
+ "initiated_from status schedule.start_timestamp schedule.Interval created_on created_by last_updated deleted]",
"name": "filter",
"in": "query",
"allowEmptyValue": True
@@ -500,6 +502,8 @@
"id|desc",
"description.keyword|asc",
"description.keyword|desc",
+ "description|asc",
+ "description|desc",
"status|asc",
"status|desc",
"schedule.start_timestamp|asc",
diff --git a/src/falconpy/_endpoint/deprecated/_real_time_response_admin.py b/src/falconpy/_endpoint/deprecated/_real_time_response_admin.py
index a214e25d..f34ab0e6 100644
--- a/src/falconpy/_endpoint/deprecated/_real_time_response_admin.py
+++ b/src/falconpy/_endpoint/deprecated/_real_time_response_admin.py
@@ -213,6 +213,43 @@
}
]
],
+ [
+ "RTR-CreatePut-FilesV2",
+ "POST",
+ "/real-time-response/entities/put-files/v2",
+ "Upload a new put-file to use for the RTR `put` command.",
+ "real_time_response_admin",
+ [
+ {
+ "type": "file",
+ "description": "put-file to upload",
+ "name": "file",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "File description",
+ "name": "description",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "maxLength": 32766,
+ "type": "string",
+ "description": "File name (if different than actual file name)",
+ "name": "name",
+ "in": "formData"
+ },
+ {
+ "maxLength": 4096,
+ "type": "string",
+ "description": "The audit log comment",
+ "name": "comments_for_audit_log",
+ "in": "formData"
+ }
+ ]
+ ],
[
"RTR-GetScripts",
"GET",
@@ -399,6 +436,136 @@
}
]
],
+ [
+ "RTR-CreateScriptsV2",
+ "POST",
+ "/real-time-response/entities/scripts/v2",
+ "Upload a new custom-script to use for the RTR `runscript` command.",
+ "real_time_response_admin",
+ [
+ {
+ "type": "file",
+ "description": "custom-script file to upload. These should be powershell scripts.",
+ "name": "file",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "File description",
+ "name": "description",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "maxLength": 32766,
+ "type": "string",
+ "description": "File name (if different than actual file name)",
+ "name": "name",
+ "in": "formData"
+ },
+ {
+ "maxLength": 4096,
+ "type": "string",
+ "description": "The audit log comment",
+ "name": "comments_for_audit_log",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "default": "none",
+ "description": "Permission for the custom-script. Valid permission values: \n - private, usable by "
+ "only the user who uploaded it \n - group, usable by all RTR Admins \n - public, usable by all active-"
+ "responders and RTR admins",
+ "name": "permission_type",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "type": "string",
+ "description": "The script text that you want to use to upload",
+ "name": "content",
+ "in": "formData"
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Platforms for the file. Currently supports: windows, mac, linux, . If no platform is "
+ "provided, it will default to 'windows'",
+ "name": "platform",
+ "in": "formData"
+ }
+ ]
+ ],
+ [
+ "RTR-UpdateScriptsV2",
+ "PATCH",
+ "/real-time-response/entities/scripts/v2",
+ "Upload a new scripts to replace an existing one.",
+ "real_time_response_admin",
+ [
+ {
+ "type": "string",
+ "description": "ID to update",
+ "name": "id",
+ "in": "formData",
+ "required": True
+ },
+ {
+ "type": "file",
+ "description": "custom-script file to upload. These should be powershell scripts.",
+ "name": "file",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "File description",
+ "name": "description",
+ "in": "formData"
+ },
+ {
+ "maxLength": 32766,
+ "type": "string",
+ "description": "File name (if different than actual file name)",
+ "name": "name",
+ "in": "formData"
+ },
+ {
+ "maxLength": 4096,
+ "type": "string",
+ "description": "The audit log comment",
+ "name": "comments_for_audit_log",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "default": "none",
+ "description": "Permission for the custom-script. Valid permission values: \n - private, usable by "
+ "only the user who uploaded it \n - group, usable by all RTR Admins \n - public, usable by all active-"
+ "responders and RTR admins",
+ "name": "permission_type",
+ "in": "formData"
+ },
+ {
+ "type": "string",
+ "description": "The script text that you want to use to upload",
+ "name": "content",
+ "in": "formData"
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "Platforms for the file. Currently supports: windows, mac, linux, ",
+ "name": "platform",
+ "in": "formData"
+ }
+ ]
+ ],
[
"RTR-ListFalconScripts",
"GET",
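Review bot: `permission_type` on both RTR-CreateScriptsV2 and RTR-UpdateScriptsV2 carries `"default": "none"` while its own description lists only private, group and public as valid values, so a reader cannot tell what is actually sent when the keyword is omitted, and on RTR-CreateScriptsV2 neither `file` nor `content` is marked required although the operation presumably needs one of them to have anything to upload. If these entries mirror the upstream API spec verbatim, the description is still the place to say it: `"description": "custom-script file to upload (one of file or content must be supplied). These should be powershell scripts."`. The trailing `, .` in the platform description (`windows, mac, linux, .`) also reads as a spec artifact worth trimming.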
diff --git a/src/falconpy/_helper/__init__.py b/src/falconpy/_helper/__init__.py
index c8f8fe85..6c8ca528 100644
--- a/src/falconpy/_helper/__init__.py
+++ b/src/falconpy/_helper/__init__.py
@@ -37,6 +37,7 @@
"""
from secrets import choice
from string import ascii_letters, digits
+from .._constant import MAX_RANDOM_STRING_LENGTH
from ._text_colors import Color
from ._indicator import Indicator
from ._find_operation import find_operation
@@ -53,8 +54,9 @@ def random_string(length: int = 10,
character_set = character_set + (ascii_letters if include_letters else "")
character_set = character_set + (digits if include_digits else "")
character_set = character_set + ("!@#$%?&*_." if include_specials else "")
+ gen_length = max(1, min(length, MAX_RANDOM_STRING_LENGTH))
if character_set:
- returned = "".join(choice(character_set) for _ in range(length))
+ returned = "".join(choice(character_set) for _ in range(gen_length))
return returned
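Review bot: Clamping `length` into `gen_length` silently changes the length of the returned string, so a caller that asked for 0 or for more than MAX_RANDOM_STRING_LENGTH characters gets a different length than requested with no signal; for a helper built on `secrets.choice`, callers may reason about the entropy of a token from the length they passed. An explicit rejection is the safer contract, `if not 1 <= length <= MAX_RANDOM_STRING_LENGTH: raise ValueError(f"length must be between 1 and {MAX_RANDOM_STRING_LENGTH}")`, or at minimum the clamp should be stated in the docstring. random_string's signature, docstring and the initialization of `returned` are outside the hunk, so the docstring change would land there.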
diff --git a/src/falconpy/_payload/__init__.py b/src/falconpy/_payload/__init__.py
index 9c83f5d5..aa67c66b 100644
--- a/src/falconpy/_payload/__init__.py
+++ b/src/falconpy/_payload/__init__.py
@@ -41,6 +41,16 @@
retrieve_relay_node_payload
)
from ._correlation_rules import correlation_rules_payload, correlation_rules_export_payload
+from ._case_management import (
+ case_management_notification_groups_payload,
+ case_management_create_notification_payload,
+ case_management_sla_payload,
+ case_management_template_payload,
+ specified_case_payload,
+ case_manage_payload,
+ case_evidence_payload,
+ update_case_payload
+ )
from ._host_group import host_group_create_payload, host_group_update_payload
from ._recon import (
recon_action_payload,
@@ -54,13 +64,27 @@
from ._cloud_aws_registration import cloud_aws_registration_payload
from ._cloud_azure_registration import (
cloud_azure_registration_payload,
- cloud_azure_registration_create_payload
+ cloud_azure_registration_create_payload,
+ cloud_azure_registration_legacy_payload
)
+from ._cloud_google_cloud_registration import (
+ cloud_google_registration_create_payload
+)
from ._cloud_oci_registration import (
cloud_oci_refresh_payload,
cloud_oci_validate_payload,
cloud_oci_create_payload
)
+from ._cloud_policies import (
+ cloud_policies_rule_assign_payload,
+ cloud_policies_compliance_control_payload,
+ cloud_policies_evaluation_payload,
+ cloud_policies_rule_override_payload,
+ cloud_policies_rule_create_payload,
+ cloud_policies_rule_update_payload
+ )
+from ._cloud_security import cloud_security_create_group_payload
+
from ._container import (
image_payload,
registry_payload,
@@ -72,6 +96,17 @@
inventory_scan_payload
)
from ._content_update_policy import content_update_policy_action_payload, content_update_policy_payload
+from ._correlation_rules_admin import correlation_rules_admin_payload
+
+from ._data_protection_configuration import (
+ data_protection_classification_payload,
+ data_protection_cloud_app_payload,
+ data_protection_content_pattern_payload,
+ data_protection_enterprise_account_payload,
+ data_protection_sensitivity_label_payload,
+ data_protection_policy_payload,
+ data_protection_web_locations_payload
+ )
from ._delivery_settings import delivery_settings_payload
from ._detects import update_detects_payload
from ._identity_protection import idp_policy_payload
@@ -86,10 +121,11 @@
scheduled_task_payload,
automation_policy_payload,
policy_host_group_payload,
- automation_live_query_payload
+ automation_live_query_payload,
+ automation_user_group_payload
)
from ._mobile_enrollment import mobile_enrollment_payload
-from ._ngsiem import ngsiem_search_payload
+from ._ngsiem import ngsiem_search_payload, ngsiem_parser_payload
from ._prevention_policy import prevention_policy_payload
from ._sensor_update_policy import sensor_policy_payload
from ._response_policy import response_policy_payload
@@ -191,5 +227,16 @@
"retrieve_relay_node_payload", "inventory_scan_payload", "cloud_azure_registration_create_payload",
"task_payload", "task_execution_payload", "execution_results_search_payload", "rerun_payload",
"scheduled_task_payload", "automation_policy_payload", "policy_host_group_payload",
- "automation_live_query_payload"
+ "automation_live_query_payload", "automation_user_group_payload", "ngsiem_parser_payload",
+ "case_management_notification_groups_payload", "case_management_create_notification_payload",
+ "case_management_sla_payload", "case_management_template_payload", "data_protection_classification_payload",
+ "data_protection_cloud_app_payload", "data_protection_content_pattern_payload",
+ "data_protection_enterprise_account_payload", "data_protection_sensitivity_label_payload",
+ "data_protection_policy_payload", "data_protection_web_locations_payload", "correlation_rules_admin_payload",
+ "cloud_policies_rule_assign_payload", "cloud_policies_compliance_control_payload",
+ "cloud_policies_evaluation_payload", "cloud_policies_rule_override_payload",
+ "cloud_policies_rule_create_payload", "cloud_policies_rule_update_payload", "specified_case_payload",
+ "case_manage_payload", "case_evidence_payload", "update_case_payload",
+ "cloud_azure_registration_legacy_payload", "cloud_google_registration_create_payload",
+ "cloud_security_create_group_payload"
]
diff --git a/src/falconpy/_payload/_case_management.py b/src/falconpy/_payload/_case_management.py
new file mode 100644
index 00000000..f3330e0b
--- /dev/null
+++ b/src/falconpy/_payload/_case_management.py
@@ -0,0 +1,325 @@
+"""Internal payload handling library - Case Management.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+from typing import Dict, List, Union
+
+
+def case_management_notification_groups_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Get notification groups aggregations.
+
+ [
+ {
+ "date_ranges": [
+ {
+ "from": "string",
+ "to": "string"
+ }
+ ],
+ "field": "string",
+ "filter": "string",
+ "from": 0,
+ "name": "string",
+ "size": 0,
+ "sort": "string",
+ "type": "terms"
+ }
+ ]
+ """
+ body = {}
+ returned_payload = []
+
+ body_keys = ["field", "filter", "from", "name", "size", "sort", "type", "date_ranges"]
+ for key in body_keys:
+ if passed_keywords.get(key, None) is not None:
+ provided = passed_keywords.get(key, None)
+ if key == "date_ranges" and isinstance(provided, dict):
+ provided = [provided]
+ body[key] = provided
+
+ returned_payload.append(body)
+
+ return returned_payload
+
+
+def case_management_create_notification_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Create notification group.
+
+ {
+ "channels": [
+ {
+ "config_id": "string",
+ "config_name": "string",
+ "recipients": [
+ "string"
+ ],
+ "severity": "string",
+ "type": "email"
+ }
+ ],
+ "description": "string",
+ "name": "string",
+ "id": "string"
+ }
+ """
+ returned_payload = {}
+
+ keys = ["description", "name", "id", "channels"]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ provided = passed_keywords.get(key, None)
+ if key == "channels" and isinstance(provided, dict):
+ provided = [provided]
+ returned_payload[key] = provided
+
+ return returned_payload
+
+
+def case_management_sla_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Create SLA.
+
+ {
+ "description": "string",
+ "goals": [
+ {
+ "duration_seconds": 0,
+ "escalation_policy": {
+ "steps": [
+ {
+ "escalate_after_seconds": 0,
+ "notification_group_id": "string"
+ }
+ ]
+ },
+ "type": "string"
+ }
+ ],
+ "name": "string"
+ }
+ """
+ returned_payload = {}
+
+ keys = ["description", "name", "id", "goals"]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ provided = passed_keywords.get(key, None)
+ if key == "goals" and isinstance(provided, dict):
+ provided = [provided]
+ returned_payload[key] = provided
+
+ return returned_payload
+
+
+def case_management_template_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Craft a properly formatted template payload.
+
+ {
+ "description": "string",
+ "fields": [
+ {
+ "data_type": "string",
+ "default_value": "string",
+ "id"
+ "input_type": "string",
+ "multivalued": true,
+ "name": "string",
+ "options": [
+ {
+ "id": "string"
+ "value": "string"
+ }
+ ],
+ "required": true
+ }
+ ],
+ "id": "string"
+ "name": "string",
+ "sla_id": "string"
+ }
+ """
+ returned_payload = {}
+
+ keys = ["description", "name", "sla_id", "id", "fields"]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ provided = passed_keywords.get(key, None)
+ if key == "fields" and isinstance(provided, dict):
+ provided = [provided]
+ returned_payload[key] = provided
+ return returned_payload
+
+
+def specified_case_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Specify case payload handler.
+
+ {
+ "alerts": [
+ {
+ "id": "string"
+ }
+ ],
+ "tags": [
+ "string"
+ ],
+ "id": "string"
+ }
+ """
+ returned_payload = {}
+ keys = ["alerts", "id", "tags"]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ provided = passed_keywords.get(key, None)
+ if key == "alerts" and isinstance(provided, dict):
+ provided = [provided]
+ returned_payload[key] = provided
+
+ return returned_payload
+
+
+def case_manage_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Case manage payload handler.
+
+ {
+ "assigned_to_user_uuid": "string",
+ "description": "string",
+ "evidence": {
+ "alerts": [
+ {
+ "id": "string"
+ }
+ ],
+ "events": [
+ {
+ "id": "string"
+ }
+ ],
+ "leads": [
+ {
+ "id": "string"
+ }
+ ]
+ },
+ "name": "string",
+ "severity": 0,
+ "status": "string",
+ "tags": [
+ "string"
+ ],
+ "template": {
+ "id": "string"
+ }
+ }
+ """
+ returned_payload = {}
+
+ keys = ["assigned_to_user_uuid", "description",
+ "evidence", "name",
+ "severity", "status",
+ "tags", "template"
+ ]
+
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ provided = passed_keywords.get(key, None)
+ returned_payload[key] = provided
+
+ return returned_payload
+
+
+def update_case_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Update case payload handler.
+
+ {
+ "expected_consistency_version": 0,
+ "expected_version": 0,
+ "fields": {
+ "assigned_to_user_uuid": "string",
+ "custom_fields": [
+ {
+ "id": "string",
+ "values": [
+ "string"
+ ]
+ }
+ ],
+ "description": "string",
+ "name": "string",
+ "remove_user_assignment": true,
+ "severity": 0,
+ "slas_active": true,
+ "status": "string",
+ "template": {
+ "id": "string"
+ }
+ },
+ "id": "string"
+ }
+ """
+ returned_payload = {}
+
+ keys = ["expected_consistency_version", "expected_version", "fields", "id"]
+
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ provided = passed_keywords.get(key, None)
+ returned_payload[key] = provided
+
+ return returned_payload
+
+
+def case_evidence_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Case evidence payload handler.
+
+ {
+ "events": [
+ {
+ "id": "string"
+ }
+ ],
+ "id": "string"
+ }
+ """
+ returned_payload = {}
+
+ keys = ["events", "id"]
+
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ provided = passed_keywords.get(key, None)
+ returned_payload[key] = provided
+
+ return returned_payload
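Review bot: `case_management_notification_groups_payload` builds and returns a list (`returned_payload = []` then `.append(body)`) but is annotated `-> Dict[str, List[Dict[str, Union[str, int]]]]`, the same annotation copied onto every function in the file regardless of what it returns, so type checkers and readers get the wrong contract. The signature should read `def case_management_notification_groups_payload(passed_keywords: dict) -> List[Dict[str, Union[str, int, list]]]:`, and the dict-returning helpers would be more honest as `Dict[str, Union[str, int, list, dict]]`. The docstring examples also carry syntax slips worth fixing (`"id"` with no value in case_management_template_payload, missing commas after `"id": "string"`), and case_management_sla_payload's docstring omits the `id` key its `keys` list accepts.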
diff --git a/src/falconpy/_payload/_cloud_azure_registration.py b/src/falconpy/_payload/_cloud_azure_registration.py
index e46b2302..7de6a551 100644
--- a/src/falconpy/_payload/_cloud_azure_registration.py
+++ b/src/falconpy/_payload/_cloud_azure_registration.py
@@ -149,3 +149,30 @@ def cloud_azure_registration_payload(passed_keywords: dict) -> Dict[str, List[Di
returned["resources"].append(item)
return returned
+
+
+def cloud_azure_registration_legacy_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Delete existing legacy Azure subscriptions.
+
+ {
+ "resources": [
+ {
+ "retain_client": true,
+ "subscription_id": "string",
+ "tenant_id": "string"
+ }
+ ]
+ }
+ """
+ returned = {
+ "resources": []
+ }
+ keys = ["retain_client", "subscription_id", "tenant_id"]
+ item = {}
+ for key in keys:
+ if passed_keywords.get(key, None):
+ item[key] = passed_keywords.get(key, None)
+
+ returned["resources"].append(item)
+
+ return returned
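Review bot: The truthiness test `if passed_keywords.get(key, None):` drops `retain_client=False` from the payload, so a caller explicitly asking not to retain the client sends a request without the field and whatever the API default is applies; for a deletion operation that is a silent change of intent. Use the `is not None` check the neighbouring payload helpers use: `if passed_keywords.get(key, None) is not None:`. With no keywords at all the function still appends an empty resource item, which the endpoint presumably rejects; its validation is not visible here.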
diff --git a/src/falconpy/_payload/_cloud_google_cloud_registration.py b/src/falconpy/_payload/_cloud_google_cloud_registration.py
new file mode 100644
index 00000000..bc52692d
--- /dev/null
+++ b/src/falconpy/_payload/_cloud_google_cloud_registration.py
@@ -0,0 +1,103 @@
+"""Internal payload handling library - Cloud Google Registration.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+from typing import Dict, List, Union
+
+
+def cloud_google_registration_create_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Creates/Updates a Google Cloud Registration.
+
+ {
+ "resources": [
+ {
+ "deployment_method": "string",
+ "entity_id": [
+ "string"
+ ],
+ "excluded_project_patterns": [
+ "string"
+ ],
+ "falcon_client_key_id": "string",
+ "falcon_client_key_type": "string",
+ "infra_manager_region": "string",
+ "infra_project_id": "string",
+ "labels": {
+ "additionalProp1": "string",
+ "additionalProp2": "string",
+ "additionalProp3": "string"
+ },
+ "products": [
+ {
+ "features": [
+ "string"
+ ],
+ "product": "string"
+ }
+ ],
+ "registration_name": "string",
+ "registration_scope": "string",
+ "resource_name_prefix": "string",
+ "resource_name_suffix": "string",
+ "tags": {
+ "additionalProp1": "string",
+ "additionalProp2": "string",
+ "additionalProp3": "string"
+ },
+ "wif_project_id": "string"
+ }
+ ]
+ }
+ """
+ returned_payload = {
+ "resources": []
+ }
+ item = {}
+ keys = ["deployment_method", "entity_id", "excluded_project_patterns",
+ "falcon_client_key_id", "falcon_client_key_type", "infra_manager_region",
+ "infra_project_id", "labels", "products", "registration_name", "registration_scope"
+ "resource_name_prefix", "resource_name_suffix", "tags", "wif_project_id"
+ ]
+
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ value = passed_keywords.get(key, None)
+ item[key] = value
+
+ returned_payload["resources"].append(item)
+
+ return returned_payload
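Review bot: The `keys` list is missing a comma after `"registration_scope"`, so implicit string concatenation turns that entry and the next into the single key `"registration_scoperesource_name_prefix"`; a `registration_scope` or `resource_name_prefix` keyword is therefore never copied into the payload and the registration goes out without its scope. Fix: `"infra_project_id", "labels", "products", "registration_name", "registration_scope",`. A trailing comma on the final entry would make the list shape consistent and prevent a repeat of this slip.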
diff --git a/src/falconpy/_payload/_cloud_policies.py b/src/falconpy/_payload/_cloud_policies.py
new file mode 100644
index 00000000..aab8dc9f
--- /dev/null
+++ b/src/falconpy/_payload/_cloud_policies.py
@@ -0,0 +1,218 @@
+"""Internal payload handling library - Cloud Policies.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+from typing import Dict, List, Union
+
+
+def cloud_policies_rule_assign_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Assign rules to a compliance control (full replace).
+
+ {
+ "rule_ids": [
+ "string"
+ ]
+ }
+ """
+ returned_payload = {}
+ if passed_keywords.get("rule_ids", None) is not None:
+ returned_payload["rule_ids"] = passed_keywords.get("rule_ids", None)
+ return returned_payload
+
+
+def cloud_policies_compliance_control_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Body payload generator for compliance control operations.
+
+ {
+ "active": boolean,
+ "description": "string",
+ "framework_id": "string",
+ "name": "string",
+ "section_name": "string"
+ }
+ """
+ returned_payload = {}
+ keys = ["active", "description", "framework_id", "name", "section_name"]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ returned_payload[key] = passed_keywords.get(key, None)
+ return returned_payload
+
+
+def cloud_policies_evaluation_payload(passed_keywords: dict) -> Dict[str, Union[dict, str]]:
+ """Get evaluation results based on the provided rule.
+
+ {
+ "input": {},
+ "logic": "string"
+ }
+ """
+ returned_payload = {}
+ keys = ["input", "logic"]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ returned_payload[key] = passed_keywords.get(key, None)
+ return returned_payload
+
+
+def cloud_policies_rule_override_payload(passed_keywords: dict) -> Dict[str, Union[dict, str]]:
+ """Create a new rule override.
+
+ {
+ "overrides": [
+ {
+ "comment": "string",
+ "crn": "string",
+ "expires_at": "2025-11-10T21:16:14.315Z",
+ "override_type": "string",
+ "overrides_details": "string",
+ "reason": "string",
+ "rule_id": "string",
+ "target_region": "string"
+ }
+ ]
+ }
+ """
+ returned_payload = {}
+ if passed_keywords.get("overrides", None):
+ provided = passed_keywords.get("overrides", None)
+ if isinstance(provided, dict):
+ provided = [provided]
+ returned_payload["overrides"] = provided
+
+ return returned_payload
+
+
+def cloud_policies_rule_create_payload(passed_keywords: dict) -> Dict[str, Union[dict, str]]:
+ """Create a new rule.
+
+ {
+ "alert_info": "string",
+ "attack_types": "string",
+ "controls": [
+ {
+ "Authority": "string",
+ "Code": "string"
+ }
+ ],
+ "description": "string",
+ "domain": "string",
+ "logic": "string",
+ "name": "string",
+ "parent_rule_id": "string",
+ "platform": "string",
+ "provider": "string",
+ "remediation_info": "string",
+ "remediation_url": "string",
+ "resource_type": "string",
+ "severity": 0,
+ "subdomain": "string"
+ }
+ """
+ returned_payload = {}
+ if passed_keywords.get("controls", None) is not None:
+ returned_payload["controls"] = passed_keywords.get("controls", None)
+ control = {}
+ control_keys = ["Authority", "Code"]
+ for key in control_keys:
+ if passed_keywords.get(key, None) is not None:
+ control[key] = passed_keywords.get(key, None)
+ returned_payload["controls"] = [control]
+ keys = ["alert_info", "attack_types", "description", "domain", "logic",
+ "name", "parent_rule_id", "platform", "provider", "remediation_info",
+ "remediation_url", "resource_type", "severity", "subdomain"
+ ]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ returned_payload[key] = passed_keywords.get(key, None)
+
+ return returned_payload
+
+
+def cloud_policies_rule_update_payload(passed_keywords: dict) -> Dict[str, Union[dict, str, int, list]]:
+ """Update a rule.
+
+ {
+ "alert_info": "string",
+ "attack_types": [
+ "string"
+ ],
+ "category": "string",
+ "controls": [
+ {
+ "authority": "string",
+ "code": "string"
+ }
+ ],
+ "description": "string",
+ "name": "string",
+ "rule_logic_list": [
+ {
+ "logic": "string",
+ "platform": "string",
+ "remediation_info": "string",
+ "remediation_url": "string"
+ }
+ ],
+ "severity": 0,
+ "uuid": "string"
+ }
+ """
+ returned_payload = {}
+
+ simple_keys = ["alert_info", "category", "description", "name", "severity", "uuid", "rule_logic_list"]
+ for key in simple_keys:
+ if passed_keywords.get(key, None) is not None:
+ provided = passed_keywords.get(key, None)
+ if provided == "rule_logic_list" and isinstance(provided, dict):
+ provided = [provided]
+ returned_payload[key] = provided
+
+ if passed_keywords.get("attack_types", None) is not None:
+ returned_payload["attack_types"] = passed_keywords.get("attack_types", None)
+
+ if passed_keywords.get("controls", None) is not None:
+ returned_payload["controls"] = passed_keywords.get("controls", None)
+ else:
+ control = {}
+ control_keys = ["authority", "code"]
+ for key in control_keys:
+ if passed_keywords.get(key, None) is not None:
+ control[key] = passed_keywords.get(key, None)
+ if control:
+ returned_payload["controls"] = [control]
+
+ return returned_payload
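Review bot: `cloud_policies_rule_create_payload` unconditionally overwrites `returned_payload["controls"]` with `[control]` after copying any caller-supplied `controls`, so an explicit `controls=[...]` is discarded and a call with neither `controls` nor `Authority`/`Code` still sends `"controls": [{}]`; `cloud_policies_rule_update_payload` in the same hunk already has the intended shape (`else:` branch plus `if control:`) and the create path should mirror it. Also in the update helper, `if provided == "rule_logic_list" and isinstance(provided, dict):` compares the value rather than the key, so it can never be true and a single dict passed as `rule_logic_list` is not wrapped; it should read `if key == "rule_logic_list" and isinstance(provided, dict):`.
```python
    returned_payload = {}
    if passed_keywords.get("controls", None) is not None:
        returned_payload["controls"] = passed_keywords.get("controls", None)
    else:
        control = {}
        for key in ["Authority", "Code"]:
            if passed_keywords.get(key, None) is not None:
                control[key] = passed_keywords.get(key, None)
        if control:
            returned_payload["controls"] = [control]
    # … unchanged: copy of the scalar keys (alert_info … subdomain) …
    return returned_payload
```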
diff --git a/src/falconpy/_payload/_cloud_security.py b/src/falconpy/_payload/_cloud_security.py
new file mode 100644
index 00000000..3096dc07
--- /dev/null
+++ b/src/falconpy/_payload/_cloud_security.py
@@ -0,0 +1,94 @@
+"""Internal payload handling library - Cloud Security.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+from typing import Dict, List, Union
+
+
+def cloud_security_create_group_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Create a Cloud Group. The created_by field will be set to the API client ID.
+
+ {
+ "business_impact": "high",
+ "business_unit": "string",
+ "description": "string",
+ "environment": "dev",
+ "name": "string",
+ "owners": [
+ "string"
+ ],
+ "selectors": {
+ "cloud_resources": [
+ {
+ "account_ids": [
+ "string"
+ ],
+ "cloud_provider": "aws",
+ "filters": {
+ "region": [
+ "string"
+ ],
+ "tags": [
+ "string"
+ ]
+ }
+ }
+ ],
+ "images": [
+ {
+ "filters": {
+ "repository": [
+ "string"
+ ],
+ "tag": [
+ "string"
+ ]
+ },
+ "registry": "string"
+ }
+ ]
+ }
+ }
+ """
+ returned_payload = {}
+
+ keys = ["business_impact", "business_unit", "description", "environment", "name", "owners", "selectors"]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ returned_payload[key] = passed_keywords.get(key, None)
+
+ return returned_payload
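Review bot: The return annotation `Dict[str, List[Dict[str, Union[str, int]]]]` on cloud_security_create_group_payload does not describe what the function builds — `name` is a str, `owners` a list of str and `selectors` a dict, and none of the values is a list of dicts. A truthful signature would be `def cloud_security_create_group_payload(passed_keywords: dict) -> Dict[str, Union[str, list, dict]]:`. The same over-specific annotation is copied onto correlation_rules_admin_payload and every function in _data_protection_configuration.py below, where the values are again plain strings, lists or dicts.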
diff --git a/src/falconpy/_payload/_correlation_rules_admin.py b/src/falconpy/_payload/_correlation_rules_admin.py
new file mode 100644
index 00000000..e4209fa8
--- /dev/null
+++ b/src/falconpy/_payload/_correlation_rules_admin.py
@@ -0,0 +1,57 @@
+"""Internal payload handling library - Correlation Rules Admin.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+from typing import Dict, List, Union
+
+
+def correlation_rules_admin_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int]]]]:
+ """Body payload generator for compliance control operations.
+
+ {
+ "api_client_id": "string",
+ "id": "string",
+ "user_id": "string",
+ "user_uuid": "string"
+ }
+ """
+ returned_payload = {}
+ keys = ["api_client_id", "id", "user_id", "user_uuid"]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ returned_payload[key] = passed_keywords.get(key, None)
+ return returned_payload
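Review bot: The docstring summary `Body payload generator for compliance control operations.` looks copy-pasted from another module; the keys this function handles (`api_client_id`, `id`, `user_id`, `user_uuid`) are correlation-rules admin fields, not compliance controls. Suggest `"""Craft a properly formatted correlation rules admin payload.` in the style the sibling payload modules use (see automation_user_group_payload further down the page). The return annotation should likewise be `Dict[str, str]`, since every value copied here is documented as a string.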
diff --git a/src/falconpy/_payload/_data_protection_configuration.py b/src/falconpy/_payload/_data_protection_configuration.py
new file mode 100644
index 00000000..e455d6cb
--- /dev/null
+++ b/src/falconpy/_payload/_data_protection_configuration.py
@@ -0,0 +1,347 @@
+"""Internal payload handling library - Data Protection Configuration.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+
+from typing import Dict, List, Union
+
+
+# pylint: disable=R0912
+def data_protection_classification_payload(
+ passed_keywords: dict
+ ) -> Dict[str, List[Dict[str, Union[str, int, bool, list, dict]]]]:
+ """Create classifications.
+
+ {
+ "resources": [
+ {
+ "classification_properties": {
+ "content_patterns": [
+ "string"
+ ],
+ "evidence_duplication_enabled": true,
+ "file_types": [
+ "string"
+ ],
+ "protection_mode": "monitor",
+ "rules": [
+ {
+ "ad_groups": [
+ "string"
+ ],
+ "ad_users": [
+ "string"
+ ],
+ "created_time_stamp": "string",
+ "description": "string",
+ "detection_severity": "informational",
+ "enable_printer_egress": true,
+ "enable_usb_devices": true,
+ "enable_web_locations": true,
+ "id": "string",
+ "modified_time_stamp": "string",
+ "notify_end_user": true,
+ "response_action": "allow",
+ "trigger_detection": true,
+ "user_scope": "all",
+ "web_locations": [
+ "string"
+ ],
+ "web_locations_scope": "all"
+ }
+ ],
+ "sensitivity_labels": [
+ "string"
+ ],
+ "web_sources": [
+ "string"
+ ]
+ },
+ "name": "string"
+ }
+ ]
+ }
+ """
+ returned_payload = {}
+ resources = []
+ resource = {}
+ keys = ["name", "classification_properties"]
+ for key in keys:
+ if passed_keywords.get(key, None):
+ provided = passed_keywords.get(key, None)
+ resource[key] = provided
+ resources.append(resource)
+ returned_payload['resources'] = resources
+
+ return returned_payload
+
+
+def data_protection_cloud_app_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int, bool, list, dict]]]]:
+ """Persist the given cloud application for the provided entity instance.
+
+ {
+ "description": "string",
+ "name": "string",
+ "urls": [
+ {
+ "fqdn": "string",
+ "path": "string"
+ }
+ ]
+ }
+ """
+ returned_payload = {}
+ keys = ["description", "name", "urls"]
+ for key in keys:
+ if passed_keywords.get(key, None):
+ provided = passed_keywords.get(key, None)
+ if provided == "urls" and isinstance(provided, dict):
+ provided = [provided]
+ returned_payload[key] = provided
+
+ return returned_payload
+
+
+def data_protection_content_pattern_payload(
+ passed_keywords: dict
+ ) -> Dict[str, List[Dict[str, Union[str, int, bool, list, dict]]]]:
+ """Persist the given content pattern for the provided entity instance.
+
+ {
+ "category": "string",
+ "description": "string",
+ "example": "string",
+ "min_match_threshold": 0,
+ "name": "string",
+ "regexes": [
+ "string"
+ ],
+ "region": "string"
+ }
+ """
+ returned_payload = {}
+ keys = ["category", "description", "example", "min_match_threshold", "name", "regexes", "region"]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ returned_payload[key] = passed_keywords.get(key, None)
+
+ return returned_payload
+
+
+def data_protection_enterprise_account_payload(
+ passed_keywords: dict
+ ) -> Dict[str, List[Dict[str, Union[str, int, bool, list, dict]]]]:
+ """Persist the given content pattern for the provided entity instance.
+
+ {
+ "application_group_id": "string",
+ "domains": [
+ "string"
+ ],
+ "name": "string",
+ "plugin_config_id": "string"
+ }
+ """
+ returned_payload = {}
+ keys = ["application_group_id", "domains", "name", "plugin_config_id"]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ returned_payload[key] = passed_keywords.get(key, None)
+
+ return returned_payload
+
+
+def data_protection_sensitivity_label_payload(
+ passed_keywords: dict
+ ) -> Dict[str, List[Dict[str, Union[str, int, bool, list, dict]]]]:
+ """Create new sensitivity label (V2).
+
+ {
+ "co_authoring": true,
+ "display_name": "string",
+ "external_id": "string",
+ "label_provider": "string",
+ "name": "string",
+ "plugins_configuration_id": "string",
+ "synced": true
+ }
+ """
+ returned_payload = {}
+ keys = ["co_authoring", "display_name",
+ "external_id", "label_provider",
+ "name", "plugins_configuration_id",
+ "synced"
+ ]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ returned_payload[key] = passed_keywords.get(key, None)
+
+ return returned_payload
+
+
+# pylint: disable=R0912
+def data_protection_policy_payload(passed_keywords: dict) -> Dict[str, List[Dict[str, Union[str, int, bool, list, dict]]]]:
+ """Create data protection policies.
+
+ {
+ "resources": [
+ {
+ "description": "string",
+ "name": "string",
+ "policy_properties": {
+ "allow_notifications": "default",
+ "be_exclude_domains": "string",
+ "be_paste_clipboard_max_size": 0,
+ "be_paste_clipboard_max_size_unit": "Bytes",
+ "be_paste_clipboard_min_size": 0,
+ "be_paste_clipboard_min_size_unit": "Bytes",
+ "be_paste_clipboard_over_size_behaviour_block": true,
+ "be_paste_timeout_duration_milliseconds": 0,
+ "be_paste_timeout_response": "block",
+ "be_splash_custom_message": "string",
+ "be_splash_enabled": true,
+ "be_splash_message_source": "default",
+ "be_upload_timeout_duration_seconds": 0,
+ "be_upload_timeout_response": "block",
+ "block_all_data_access": true,
+ "block_notifications": "default",
+ "browsers_without_active_extension": "allow",
+ "classifications": [
+ "string"
+ ],
+ "custom_allow_notification": "string",
+ "custom_block_notification": "string",
+ "enable_clipboard_inspection": true,
+ "enable_content_inspection": true,
+ "enable_context_inspection": true,
+ "enable_end_user_notifications_unsupported_browser": true,
+ "enable_network_inspection": true,
+ "euj_dialog_box_logo": "string",
+ "euj_dialog_timeout": 0,
+ "euj_dropdown_options": {
+ "justifications": [
+ {
+ "default": true,
+ "id": "string",
+ "justification": "string",
+ "selected": true
+ }
+ ]
+ },
+ "euj_header_text": {
+ "headers": [
+ {
+ "default": true,
+ "header": "string",
+ "selected": true
+ }
+ ]
+ },
+ "euj_require_additional_details": true,
+ "euj_response_cache_timeout": 0,
+ "evidence_download_enabled": true,
+ "evidence_duplication_enabled_default": true,
+ "evidence_encrypted_enabled": true,
+ "evidence_storage_free_disk_perc": 0,
+ "evidence_storage_max_size": 0,
+ "inspection_depth": "balanced",
+ "max_file_size_to_inspect": 0,
+ "max_file_size_to_inspect_unit": "Bytes",
+ "min_confidence_level": "low",
+ "network_inspection_files_exceeding_size_limit": "block",
+ "similarity_detection": true,
+ "similarity_threshold": "10",
+ "unsupported_browsers_action": "allow"
+ },
+ "precedence": 0
+ }
+ ]
+ }
+ """
+ returned_payload = {}
+
+ if passed_keywords.get("resources", None) is not None:
+ returned_payload["resources"] = passed_keywords.get("resources", None)
+ return returned_payload
+
+ resources = []
+ resource = {}
+
+ resource_fields = ["description", "name", "precedence", "policy_properties"]
+ for field in resource_fields:
+ if passed_keywords.get(field, None) is not None:
+ resource[field] = passed_keywords.get(field, None)
+ resources.append(resource)
+ returned_payload['resources'] = resources
+
+ return returned_payload
+
+
+def data_protection_web_locations_payload(
+ passed_keywords: dict
+ ) -> Dict[str, List[Dict[str, Union[str, int, bool, list, dict]]]]:
+ """Persist the given web-locations.
+
+ {
+ "web_locations": [
+ {
+ "application_id": "string",
+ "deleted": true,
+ "enterprise_account_id": "string",
+ "location_type": "string",
+ "name": "string",
+ "provider_location_id": "string",
+ "provider_location_name": "string",
+ "type": "string"
+ }
+ ]
+ }
+ """
+ returned_payload = {}
+ web_locations = []
+ web_location = {}
+ keys = ["application_id", "deleted",
+ "enterprise_account_id", "location_type",
+ "name", "provider_location_id",
+ "provider_location_name", "type"
+ ]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ web_location[key] = passed_keywords.get(key, None)
+ web_locations.append(web_location)
+ returned_payload["web_locations"] = web_locations
+
+ return returned_payload
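Review bot: In data_protection_cloud_app_payload the condition `if provided == "urls" and isinstance(provided, dict):` compares the keyword's value with the key name, so the dict-to-list wrap can never fire and a single `urls` dict is sent unwrapped; it should read `if key == "urls" and isinstance(provided, dict):`. The identical slip (`provided == "rule_logic_list"`) is in cloud_policies_rule_update_payload at the top of this page. Separately, data_protection_classification_payload and data_protection_web_locations_payload append their resource dict unconditionally, so a call with no matching keywords returns `{"resources": [{}]}` / `{"web_locations": [{}]}`; guard the append with `if resource:` / `if web_location:` the way cloud_policies_rule_update_payload guards `control`. The two functions that test `if passed_keywords.get(key, None):` (classification, cloud_app) also silently drop falsy values, which is inconsistent with the `is not None` test used by every other function here and with the change this same commit makes in _ioc.py. The docstring of data_protection_enterprise_account_payload ("Persist the given content pattern") is copied from the content-pattern function and should name enterprise accounts.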
diff --git a/src/falconpy/_payload/_generic.py b/src/falconpy/_payload/_generic.py
index 97eecc25..a366de66 100644
--- a/src/falconpy/_payload/_generic.py
+++ b/src/falconpy/_payload/_generic.py
@@ -101,6 +101,9 @@ def aggregate_payload(submitted_keywords: dict) -> dict: # pylint: disable=R091
"min_doc_count": integer,
"missing": "string",
"name": "string",
+ "percents": [
+ integer
+ ],
"q": "string",
"ranges": [
{
@@ -121,6 +124,7 @@ def aggregate_payload(submitted_keywords: dict) -> dict: # pylint: disable=R091
keys = ["date_ranges", "exclude", "include", "field", "filter", "interval", "missing",
"name", "q", "ranges", "sort", "sub_aggregates", "time_zone", "type", "extended_bounds"
+ "filters_spec", "percents"
]
int_keys = ["from", "max_doc_count", "min_doc_count", "size"]
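Review bot: The added line is missing a comma after `"extended_bounds"` on the line above it, so Python's implicit string concatenation turns the two entries into the single key `"extended_boundsfilters_spec"`; as a result `extended_bounds` (which worked before this change) and `filters_spec` are both silently never copied into the aggregate payload, while `percents` is. The fix is `"name", "q", "ranges", "sort", "sub_aggregates", "time_zone", "type", "extended_bounds",`. This is easy to miss in review because the list still parses; a unit test that passes `extended_bounds=` and `filters_spec=` and asserts they appear in the result would catch it. aggregate_payload's body continues outside the hunk.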
diff --git a/src/falconpy/_payload/_ioc.py b/src/falconpy/_payload/_ioc.py
index cd3bddae..7b593554 100644
--- a/src/falconpy/_payload/_ioc.py
+++ b/src/falconpy/_payload/_ioc.py
@@ -70,7 +70,7 @@ def indicator_object(passed_keywords: dict) -> dict:
"mobile_action", "severity", "source", "type", "value"
]
for key in keys:
- if passed_keywords.get(key, None):
+ if passed_keywords.get(key, None) is not None:
returned_payload[key] = passed_keywords.get(key, None)
if not passed_keywords.get("applied_globally", None) is None:
@@ -79,7 +79,7 @@ def indicator_object(passed_keywords: dict) -> dict:
list_keys = ["host_groups", "platforms", "tags"]
for list_key in list_keys:
passed_list = passed_keywords.get(list_key, None)
- if passed_list:
+ if passed_list is not None:
if isinstance(passed_list, str):
passed_list = passed_list.split(",")
returned_payload[list_key] = passed_list
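Review bot: With the check relaxed to `is not None`, an explicit empty string now reaches the split on the next line, and `"".split(",")` yields `[""]`, so `tags=""` (or `host_groups=""`, `platforms=""`) sends a list containing one empty element where it was previously omitted. If the intent was only to let `0`/`False` through, keep the empty string out with `if passed_list is not None and passed_list != "":`, or drop empty items after splitting. The same split-under-`is not None` pattern is introduced in automation_user_group_payload in _it_automation.py below, where `add_user_ids=""` would become `[""]`. indicator_object's body continues outside the hunk.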
diff --git a/src/falconpy/_payload/_it_automation.py b/src/falconpy/_payload/_it_automation.py
index 75045b75..c4c66aa9 100644
--- a/src/falconpy/_payload/_it_automation.py
+++ b/src/falconpy/_payload/_it_automation.py
@@ -441,7 +441,7 @@ def automation_policy_payload(passed_keywords: dict) -> dict:
def policy_host_group_payload(passed_keywords: dict) -> dict:
- """Craft a properly formatting policy host group payload.
+ """Craft a properly formatted policy host group payload.
{
"action": "string",
@@ -463,6 +463,33 @@ def policy_host_group_payload(passed_keywords: dict) -> dict:
return returned_payload
+def automation_user_group_payload(passed_keywords: dict) -> dict:
+ """Craft a properly formatted user group payload.
+
+ {
+ "add_user_ids": [
+ "string"
+ ],
+ "description": "string",
+ "name": "string",
+ "remove_user_ids": [
+ "string"
+ ]
+ }
+ """
+ returned_payload = {}
+ keys = ["add_user_ids", "description", "name", "remove_user_ids"]
+ list_keys = ["add_user_ids", "remove_user_ids"]
+ for key in keys:
+ if passed_keywords.get(key, None) is not None:
+ key_value = passed_keywords.get(key, None)
+ if key in list_keys and isinstance(key_value, str):
+ key_value = key_value.split(",")
+ returned_payload[key] = key_value
+
+ return returned_payload
+
+
def automation_live_query_payload(passed_keywords: dict) -> dict:
"""Craft a properly formatted live query payload.
diff --git a/src/falconpy/_payload/_ngsiem.py b/src/falconpy/_payload/_ngsiem.py
index c0b4bb20..56a0ce5a 100644
--- a/src/falconpy/_payload/_ngsiem.py
+++ b/src/falconpy/_payload/_ngsiem.py
@@ -89,3 +89,57 @@ def ngsiem_search_payload(passed_keywords: dict) -> dict:
returned[keystr] = passed_keywords.get(key, None)
return returned
+
+
+def ngsiem_parser_payload(passed_keywords: dict) -> dict:
+ """Craft a properly formatted parser payload.
+
+ {
+ "fields_to_be_removed_before_parsing": [
+ "string"
+ ],
+ "fields_to_tag": [
+ "string"
+ ],
+ "name": "string",
+ "id": "string",
+ "repository": "string",
+ "script": "string",
+ "test_cases": [
+ {
+ "event": {
+ "raw_string": "string"
+ },
+ "output_assertions": [
+ {
+ "assertions": {
+ "fields_have_values": [
+ {
+ "expected_value": "string",
+ "field_name": "string"
+ }
+ ],
+ "fields_not_present": [
+ "string"
+ ]
+ },
+ "output_event_index": 0
+ }
+ ]
+ }
+ ]
+ }
+ """
+ returned: dict = {}
+ keys = ["fields_to_be_removed_before_parsing", "fields_to_tag", "name", "repository", "script",
+ "test_cases", "id"
+ ]
+ list_keys = ["fields_to_be_removed_before_parsing", "fields_to_tag"]
+ for key in keys:
+ if passed_keywords.get(key, None):
+ keyval = passed_keywords.get(key, None)
+ if key in list_keys and isinstance(keyval, str):
+ keyval = keyval.split(",")
+ returned[key] = keyval
+
+ return returned
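Review bot: ngsiem_parser_payload tests `if passed_keywords.get(key, None):`, i.e. truthiness, while this same commit moves _ioc.py to `is not None`; here that means an explicit empty `script`, an empty `fields_to_tag` list or an empty `fields_to_be_removed_before_parsing` list is dropped rather than sent, which matters if the update endpoint is meant to clear those fields. If empty values should be sendable, change the test to `if passed_keywords.get(key, None) is not None:` to match the rest of the commit; if the drop is deliberate, a one-line comment saying so would stop the next reader "fixing" it.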
diff --git a/src/falconpy/_service_class/_service_class.py b/src/falconpy/_service_class/_service_class.py
index 89d88a53..5e45515a 100644
--- a/src/falconpy/_service_class/_service_class.py
+++ b/src/falconpy/_service_class/_service_class.py
@@ -198,6 +198,14 @@ def logout(self) -> dict:
"""Logout from the CrowdStrike API by revoking the current token."""
return self.auth_object.logout()
+ def child_login(self, member_cid: str) -> bool:
+ """Login to a child tenant by providing a member CID."""
+ return self.auth_object.child_login(member_cid=member_cid)
+
+ def child_logout(self, login_as_parent: bool) -> bool:
+ """Logout of a child tenant."""
+ return self.auth_object.child_logout(login_as_parent=login_as_parent)
+
# Legacy property getters maintained for backwards functionality.
def authenticated(self) -> bool:
"""Return the current authentication status."""
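Review bot: The docstrings on child_login and child_logout say nothing about what the returned bool reports or what `login_as_parent` controls, and both are thin wrappers whose semantics live in `self.auth_object`, which is not visible here. Since these switch the token a service class operates under across tenants, the contract deserves stating: something like `"""Login to a child tenant by providing a member CID. Returns True when the child token was obtained."""` and, for child_logout, a sentence on whether `login_as_parent=True` re-establishes the parent tenant token (presumably so — confirm against auth_object.child_logout). Documenting that subsequent calls on this instance are scoped to the child CID until child_logout would also help callers reason about which tenant a request is hitting.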
diff --git a/src/falconpy/_util/_functions.py b/src/falconpy/_util/_functions.py
index 071e5549..5912ee69 100644
--- a/src/falconpy/_util/_functions.py
+++ b/src/falconpy/_util/_functions.py
@@ -771,6 +771,10 @@ def handle_path_variables(passed: dict, route_url: str):
passed_id = passed.get("path_id", None)
if "aspm-api-gateway" in route_url and passed_id:
route_url = route_url.format(passed.get("path_id"))
+ # Falcon Container
+ passed_uuid = passed.get("uuid", None)
+ if passed_uuid:
+ route_url = route_url.format(str(passed_uuid))
# NGSIEM
passed_repository = passed.get("repository", None)
if passed_repository:
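Review bot: The new `uuid` substitution is neither gated on the Falcon Container route nor encoded: the ASPM branch just above it checks `"aspm-api-gateway" in route_url` before formatting, but the added block formats `str(passed_uuid)` into whatever `{}` placeholder remains for any operation that happens to receive a `uuid` keyword. Because the value is interpolated raw, a caller-supplied `uuid` containing `/`, `?` or `#` alters the request path instead of being rejected. Suggest gating on the container route the same way (`if "<container-route-substring>" in route_url and passed_uuid:`, substring to be taken from the endpoint table) and either validating (`uuid.UUID(str(passed_uuid))`, if the endpoint only accepts real UUIDs) or percent-encoding with `urllib.parse.quote(str(passed_uuid), safe="")` before `.format`. The same caller-controlled path variable is mapped for `GetReportByScanID` in _uber.py below via handle_field, whose encoding is not visible on this page. handle_path_variables continues outside the hunk.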
diff --git a/src/falconpy/_util/_uber.py b/src/falconpy/_util/_uber.py
index d5ab9334..f52f7cac 100644
--- a/src/falconpy/_util/_uber.py
+++ b/src/falconpy/_util/_uber.py
@@ -115,11 +115,14 @@ def scrub_target(oper: str, scrubbed: str, kwas: dict) -> str:
"GetLookupFromPackageWithNamespaceV1": ["repository", "namespace", "package", "filename"],
"GetLookupFromPackageV1": ["repository", "package", "filename"],
"StartSearchV1": ["repository"],
- "GetSearchStatusV1": ["repository", "id"],
- "StopSearchV1": ["repository", "id"]
+ "GetSearchStatusV1": ["repository", "id", "search_id"],
+ "StopSearchV1": ["repository", "id"],
+ "GetReportByScanID": ["uuid"]
}
for field_value, field_names in field_mapping.items():
if oper == field_value: # Only perform replacements on mapped operation IDs.
+ if oper == "GetSearchStatusV1" and (not kwas.get("id") and kwas.get("search_id")):
+ kwas["id"] = kwas["search_id"]
if len(field_names) == 1:
scrubbed = handle_field(scrubbed, kwas, field_names[0])
else:
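Review bot: The `search_id` → `id` aliasing is a single-operation special case placed inside the generic `field_mapping` loop and it mutates the caller's `kwas` dict in place, which the rest of the loop does not appear to do. Hoisting it above the loop keeps the loop table-driven: `if oper == "GetSearchStatusV1" and not kwas.get("id") and kwas.get("search_id"): kwas["id"] = kwas["search_id"]`. Note also that `"search_id"` is now in the field list for GetSearchStatusV1, so handle_field is invoked for it as well as for `id`; if handle_field substitutes the same placeholder, confirm the second call is a harmless no-op. scrub_target continues outside the hunk.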
diff --git a/src/falconpy/_version.py b/src/falconpy/_version.py
index 31cbf678..4fbf8bfa 100644
--- a/src/falconpy/_version.py
+++ b/src/falconpy/_version.py
@@ -35,7 +35,7 @@
For more information, please refer to
"""
-_VERSION = '1.5.4'
+_VERSION = '1.5.5'
_HEC_VERSION = '1.0.0'
_MAINTAINER = 'Joshua Hiller'
_AUTHOR = 'CrowdStrike'
diff --git a/src/falconpy/cao_hunting.py b/src/falconpy/cao_hunting.py
index 5f0732ae..0ba18df7 100644
--- a/src/falconpy/cao_hunting.py
+++ b/src/falconpy/cao_hunting.py
@@ -36,7 +36,7 @@
For more information, please refer to
"""
from typing import Dict, Union
-from ._util import force_default, process_service_request
+from ._util import force_default, process_service_request, handle_single_argument
from ._payload import aggregate_payload
from ._result import Result
from ._service_class import ServiceClass
@@ -56,6 +56,82 @@ class CAOHunting(ServiceClass):
- a valid token provided by the authentication service class (oauth2.py)
"""
+ @force_default(defaults=["body"], default_types=["dict"])
+ def aggregate_guides(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Aggregate Hunting Guides.
+
+ Keyword arguments:
+ body -- full body payload, not required when using other keywords.
+ [
+ {
+ "date_ranges": [
+ {
+ "from": "string",
+ "to": "string"
+ }
+ ],
+ "exclude": "string",
+ "extended_bounds": {
+ "max": "string",
+ "min": "string"
+ },
+ "field": "string",
+ "filter": "string",
+ "filters_spec": {
+ "filters": {
+ "additionalProp1": "string",
+ "additionalProp2": "string",
+ "additionalProp3": "string"
+ },
+ "other_bucket": boolean,
+ "other_bucket_key": "string"
+ },
+ "from": integer,
+ "include": "string",
+ "interval": "string",
+ "max_doc_count": integer,
+ "min_doc_count": integer,
+ "missing": "string",
+ "name": "string",
+ "percents": [
+ integer
+ ],
+ "q": "string",
+ "ranges": [
+ {
+ "From": integer,
+ "To": integer
+ }
+ ],
+ "size": integer,
+ "sort": "string",
+ "sub_aggregates": [
+ null
+ ],
+ "time_zone": "string",
+ "type": "string"
+ }
+ ]
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cao-hunting/AggregateHuntingGuides
+ """
+ if not body:
+ body = [aggregate_payload(submitted_keywords=kwargs)]
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="AggregateHuntingGuides",
+ body=body
+ )
+
@force_default(defaults=["body"], default_types=["dict"])
def aggregate_queries(self: object,
body: dict = None,
@@ -157,7 +233,12 @@ def create_export_archive(self: object,
Keyword arguments:
archive_type -- The Archive Type. String. Can be one of 'zip' and 'gzip'. Defaults to 'zip'.
filter -- The FQL Filter used to limit results. String.
- language -- The Query Language used. String. Accepted Values: cql, snort, suricata, or yara
+ language -- The Query Language used. String.
+ Accepted Values:
+ cql SPL
+ snort AI translated
+ suricata __all__
+ yara
parameters -- Full parameters payload dictionary. Not required if using other keywords.
This method only supports keywords for providing arguments.
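Review bot: The rewritten "Accepted Values" block for `language` reads as two columns collapsed into lines — `cql SPL`, `snort AI translated`, `suricata __all__`, `yara` — so a reader cannot tell whether `SPL`, `AI translated` and `__all__` are accepted `language` values or a separate column (elsewhere in this file `SPL, __all__` are the allowed values of `include_translated_content`). If all are accepted values, a single comma-separated line like the original (`Accepted Values: cql, snort, suricata, yara, SPL, AI translated, __all__`) is unambiguous; if the right-hand column is something else, label it. create_export_archive's docstring starts before and the method continues after the hunk.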
@@ -177,6 +258,32 @@ def create_export_archive(self: object,
params=parameters
)
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_guides(self: object, *args, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Retrieve a list of Hunting Guides.
+
+ Keyword arguments:
+ ids -- Hunting Guides IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'id'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cao-hunting/GetHuntingGuides
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetHuntingGuides",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
@force_default(defaults=["parameters"], default_types=["dict"])
def get_queries(self: object,
parameters: dict = None,
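Review bot: The docstring of get_guides says the first positional argument `is assumed to be 'id'`, but the call passes `"ids"` to handle_single_argument, which is also the keyword documented two lines above. Change the line to `Arguments: When not specified, the first argument to this method is assumed to be 'ids'.` so the docstring matches the code.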
@@ -186,6 +293,8 @@ def get_queries(self: object,
Keyword arguments:
ids -- Intelligence queries IDs. String or list of strings.
+ include_translated_content -- The AI translated language that should be returned if it exists.
+ Allowed values: SPL, __all__
parameters -- Full parameters payload dictionary. Not required if using other keywords.
This method only supports keywords for providing arguments.
@@ -234,7 +343,39 @@ def search_queries(self: object, parameters: dict = None, **kwargs) -> Union[Dic
params=parameters
)
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def search_guides(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Search for Hunting Guides that match the provided conditions.
+
+ Keyword arguments:
+ offset -- Starting index of result set from which to return IDs. Integer.
+ limit -- Number of IDs to return. Integer.
+ sort -- Order by fields. String.
+ filter -- FQL query specifying the filter parameters. String.
+ q -- Match phrase_prefix query criteria; included fields: _all (all filter string fields indexed). String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cao-hunting/SearchHuntingGuides
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="SearchHuntingGuides",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ AggregateHuntingGuides = aggregate_guides
AggregateIntelligenceQueries = aggregate_queries
GetArchiveExport = create_export_archive
+ GetHuntingGuides = get_guides
GetIntelligenceQueries = get_queries
SearchIntelligenceQueries = search_queries
+ SearchHuntingGuides = search_guides
diff --git a/src/falconpy/case_management.py b/src/falconpy/case_management.py
new file mode 100644
index 00000000..5f72467f
--- /dev/null
+++ b/src/falconpy/case_management.py
@@ -0,0 +1,1823 @@
+"""CrowdStrike Falcon CaseManagement API interface class.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+# pylint: disable=C0302
+from typing import Dict, Union
+from ._result import Result
+from ._service_class import ServiceClass
+from ._util import force_default, process_service_request, generate_error_result, handle_single_argument
+from ._endpoint._case_management import _case_management_endpoints as Endpoints
+from ._payload._case_management import (
+ case_management_notification_groups_payload,
+ case_management_create_notification_payload,
+ case_management_sla_payload,
+ case_management_template_payload,
+ specified_case_payload,
+ case_manage_payload,
+ case_evidence_payload,
+ update_case_payload
+ )
+
+
+# pylint: disable=R0904
+class CaseManagement(ServiceClass):
+ """The only requirement to instantiate an instance of this class is one of the following.
+
+ - a valid client_id and client_secret provided as keywords.
+ - a credential dictionary with client_id and client_secret containing valid API credentials.
+ {
+ "client_id": "CLIENT_ID_HERE",
+ "client_secret": "CLIENT_SECRET_HERE"
+ }
+ - a previously-authenticated instance of the authentication service class (oauth2.py).
+ - a valid token provided by the authentication service class (oauth2.py).
+ """
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def aggregates_file_details_post_v1(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get file details aggregates as specified via json in the request body.
+
+ Keyword arguments:
+ ids -- Resource IDs. String or a list of strings.
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ filter -- FQL filter expression. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-files/aggregates.file-details.post.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="aggregates_file_details_post_v1",
+ keywords=kwargs,
+ params=parameters,
+ body={}
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_file_details(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query file details.
+
+ Keyword arguments:
+ filter -- FQL filter expression. String.
+ limit -- Page size. Integer.
+ offset -- Page offset. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-files/combined.file-details.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="combined_file_details_get_v1",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_file_details(self: object, *args, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get file details by id.
+
+ Keyword arguments:
+ ids -- Resource IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-files/entities.file-details.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_file_details_get_v1",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def update_file_details(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update file details.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "description": "string",
+ "id": "string"
+ }
+ description -- File details update desecription. String.
+ id -- File details ID. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-files/entities.file-details.patch.v1
+ """
+ if not body:
+ keys = ["description", "id"]
+ for key in keys:
+ if kwargs.get(key, None) is not None:
+ body[key] = kwargs.get(key, None)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_file_details_patch_v1",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def bulk_download_files(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Download multiple existing file from case as a ZIP.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "ids": [
+ "string"
+ ]
+ }
+ ids -- List of files to download. List of strings.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-files/entities.files_bulk-download.post.v1
+ """
+ if not body:
+ if kwargs.get("ids", None):
+ provided = kwargs.get("ids", None)
+ if provided == "ids" and isinstance(provided, str):
+ provided = [provided]
+ body["ids"] = provided
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_files_bulk_download_post_v1",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def download_existing_files(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Download existing file from case.
+
+ Keyword arguments:
+ id -- Resource ID. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'id'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-files/entities.files_download.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_files_download_get_v1",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "id")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def upload_file(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Upload file for case.
+
+ Keyword arguments:
+ file -- Local file to Upload. String.
+ description -- Description of the file. String.
+ case_id -- Case ID for the file. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-files/entities.files_upload.post.v1
+ """
+ file = kwargs.get("file", None)
+ if file:
+ # Pop the path variables from the keywords dictionary
+ # before processing query string arguments.
+ try:
+ with open(file, "rb") as upload_file:
+ # Create a multipart form payload for our upload file
+ file_extended = {"file": upload_file}
+ returned = process_service_request(calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_files_upload_post_v1",
+ keywords=kwargs,
+ params=parameters,
+ files=file_extended
+ )
+ except FileNotFoundError:
+ returned = generate_error_result("Invalid upload file specified.")
+ else:
+ returned = generate_error_result("You must provide a file "
+ "argument in order to use this operation."
+ )
+ return returned
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_file_details(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete file details by id.
+
+ Keyword arguments:
+ ids -- Resource IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'id'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-files/entities.files.delete.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_files_delete_v1",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_file_detail_ids(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query for ids of file details.
+
+ Keyword arguments:
+ filter -- FQL filter expression. String.
+ limit -- Page size. Integer.
+ offset -- Page offset. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-files/queries.file-details.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_file_details_get_v1",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def get_notification_groups_aggregation(self: object,
+ body: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get notification groups aggregations.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ [
+ {
+ "date_ranges": [
+ {
+ "from": "string",
+ "to": "string"
+ }
+ ],
+ "field": "string",
+ "filter": "string",
+ "from": 0,
+ "name": "string",
+ "size": 0,
+ "sort": "string",
+ "type": "terms"
+ }
+ ]
+ date_ranges -- Date range timeframe. List of dictionaries.
+ field -- Field to retrieve. String.
+ filter -- Options filter criteria in the form of an FQL query. String.
+ from -- Integer.
+ name -- String.
+ size -- Integer.
+ sort -- The field to sort on. String.
+ type -- String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/aggregates.notification-groups.post.v1
+ """
+ if not body:
+ body = case_management_notification_groups_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="aggregates_notification_groups_post_v1",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def get_notification_groups_aggregation_v2(self: object,
+ body: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get notification groups aggregations.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ [
+ {
+ "date_ranges": [
+ {
+ "from": "string",
+ "to": "string"
+ }
+ ],
+ "field": "string",
+ "filter": "string",
+ "from": 0,
+ "name": "string",
+ "size": 0,
+ "sort": "string",
+ "type": "terms"
+ }
+ ]
+ date_ranges -- Date range timeframe. List of dictionaries.
+ field -- Field to retrieve. String.
+ filter -- Options filter criteria in the form of an FQL query. String.
+ from -- Integer.
+ name -- String.
+ size -- Integer.
+ sort -- The field to sort on. String.
+ type -- String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/aggregates.notification-groups.post.v2
+ """
+ if not body:
+ body = case_management_notification_groups_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="aggregates_notification_groups_post_v2",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def get_sla_aggregations(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get SLA aggregations.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ [
+ {
+ "date_ranges": [
+ {
+ "from": "string",
+ "to": "string"
+ }
+ ],
+ "field": "string",
+ "filter": "string",
+ "from": 0,
+ "name": "string",
+ "size": 0,
+ "sort": "string",
+ "type": "terms"
+ }
+ ]
+ date_ranges -- Date range timeframe. List of dictionaries.
+ field -- Field to retrieve. String.
+ filter -- Options filter criteria in the form of an FQL query. String.
+ from -- Integer.
+ name -- String.
+ size -- Integer.
+ sort -- The field to sort on. String.
+ type -- String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/aggregates.slas.post.v1
+ """
+ if not body:
+ body = case_management_notification_groups_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="aggregates_slas_post_v1",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def get_template_aggregations(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get templates aggregations.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ [
+ {
+ "date_ranges": [
+ {
+ "from": "string",
+ "to": "string"
+ }
+ ],
+ "field": "string",
+ "filter": "string",
+ "from": 0,
+ "name": "string",
+ "size": 0,
+ "sort": "string",
+ "type": "terms"
+ }
+ ]
+ date_ranges -- Date range timeframe. List of dictionaries.
+ field -- Field to retrieve. String.
+ filter -- Options filter criteria in the form of an FQL query. String.
+ from -- Integer.
+ name -- String.
+ size -- Integer.
+ sort -- The field to sort on. String.
+ type -- String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/aggregates.templates.post.v1
+ """
+ if not body:
+ body = case_management_notification_groups_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="aggregates_templates_post_v1",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_fields(self: object, *args, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get fields by ID.
+
+ Keyword arguments:
+ ids -- Resource IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.fields.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_fields_get_v1",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_notification_groups(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get notification groups by ID.
+
+ Keyword arguments:
+ ids -- Resource IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.notification-groups.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_notification_groups_get_v1",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_notification_group(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create notification group.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "channels": [
+ {
+ "config_id": "string",
+ "config_name": "string",
+ "recipients": [
+ "string"
+ ],
+ "severity": "string",
+ "type": "email"
+ }
+ ],
+ "description": "string",
+ "name": "string"
+ }
+ channels -- The notification group channel configuration parameters. List of dictionaries.
+ description -- Notification group description. String.
+ name -- Notification group name. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.notification-groups.post.v1
+ """
+ if not body:
+ body = case_management_create_notification_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_notification_groups_post_v1",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def update_notification_group(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update notification group.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "channels": [
+ {
+ "config_id": "string",
+ "config_name": "string",
+ "recipients": [
+ "string"
+ ],
+ "severity": "string",
+ "type": "email"
+ }
+ ],
+ "description": "string",
+ "id": "string",
+ "name": "string"
+ }
+ channels -- The notification group channel configuration parameters. List of dictionaries.
+ description -- Notification group description. String.
+ id -- The ID of the notification group. String.
+ name -- Notification group name. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.notification-groups.patch.v1
+ """
+ if not body:
+ body = case_management_create_notification_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_notification_groups_patch_v1",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_notification_group(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete notification groups by ID.
+
+ Keyword arguments:
+ ids -- Resource IDs.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.notification-groups.delete.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_notification_groups_delete_v1",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_notification_groups_v2(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get notification groups by ID.
+
+ Keyword arguments:
+ ids -- Resource IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.notification-groups.get.v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_notification_groups_get_v2",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_notification_group_v2(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create notification group.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "channels": [
+ {
+ "config_id": "string",
+ "config_name": "string",
+ "params": {},
+ "type": "email"
+ }
+ ],
+ "description": "string",
+ "name": "string"
+ }
+ channels -- The notification group channel configuration parameters. List of dictionaries.
+ description -- Notification group description. String.
+ name -- Notification group name. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.notification-groups.post.v2
+ """
+ if not body:
+ body = case_management_create_notification_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_notification_groups_post_v2",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def update_notification_group_v2(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update notification group.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "channels": [
+ {
+ "config_id": "string",
+ "config_name": "string",
+ "params": {},
+ "type": "email"
+ }
+ ],
+ "description": "string",
+ "id": "string",
+ "name": "string"
+ }
+ This method only supports keywords for providing arguments.
+ channels -- The notification group channel configuration parameters. List of dictionaries.
+ description -- Notification group description. String.
+ id -- The ID of the notification group. String.
+ name -- Notification group name. String.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.notification-groups.patch.v2
+ """
+ if not body:
+ body = case_management_create_notification_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_notification_groups_patch_v2",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_notification_group_v2(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete notification groups by ID.
+
+ Keyword arguments:
+ ids -- Resource IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.notification-groups.delete.v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_notification_groups_delete_v2",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_slas(self: object, *args, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get SLAs by ID.
+
+ Keyword arguments:
+ ids -- Resource IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.slas.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_slas_get_v1",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_sla(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create SLA.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "description": "string",
+ "goals": [
+ {
+ "duration_seconds": 0,
+ "escalation_policy": {
+ "steps": [
+ {
+ "escalate_after_seconds": 0,
+ "notification_group_id": "string"
+ }
+ ]
+ },
+ "type": "string"
+ }
+ ],
+ "name": "string"
+ }
+ description -- The description of the SLA. String.
+ goals -- The SLA goals. List of dictionaries.
+ name -- The name of the SLA. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.slas.post.v1
+ """
+ if not body:
+ body = case_management_sla_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_slas_post_v1",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def update_sla(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update SLA.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "description": "string",
+ "goals": [
+ {
+ "duration_seconds": 0,
+ "escalation_policy": {
+ "steps": [
+ {
+ "escalate_after_seconds": 0,
+ "notification_group_id": "string"
+ }
+ ]
+ },
+ "type": "string"
+ }
+ ],
+ "name": "string"
+ }
+ description -- The description of the SLA. String.
+ goals -- The SLA goals. List of dictionaries.
+ name -- The name of the SLA. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.slas.patch.v1
+ """
+ if not body:
+ body = case_management_sla_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_slas_patch_v1",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_sla(self: object, *args, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete SLAs.
+
+ Keyword arguments:
+ ids -- Resource IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.slas.delete.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_slas_delete_v1",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_template_snapshots(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get template snapshots.
+
+ Keyword arguments:
+ ids -- Snapshot IDs. String or list of strings.
+ template_ids -- Retrieves the latest snapshot for all Template IDs. String or list of strings.
+ versions -- Retrieve a specific version of the template from the parallel array `template_ids`.
+ A value of zero will return the latest snapshot. Integer or list of Integers.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.template-snapshots.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_template_snapshots_get_v1",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def export_templates(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Export templates to files in a zip archive.
+
+ Keyword arguments:
+ ids -- Template IDs. String or list of strings.
+ filter -- FQL filter expression. String.
+ format -- Export file format. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.templates_export.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_templates_export_get_v1",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def import_template(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Import a template from a file.
+
+ Keyword arguments:
+ file -- Local file. formData.
+ dry_run -- Run validation only. Boolean.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.templates_import.post.v1
+ """
+ file = kwargs.get("file", None)
+ if file:
+ # Pop the path variables from the keywords dictionary
+ # before processing query string arguments.
+ try:
+ with open(file, "rb") as upload_file:
+ # Create a multipart form payload for our upload file
+ file_extended = {"file": upload_file}
+ returned = process_service_request(calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_templates_import_post_v1",
+ keywords=kwargs,
+ params=parameters,
+ files=file_extended
+ )
+ except FileNotFoundError:
+ returned = generate_error_result("Invalid upload file specified.")
+ else:
+ returned = generate_error_result("You must provide a file "
+ "argument in order to use this operation."
+ )
+ return returned
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_templates(self: object, *args, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get templates by ID.
+
+ Keyword arguments:
+ ids -- Resource IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.templates.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_templates_get_v1",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_template(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create template.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "description": "string",
+ "fields": [
+ {
+ "data_type": "string",
+ "default_value": "string",
+ "input_type": "string",
+ "multivalued": true,
+ "name": "string",
+ "options": [
+ {
+ "value": "string"
+ }
+ ],
+ "required": true
+ }
+ ],
+ "name": "string",
+ "sla_id": "string"
+ }
+ description -- The description of the template. String.
+ fields -- The fields required to create a template. List of dictionaries.
+ name -- The name of the template. String.
+ sla_id -- The ID of the SLA. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.templates.post.v1
+ """
+ if not body:
+ body = case_management_template_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_templates_post_v1",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def update_template(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update template.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "description": "string",
+ "fields": [
+ {
+ "data_type": "string",
+ "default_value": "string",
+ "id": "string",
+ "input_type": "string",
+ "multivalued": true,
+ "name": "string",
+ "options": [
+ {
+ "id": "string",
+ "value": "string"
+ }
+ ],
+ "required": true
+ }
+ ],
+ "id": "string",
+ "name": "string",
+ "sla_id": "string"
+ }
+ description -- The description of the template. String.
+ fields -- The fields required to create a template. List of dictionaries.
+ id -- The ID of the template to update. String.
+ name -- The name of the template. String.
+ sla_id -- The ID of the SLA. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.templates.patch.v1
+ """
+ if not body:
+ body = case_management_template_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_templates_patch_v1",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_templates(self: object, *args, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete templates.
+
+ Keyword arguments:
+ ids -- Resource IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/entities.templates.delete.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_templates_delete_v1",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_fields(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query fields.
+
+ Keyword arguments:
+ filter -- FQL filter expression. String.
+ limit -- Page size. Integer.
+ offset -- Page offset. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/queries.fields.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_fields_get_v1",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_notification_groups(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query notification groups.
+
+ Keyword arguments:
+ filter -- FQL filter expression. String.
+ sort -- Sort expression. String.
+ limit -- Page size. Integer.
+ offset -- Page offset. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/queries.notification-groups.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_notification_groups_get_v1",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_notification_groups_v2(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query notification groups.
+
+ Keyword arguments:
+ filter -- FQL filter expression. String.
+ sort -- Sort expression. String.
+ limit -- Page size. Integer.
+ offset -- Page offset. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/queries.notification-groups.get.v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_notification_groups_get_v2",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_slas(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query SLAs.
+
+ Keyword arguments:
+ filter -- FQL filter expression. String.
+ sort -- Sort expression. String.
+ limit -- Page size. Integer.
+ offset -- Page offset. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/queries.slas.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_slas_get_v1",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_template_snapshots(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query template snapshots.
+
+ Keyword arguments:
+ filter -- FQL filter expression. String.
+ limit -- Page size. Integer.
+ offset -- Page offset. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/queries.template-snapshots.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_template_snapshots_get_v1",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_templates(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query templates.
+
+ Keyword arguments:
+ filter -- FQL filter expression. String.
+ sort -- Sort expression. String.
+ limit -- Page size. Integer.
+ offset -- Page offset. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/case-management/queries.templates.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_templates_get_v1",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def add_case_alert_evidence(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Add the given list of alert evidence to the specified case.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "alerts": [
+ {
+ "id": "string"
+ }
+ ],
+ "id": "string"
+ }
+ alerts -- The alert IDs. String.
+ id -- The specified case ID. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.alert-evidence.post.v1
+ """
+ if not body:
+ body = specified_case_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_alert_evidence_post_v1",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def add_case_tags(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Add the given list of tags to the specified case.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "id": "string",
+ "tags": [
+ "string"
+ ]
+ }
+ id -- The specified case ID. String.
+ tags -- The given list of tags. List of strings.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.case-tags.post.v1
+ """
+ if not body:
+ body = specified_case_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_case_tags_post_v1",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_case_tags(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Remove the specified tags from the specified case.
+
+ Keyword arguments:
+ id -- The ID of the case to remove tags from. String.
+ tag -- The tag to remove from the case. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.case-tags.delete.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_case_tags_delete_v1",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_case(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create the given Case.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "assigned_to_user_uuid": "string",
+ "description": "string",
+ "evidence": {
+ "alerts": [
+ {
+ "id": "string"
+ }
+ ],
+ "events": [
+ {
+ "id": "string"
+ }
+ ],
+ "leads": [
+ {
+ "id": "string"
+ }
+ ]
+ },
+ "name": "string",
+ "severity": 0,
+ "status": "string",
+ "tags": [
+ "string"
+ ],
+ "template": {
+ "id": "string"
+ }
+ }
+ assigned_to_user_uuid -- UUID of the user to assign the case to. String.
+ description -- The description of the case. String.
+ evidence -- The case evidence info. Dictionary.
+ name -- The name of the case. String.
+ severity -- The severity level of the case. Integer.
+ status -- The current status of the case. String.
+ tags -- The tags to be attached to the case. List of strings.
+ template -- The template case to utilize. Dictionary.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PUT
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.cases.put.v2
+ """
+ if not body:
+ body = case_manage_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_cases_put_v2",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def get_cases(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Retrieve all Cases given their IDs.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "ids": [
+ "string"
+ ]
+ }
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.cases.post.v2
+ """
+ if not body:
+ if kwargs.get("ids", None):
+ provided = kwargs.get("ids", None)
+ if provided == "ids" and isinstance(provided, str):
+ provided = [provided]
+ body["ids"] = provided
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_cases_post_v2",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def update_case_fields(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update given fields on the specified case.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "expected_consistency_version": 0,
+ "expected_version": 0,
+ "fields": {
+ "assigned_to_user_uuid": "string",
+ "custom_fields": [
+ {
+ "id": "string",
+ "values": [
+ "string"
+ ]
+ }
+ ],
+ "description": "string",
+ "name": "string",
+ "remove_user_assignment": true,
+ "severity": 0,
+ "slas_active": true,
+ "status": "string",
+ "template": {
+ "id": "string"
+ }
+ },
+ "id": "string"
+ }
+ expected_consistency_version -- The consistency version. Integer.
+ expected_version -- The version. Integer.
+ fields -- The updated given fields for the specified case. Dictionary.
+ id -- The specified case ID. String.
+
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.cases.patch.v2
+ """
+ if not body:
+ body = update_case_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_cases_patch_v2",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def add_case_event_evidence(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Add the given list of event evidence to the specified case.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "events": [
+ {
+ "id": "string"
+ }
+ ],
+ "id": "string"
+ }
+ events -- The event evidence field . List of dictionaries.
+ id -- The specified case ID. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.event-evidence.post.v1
+ """
+ if not body:
+ body = case_evidence_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_event_evidence_post_v1",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_case_ids(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Retrieve all Cases IDs that match a given query.
+
+ Keyword arguments:
+ limit -- The maximum number of Cases to return in this response (default: 100; max: 10000). Integer.
+ Use this parameter together with the `offset` parameter to manage pagination of the results.
+ offset -- The first case to return, where `0` is the latest case. Integer.
+ Use with the `offset` parameter to manage pagination of results.
+ sort -- The field to sort on. Sort parameter takes the form . String.
+ The sorting fields can be any keyword field that is part of #domain.Case except for the text based fields.
+ If the fields are missing from the Cases, the service will fallback to its default ordering.
+ filter -- FQL filter expression. String.
+ Filter fields can be any keyword field that is part of #domain.Case.
+ q -- Search all Case metadata for the provided string. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/queries.cases.get.v1
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_cases_get_v1",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ aggregates_file_details_post_v1 = aggregates_file_details_post_v1
+ combined_file_details_get_v1 = query_file_details
+ entities_file_details_get_v1 = get_file_details
+ entities_file_details_patch_v1 = update_file_details
+ entities_files_bulk_download_post_v1 = bulk_download_files
+ entities_files_download_get_v1 = download_existing_files
+ entities_files_upload_post_v1 = upload_file
+ entities_files_delete_v1 = delete_file_details
+ queries_file_details_get_v1 = query_file_detail_ids
+ aggregates_notification_groups_post_v1 = get_notification_groups
+ aggregates_notification_groups_post_v2 = get_notification_groups_v2
+ aggregates_slas_post_v1 = get_sla_aggregations
+ aggregates_templates_post_v1 = get_template_aggregations
+ entities_fields_get_v1 = get_fields
+ entities_notification_groups_get_v1 = get_notification_groups
+ entities_notification_groups_post_v1 = create_notification_group
+ entities_notification_groups_patch_v1 = update_notification_group
+ entities_notification_groups_delete_v1 = delete_notification_group
+ entities_notification_groups_get_v2 = get_notification_groups
+ entities_notification_groups_post_v2 = create_notification_group_v2
+ entities_notification_groups_patch_v2 = update_notification_group_v2
+ entities_notification_groups_delete_v2 = delete_notification_group_v2
+ entities_slas_get_v1 = get_slas
+ entities_slas_post_v1 = create_sla
+ entities_slas_patch_v1 = update_sla
+ entities_slas_delete_v1 = delete_sla
+ entities_template_snapshots_get_v1 = get_template_snapshots
+ entities_templates_export_get_v1 = export_templates
+ entities_templates_import_post_v1 = import_template
+ entities_templates_get_v1 = get_templates
+ entities_templates_post_v1 = create_template
+ entities_templates_patch_v1 = update_template
+ entities_templates_delete_v1 = delete_templates
+ queries_fields_get_v1 = query_fields
+ queries_notification_groups_get_v1 = query_notification_groups
+ queries_notification_groups_get_v2 = query_notification_groups_v2
+ queries_slas_get_v1 = query_slas
+ queries_template_snapshots_get_v1 = query_template_snapshots
+ queries_templates_get_v1 = query_templates
+ entities_alert_evidence_post_v1 = add_case_alert_evidence
+ entities_case_tags_post_v1 = add_case_tags
+ entities_case_tags_delete_v1 = delete_case_tags
+ entities_cases_put_v2 = create_case
+ entities_cases_post_v2 = get_cases
+ entities_cases_patch_v2 = update_case_fields
+ entities_event_evidence_post_v1 = add_case_event_evidence
+ queries_cases_get_v1 = query_case_ids
diff --git a/src/falconpy/cloud_aws_registration.py b/src/falconpy/cloud_aws_registration.py
index 5eb47106..b1500313 100644
--- a/src/falconpy/cloud_aws_registration.py
+++ b/src/falconpy/cloud_aws_registration.py
@@ -56,6 +56,35 @@ class CloudAWSRegistration(ServiceClass):
- a valid token provided by the authentication service class (oauth2.py)
"""
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def trigger_health_check(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Trigger health check scan for AWS accounts.
+
+ Keyword arguments:
+ account_ids -- AWS Account IDs. String or list of strings.
+ organization_ids -- Organization IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-aws-registration/cloud-registration-aws-trigger-health-check
+ """
+ kwargs["organization-ids"] = kwargs.get("organization_ids", None)
+ kwargs["account-ids"] = kwargs.get("account_ids", None)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_registration_aws_trigger_health_check",
+ keywords=kwargs,
+ params=parameters
+ )
+
@force_default(defaults=["parameters"], default_types=["dict"])
def get_accounts(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
"""Retrieve existing AWS accounts by account IDs.
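Review bot: The two key-mapping lines at the top of `trigger_health_check` (`kwargs["organization-ids"] = kwargs.get("organization_ids", None)` and the `account-ids` line) carry no comment, leave the snake_case keys in kwargs next to their hyphenated copies, and set the hyphenated keys to `None` when the caller passed nothing; `validate_accounts` in the next hunk does the same with `iam-role-arn`, `organization-id` and `account-id`. Whether `process_service_request` discards `None` values and keywords the endpoint does not declare is not visible here, so the reliance on it deserves a line such as `# NOTE: the API uses hyphenated query parameter names; the snake_case originals stay in kwargs — confirm process_service_request drops them.`. Popping the snake_case keys instead of copying them would make the intent explicit without depending on downstream filtering. The CloudAWSRegistration class body continues outside the hunk.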
@@ -226,36 +255,36 @@ def delete_account(self: object, parameters: dict = None, **kwargs) -> Union[Dic
params=parameters
)
- # @force_default(defaults=["parameters"], default_types=["dict"])
- # def validate_accounts(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
- # """Validate the AWS account for a provided CID. For internal clients only.
-
- # Keyword arguments:
- # products -- Product registered for an account. String.
- # feature -- Features registered for an account. String or list of strings.
- # account_id -- AWS Account ID.
- # iam_role_arn -- IAM Role ARN.
- # parameters -- Full parameters payload dictionary. Not required if using other keywords.
-
- # This method only supports keywords for providing arguments.
-
- # Returns: dict object containing API response.
-
- # HTTP Method: POST
-
- # Swagger URL
- # https://assets.falcon.crowdstrike.com/support/api/swagger.html#
- # /cloud-aws-registration/cloud-registration-aws-validate-accounts
- # """
- # kwargs["account-id"] = kwargs.get("account_id", None)
- # kwargs["iam-role-arn"] = kwargs.get("iam_role_arn", None)
- # return process_service_request(
- # calling_object=self,
- # endpoints=Endpoints,
- # operation_id="cloud_registration_aws_validate_accounts",
- # keywords=kwargs,
- # params=parameters
- # )
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def validate_accounts(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Validate the AWS account registration status, and discover organization child accounts if organization is specified.
+
+ Keyword arguments:
+ account_id -- AWS Account ID. organization-id shouldn't be specified if this is specified. String.
+ iam_role_arn -- IAM Role ARN. String.
+ organization_id -- AWS organization ID to validate master account.
+ account_id shouldn't be specified if this is specified. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-aws-registration/cloud-registration-aws-validate-accounts
+ """
+ kwargs["iam-role-arn"] = kwargs.get("iam_role_arn", None)
+ kwargs["organization-id"] = kwargs.get("organization_id", None)
+ kwargs["account-id"] = kwargs.get("account_id", None)
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_registration_aws_validate_accounts",
+ keywords=kwargs,
+ params=parameters
+ )
@force_default(defaults=["parameters"], default_types=["dict"])
def query_accounts(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
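Review bot: The docstring of `validate_accounts` states that `account_id` and `organization_id` must not be supplied together, but the body forwards both unconditionally, so the constraint is enforced only by the service, if at all. If that is intentional, say so next to the mapping lines, e.g. `# account-id and organization-id are mutually exclusive per the API reference; the request is sent as given and any conflict is left to the service.`; otherwise a local guard that returns an error result before the request is sent would save a round trip. The class body continues outside the hunk.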
@@ -291,9 +320,10 @@ def query_accounts(self: object, parameters: dict = None, **kwargs) -> Union[Dic
params=parameters
)
+ cloud_registration_aws_trigger_health_check = trigger_health_check
cloud_registration_aws_get_accounts = get_accounts
cloud_registration_aws_create_account = create_account
cloud_registration_aws_update_account = update_account
cloud_registration_aws_delete_account = delete_account
- # cloud_registration_aws_validate_accounts = validate_accounts
+ cloud_registration_aws_validate_accounts = validate_accounts
cloud_registration_aws_query_accounts = query_accounts
diff --git a/src/falconpy/cloud_azure_registration.py b/src/falconpy/cloud_azure_registration.py
index fca8f45f..a7845a6c 100644
--- a/src/falconpy/cloud_azure_registration.py
+++ b/src/falconpy/cloud_azure_registration.py
@@ -36,8 +36,13 @@
For more information, please refer to
"""
from typing import Dict, Union
-from ._util import force_default, process_service_request
-from ._payload import cloud_azure_registration_payload, cloud_azure_registration_create_payload
+from ._util import force_default, process_service_request, handle_single_argument
+from ._payload import (
+ cloud_azure_registration_payload,
+ cloud_azure_registration_create_payload,
+ generic_payload_list,
+ cloud_azure_registration_legacy_payload
+)
from ._result import Result
from ._service_class import ServiceClass
from ._endpoint._cloud_azure_registration import _cloud_azure_registration_endpoints as Endpoints
@@ -56,6 +61,74 @@ class CloudAzureRegistration(ServiceClass):
- a valid token provided by the authentication service class (oauth2.py)
"""
+ @force_default(defaults=["body"], default_types=["dict"])
+ def delete_legacy_subscription(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete existing legacy Azure subscriptions.
+
+ Keyword arguments:
+ body -- Full body payload as a dictionary. Not required if using other keywords.
+ {
+ "resources": [
+ {
+ "retain_client": true,
+ "subscription_id": "string",
+ "tenant_id": "string"
+ }
+ ]
+ }
+ retain_client -- Boolean.
+ subscription_id -- String.
+ tenant_id -- String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-azure-registration/cloud-registration-azure-delete-legacy-subscription
+ """
+ if not body:
+ body = cloud_azure_registration_legacy_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_registration_azure_delete_legacy_subscription",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def health_check(self: object, *args, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Trigger health check scan for Azure registrations.
+
+ Keyword arguments:
+ tenant_ids -- Azure tenant IDs. String or list of string.
+ body -- Full body payload as a dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'tenant_ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /cloud-azure-registration/cloud-registration-azure-trigger-health-check
+ """
+ kwargs = handle_single_argument(args, kwargs, "tenant_ids")
+ if not body:
+ body = generic_payload_list(submitted_keywords=kwargs, payload_value="tenant_ids")
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_registration_azure_trigger_health_check",
+ body=body
+ )
+
@force_default(defaults=["parameters"], default_types=["dict"])
def get_registration(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
"""Retrieve existing Azure registration for a tenant.
@@ -401,9 +474,38 @@ def download_script(self: object, body: dict = None, **kwargs) -> Union[Dict[str
body=body
)
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def validate_registration(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Validate an Azure registration by checking service principal, role assignments and deployment stack.
+
+ Keyword arguments:
+ tenant_id -- Azure tenant ID to be validated. String.
+ stack_name -- Azure deployment stack name to be validated. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-azure-registration/cloud-registration-azure-validate-registration
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_registration_azure_validate_registration",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ cloud_registration_azure_delete_legacy_subscription = delete_legacy_subscription
+ cloud_registration_azure_trigger_health_check = health_check
cloud_registration_azure_get_registration = get_registration
cloud_registration_azure_create_registration = create_registration
cloud_registration_azure_update_registration = update_registration
cloud_registration_azure_delete_registration = delete_registration
download_azure_script = deployment_script
cloud_registration_azure_download_script = download_script
+ cloud_registration_azure_validate_registration = validate_registration
diff --git a/src/falconpy/cloud_google_cloud_registration.py b/src/falconpy/cloud_google_cloud_registration.py
new file mode 100644
index 00000000..16720c3f
--- /dev/null
+++ b/src/falconpy/cloud_google_cloud_registration.py
@@ -0,0 +1,386 @@
+"""CrowdStrike Falcon CloudGoogleCloudRegistration API interface class.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+from typing import Dict, Union
+from ._util import force_default, process_service_request, handle_single_argument
+from ._result import Result
+from ._service_class import ServiceClass
+from ._endpoint._cloud_google_cloud_registration import _cloud_google_cloud_registration_endpoints as Endpoints
+from ._payload import cloud_google_registration_create_payload
+
+
+class CloudGoogleCloudRegistration(ServiceClass):
+ """The only requirement to instantiate an instance of this class is one of the following.
+
+ - a valid client_id and client_secret provided as keywords.
+ - a credential dictionary with client_id and client_secret containing valid API credentials
+ {
+ "client_id": "CLIENT_ID_HERE",
+ "client_secret": "CLIENT_SECRET_HERE"
+ }
+ - a previously-authenticated instance of the authentication service class (oauth2.py)
+ - a valid token provided by the authentication service class (oauth2.py)
+ """
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def trigger_health_check(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Trigger health check scan for GCP registrations.
+
+ Keyword arguments:
+ ids -- GCP Registration IDs. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-google-cloud-registration/cloud-registration-gcp-trigger-health-check
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_registration_gcp_trigger_health_check",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_registration(self: object, *args, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Retrieve a Google Cloud Registration.
+
+ Keyword arguments:
+ ids -- Google Cloud Registration ID. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-google-cloud-registration/cloud-registration-gcp-get-registration
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_registration_gcp_get_registration",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def update_registration(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create a new Google Cloud Registration if one doesnt exist or update the existing Google Cloud Registration.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "resources": [
+ {
+ "deployment_method": "string",
+ "entity_id": [
+ "string"
+ ],
+ "excluded_project_patterns": [
+ "string"
+ ],
+ "falcon_client_key_id": "string",
+ "falcon_client_key_type": "string",
+ "infra_manager_region": "string",
+ "infra_project_id": "string",
+ "labels": {
+ "additionalProp1": "string",
+ "additionalProp2": "string",
+ "additionalProp3": "string"
+ },
+ "products": [
+ {
+ "features": [
+ "string"
+ ],
+ "product": "string"
+ }
+ ],
+ "registration_name": "string",
+ "registration_scope": "string",
+ "resource_name_prefix": "string",
+ "resource_name_suffix": "string",
+ "tags": {
+ "additionalProp1": "string",
+ "additionalProp2": "string",
+ "additionalProp3": "string"
+ },
+ "wif_project_id": "string"
+ }
+ ]
+ }
+ deployment_method -- The method of deployment. String.
+ entity_id -- The ID of the entity. String.
+ excluded_project_patterns -- Project patterns that should be excluded. List of Strings.
+ falcon_client_key_id -- API client key ID. String.
+ falcon_client_key_type -- API client key type. String.
+ infra_project_id -- Infrastructure project ID. String.
+ labels -- Prop labels. Dictionary.
+ products -- Products. List of dictionaries.
+ registration_name -- Registration name. String.
+ registration_scope -- Registration scope. String.
+ resource_name_prefix -- Resource name prefix. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PUT
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-google-cloud-registration/cloud-registration-gcp-put-registration
+ """
+ if not body:
+ body = cloud_google_registration_create_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_registration_gcp_put_registration",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_registration(self: object,
+ body: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]: # noqa: E501, pylint: disable=C0301
+ """Create a Google Cloud Registration.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "resources": [
+ {
+ "deployment_method": "string",
+ "entity_id": [
+ "string"
+ ],
+ "excluded_project_patterns": [
+ "string"
+ ],
+ "falcon_client_key_id": "string",
+ "falcon_client_key_type": "string",
+ "infra_manager_region": "string",
+ "infra_project_id": "string",
+ "labels": {
+ "additionalProp1": "string",
+ "additionalProp2": "string",
+ "additionalProp3": "string"
+ },
+ "products": [
+ {
+ "features": [
+ "string"
+ ],
+ "product": "string"
+ }
+ ],
+ "registration_name": "string",
+ "registration_scope": "string",
+ "resource_name_prefix": "string",
+ "resource_name_suffix": "string",
+ "tags": {
+ "additionalProp1": "string",
+ "additionalProp2": "string",
+ "additionalProp3": "string"
+ },
+ "wif_project_id": "string"
+ }
+ ]
+ }
+ deployment_method -- The method of deployment. String.
+ entity_id -- The ID of the entity. String.
+ excluded_project_patterns -- Project patterns that should be excluded. List of Strings.
+ falcon_client_key_id -- API client key ID. String.
+ falcon_client_key_type -- API client key type. String.
+ infra_project_id -- Infrastructure project ID. String.
+ labels -- Prop labels. Dictionary.
+ products -- Products. List of dictionaries.
+ registration_name -- Registration name. String.
+ registration_scope -- Registration scope. String.
+ resource_name_prefix -- Resource name prefix. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-google-cloud-registration/cloud-registration-gcp-create-registration
+ """
+ if not body:
+ body = cloud_google_registration_create_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_registration_gcp_create_registration",
+ body=body
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def cloud_registration_gcp_update_registration(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update a Google Cloud Registration.
+
+ Keyword arguments:
+ ids -- Google Cloud Registration ID. String.
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "resources": [
+ {
+ "deployment_method": "string",
+ "entity_id": [
+ "string"
+ ],
+ "excluded_project_patterns": [
+ "string"
+ ],
+ "falcon_client_key_id": "string",
+ "falcon_client_key_type": "string",
+ "infra_manager_region": "string",
+ "infra_project_id": "string",
+ "labels": {
+ "additionalProp1": "string",
+ "additionalProp2": "string",
+ "additionalProp3": "string"
+ },
+ "products": [
+ {
+ "features": [
+ "string"
+ ],
+ "product": "string"
+ }
+ ],
+ "registration_name": "string",
+ "registration_scope": "string",
+ "resource_name_prefix": "string",
+ "resource_name_suffix": "string",
+ "tags": {
+ "additionalProp1": "string",
+ "additionalProp2": "string",
+ "additionalProp3": "string"
+ },
+ "wif_project_id": "string"
+ }
+ ]
+ }
+ deployment_method -- The method of deployment. String.
+ entity_id -- The ID of the entity. String.
+ excluded_project_patterns -- Project patterns that should be excluded. List of Strings.
+ falcon_client_key_id -- API client key ID. String.
+ falcon_client_key_type -- API client key type. String.
+ infra_project_id -- Infrastructure project ID. String.
+ labels -- Prop labels. Dictionary.
+ products -- Products. List of dictionaries.
+ registration_name -- Registration name. String.
+ registration_scope -- Registration scope. String.
+ resource_name_prefix -- Resource name prefix. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-google-cloud-registration/cloud-registration-gcp-update-registration
+ """
+ if not body:
+ body = cloud_google_registration_create_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_registration_gcp_update_registration",
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_registration(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete a Google Cloud Registration and return the deleted registration in the response body.
+
+ Keyword arguments:
+ ids -- Google Cloud Registration ID. String
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_registration_gcp_delete_registration",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ cloud_registration_gcp_trigger_health_check = trigger_health_check
+ cloud_registration_gcp_get_registration = get_registration
+ cloud_registration_gcp_put_registration = update_registration
+ cloud_registration_gcp_create_registration = create_registration
+ cloud_registration_gcp_update_registration = cloud_registration_gcp_update_registration
+ cloud_registration_gcp_delete_registration = delete_registration
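Review bot: `cloud_registration_gcp_update_registration` documents an `ids` keyword in its docstring but its `process_service_request` call passes only `params=parameters` and `body=body`, so a caller supplying `ids=...` has that value swallowed by `cloud_google_registration_create_payload(passed_keywords=kwargs)` and, as far as this file shows, it never reaches the query string — every other method here that accepts `ids` also passes `keywords=kwargs` (presumably the routing step for query parameters). Add `keywords=kwargs,` next to `params=parameters` in that call. The method is also the only one named after its operation ID, which turns the alias line `cloud_registration_gcp_update_registration = cloud_registration_gcp_update_registration` into a no-op self-assignment; a short name such as `patch_registration` with the alias pointing at it would match the rest of the class. Two documentation gaps: the `delete_registration` docstring has an empty line under "Swagger URL", and the `update_registration` summary line has the typo `doesnt`.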
diff --git a/src/falconpy/cloud_policies.py b/src/falconpy/cloud_policies.py
new file mode 100644
index 00000000..f1c7bb44
--- /dev/null
+++ b/src/falconpy/cloud_policies.py
@@ -0,0 +1,991 @@
+"""CrowdStrike Falcon CloudPolicies API interface class.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+from typing import Dict, Union
+from ._util import force_default, process_service_request, handle_single_argument
+from ._result import Result
+from ._service_class import ServiceClass
+from ._endpoint._cloud_policies import _cloud_policies_endpoints as Endpoints
+from ._payload._cloud_policies import (
+ cloud_policies_rule_assign_payload,
+ cloud_policies_compliance_control_payload,
+ cloud_policies_evaluation_payload,
+ cloud_policies_rule_override_payload,
+ cloud_policies_rule_create_payload,
+ cloud_policies_rule_update_payload
+ )
+
+
+class CloudPolicies(ServiceClass):
+ """The only requirement to instantiate an instance of this class is one of the following.
+
+ - a valid client_id and client_secret provided as keywords.
+ - a credential dictionary with client_id and client_secret containing valid API credentials
+ {
+ "client_id": "CLIENT_ID_HERE",
+ "client_secret": "CLIENT_SECRET_HERE"
+ }
+ - a previously-authenticated instance of the authentication service class (oauth2.py)
+ - a valid token provided by the authentication service class (oauth2.py)
+ """
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_rule_input_schema(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get rule input schema for given resource type.
+
+ Keyword arguments:
+ domain -- domain. String.
+ subdomain -- subdomain. String.
+ cloud_provider -- Cloud service provider for the resource type. String.
+ resource_type -- Selects the resource type for which to retrieve the rule input schema. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/GetRuleInputSchema
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetRuleInputSchema",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def replace_control_rules(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Assign rules to a compliance control (full replace).
+
+ Keyword arguments:
+ ids -- The UUID of the compliance control to assign rules to. String or list of strings.
+ body -- Full body payload as a JSON formatted dictionary. Not required if using other keywords.
+ {
+ "rule_ids": [
+ "string"
+ ]
+ }
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+ rule_ids -- The ids of the rules to replace. List of strings.
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PUT
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/ReplaceControlRules
+ """
+ if not body:
+ body = cloud_policies_rule_assign_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReplaceControlRules",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_compliance_controls(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get compliance controls by ID.
+
+ Keyword arguments:
+ ids -- The uuids of compliance controls to retrieve. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/GetComplianceControls
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetComplianceControls",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_compliance_control(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create a new custom compliance control.
+
+ Keyword arguments:
+ body -- Full body payload dictionary in JSON format. Not required if using other keywords.
+ {
+ "description": "string",
+ "framework_id": "string",
+ "name": "string",
+ "section_name": "string"
+ }
+ description -- The description of hte custom compliance control. String.
+ framework_id -- The framework ID of the custom compliance control. String.
+ name -- The name of the custom compliance control. String.
+ section_name -- The section name of the custom compliance control. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/CreateComplianceControl
+ """
+ if not body:
+ body = cloud_policies_compliance_control_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="CreateComplianceControl",
+ body=body
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def update_compliance_control(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update a custom compliance control.
+
+ Keyword arguments:
+ ids -- The uuid of compliance control to update. String or list of strings.
+ body -- Full body payload dictionary in JSON format. Not required if using other keywords.
+ {
+ "description": "string",
+ "name": "string"
+ }
+ description -- The description of hte custom compliance control. String.
+ name -- The name of the custom compliance control. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/UpdateComplianceControl
+ """
+ if not body:
+ body = cloud_policies_compliance_control_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="UpdateComplianceControl",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_compliance_control(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete custom compliance controls.
+
+ Keyword arguments:
+ ids -- The uuids of compliance control to delete. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/DeleteComplianceControl
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="DeleteComplianceControl",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def rename_section_compliance_framework(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Rename a section in a custom compliance framework.
+
+ Keyword arguments:
+ ids -- The uuid of compliance framework containing the section to rename. String or list of strings.
+ sectionName -- The current name of the section to rename. String.
+ body -- Full body payload dictionary in JSON format. Not required if using other keywords.
+ {
+ "section_name": "string"
+ }
+ section_name -- The new section name of the custom compliance control. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/RenameSectionComplianceFramework
+ """
+ if not body:
+ body = cloud_policies_compliance_control_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="RenameSectionComplianceFramework",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_compliance_frameworks(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get compliance frameworks by ID.
+
+ Keyword arguments:
+ ids -- The uuids of compliance frameworks to retrieve. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/GetComplianceFrameworks
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetComplianceFrameworks",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_compliance_framework(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create a new custom compliance framework.
+
+ Keyword arguments:
+ body -- Full body payload dictionary in JSON format. Not required if using other keywords.
+ {
+ "active": true,
+ "description": "string",
+ "name": "string"
+ }
+ active -- Value to determine if the compliance framework will be active. Boolean.
+ description -- The description of the new compliance framework. String.
+ name -- The name of the new compliance framework. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/CreateComplianceFramework
+ """
+ if not body:
+ body = cloud_policies_compliance_control_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="CreateComplianceFramework",
+ body=body
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def update_compliance_framework(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update a custom compliance framework.
+
+ Keyword arguments:
+ ids -- The uuids of compliance framework to update. String or list of strings.
+ body -- Full body payload dictionary in JSON format. Not required if using other keywords.
+ {
+ "active": true,
+ "description": "string",
+ "name": "string"
+ }
+ active -- Value to determine if the compliance framework will be active. Boolean.
+ description -- The description of the new compliance framework. String.
+ name -- The name of the new compliance framework. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/UpdateComplianceFramework
+ """
+ if not body:
+ body = cloud_policies_compliance_control_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="UpdateComplianceFramework",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_compliance_framework(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete a custom compliance framework and all associated controls and rule assignments.
+
+ Keyword arguments:
+ ids -- The uuids of compliance framework to delete. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/DeleteComplianceFramework
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="DeleteComplianceFramework",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_enriched_asset(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get enriched assets that combine a primary resource with all its related resources.
+
+ Keyword arguments:
+ ids -- List of asset IDs (maximum 100 IDs allowed). String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'id'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/GetEnrichedAsset
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetEnrichedAsset",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def get_evaluation_result(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get evaluation results based on the provided rule.
+
+ Keyword arguments:
+ cloud_provider -- Cloud Service Provider of the provided IDs. String.
+ resource_type -- Resource Type of the provided IDs. String.
+ ids -- List of assets to evaluate (maximum 100 IDs allowed). String or list of strings.
+ body -- Full body payload dictionary in JSON format. Not required if using other keywords.
+ {
+ "input": {},
+ "logic": "string"
+ }
+ input -- The input for the provided rule. Dictionary.
+ logic - The logic of the provided rule. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/GetEvaluationResult
+ """
+ if not body:
+ body = cloud_policies_evaluation_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetEvaluationResult",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_rule_override(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get a rule override.
+
+ Keyword arguments:
+ ids -- The uuids of rule overrides to retrieve. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/GetRuleOverride
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetRuleOverride",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_rule_override(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create a new rule override.
+
+ Keyword arguments:
+ body -- Full body payload dictionary in JSON format. Not required if using other keywords.
+ {
+ "overrides": [
+ {
+ "comment": "string",
+ "crn": "string",
+ "expires_at": "2025-11-10T21:16:14.315Z",
+ "override_type": "string",
+ "overrides_details": "string",
+ "reason": "string",
+ "rule_id": "string",
+ "target_region": "string"
+ }
+ ]
+ }
+ overrides -- The new rule override. List of dictionaries.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/CreateRuleOverride
+ """
+ if not body:
+ body = cloud_policies_rule_override_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="CreateRuleOverride",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def update_rule_override(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update a rule override.
+
+ Keyword arguments:
+ body -- Full body payload dictionary in JSON format. Not required if using other keywords.
+ {
+ "overrides": [
+ {
+ "comment": "string",
+ "crn": "string",
+ "expires_at": "2025-11-10T21:16:14.315Z",
+ "override_type": "string",
+ "overrides_details": "string",
+ "reason": "string",
+ "rule_id": "string",
+ "target_region": "string"
+ }
+ ]
+ }
+ overrides -- The new rule override. List of dictionaries.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/UpdateRuleOverride
+ """
+ if not body:
+ body = cloud_policies_rule_override_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="UpdateRuleOverride",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_rule_override(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete a rule override.
+
+ Keyword arguments:
+ ids -- The uuids of rule overrides to delete. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/DeleteRuleOverride
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="DeleteRuleOverride",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_rule(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get a rule by id.
+
+ Keyword arguments:
+ ids -- The uuids of rules to retrieve. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/GetRule
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetRule",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_rule(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create a new rule.
+
+ Keyword arguments:
+ body -- Full body payload dictionary in JSON format. Not required if using other keywords.
+ For Custom Rule, logic is mandatory and parent_rule_id should not be specified.
+ For Managed Rule duplication, parent_rule_id is mandatory and logic should be not specified.
+ {
+ "alert_info": "string",
+ "attack_types": "string",
+ "controls": [
+ {
+ "Authority": "string",
+ "Code": "string"
+ }
+ ],
+ "description": "string",
+ "domain": "string",
+ "logic": "string",
+ "name": "string",
+ "parent_rule_id": "string",
+ "platform": "string",
+ "provider": "string",
+ "remediation_info": "string",
+ "remediation_url": "string",
+ "resource_type": "string",
+ "severity": 0,
+ "subdomain": "string"
+ }
+ alert_info -- The info of the alert. String.
+ attack_types -- The type of attacks. String.
+ controls -- The authority and code of the rule. List of dictionaries.
+ description -- The description of the rule. String.
+ domain -- The domain of the rule. String.
+ logic -- The logic for the rule. String.
+ name -- The name of the rule. String.
+ parent_rule_id -- The id of the parent. String.
+ platform -- The platform covered by the rule. String.
+ provider -- The provider for the rule. String.
+ remediation_info -- The remediation info provided by the rule. String.
+ remediation_url -- The URL providing the remediation. String.
+ resource_type -- The type of the resource. String.
+ severity -- The severity level. Integer.
+ subdomain -- The subdomain for the rule. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/CreateRuleMixin0
+ """
+ if not body:
+ body = cloud_policies_rule_create_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="CreateRuleMixin0",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def update_rule(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update a rule.
+
+ Keyword arguments:
+ body -- Full body payload dictionary in JSON format. Not required if using other keywords.
+ {
+ "alert_info": "string",
+ "attack_types": [
+ "string"
+ ],
+ "category": "string",
+ "controls": [
+ {
+ "authority": "string",
+ "code": "string"
+ }
+ ],
+ "description": "string",
+ "name": "string",
+ "rule_logic_list": [
+ {
+ "logic": "string",
+ "platform": "string",
+ "remediation_info": "string",
+ "remediation_url": "string"
+ }
+ ],
+ "severity": 0,
+ "uuid": "string"
+ }
+ alert_info -- The info of the alert. String.
+ attack_types -- The type of attacks. List of strings.
+ controls -- The authority and code of the rule. List of dictionaries.
+ description -- The description of the rule. String.
+ name -- The name of the rule. String.
+ rule_logic_list -- The logic list data. List of dictionaries.
+ severity -- The severity level. Integer.
+ uuid -- The uuid of the rule to update. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/UpdateRule
+ """
+ if not body:
+ body = cloud_policies_rule_update_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="UpdateRule",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_rule(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete a rule.
+
+ Keyword arguments:
+ ids -- The uuids of rules to delete. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/DeleteRuleMixin0
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="DeleteRuleMixin0",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_compliance_controls(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query for compliance controls by various parameters.
+
+ Keyword arguments:
+ filter -- The filter expression that should be used to limit the results. String.
+ Allowed filter fields:
+ compliance_control_name compliance_control_authority
+ compliance_control_type compliance_control_section
+ compliance_control_requirement compliance_control_benchmark_name
+ compliance_control_benchmark_version
+ limit -- The maximum number of resources to return. The maximum allowed is 500. Integer.
+ offset -- The number of results to skip before starting to return results. Integer.
+ sort -- The sort expression that should be used to sort the results. String.
+ Use the '|asc' or '|desc' suffix to specify sort direction.
+ Sortable fields:
+ compliance_control_authority compliance_control_type
+ compliance_control_section compliance_control_requirement
+ compliance_control_benchmark_name compliance_control_benchmark_version
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/QueryComplianceControls
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="QueryComplianceControls",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_compliance_frameworks(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query for compliance frameworks by various parameters.
+
+ Keyword arguments:
+ filter -- The filter expression that should be used to limit the results. String.
+ Allowed filter fields:
+ compliance_framework_name compliance_framework_version
+ compliance_framework_authority
+ limit -- The maximum number of resources to return. The maximum allowed is 500.
+ offset -- The number of results to skip before starting to return results.
+ sort -- The sort expression that should be used to sort the results. String.
+ Use the '|asc' or '|desc' suffix to specify sort direction.
+ Sortable fields:
+ compliance_framework_name compliance_framework_version
+ compliance_framework_authority
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/QueryComplianceFrameworks
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="QueryComplianceFrameworks",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_rule(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query for rules by various parameters.
+
+ Keyword arguments:
+ filter -- The filter expression that should be used to limit the results. String.
+ Allowed filter fields:
+ rule_origin rule_parent_uuid rule_name
+ rule_description rule_domain rule_status
+ rule_severity rule_short_code rule_service
+ rule_resource_type rule_provider rule_subdomain
+ rule_auto_remediable rule_control_requirement rule_control_section
+ rule_compliance_benchmark rule_compliance_framework rule_mitre_tactic
+ rule_mitre_technique rule_created_at rule_updated_at
+ rule_updated_by
+ limit -- The maximum number of resources to return. The maximum allowed is 500.
+ offset -- The number of results to skip before starting to return results.
+ sort -- The sort expression that should be used to sort the results. String.
+ Use the '|asc' or '|desc' suffix to specify sort direction.
+ Sortable fields:
+ rule_origin rule_parent_uuid rule_name
+ rule_description rule_domain rule_status
+ rule_severity rule_short_code rule_service
+ rule_resource_type rule_provider rule_subdomain
+ rule_auto_remediable rule_control_requirement rule_control_section
+ rule_compliance_benchmark rule_compliance_framework rule_mitre_tactic
+ rule_mitre_technique rule_created_at rule_updated_at
+ rule_updated_by
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-policies/QueryRule
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="QueryRule",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ ReplaceControlRules = replace_control_rules
+ GetComplianceControls = get_compliance_controls
+ CreateComplianceControl = create_compliance_control
+ UpdateComplianceControl = update_compliance_control
+ DeleteComplianceControl = delete_compliance_control
+ RenameSectionComplianceFramework = rename_section_compliance_framework
+ GetComplianceFrameworks = get_compliance_frameworks
+ CreateComplianceFramework = create_compliance_framework
+ UpdateComplianceFramework = update_compliance_framework
+ DeleteComplianceFramework = delete_compliance_framework
+ GetEvaluationResult = get_evaluation_result
+ GetRuleOverride = get_rule_override
+ CreateRuleOverride = create_rule_override
+ UpdateRuleOverride = update_rule_override
+ DeleteRuleOverride = delete_rule_override
+ GetRule = get_rule
+ CreateRuleMixin0 = create_rule
+ UpdateRule = update_rule
+ DeleteRuleMixin0 = delete_rule
+ QueryComplianceControls = query_compliance_controls
+ QueryComplianceFrameworks = query_compliance_frameworks
+ QueryRule = query_rule
+ GetRuleInputSchema = get_rule_input_schema
+ GetEnrichedAsset = get_enriched_asset
diff --git a/src/falconpy/cloud_security.py b/src/falconpy/cloud_security.py
new file mode 100644
index 00000000..496cc34f
--- /dev/null
+++ b/src/falconpy/cloud_security.py
@@ -0,0 +1,405 @@
+"""CrowdStrike Falcon CloudSecurity API interface class.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+-------' -------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+from typing import Dict, Union
+from ._util import force_default, process_service_request, handle_single_argument
+from ._result import Result
+from ._service_class import ServiceClass
+from ._endpoint._cloud_security import _cloud_security_endpoints as Endpoints
+from ._payload._cloud_security import cloud_security_create_group_payload
+
+
+class CloudSecurity(ServiceClass):
+ """The only requirement to instantiate an instance of this class is one of the following.
+
+ - a valid client_id and client_secret provided as keywords.
+ - a credential dictionary with client_id and client_secret containing valid API credentials.
+ {
+ "client_id": "CLIENT_ID_HERE",
+ "client_secret": "CLIENT_SECRET_HERE"
+ }
+ - a previously-authenticated instance of the authentication service class (oauth2.py).
+ - a valid token provided by the authentication service class (oauth2.py).
+ """
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def combined_cloud_risks(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get cloud risks with full details based on filters and sort criteria.
+
+ Keyword arguments:
+ filter -- FQL string to filter results in Falcon Query Language (FQL). String.
+ Supported fields:
+ account_id account_name asset_gcrn
+ asset_id asset_name asset_region
+ asset_type cloud_group cloud_provider
+ first_seen last_seen resolved_at
+ risk_factor rule_id rule_name
+ service_category severity status
+ suppressed_by suppressed_reason tags
+
+ sort -- The field to sort on. Use |asc or |desc suffix to specify sort direction. String.
+ Supported fields:
+ account_id account_name asset_id
+ asset_name asset_region asset_type
+ cloud_provider first_seen last_seen
+ resolved_at rule_name service_category
+ severity status
+ limit -- The maximum number of items to return. When not specified or 0, 500 is used.
+ When larger than 1000, 1000 is used. Integer.
+ offset -- Offset returned risks. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/%2Fcloud-security-risks/combined-cloud-risks
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="combined_cloud_risks",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def list_cloud_groups(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query Cloud Groups and returns entities.
+
+ Keyword arguments:
+ filter -- A valid FQL filter. String. Supports filtering groups by:
+ Group properties:
+ name description
+ created_at updated_at
+
+ Selector properties:
+ cloud_provider account_id
+ region cloud_provider_tag
+ image_registry image_repository
+ image_tag
+
+ Group tags:
+ business_unit business_impact
+ environment
+ sort -- A valid sort string. String.
+ offset -- The starting position of the list operation. Integer.
+ limit -- The maximum number of cloud groups to retrieve. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-security/ListCloudGroupsExternal
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ListCloudGroupsExternal",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def list_cloud_groups_by_id(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """List Cloud Groups By ID.
+
+ Keyword arguments:
+ ids -- Cloud Groups UUIDs. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-security/ListCloudGroupsByIDExternal
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ListCloudGroupsByIDExternal",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_cloud_group(self: object,
+ body: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create a Cloud Group. The created_by field will be set to the API client ID.
+
+ Keyword arguments:
+ body -- Full body payload as a JSON formatted dictionary. Not required if using other keywords.
+ {
+ "business_impact": "high",
+ "business_unit": "string",
+ "description": "string",
+ "environment": "dev",
+ "name": "string",
+ "owners": [
+ "string"
+ ],
+ "selectors": {
+ "cloud_resources": [
+ {
+ "account_ids": [
+ "string"
+ ],
+ "cloud_provider": "aws",
+ "filters": {
+ "region": [
+ "string"
+ ],
+ "tags": [
+ "string"
+ ]
+ }
+ }
+ ],
+ "images": [
+ {
+ "filters": {
+ "repository": [
+ "string"
+ ],
+ "tag": [
+ "string"
+ ]
+ },
+ "registry": "string"
+ }
+ ]
+ }
+ }
+ business_impact -- String.
+ business_unit -- String.
+ description -- String.
+ environment -- String.
+ name -- String.
+ owners -- List of strings.
+ selectors -- Dictionary.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-security/CreateCloudGroupExternal
+ """
+ if not body:
+ body = cloud_security_create_group_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="CreateCloudGroupExternal",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def update_cloud_group(self: object,
+ group: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update Cloud Group.
+
+ Keyword arguments:
+ group -- Full body payload as a JSON formatted dictionary. Not required if using other keywords.
+ {
+ "business_impact": "high",
+ "business_unit": "string",
+ "description": "string",
+ "environment": "dev",
+ "name": "string",
+ "owners": [
+ "string"
+ ],
+ "selectors": {
+ "cloud_resources": [
+ {
+ "account_ids": [
+ "string"
+ ],
+ "cloud_provider": "aws",
+ "filters": {
+ "region": [
+ "string"
+ ],
+ "tags": [
+ "string"
+ ]
+ }
+ }
+ ],
+ "images": [
+ {
+ "filters": {
+ "repository": [
+ "string"
+ ],
+ "tag": [
+ "string"
+ ]
+ },
+ "registry": "string"
+ }
+ ]
+ }
+ }
+ business_impact -- String.
+ business_unit -- String.
+ description -- String.
+ environment -- String.
+ name -- String.
+ owners -- List of strings.
+ selectors -- Dictionary.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-security/UpdateCloudGroupExternal
+ """
+ if not group:
+ group = cloud_security_create_group_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="UpdateCloudGroupExternal",
+ body=group
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_cloud_groups(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete Cloud Groups in batch.
+
+ Keyword arguments:
+ ids -- Cloud Groups UUIDs to delete. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-security/DeleteCloudGroupsExternal
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="DeleteCloudGroupsExternal",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def list_group_ids(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Query Cloud Groups and returns IDs.
+
+ Keyword arguments:
+ filter -- A valid FQL filter. String. Supports filtering groups by:
+ Group properties:
+ name description
+ created_at updated_at
+
+ Selector properties:
+ cloud_provider account_id
+ region cloud_provider_tag
+ image_registry image_repository
+ image_tag
+
+ Group tags:
+ business_unit business_impact
+ environment
+ sort -- A valid sort string. String.
+ offset -- The starting position of the list operation. Integer.
+ limit -- The maximum number of cloud groups to retrieve. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-security/ListCloudGroupIDsExternal
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ListCloudGroupIDsExternal",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ combined_cloud_risks = combined_cloud_risks
+ ListCloudGroupsExternal = list_cloud_groups
+ ListCloudGroupsByIDExternal = list_cloud_groups_by_id
+ CreateCloudGroupExternal = create_cloud_group
+ UpdateCloudGroupExternal = update_cloud_group
+ DeleteCloudGroupsExternal = delete_cloud_groups
+ ListCloudGroupIDsExternal = list_group_ids
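Review bot: In `update_cloud_group` the decorator defaults `body` but the signature declares `group`, so `force_default` injects `body={}` into `**kwargs` and never defaults the parameter it was written for; a caller who passes `body=...` the way every sibling method (including `create_cloud_group` just above) accepts it has that payload silently swallowed into `kwargs`, and a group is built from the remaining keywords instead. Renaming the parameter to match the decorator — `body: dict = None,`, `if not body:` with `body = cloud_security_create_group_payload(passed_keywords=kwargs)`, and `body=body` in the request — plus the `group --` docstring line restores consistency with the rest of the class. `combined_cloud_risks = combined_cloud_risks` in the alias block is a self-assignment that does nothing and can be dropped unless a differently-cased alias was intended. The module docstring's closing line `For more information, please refer to` is cut off before its reference, unlike the license text in the other new modules of this series.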
diff --git a/src/falconpy/cloud_security_assets.py b/src/falconpy/cloud_security_assets.py
index 27014bae..db59e648 100644
--- a/src/falconpy/cloud_security_assets.py
+++ b/src/falconpy/cloud_security_assets.py
@@ -55,6 +55,38 @@ class CloudSecurityAssets(ServiceClass):
- a valid token provided by the authentication service class (oauth2.py)
"""
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def combined_application_findings(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get findings for an application resource with pagination.
+
+ Keyword arguments:
+ crn -- Application CRN. String.
+ type -- Finding type. String.
+ filter -- FQL string to filter findings. String.
+ offset -- Pagination offset. Integer.
+ limit -- Page size. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-security-assets/cloud-security-assets-combined-application-findings
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_security_assets_combined_application_findings",
+ keywords=kwargs,
+ params=parameters
+ )
+
@force_default(defaults=["parameters"], default_types=["dict"])
def get_combined_compliance_by_account(self: object,
parameters: dict = None,
@@ -79,7 +111,7 @@ def get_combined_compliance_by_account(self: object,
compliant service
control.benchmark.name service_category
control.benchmark.version severities
- control.framework
+ control.framework control.extension.status
sort -- FQL formatted sort expression. String.
Sort expression in format: field|direction (e.g., last_evaluated|desc).
Allowed sort fields:
@@ -198,9 +230,13 @@ def query_assets(self: object, parameters: dict = None, **kwargs) -> Union[Dict[
instance_id vmware.vm_host_name
instance_state vmware.vm_tools_status
ioa_count zone
- iom_count application_security.business_applications
- tags application_security.business_criticality
- application_security.service_names
+ iom_count control.benchmark.version
+ tags control.framework
+ control.benchmark.name control.requirement
+ control.type control.version
+ non_compliant.rule_name aspm.deployment_cloud_resource_id
+ aspm.deployment_provider aspm.deployment_type
+ aspm.technologies
sort -- The field to sort on. String.
Use `|asc` or `|desc` suffix to specify sort direction.
Sortable fields include:
@@ -226,7 +262,9 @@ def query_assets(self: object, parameters: dict = None, **kwargs) -> Union[Dict[
service_category tenancy_name
compartment_name tenancy_ocid
compartment_ocid tenancy_type
- compartment_path
+ compartment_path aspm.deployment_cloud_resource_id
+ aspm.deployment_provider aspm.deployment_type
+ aspm.technologies
limit -- The maximum number of items to return. Integer.
When not specified or 0, 500 is used. When larger than 1000, 1000 is used.
offset -- Offset returned assets. Use only one of 'offset' and 'after' parameter for paginating. Integer.
@@ -251,6 +289,7 @@ def query_assets(self: object, parameters: dict = None, **kwargs) -> Union[Dict[
params=parameters
)
+ cloud_security_assets_combined_application_findings = combined_application_findings
cloud_security_assets_combined_compliance_by_account = get_combined_compliance_by_account
cloud_security_assets_entities_get = get_assets
cloud_security_assets_queries = query_assets
diff --git a/src/falconpy/cloud_security_compliance.py b/src/falconpy/cloud_security_compliance.py
new file mode 100644
index 00000000..def2d45e
--- /dev/null
+++ b/src/falconpy/cloud_security_compliance.py
@@ -0,0 +1,139 @@
+"""CrowdStrike Falcon CloudSecurityCompliance API interface class.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+from typing import Dict, Union
+from ._util import force_default, process_service_request, handle_single_argument
+from ._result import Result
+from ._service_class import ServiceClass
+from ._endpoint._cloud_security_compliance import _cloud_security_compliance_endpoints as Endpoints
+
+
+class CloudSecurityCompliance(ServiceClass):
+ """The only requirement to instantiate an instance of this class is one of the following.
+
+ - a valid client_id and client_secret provided as keywords.
+ - a credential dictionary with client_id and client_secret containing valid API credentials
+ {
+ "client_id": "CLIENT_ID_HERE",
+ "client_secret": "CLIENT_SECRET_HERE"
+ }
+ - a previously-authenticated instance of the authentication service class (oauth2.py)
+ - a valid token provided by the authentication service class (oauth2.py)
+ """
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def framework_posture_summaries(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get sections and requirements with scores for benchmarks.
+
+ Keyword arguments:
+ filter -- FQL formatted filter to limit returned results. String.
+ Allowed values:
+ account_id account_name
+ business_impact cloud_label
+ cloud_label_id cloud_provider
+ environment groups
+ region resource_type
+ resource_type_name tag_key
+ tag_value
+ ids -- The UUIDs of compliance frameworks to retrieve (maximum 20 IDs allowed). String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /cloud-security-compliance/cloud-compliance-framework-posture-summaries
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_compliance_framework_posture_summaries",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def rule_posture_summaries(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get compliance score and counts for rules.
+
+ Keyword arguments:
+ filter -- FQL formatted filter to limit returned results. String.
+ Allowed values:
+ account_id account_name
+ business_impact cloud_label
+ cloud_label_id cloud_provider
+ environment groups
+ region resource_type
+ resource_type_name tag_key
+ tag_value
+ ids -- The uuids of compliance rules to retrieve (maximum 350 IDs allowed).
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /cloud-security-compliance/cloud-compliance-rule-posture-summaries
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cloud_compliance_rule_posture_summaries",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ cloud_compliance_framework_posture_summaries = framework_posture_summaries
+ cloud_compliance_rule_posture_summaries = rule_posture_summaries
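Review bot: The `ids` entry in the `rule_posture_summaries` docstring omits the argument type that the sibling `framework_posture_summaries` docstring gives, even though both route the value through `handle_single_argument(args, parameters, "ids")`; suggest `ids -- The UUIDs of compliance rules to retrieve (maximum 350 IDs allowed). String or list of strings.`. Both methods share the same filter-field list, so if one list changes the other should be kept in step.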
diff --git a/src/falconpy/cloud_security_detections.py b/src/falconpy/cloud_security_detections.py
new file mode 100644
index 00000000..b6941ed2
--- /dev/null
+++ b/src/falconpy/cloud_security_detections.py
@@ -0,0 +1,158 @@
+"""CrowdStrike Falcon CloudSecurityDetections API interface class.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+-------' -------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+from typing import Dict, Union
+from ._util import force_default, process_service_request, handle_single_argument
+from ._result import Result
+from ._service_class import ServiceClass
+from ._endpoint._cloud_security_detections import _cloud_security_detections_endpoints as Endpoints
+
+
+class CloudSecurityDetections(ServiceClass):
+ """The only requirement to instantiate an instance of this class is one of the following.
+
+ - a valid client_id and client_secret provided as keywords.
+ - a credential dictionary with client_id and client_secret containing valid API credentials.
+ {
+ "client_id": "CLIENT_ID_HERE",
+ "client_secret": "CLIENT_SECRET_HERE"
+ }
+ - a previously-authenticated instance of the authentication service class (oauth2.py).
+ - a valid token provided by the authentication service class (oauth2.py).
+ """
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_iom_entities(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get IOMs based on the provided IDs.
+
+ Keyword arguments:
+ ids -- List of IOMs to return (maximum 100 IDs allowed).
+ Use POST method with same path if more entities are required. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-security-detections/cspm-evaluations-iom-entities
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cspm_evaluations_iom_entities",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_iom_entities(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get a list of IOM IDs for the given parameters, filters and sort criteria.
+
+ Keyword arguments:
+ filter -- The filter expression that should be used to limit the results. String.
+ Allowed filter fields:
+ account_id account_name applicable_profile
+ attack_type benchmark_name benchmark_version
+ business_impact cid cloud_group
+ cloud_label cloud_label_id cloud_provider
+ cloud_scope created_at environment
+ extension_status first_detected framework
+ last_detected policy_id policy_name
+ policy_uuid region requirement
+ requirement_name resource_gcrn resource_id
+ resource_status resource_type resource_type_name
+ rule_group rule_id rule_name
+ rule_origin rule_remediation section
+ service service_category severity
+ status suppressed_by suppression_reason
+ tactic_id tactic_name tag_key
+ tag_value tags technique_id
+ technique_name tags_string resource_parent
+
+ sort -- The field to sort on. Use |asc or |desc suffix to specify sort direction. String. Supported fields:
+ account_id account_name applicable_profile
+ attack_type benchmark_name benchmark_version
+ business_impact cid cloud_group
+ cloud_label cloud_label_id cloud_provider
+ cloud_scope created_at environment
+ extension_status first_detected framework
+ last_detected policy_id policy_name
+ policy_uuid region requirement
+ requirement_name resource_gcrn resource_id
+ resource_parent resource_status resource_type_name
+ rule_group rule_id rule_name
+ rule_origin rule_remediation section
+ service service_category severity
+ status suppressed_by suppression_reason
+ tactic_id tactic_name tag_key
+ tag_value tags technique_id
+ technique_name tags_string
+
+ limit -- The maximum number of items to return. When not specified or 0, 500 is used.
+ When larger than 1000, 1000 is used. Integer.
+ offset -- Offset returned assets. Integer.
+ after -- token-based pagination. Use for paginating through an entire result set.
+ Use only one of 'offset' and 'after' parameters for paginating. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cloud-security-detections/cspm-evaluations-iom-queries
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="cspm_evaluations_iom_queries",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ cspm_evaluations_iom_entities = get_iom_entities
+ cspm_evaluations_iom_queries = query_iom_entities
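Review bot: The `get_iom_entities` docstring tells the reader to "Use POST method with same path if more entities are required", but this class exposes no POST variant, so the advice points at something the SDK does not provide here; suggest `ids -- List of IOM IDs to return (maximum 100 IDs allowed). String or list of strings.` and dropping the POST sentence unless the POST wrapper is added. In `query_iom_entities`, `after` is documented as "token-based pagination" yet typed `Integer`; a pagination token is presumably a string, so the type should be confirmed against the swagger before release. The filter list also includes `resource_type` while the sort list does not, which may be intentional but is worth verifying.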
diff --git a/src/falconpy/cloud_snapshots.py b/src/falconpy/cloud_snapshots.py
index dcbe3c98..7d203b59 100644
--- a/src/falconpy/cloud_snapshots.py
+++ b/src/falconpy/cloud_snapshots.py
@@ -59,6 +59,52 @@ class CloudSnapshots(ServiceClass):
- a valid token provided by the authentication service class (oauth2.py)
"""
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def search_detections(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Search IaC Detections using a query in Falcon Query Language.
+
+ Keyword arguments:
+ filter -- Search IaC detections using a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ detection_uuid file_name
+ last_detected platform
+ project_name project_owner
+ project_ref provider
+ resource_name rule_category
+ rule_name rule_type
+ rule_uuid service
+ severity
+ limit -- The upper-bound on the number of records to retrieve. Integer.
+ offset -- The offset from where to begin. Integer.
+ sort -- Fields to sort the records on. String
+ Supported columns:
+ detection_uuid file_name
+ last_detected platform
+ project_name project_owner
+ project_ref provider
+ resource_name rule_category
+ rule_name rule_type
+ rule_uuid service
+ severity
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cspg-iacapi/CombinedDetections
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="CombinedDetections",
+ keywords=kwargs,
+ params=parameters
+ )
+
@force_default(defaults=["parameters"], default_types=["dict"])
def search_scan_jobs(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
"""Search for snapshot jobs identified by the provided filter.
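Review bot: The `filter` keyword description in `search_detections` repeats the method summary ("Search IaC detections using a query in Falcon Query Language") instead of describing the parameter, which is inconsistent with the `filter -- FQL formatted filter to limit returned results. String.` wording used by the other new modules in this change; suggest that wording here. `sort -- Fields to sort the records on. String` is also missing its trailing period. The method targets the `cspg-iacapi` IaC detections operation rather than a snapshot operation, so a one-line note in the docstring on why it lives in `CloudSnapshots` would help readers looking for it under IaC.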
@@ -303,9 +349,11 @@ def register_account(self: object, body: dict = None, **kwargs) -> Union[Dict[st
# This method name aligns to the operation ID in the API but
# does not conform to snake_case / PEP8 and is defined here
# for backwards compatibility / ease of use purposes
+ CombinedDetections = search_detections
ReadDeploymentsCombined = search_scan_jobs
ReadDeploymentsEntities = get_scan_jobs
CreateDeploymentEntity = launch_scan_job
GetScanReport = get_scan_reports
GetCredentialsMixin0 = get_credentials
+ GetCredentialsIAC = get_iac_credentials
RegisterCspmSnapshotAccount = register_account
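Review bot: The added alias `GetCredentialsIAC = get_iac_credentials` refers to a method that this diff does not add to `CloudSnapshots` (the only new method in the file's other hunk is `search_detections`); if `get_iac_credentials` is not already defined earlier in the class, the class body raises `NameError` at import time and takes the whole module with it. Presumably it exists from an earlier commit, but that should be confirmed, and a unit test that imports the module would catch this class of mistake.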
diff --git a/src/falconpy/correlation_rules_admin.py b/src/falconpy/correlation_rules_admin.py
new file mode 100644
index 00000000..a727050a
--- /dev/null
+++ b/src/falconpy/correlation_rules_admin.py
@@ -0,0 +1,95 @@
+"""CrowdStrike Falcon CorrelationRulesAdmin API interface class.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+from typing import Dict, Union
+from ._util import force_default, process_service_request
+from ._result import Result
+from ._service_class import ServiceClass
+from ._endpoint._correlation_rules_admin import _correlation_rules_admin_endpoints as Endpoints
+from ._payload._correlation_rules_admin import correlation_rules_admin_payload
+
+
+class CorrelationRulesAdmin(ServiceClass):
+ """The only requirement to instantiate an instance of this class is one of the following.
+
+ - a valid client_id and client_secret provided as keywords.
+ - a credential dictionary with client_id and client_secret containing valid API credentials.
+ {
+ "client_id": "CLIENT_ID_HERE",
+ "client_secret": "CLIENT_SECRET_HERE"
+ }
+ - a previously-authenticated instance of the authentication service class (oauth2.py).
+ - a valid token provided by the authentication service class (oauth2.py).
+ """
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def change_correlation_rule_owner(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Change the owner of an existing Correlation Rule.
+
+ Keyword arguments:
+ body -- Full body payload as a JSON formatted dictionary. Not required if using other keywords.
+ {
+ "api_client_id": "string",
+ "id": "string",
+ "user_id": "string",
+ "user_uuid": "string"
+ }
+ api_client_id -- The API client ID. String.
+ id -- The rule ID. String.
+ user_id -- The user ID. String.
+ user_uuid -- The user UUID. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PUT
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/correlation-rules-admin/entities.rules_ownership.put.v1
+ """
+ if not body:
+ body = correlation_rules_admin_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_rules_ownership_put_v1",
+ body=body
+ )
+
+ entities_rules_ownership_put_v1 = change_correlation_rule_owner
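Review bot: The `change_correlation_rule_owner` docstring does not say which of `api_client_id`, `user_id` and `user_uuid` designate the new owner, nor whether they are alternatives or all required, so a caller cannot tell from the SDK how to express an ownership transfer; suggest `id -- The ID of the correlation rule whose ownership is being transferred. String.` and, for the three owner keywords, stating that they identify the new owner if that is what the API expects (confirm against the swagger). Because this operation reassigns control of a detection rule, naming the API scope it requires in the docstring would help operators grant least privilege to the client that calls it.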
diff --git a/src/falconpy/d4c_registration.py b/src/falconpy/d4c_registration.py
index b0982b24..dbfaf122 100644
--- a/src/falconpy/d4c_registration.py
+++ b/src/falconpy/d4c_registration.py
@@ -206,32 +206,39 @@ def get_aws_console_setup(self: object,
@force_default(defaults=["parameters"], default_types=["dict"])
def get_aws_account_scripts(self: object,
- *args,
parameters: dict = None,
**kwargs
) -> Union[Dict[str, Union[int, dict]], Result]:
"""Return a script for customer to run in their cloud environment to grant CrowdStrike access.
Keyword arguments:
- accounts -- List of accounts to register. String or list of strings.
+ ids -- AWS account IDs. String.
+ template -- Template to be rendered. String
+ accounts -- The list of accounts to register. String or list of strings.
+ behavior_assessment_enabled -- Available values: true, false. Boolean.
+ sensor_management_enabled -- Available values: true, false. Boolean.
+ dspm_enabled -- Available values: true, false. Boolean.
+ dspm_regions -- DSPM Regions. String.
+ dspm_host_account_id -- DSPM Host Account ID. String.
+ dspm_host_integration_role_name -- DSPM Host Integration Role Name. String.
+ dspm_host_scanner_role_name -- DSPM Host Scanner Role Name. String.
+ dspm_role -- DSPM Role. String.
+ vulnerability_scanning_enabled -- Enabled. Available values: true, false. Boolean.
+
+ vulnerability_scanning_regions -- Regions. String or list of strings.
+ vulnerability_scanning_host_account_id -- Account ID. String.
+ vulnerability_scanning_host_integration_role_name -- Host Integration Role Name. String.
+ vulnerability_scanning_host_scanner_role_name -- Host Scanner Role Name. String.
+ vulnerability_scanning_role -- Role. String.
+ use_existing_cloudtrail -- Use Existing CloudTrail. Available values: true, false. Boolean.
+ organization_id -- The AWS organization ID to be registered. String.
+ organizational_unit_ids -- The AWS Organizational Unit IDs to be registered. String or list of strings.
aws_profile -- The AWS profile to be used during registration. String.
aws_region -- The AWS region to be used during registration. String.
- behavior_assessment_enabled -- Enable behavior assessment. String. Allowed values: true, false
- custom_role_name -- The custom IAM role to be used during registration. Same as iam_role_arn. String.
- dspm_enabled -- Flag indicating if DSPM is enabled. String. Allowed values: true, false
- dspm_regions -- List of DSPM regions. Comma delimited string.
- dspm_role -- DSPM role. String.
- iam_role_arn -- The custom IAM role to be used during registration. Same as custom_role_name. String.
- idp_enabled -- Flag indicating if IDP protection is enabled. String. Allowed values: true, false
- ids -- List of AWS Account IDs to retrieve the script for. String or list of strings.
+ iam_role_arn -- The custom IAM role to be used during registration. String.
falcon_client_id -- The Falcon client ID used during registration. String.
- organization_id -- The AWS organization ID to be registered. String.
- organization_unit_ids -- The AWS Organizational unit IDs to be registered. String or list of strings.
- parameters -- full parameters payload, not required if ids is provided as a keyword.
- sensor_management_enabled -- Enable sensor management. String. Allowed values: true, false
+ idp_enabled -- Set to true to enable Identity Protection feature. String.
tags -- Base64 encoded JSON string to be used as AWS tags. String.
- template -- Template to be rendered. String. Allowed values: aws-bash, aws-terraform
- use_existing_cloudtrail -- Use the existing cloudtrail log. String. Allowed values: true, false
Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
All others are ignored.
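Review bot: Removing `*args` from `get_aws_account_scripts` leaves the unchanged context lines "Arguments: When not specified, the first argument to this method is assumed to be 'ids'. All others are ignored." describing positional handling that no longer exists, and a caller that passed the account ID positionally now gets a `TypeError` instead of a request, which is a breaking change for a public method. Either restore `*args` with `params=handle_single_argument(args, parameters, "ids")` or delete that paragraph and note the change in the changelog. The rewritten `template -- Template to be rendered. String` also drops the `Allowed values: aws-bash, aws-terraform` that the removed line carried, and it is missing its trailing period. The body of this method continues in the next hunk.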
@@ -243,15 +250,12 @@ def get_aws_account_scripts(self: object,
Swagger URL
https://assets.falcon.crowdstrike.com/support/api/swagger.html#/d4c-registration/GetD4CAWSAccountScriptsAttachment
"""
- if kwargs.get("custom_role_name", None):
- kwargs["iam_role_arn"] = kwargs.get("custom_role_name", None)
-
return process_service_request(
calling_object=self,
endpoints=Endpoints,
operation_id="GetD4CAWSAccountScriptsAttachment",
keywords=kwargs,
- params=handle_single_argument(args, parameters, "ids")
+ params=parameters
)
@force_default(defaults=["parameters"], default_types=["dict"])
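Review bot: Dropping the `custom_role_name` → `iam_role_arn` mapping silently breaks existing callers: a `custom_role_name=` keyword is now forwarded as an unknown query parameter rather than as `iam_role_arn`, so the script is generated for the wrong role with no error raised client-side. If the alias is being retired, keep the two-line mapping for a deprecation period, `if kwargs.get("custom_role_name", None): kwargs["iam_role_arn"] = kwargs.pop("custom_role_name")`, and say so in the docstring; otherwise this needs a changelog entry as a breaking change. The function's signature and docstring are in the previous hunk.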
diff --git a/src/falconpy/data_protection_configuration.py b/src/falconpy/data_protection_configuration.py
new file mode 100644
index 00000000..0f3dffa6
--- /dev/null
+++ b/src/falconpy/data_protection_configuration.py
@@ -0,0 +1,1673 @@
+"""CrowdStrike Falcon DataProtectionConfiguration API interface class.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+# pylint: disable=C0302
+from typing import Dict, Union
+from ._util import force_default, process_service_request, handle_single_argument
+from ._result import Result
+from ._service_class import ServiceClass
+from ._endpoint._data_protection_configuration import _data_protection_configuration_endpoints as Endpoints
+from ._payload._data_protection_configuration import (
+ data_protection_classification_payload,
+ data_protection_cloud_app_payload,
+ data_protection_content_pattern_payload,
+ data_protection_enterprise_account_payload,
+ data_protection_sensitivity_label_payload,
+ data_protection_policy_payload,
+ data_protection_web_locations_payload
+ )
+
+
+# pylint: disable=R0904
+class DataProtectionConfiguration(ServiceClass):
+ """The only requirement to instantiate an instance of this class is one of the following.
+
+ - a valid client_id and client_secret provided as keywords.
+ - a credential dictionary with client_id and client_secret containing valid API credentials.
+ {
+ "client_id": "CLIENT_ID_HERE",
+ "client_secret": "CLIENT_SECRET_HERE"
+ }
+ - a previously-authenticated instance of the authentication service class (oauth2.py).
+ - a valid token provided by the authentication service class (oauth2.py).
+ """
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_classification(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get the classifications that match the provided ids.
+
+ Keyword arguments:
+ ids -- IDs of the classifications to get. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /data-protection-configuration/entities.classification.get.v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_classification_get_v2",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_classification(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create classifications.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "resources": [
+ {
+ "classification_properties": {
+ "content_patterns": [
+ "string"
+ ],
+ "evidence_duplication_enabled": true,
+ "file_types": [
+ "string"
+ ],
+ "protection_mode": "monitor",
+ "rules": [
+ {
+ "ad_groups": [
+ "string"
+ ],
+ "ad_users": [
+ "string"
+ ],
+ "created_time_stamp": "string",
+ "description": "string",
+ "detection_severity": "informational",
+ "enable_printer_egress": true,
+ "enable_usb_devices": true,
+ "enable_web_locations": true,
+ "id": "string",
+ "modified_time_stamp": "string",
+ "notify_end_user": true,
+ "response_action": "allow",
+ "trigger_detection": true,
+ "user_scope": "all",
+ "web_locations": [
+ "string"
+ ],
+ "web_locations_scope": "all"
+ }
+ ],
+ "sensitivity_labels": [
+ "string"
+ ],
+ "web_sources": [
+ "string"
+ ]
+ },
+ "name": "string"
+ }
+ ]
+ }
+ classification_properties -- The properties of the new classification. Dictionary.
+ name -- The name of the new classification. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.classification.post.v2
+ """
+ if not body:
+ body = data_protection_classification_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_classification_post_v2",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def update_classifications(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update classifications.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "resources": [
+ {
+ "classification_properties": {
+ "content_patterns": [
+ "string"
+ ],
+ "evidence_duplication_enabled": true,
+ "file_types": [
+ "string"
+ ],
+ "protection_mode": "monitor",
+ "rules": [
+ {
+ "ad_groups": [
+ "string"
+ ],
+ "ad_users": [
+ "string"
+ ],
+ "created_time_stamp": "string",
+ "description": "string",
+ "detection_severity": "informational",
+ "enable_printer_egress": true,
+ "enable_usb_devices": true,
+ "enable_web_locations": true,
+ "id": "string",
+ "modified_time_stamp": "string",
+ "notify_end_user": true,
+ "response_action": "allow",
+ "trigger_detection": true,
+ "user_scope": "all",
+ "web_locations": [
+ "string"
+ ],
+ "web_locations_scope": "all"
+ }
+ ],
+ "sensitivity_labels": [
+ "string"
+ ],
+ "web_sources": [
+ "string"
+ ]
+ },
+ "name": "string"
+ }
+ ]
+ }
+ classification_properties -- The properties of the new classification. Dictionary.
+ name -- The name of the new classification. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.classification.patch.v2
+ """
+ if not body:
+ body = data_protection_classification_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_classification_patch_v2",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_classification(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete classifications that match the provided ids.
+
+ Keyword arguments:
+ ids -- IDs of the classifications to delete. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /data-protection-configuration/entities.classification.delete.v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_classification_delete_v2",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_cloud_application(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get a particular cloud-application.
+
+ Keyword arguments:
+ ids -- The cloud application id(s) to get. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /data-protection-configuration/entities.cloud-application.get
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_cloud_application_get",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_cloud_application(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Persist the given cloud application for the provided entity instance.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "description": "string",
+ "name": "string",
+ "urls": [
+ {
+ "fqdn": "string",
+ "path": "string"
+ }
+ ]
+ }
+ description -- The description of the cloud application. String.
+ name -- The name of the cloud application. String.
+ urls -- The fields contain the FQDN and the path. List of dictionaries.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.cloud-application.create
+ """
+ if not body:
+ body = data_protection_cloud_app_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_cloud_application_create",
+ body=body
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def update_cloud_application(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update a cloud application.
+
+ Keyword arguments:
+ id -- The cloud app id to update. String.
+ body -- The new cloud-application definition.
+ {
+ "description": "string",
+ "name": "string",
+ "urls": [
+ {
+ "fqdn": "string",
+ "path": "string"
+ }
+ ]
+ }
+ description -- The description of the cloud application. String.
+ name -- The name of the cloud application. String.
+ urls -- The fields contain the FQDN and the path. List of dictionaries.
+
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.cloud-application.patch
+ """
+ if not body:
+ body = data_protection_cloud_app_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_cloud_application_patch",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_cloud_application(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete cloud application.
+
+ Keyword arguments:
+ ids -- The id of the cloud application to delete. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /data-protection-configuration/entities.cloud-application.delete
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_cloud_application_delete",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_content_pattern(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get a particular content-pattern(s).
+
+ Keyword arguments:
+ ids -- The content-pattern id(s) to get. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /data-protection-configuration/entities.content-pattern.get
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_content_pattern_get",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_content_pattern(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Persist the given content pattern for the provided entity instance.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "category": "string",
+ "description": "string",
+ "example": "string",
+ "min_match_threshold": 0,
+ "name": "string",
+ "regexes": [
+ "string"
+ ],
+ "region": "string"
+ }
+ category -- The content pattern category. String.
+ description -- The description of the content pattern. String.
+ example -- The new content pattern demonstration. String.
+ min_match_threshold -- Integer.
+ name -- The name of the new content pattern. String.
+ regexes -- List of strings.
+ region -- The region for the content pattern. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.content-pattern.create
+ """
+ if not body:
+ body = data_protection_content_pattern_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_content_pattern_create",
+ body=body
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def update_content_pattern(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update a content pattern.
+
+ Keyword arguments:
+ id -- The id of the content pattern to patch.
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "category": "string",
+ "description": "string",
+ "example": "string",
+ "min_match_threshold": 0,
+ "name": "string",
+ "regexes": [
+ "string"
+ ],
+ "region": "string"
+ }
+ category -- The content pattern category. String.
+ description -- The description of the content pattern. String.
+ example -- The new content pattern demonstration. String.
+ min_match_threshold -- Integer.
+ name -- The name of the new content pattern. String.
+ regexes -- List of strings.
+ region -- The region for the content pattern. String.
+
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.content-pattern.patch
+ """
+ if not body:
+ body = data_protection_content_pattern_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_content_pattern_patch",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_content_pattern(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete content pattern.
+
+ Keyword arguments:
+ ids -- The id(s) of the content pattern to delete. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /data-protection-configuration/entities.content-pattern.delete
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_content_pattern_delete",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_enterprise_account(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get a particular enterprise-account(s).
+
+ Keyword arguments:
+ ids -- The enterprise-account id(s) to get. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /data-protection-configuration/entities.enterprise-account.get
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_enterprise_account_get",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_enterprise_account(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Persist the given enterprise account for the provided entity instance.
+
+ Keyword arguments:
+ body -- Definition of enterprise-account to create.
+ {
+ "application_group_id": "string",
+ "domains": [
+ "string"
+ ],
+ "name": "string",
+ "plugin_config_id": "string"
+ }
+ application_group_id -- String.
+ domains -- List of strings.
+ name -- The name of the enterprise account. String.
+ plugin_config_id -- String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.enterprise-account.create
+ """
+ if not body:
+ body = data_protection_enterprise_account_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_enterprise_account_create",
+ keywords=kwargs,
+ body=body
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def update_enterprise_account(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update a enterprise account.
+
+ Keyword arguments:
+ id -- The id of the enterprise account to update.
+ body -- Definition of enterprise-account to create.
+ {
+ "application_group_id": "string",
+ "domains": [
+ "string"
+ ],
+ "id": "string",
+ "name": "string",
+ "plugin_config_id": "string"
+ }
+ application_group_id -- String.
+ domains -- List of strings.
+ name -- The name of the enterprise account. String.
+ plugin_config_id -- String.
+
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.enterprise-account.patch
+ """
+ if not body:
+ body = data_protection_enterprise_account_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_enterprise_account_patch",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_enterprise_account(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete enterprise account.
+
+ Keyword arguments:
+ ids -- The id of the enterprise account to delete. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.enterprise-account.delete
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_enterprise_account_delete",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "id")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_file_type(self: object, *args, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get a particular file-type.
+
+ Keyword arguments:
+ ids -- The file-type id(s) to get. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.file-type.get
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_file_type_get",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_sensitivity_label(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get sensitivity label matching the IDs (V2).
+
+ Keyword arguments:
+ ids -- The sensitivity label entity id(s) to get.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.file-type.get
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_sensitivity_label_get_v2",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_sensitivity_label(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create new sensitivity label (V2).
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "co_authoring": true,
+ "display_name": "string",
+ "external_id": "string",
+ "label_provider": "string",
+ "name": "string",
+ "plugins_configuration_id": "string",
+ "synced": true
+ }
+ co_authoring -- Boolean.
+ display_name -- String.
+ external_id -- String.
+ label_provider -- String.
+ name -- The name of the new sensitivity label. String.
+ plugins_configuration_id -- String.
+ synced -- Boolean.
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.sensitivity-label.create-v2
+ """
+ if not body:
+ body = data_protection_sensitivity_label_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_sensitivity_label_create_v2",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_sensitivity_label(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete sensitivity labels matching the IDs (V2).
+
+ Keyword arguments:
+ ids -- The sensitivity label entity id(s) to delete. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /data-protection-configuration/entities.sensitivity-label.delete-v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_sensitivity_label_delete_v2",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_policies(self: object, *args, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get policies that match the provided ids.
+
+ Keyword arguments:
+ ids -- IDs of the policies to get. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.policy.get.v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_policy_get_v2",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def create_policy(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create policies.
+
+ Keyword arguments:
+ platform_name -- platform name of the policies to update, either 'win' or 'mac'.
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "resources": [
+ {
+ "description": "string",
+ "name": "string",
+ "policy_properties": {
+ "allow_notifications": "default",
+ "be_exclude_domains": "string",
+ "be_paste_clipboard_max_size": 0,
+ "be_paste_clipboard_max_size_unit": "Bytes",
+ "be_paste_clipboard_min_size": 0,
+ "be_paste_clipboard_min_size_unit": "Bytes",
+ "be_paste_clipboard_over_size_behaviour_block": true,
+ "be_paste_timeout_duration_milliseconds": 0,
+ "be_paste_timeout_response": "block",
+ "be_splash_custom_message": "string",
+ "be_splash_enabled": true,
+ "be_splash_message_source": "default",
+ "be_upload_timeout_duration_seconds": 0,
+ "be_upload_timeout_response": "block",
+ "block_all_data_access": true,
+ "block_notifications": "default",
+ "browsers_without_active_extension": "allow",
+ "classifications": [
+ "string"
+ ],
+ "custom_allow_notification": "string",
+ "custom_block_notification": "string",
+ "enable_clipboard_inspection": true,
+ "enable_content_inspection": true,
+ "enable_context_inspection": true,
+ "enable_end_user_notifications_unsupported_browser": true,
+ "enable_network_inspection": true,
+ "euj_dialog_box_logo": "string",
+ "euj_dialog_timeout": 0,
+ "euj_dropdown_options": {
+ "justifications": [
+ {
+ "default": true,
+ "id": "string",
+ "justification": "string",
+ "selected": true
+ }
+ ]
+ },
+ "euj_header_text": {
+ "headers": [
+ {
+ "default": true,
+ "header": "string",
+ "selected": true
+ }
+ ]
+ },
+ "euj_require_additional_details": true,
+ "euj_response_cache_timeout": 0,
+ "evidence_download_enabled": true,
+ "evidence_duplication_enabled_default": true,
+ "evidence_encrypted_enabled": true,
+ "evidence_storage_free_disk_perc": 0,
+ "evidence_storage_max_size": 0,
+ "inspection_depth": "balanced",
+ "max_file_size_to_inspect": 0,
+ "max_file_size_to_inspect_unit": "Bytes",
+ "min_confidence_level": "low",
+ "network_inspection_files_exceeding_size_limit": "block",
+ "similarity_detection": true,
+ "similarity_threshold": "10",
+ "unsupported_browsers_action": "allow"
+ },
+ "precedence": 0
+ }
+ ]
+ }
+ description -- The description of the new policy. String.
+ name -- The name of the new policy. String.
+ policy_properties -- The properties of the new policy. Dictionary.
+ precedence -- The order of precedence. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.policy.post.v2
+ """
+ if not body:
+ body = data_protection_policy_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_policy_post_v2",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def update_policies(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update policies.
+
+ Keyword arguments:
+ platform_name -- platform name of the policies to update, either 'win' or 'mac'.
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "resources": [
+ {
+ "description": "string",
+ "name": "string",
+ "policy_properties": {
+ "allow_notifications": "default",
+ "be_exclude_domains": "string",
+ "be_paste_clipboard_max_size": 0,
+ "be_paste_clipboard_max_size_unit": "Bytes",
+ "be_paste_clipboard_min_size": 0,
+ "be_paste_clipboard_min_size_unit": "Bytes",
+ "be_paste_clipboard_over_size_behaviour_block": true,
+ "be_paste_timeout_duration_milliseconds": 0,
+ "be_paste_timeout_response": "block",
+ "be_splash_custom_message": "string",
+ "be_splash_enabled": true,
+ "be_splash_message_source": "default",
+ "be_upload_timeout_duration_seconds": 0,
+ "be_upload_timeout_response": "block",
+ "block_all_data_access": true,
+ "block_notifications": "default",
+ "browsers_without_active_extension": "allow",
+ "classifications": [
+ "string"
+ ],
+ "custom_allow_notification": "string",
+ "custom_block_notification": "string",
+ "enable_clipboard_inspection": true,
+ "enable_content_inspection": true,
+ "enable_context_inspection": true,
+ "enable_end_user_notifications_unsupported_browser": true,
+ "enable_network_inspection": true,
+ "euj_dialog_box_logo": "string",
+ "euj_dialog_timeout": 0,
+ "euj_dropdown_options": {
+ "justifications": [
+ {
+ "default": true,
+ "id": "string",
+ "justification": "string",
+ "selected": true
+ }
+ ]
+ },
+ "euj_header_text": {
+ "headers": [
+ {
+ "default": true,
+ "header": "string",
+ "selected": true
+ }
+ ]
+ },
+ "euj_require_additional_details": true,
+ "euj_response_cache_timeout": 0,
+ "evidence_download_enabled": true,
+ "evidence_duplication_enabled_default": true,
+ "evidence_encrypted_enabled": true,
+ "evidence_storage_free_disk_perc": 0,
+ "evidence_storage_max_size": 0,
+ "inspection_depth": "balanced",
+ "max_file_size_to_inspect": 0,
+ "max_file_size_to_inspect_unit": "Bytes",
+ "min_confidence_level": "low",
+ "network_inspection_files_exceeding_size_limit": "block",
+ "similarity_detection": true,
+ "similarity_threshold": "10",
+ "unsupported_browsers_action": "allow"
+ },
+ "precedence": 0
+ }
+ ]
+ }
+ description -- The description of the policy. String.
+ name -- The name of the policy. String.
+ policy_properties -- The properties of the policy. Dictionary.
+ precedence -- The order of precedence. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.policy.patch.v2
+ """
+ if not body:
+ body = data_protection_policy_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_policy_patch_v2",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_policies(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete policies that match the provided ids.
+
+ Keyword arguments:
+ ids -- IDs of the policies to delete. String or list of strings.
+ platform_name -- platform name of the policies to update, either 'win' or 'mac'. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /data-protection-configuration/entities.policy.delete.v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_policy_delete_v2",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_web_location(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get web-location entities matching the provided ID(s).
+
+ Keyword arguments:
+ ids -- The web-location entity id(s) to get. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /data-protection-configuration/entities.web-location.get-v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_web_location_get_v2",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_web_location(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Persist the given web-locations.
+
+ Keyword arguments:
+ application_id -- Associated application ID. String.
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "web_locations": [
+ {
+ "application_id": "string",
+ "deleted": true,
+ "enterprise_account_id": "string",
+ "location_type": "string",
+ "name": "string",
+ "provider_location_id": "string",
+ "provider_location_name": "string",
+ "type": "string"
+ }
+ ]
+ }
+ application_id -- The ID of the application. String.
+ deleted -- Flag indicating if this location is deleted. Boolean.
+ enterprise_account_id -- Associated enterprise account ID. String.
+ location_type -- Location type. String.
+ name -- Location name. String.
+ provider_location_id -- Provider location ID. String.
+ provider_location_name -- Provider location name. String.
+ type -- Type. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.web-location.create-v2
+ """
+ if not body:
+ body = data_protection_web_locations_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_web_location_create_v2",
+ body=body
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def update_web_location(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update a web-location.
+
+ Keyword arguments:
+ application_id -- Application ID for the location. String.
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "web_locations": [
+ {
+ "application_id": "string",
+ "deleted": true,
+ "enterprise_account_id": "string",
+ "location_type": "string",
+ "name": "string",
+ "provider_location_id": "string",
+ "provider_location_name": "string",
+ "type": "string"
+ }
+ ]
+ }
+ application_id -- The ID of the application. String.
+ deleted -- Flag indicating if this location is deleted. Boolean.
+ enterprise_account_id -- Associated enterprise account ID. String.
+ location_type -- Location type. String.
+ name -- Location name. String.
+ provider_location_id -- Provider location ID. String.
+ provider_location_name -- Provider location name. String.
+ type -- Type. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.web-location.patch-v2
+ """
+ if not body:
+ body = data_protection_web_locations_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_web_location_patch_v2",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_web_location(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete web-location.
+
+ Keyword arguments:
+ ids -- The IDs of the web-location to delete. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/entities.web-location.delete-v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entities_web_location_delete_v2",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_classifications(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Search for classifications that match the provided criteria.
+
+ Keyword arguments:
+ filter -- Filter results by specific attributes. String.
+ Allowed attributes are:
+ created_by modified_by
+ modified_at properties.content_patterns
+ properties.file_types properties.evidence_duplication_enabled
+ properties.protection_mode properties.sensitivity_labels
+ properties.web_sources name
+ created_at
+ offset -- The offset to start retrieving records from. Integer.
+ limit -- The maximum records to return. Integer.
+ sort -- The property to sort by. String.
+ Allowed fields are:
+ name created_at
+ modified_at
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/queries.classification.get.v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_classification_get_v2",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_cloud_applications(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get all cloud-application IDs matching the query with filter.
+
+ Keyword arguments:
+ filter -- Optional filter for searching cloud applications. String.
+ Allowed filters are:
+ name type
+ deleted supports_network_inspection
+ application_group_id
+ sort -- The sort instructions to order by on. String.
+ Allowed values are:
+ name type
+ deleted supports_network_inspection
+ application_group_id
+ limit -- The number of items to return in this response (default: 100, max: 500). Integer.
+ Use with the offset parameter to manage pagination of results.
+ offset -- The offset to start retrieving records from. Integer.
+ Use with the limit parameter to manage pagination of results.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/queries.cloud-application.get-v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_cloud_application_get_v2",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_content_patterns(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get all content-pattern IDs matching the query with filter.
+
+ Keyword arguments:
+ filter -- The filter to use when finding content patterns. String.
+ Allowed filters are:
+ name type
+ category region
+ example created_at
+ updated_at deleted'
+ sort -- The sort instructions to order by on. String.
+ Allowed values are:
+ name type
+ category region
+ example created_at
+ updated_at deleted'
+ limit -- The number of items to return in this response (default: 100, max: 500). Integer.
+ Use with the offset parameter to manage pagination of results.
+ offset -- The offset to start retrieving records from. Integer.
+ Use with the limit parameter to manage pagination of results.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/queries.content-pattern.get-v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_content_pattern_get_v2",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_enterprise_accounts(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get all enterprise-account IDs matching the query with filter.
+
+ Keyword arguments:
+ filter -- The filter to use when finding enterprise accounts. String.
+ Allowed filters are:
+ name application_group_id
+ deleted created_at
+ updated_at
+ sort -- The sort instructions to order by on. Integer.
+ Allowed values are:
+ name application_group_id
+ deleted created_at
+ updated_at
+ limit -- The number of items to return in this response (default: 100, max: 500). Integer.
+ Use with the offset parameter to manage pagination of results.
+ offset -- The offset to start retrieving records from. Integer.
+ Use with the limit parameter to manage pagination of results.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/queries.enterprise-account.get-v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_enterprise_account_get_v2",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_file_type(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get all file-type IDs matching the query with filter.
+
+ Keyword arguments:
+ filter -- The filter to use when finding file types. String.
+ Allowed filters are:
+ name created_at
+ updated_at
+ sort -- The sort instructions to order by on. String.
+ Allowed values are
+ name created_at
+ updated_at
+ limit -- The number of items to return in this response (default: 100, max: 500). Integer.
+ Use with the offset parameter to manage pagination of results.
+ offset -- The offset to start retrieving records from. Integer.
+ Use with the limit parameter to manage pagination of results.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/queries.file-type.get-v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_file_type_get_v2",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_sensitivity_label(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get all sensitivity label IDs matching the query with filter.
+
+ Keyword arguments:
+ filter -- The filter to use when finding sensitivity labels. String.
+ The only allowed filters are:
+ name display_name
+ external_id deleted
+ sort -- The sort instructions to order by on. String.
+ Allowed values are:
+ name display_name
+ deleted created_at
+ updated_at
+ limit -- The number of items to return in this response (default: 100, max: 500). Integer.
+ Use with the offset parameter to manage pagination of results.
+ offset -- The offset to start retrieving records from. Integer.
+ Use with the limit parameter to manage pagination of results.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/queries.sensitivity-label.get-v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_sensitivity_label_get_v2",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_policies(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Search for policies that match the provided criteria.
+
+ Keyword arguments:
+ platform_name -- platform name of the policies to search, either 'win' or 'mac'. String.
+ filter -- Filter results by specific attributes. String.
+ Allowed attributes are:
+ properties.max_file_size_to_inspect description
+ is_default properties.be_upload_timeout_duration_seconds
+ created_by modified_at
+ properties.enable_content_inspection properties.similarity_threshold
+ properties.block_notifications properties.custom_allow_notification
+ properties.evidence_duplication_enabled_default properties.be_paste_timeout_response
+ properties.inspection_depth properties.classifications
+ properties.be_paste_clipboard_max_size properties.min_confidence_level
+ properties.evidence_storage_free_disk_perc properties.besplash_enabled
+ properties.browsers_without_active_extension modified_by
+ created_at properties.enable_network_inspection
+ properties.enable_context_inspection properties.besplash_custom_message
+ properties.besplash_message_source properties.be_paste_clipboard_max_size_unit
+ properties.be_paste_clipboard_min_size_unit properties.max_file_size_to_inspect_unit
+ properties.network_inspection_files_exceeding_size_limit properties.evidence_encrypted_enabled
+ properties.similarity_detection properties.enable_clipboard_inspection
+ properties.allow_notifications properties.evidence_download_enabled
+ properties.be_exclude_domains properties.be_upload_timeout_response
+ properties.unsupported_browsers_action precedence is_enabled
+ properties.custom_block_notification properties.evidence_storage_max_size
+ properties.be_paste_clipboard_min_size name
+ properties.block_all_data_access
+ properties.be_paste_clipboard_over_size_behaviour_block
+ properties.enable_end_user_notifications_unsupported_browser
+ properties.be_paste_timeout_duration_milliseconds
+ offset -- The offset to start retrieving records from. Integer.
+ limit -- The maximum records to return. Integer.
+ sort -- The property to sort by. String.
+ Allowed fields are:
+ name precedence
+ created_at modified_at
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/queries.policy.get.v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_policy_get_v2",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def query_web_locations(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get web-location IDs matching the query with filter.
+
+ Keyword arguments:
+ filter -- The filter to use when finding web locations. String.
+ Allowed filters:
+ name type
+ deleted application_id
+ provider_location_id enterprise_account_id
+ type -- The type of entity to query. String. Allowed values are:
+ predefined custom
+ limit -- The number of items to return in this response (default: 100, max: 500).
+ Use with the offset parameter to manage pagination of results. Integer.
+ offset -- The offset to start retrieving records from. Integer.
+ Use with the limit parameter to manage pagination of results. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/data-protection-configuration/queries.web-location.get-v2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="queries_web_location_get_v2",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ entities_classification_get_v2 = get_classification
+ entities_classification_post_v2 = create_classification
+ entities_classification_patch_v2 = update_classifications
+ entities_classification_delete_v2 = delete_classification
+ entities_cloud_application_get = get_cloud_application
+ entities_cloud_application_create = create_cloud_application
+ entities_cloud_application_patch = update_cloud_application
+ entities_cloud_application_delete = delete_cloud_application
+ entities_content_pattern_get = get_content_pattern
+ entities_content_pattern_create = create_content_pattern
+ entities_content_pattern_patch = update_content_pattern
+ entities_content_pattern_delete = delete_content_pattern
+ entities_enterprise_account_get = get_enterprise_account
+ entities_enterprise_account_create = create_enterprise_account
+ entities_enterprise_account_patch = update_enterprise_account
+ entities_enterprise_account_delete = delete_enterprise_account
+ entities_file_type_get = get_file_type
+ entities_sensitivity_label_get_v2 = get_sensitivity_label
+ entities_sensitivity_label_create_v2 = create_sensitivity_label
+ entities_sensitivity_label_delete_v2 = delete_sensitivity_label
+ entities_policy_get_v2 = get_policies
+ entities_policy_post_v2 = create_policy
+ entities_policy_patch_v2 = update_policies
+ entities_policy_delete_v2 = delete_policies
+ entities_web_location_get_v2 = get_web_location
+ entities_web_location_create_v2 = create_web_location
+ entities_web_location_patch_v2 = update_web_location
+ entities_web_location_delete_v2 = delete_web_location
+ queries_classification_get_v2 = query_classifications
+ queries_cloud_application_get_v2 = query_cloud_applications
+ queries_content_pattern_get_v2 = query_content_patterns
+ queries_enterprise_account_get_v2 = query_enterprise_accounts
+ queries_file_type_get_v2 = query_file_type
+ queries_sensitivity_label_get_v2 = query_sensitivity_label
+ queries_policy_get_v2 = query_policies
+ queries_web_location_get_v2 = query_web_locations
diff --git a/src/falconpy/detects.py b/src/falconpy/detects.py
index 783e2a21..45d9ae7d 100644
--- a/src/falconpy/detects.py
+++ b/src/falconpy/detects.py
@@ -42,6 +42,14 @@
from ._result import Result
from ._service_class import ServiceClass
from ._endpoint._detects import _detects_endpoints as Endpoints
+# _____ __ __
+# | \.-----.-----.----.-----.----.---.-.| |_.-----.--| |
+# | -- | -__| _ | _| -__| __| _ || _| -__| _ |
+# |_____/|_____| __|__| |_____|____|___._||____|_____|_____|
+# |__|
+#
+# This service collection is deprecated.
+# Developers should leverage operations from the Alerts service collection.
class Detects(ServiceClass):
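Review bot: The deprecation of `Detects` lives only in a source comment above the class, so nothing reaches callers at runtime or through `help(Detects)`. At minimum the class docstring should carry it, e.g. `Deprecated: use the Alerts service collection instead.`, and if the project is willing to emit a runtime signal, `warnings.warn("Detects is deprecated; use the Alerts service collection", DeprecationWarning, stacklevel=2)` in the constructor would let callers find the dependency before the endpoints go away. The constructor is outside this hunk, so I cannot see whether Detects defines its own or inherits it from ServiceClass.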
diff --git a/src/falconpy/discover.py b/src/falconpy/discover.py
index 83e59b72..dbd6a933 100644
--- a/src/falconpy/discover.py
+++ b/src/falconpy/discover.py
@@ -65,15 +65,20 @@ def query_combined_applications(self: object,
Returns details on applications which match the filter criteria.
Keyword arguments:
- filter -- The filter expression that should be used to limit the results. FQL syntax.
+ after -- A pagination token used with the limit parameter to manage pagination of results.
+ On your first request, do not provide an after token. On subsequent requests,
+ provide the after token from the previous response to continue from that place in
+ the results. String.
+ facet -- Select various details blocks to be returned for each application entity. String.
+ Supported values:
+ browser_extension host_info
+ install_usage package
+ ide_extension
+ filter -- The filter expression that should be used to limit the results. FQL syntax. String.
limit -- The number of account IDs to return in this response. (Max: 100, default: 100)
- Use with the offset parameter to manage pagination of results.
- offset -- An offset used with the limit parameter to manage pagination of results.
- On your first request, don't provide an offset. On subsequent requests,
- provide the offset from the previous response to continue from that place
- in the results.
+ Use with the offset parameter to manage pagination of results. Integer.
parameters - full parameters payload, not required if using other keywords.
- sort -- Sort assets by their properties. A single sort field is allowed.
+ sort -- Sort assets by their properties. A single sort field is allowed. String.
This method only supports keywords for providing arguments.
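Review bot: The `limit` entry still reads `Use with the offset parameter to manage pagination of results. Integer.` even though this hunk removes the `offset` keyword from the docstring and documents `after` as the pagination token, so the text now points at a parameter the docstring no longer lists. If offset is genuinely gone from the endpoint the sentence should become `Use with the after parameter to manage pagination of results. Integer.`; if offset is still accepted, its entry should be kept rather than dropped. The body of query_combined_applications continues outside the hunk.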
@@ -122,7 +127,9 @@ def query_combined_hosts(self: object, parameters: dict = None, **kwargs) -> Uni
first_seen_timestamp system_product_name
groups system_serial_number
hostname tags
- id
+ id scan_details.scan_id
+ scan_details.schedule_id scan_details.scan_date
+ vulnerability_assessment_date
limit -- The number of asset IDs to return in this response. (Max: 100, default: 100)
Use with the offset parameter to manage pagination of results.
offset -- An offset used with the limit parameter to manage pagination of results.
@@ -384,7 +391,9 @@ def query_hosts(self: object, parameters: dict = None, **kwargs) -> Union[Dict[s
first_seen_timestamp system_product_name
groups system_serial_number
hostname tags
- id
+ id scan_details.scan_id
+ scan_details.schedule_id scan_details.scan_date
+ vulnerability_assessment_date
limit -- The number of asset IDs to return in this response. (Max: 100, default: 100)
Use with the offset parameter to manage pagination of results.
offset -- An offset used with the limit parameter to manage pagination of results.
diff --git a/src/falconpy/downloads.py b/src/falconpy/downloads.py
index 43a47bde..878d21ed 100644
--- a/src/falconpy/downloads.py
+++ b/src/falconpy/downloads.py
@@ -55,10 +55,82 @@ class Downloads(ServiceClass):
- a valid token provided by the authentication service class (oauth2.py)
"""
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def fetch_download_info(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get files info and pre-signed download URLs.
+
+ Keyword arguments:
+ filter -- Search files using various filters using query in Falcon Query Language (FQL). String.
+ Supported filters:
+ arch file_name
+ category file_version
+ os
+ sort -- The fields to sort records on. String.
+ Supported columns:
+ arch file_name
+ category file_version
+ os
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/downloads-api/FetchFilesDownloadInfo
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="FetchFilesDownloadInfo",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def fetch_download_info_v2(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get cloud security tools info and pre-signed download URLs.
+
+ Keyword arguments:
+ filter -- Search files using various filters. String.
+ Supported filters:
+ arch category
+ file_name file_version
+ os
+ sort -- The fields to sort records on. String.
+ Supported columns:
+ arch category
+ file_name file_version
+ os
+ limit -- The upper-bound on the number of records to retrieve. Maximum limit: 100. String.
+ offset -- The offset from where to begin. Maximum offset = 1000 - limit. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/downloads-api/FetchFilesDownloadInfoV2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="FetchFilesDownloadInfoV2",
+ keywords=kwargs,
+ params=parameters
+ )
+
@force_default(defaults=["parameters"], default_types=["dict"])
def download(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
"""Retrieve a pre-signed URL for the requested file.
+ * DEPRECATED *
+
Keyword arguments:
file_name -- Name of the file to be downloaded
file_version -- Version of the file to be downloaded
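Review bot: In `fetch_download_info_v2` the `limit` and `offset` keywords are documented as `String.` while the rest of this diff types paging counters as `Integer.`; if the Swagger definition really declares them as strings it is worth saying so (`String, e.g. "100".`), otherwise `Integer.` keeps the docstrings consistent. The `* DEPRECATED *` marker added to `download` (and to `enumerate` in the next hunk) does not name the replacement; presumably that is `fetch_download_info` / `fetch_download_info_v2`, and a line such as `Use fetch_download_info_v2 instead.` would save readers a trip to the Swagger page. The docstring of `download` continues outside the hunk.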
@@ -85,6 +157,8 @@ def download(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str,
def enumerate(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
"""Enumerate a list of files available for CID.
+ * DEPRECATED *
+
Keyword arguments:
arch -- Apply filtering on system architecture. String.
file_name -- Apply filtering on file name. String.
@@ -111,5 +185,7 @@ def enumerate(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str
params=parameters
)
+ FetchFilesDownloadInfo = fetch_download_info
+ FetchFilesDownloadInfoV2 = fetch_download_info_v2
DownloadFile = download
EnumerateFile = enumerate
diff --git a/src/falconpy/falcon_container.py b/src/falconpy/falcon_container.py
index 645a0848..ebc41848 100644
--- a/src/falconpy/falcon_container.py
+++ b/src/falconpy/falcon_container.py
@@ -36,7 +36,7 @@
For more information, please refer to
"""
from typing import Dict, Union
-from ._util import process_service_request, force_default, handle_single_argument
+from ._util import process_service_request, force_default, handle_single_argument, generate_error_result
from ._payload import image_payload, registry_payload, export_job_payload, inventory_scan_payload
from ._result import Result
from ._service_class import ServiceClass
@@ -172,8 +172,7 @@ def launch_export_job(self: object, body: dict = None, **kwargs) -> Union[Dict[s
assets.pods investigate.kubernetes-ioms
images.images-assessment-detections-expanded investigate.runtime-detections
images.images-assessment-expanded investigate.unidentified-containers
- images.images-assessment-vulnerabilities-expanded network.events
- policies.exclusions
+ images.images-assessment-vulnerabilities-expanded policies.exclusions
sort : str
Falcon Query Language sort string defining the export sort.
@@ -806,6 +805,111 @@ def get_scan_headers(self: object) -> Union[Dict[str, Union[int, dict]], Result]
operation_id="HeadImageScanInventory"
)
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def check_prevention_policies(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Check image prevention policies.
+
+ Keyword arguments:
+ registry -- Image registry. String.
+ repository -- Image repository. String.
+ tag -- Image tag. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/falcon-container-image/PolicyChecks
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="PolicyChecks",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_report_by_reference(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get image assessment scan report by image reference (v2).
+
+ Keyword arguments:
+ registry -- Image registry. String.
+ repository -- Image repository. String.
+ tag -- Image tag. String.
+ image_id -- Image ID. String.
+ digest -- Image digest. String.
+ report_format -- Specify image-assessment scan report format.
+ Supported formats:
+ cyclonedx-json
+ json
+ sarif
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/falcon-container-image/GetReportByReference
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetReportByReference",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_report_by_id(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get image assessment scan report by scan UUID (v2).
+
+ Keyword arguments:
+ uuid -- Scan UUID. String.
+ report_format -- Specify image-assessment scan report format. String.
+ Supported formats:
+ cyclonedx-json
+ json
+ sarif
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/falcon-container-image/GetReportByScanID
+ """
+ uuid = kwargs.get("uuid", None)
+ if uuid:
+ kwargs.pop("uuid")
+ returned = process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetReportByScanID",
+ keywords=kwargs,
+ params=parameters,
+ uuid=uuid
+ )
+ else:
+ returned = generate_error_result("You must provide the uuid argument in order to use this operation.")
+
+ return returned
+
# These method names align to the operation IDs in the API but
# do not conform to snake_case / PEP8 and are defined here for
# backwards compatibility / ease of use purposes
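Review bot: `get_report_by_id` only looks for `uuid` in `kwargs`, so a caller who follows the `parameters -- Full parameters payload dictionary` convention used by every other method here and passes `parameters={"uuid": ...}` gets the "You must provide the uuid argument" error result rather than a request; either the docstring should state that uuid must be passed as a keyword, or the lookup should also consult `parameters`. Independently, `uuid = kwargs.get("uuid", None)` followed by `kwargs.pop("uuid")` can be written as `uuid = kwargs.pop("uuid", None)`. In `get_report_by_reference` the `report_format` entry lacks the `String.` type tag that its sibling in `get_report_by_id` carries.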
@@ -826,3 +930,6 @@ def get_scan_headers(self: object) -> Union[Dict[str, Union[int, dict]], Result]
UpdateRegistryEntities = update_registry_entities
PostImageScanInventory = scan_inventory
HeadImageScanInventory = get_scan_headers
+ PolicyChecks = check_prevention_policies
+ GetReportByReference = get_report_by_reference
+ GetReportByScanID = get_report_by_id
diff --git a/src/falconpy/firewall_policies.py b/src/falconpy/firewall_policies.py
index a503051a..a48bc89a 100644
--- a/src/falconpy/firewall_policies.py
+++ b/src/falconpy/firewall_policies.py
@@ -143,7 +143,7 @@ def perform_action(self: object,
Keyword arguments:
action_name -- action to perform: 'add-host-group', 'disable', 'enable',
- or 'remove-host-group'.
+ 'add-rule-group', 'remove-rule-group' or 'remove-host-group'.
action_parameters -- Action specific parameter options. List of dictionaries.
{
"name": "string",
@@ -176,7 +176,7 @@ def perform_action(self: object,
https://assets.falcon.crowdstrike.com/support/api/swagger.html#/firewall-policies/performFirewallPoliciesAction
"""
_allowed_actions = ['add-host-group', 'disable', 'enable', 'remove-host-group',
- # 'add-rule-group', 'remove-rule-group' # Currently unsupported
+ 'add-rule-group', 'remove-rule-group'
]
operation_id = "performFirewallPoliciesAction"
parameter_payload = args_to_params(parameters, kwargs, Endpoints, operation_id)
diff --git a/src/falconpy/hosts.py b/src/falconpy/hosts.py
index 2d7c9424..da38f0a2 100644
--- a/src/falconpy/hosts.py
+++ b/src/falconpy/hosts.py
@@ -164,6 +164,14 @@ def query_hidden_devices_combined(self: object,
os_version default_gateway_ip
device_policies.prevention.applied last_login_user_sid
device_policies.jumpcloud.policy_type bios_version
+ device_policies.exposure-management.applied device_policies.exposure-management.policy_type
+ device_policies.exposure-management.policy_id device_policies.logscale-collector.policy_id
+ device_policies.logscale-collector.policy_type device_policies.logscale-collector.applied
+ device_policies.cloud-ml.policy_id device_policies.cloud-ml.policy_type
+ device_policies.cloud-ml.applied device_policies.fem-browser-extension-control.applied
+ device_policies.fem-browser-extension-control.policy_type
+ device_policies.fem-browser-extension-control.policy_id
+
This method only supports keywords for providing arguments.
@@ -780,6 +788,13 @@ def query_devices_by_filter_combined(self: object,
os_version default_gateway_ip
device_policies.prevention.applied last_login_user_sid
device_policies.jumpcloud.policy_type bios_version
+ device_policies.exposure-management.applied device_policies.exposure-management.policy_type
+ device_policies.exposure-management.policy_id device_policies.logscale-collector.policy_id
+ device_policies.logscale-collector.policy_type device_policies.logscale-collector.applied
+ device_policies.cloud-ml.policy_id device_policies.cloud-ml.policy_type
+ device_policies.cloud-ml.applied device_policies.fem-browser-extension-control.applied
+ device_policies.fem-browser-extension-control.policy_id
+ device_policies.fem-browser-extension-control.policy_type
This method only supports keywords for providing arguments.
@@ -840,10 +855,11 @@ def query_device_login_history_v1(self: object,
body_required=["ids"] if self.validate_payloads else None
)
- @force_default(defaults=["body"], default_types=["dict"])
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
def query_device_login_history_v2(self: object,
*args,
body: dict = None,
+ parameters: dict = None,
**kwargs
) -> Union[Dict[str, Union[int, dict]], Result]:
"""Retrieve details about recent interactive login sessions for a set of devices powered by the Host Timeline.
@@ -858,6 +874,9 @@ def query_device_login_history_v2(self: object,
]
}
ids -- AID(s) of the hosts to retrieve. String or list of strings. Supports a maximum of 10 IDs.
+ limit -- The maximum number of results to return. Integer. Default: 10, Max: 100
+ from -- The inclusive beginning of the time window to search. String.
+ to -- The inclusive end of the time window to search. String.
Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
All others are ignored.
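Review bot: The new `from -- The inclusive beginning of the time window to search. String.` entry documents a keyword that cannot be passed as a Python keyword argument, because `from` is a reserved word; `query_device_login_history_v2(ids=..., from="...")` is a syntax error. The docstring should say how to supply it, e.g. `from -- ... String. Pass via the parameters dictionary, e.g. parameters={"from": "..."}, as 'from' is a reserved word.`, and the same caveat applies to any unpacked `**{"from": ...}` form the project prefers. The signature (previous hunk) and the request call (next hunk) are where the new `parameters` argument is wired; the function body itself spans all three hunks.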
@@ -874,12 +893,12 @@ def query_device_login_history_v2(self: object,
submitted_keywords=kwargs,
payload_value="ids"
)
-
return process_service_request(
calling_object=self,
endpoints=Endpoints,
operation_id="QueryDeviceLoginHistoryV2",
body=body,
+ params=parameters,
body_validator={"ids": list} if self.validate_payloads else None,
body_required=["ids"] if self.validate_payloads else None
)
diff --git a/src/falconpy/intel.py b/src/falconpy/intel.py
index b8e73a47..c303ba50 100644
--- a/src/falconpy/intel.py
+++ b/src/falconpy/intel.py
@@ -133,7 +133,7 @@ def query_indicator_entities(self: object,
kill_chains threat_types
labels type
labels.created_on vulnerabilities
- labels.last_valid_on
+ labels.last_valid_on reports.slug
include_deleted -- include both published and deleted indicators.
Boolean, defaults to False.
include_relations -- include related indicators. Boolean, defaults to True.
@@ -191,7 +191,7 @@ def query_report_entities(self: object, parameters: dict = None, **kwargs) -> Un
name type.name
name.raw type.slug
short_description url
- slug
+ slug summary
limit -- The maximum number of reports to return. [integer, 1-5000]
offset -- The integer offset to start retrieving records from.
parameters - full parameters payload, not required if using other keywords.
@@ -684,7 +684,7 @@ def query_indicator_ids(self: object, parameters: dict = None, **kwargs) -> Unio
kill_chains threat_types
labels type
labels.created_on vulnerabilities
- labels.last_valid_on
+ labels.last_valid_on reports.slug
include_deleted -- include both published and deleted indicators.
Boolean, defaults to False.
include_relations -- include related indicators. Boolean, defaults to True.
@@ -802,7 +802,7 @@ def query_report_ids(self: object, parameters: dict = None, **kwargs) -> Union[D
name type.name
name.raw type.slug
short_description url
- slug
+ slug summary
limit -- The maximum number of reports to return. [integer, 1-5000]
offset -- The integer offset to start retrieving records from.
parameters - full parameters payload, not required if using other keywords.
diff --git a/src/falconpy/intelligence_feeds.py b/src/falconpy/intelligence_feeds.py
index 15d80f3c..11b9230c 100644
--- a/src/falconpy/intelligence_feeds.py
+++ b/src/falconpy/intelligence_feeds.py
@@ -114,10 +114,11 @@ def query_feeds(self: object,
feed_name -- Feed Name.
feed_interval -- Feed interval must be one of: 'dump', 'daily', 'hourly' or 'minutely'.
since -- Since is a valid timestamp in RFC3399 format.
- Restrictions: minutely: now()-2h,
- hourly: now()-2d,
- daily: now()-5d;
+ Restrictions: minutely: now()-2h
+ hourly: now()-2d
+ daily: now()-5d
dump: now()-7d
+ any: Automatically combines the appropriate intervals
parameters -- Full parameters payload dictionary. Not required if using other keywords.
This method only supports keywords for providing arguments.
diff --git a/src/falconpy/intelligence_indicator_graph.py b/src/falconpy/intelligence_indicator_graph.py
index 60b547bf..9f40bfd0 100644
--- a/src/falconpy/intelligence_indicator_graph.py
+++ b/src/falconpy/intelligence_indicator_graph.py
@@ -76,7 +76,19 @@ def search(self: object,
}
]
}
- filter -- FQL formatted filter. String.
+ filter -- The filter expression that should be used to limit the results. String. FQL syntax.
+ Available values:
+ Type LastUpdated
+ KillChain MaliciousConfidence
+ MaliciousConfidenceValidatedTime
+ FirstSeen LastSeen
+ Adversaries.Name Adversaries.Slug
+ Reports.Title Reports.Slug
+ Threats.FamilyName Vulnerabilities.CVE
+ Sectors.Name FileDetails.SHA256
+ FileDetails.SHA1 FileDetails.MD5
+ DomainDetails.Detail IPv4Details.IPv4
+ IPv6Details.IPv6 URLDetails.URL
limit -- Returned record limit. Integer.
offset -- Offset to start returning results. Integer.
sort -- List of sort operations to perform on the returnset. String.
diff --git a/src/falconpy/it_automation.py b/src/falconpy/it_automation.py
index 316cea44..3ff2f007 100644
--- a/src/falconpy/it_automation.py
+++ b/src/falconpy/it_automation.py
@@ -47,7 +47,8 @@
scheduled_task_payload,
automation_policy_payload,
policy_host_group_payload,
- automation_live_query_payload
+ automation_live_query_payload,
+ automation_user_group_payload
)
from ._result import Result
from ._service_class import ServiceClass
@@ -308,6 +309,144 @@ def get_tasks_by_query(self: object, parameters: dict = None, **kwargs) -> Union
params=parameters
)
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_user_group(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Return user groups for each provided ID.
+
+ Keyword arguments:
+ ids -- List of user group IDs to fetch. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/it-automation/ITAutomationGetUserGroup
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ITAutomationGetUserGroup",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_user_group(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create a user group from the given request.
+
+ Keyword arguments:
+ body -- Full body payload as a JSON formatted dictionary. Not required if using other keywords.
+ {
+ "description": "string",
+ "name": "string"
+ }
+ description -- Description of the user group. String.
+ name -- Name of the user group. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/it-automation/ITAutomationCreateUserGroup
+ """
+ if not body:
+ body = automation_user_group_payload(passed_keywords=kwargs)
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ITAutomationCreateUserGroup",
+ body=body
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def update_user_group(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update a user group for a given ID.
+
+ Keyword arguments:
+ add_user_ids -- List of user IDs to add. String or list of strings.
+ body -- Full body payload as a JSON formatted dictionary. Not required if using other keywords.
+ {
+ "add_user_ids": [
+ "string"
+ ],
+ "description": "string",
+ "name": "string",
+ "remove_user_ids": [
+ "string"
+ ]
+ }
+ description -- The updated user group description. String.
+ name -- The updated user group name. String.
+ id -- The ID of the user groups to update. String.
+ remove_user_ids -- List of user IDs to remove. String or list of strings.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/it-automation/ITAutomationUpdateUserGroup
+ """
+ if not body:
+ body = automation_user_group_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ITAutomationUpdateUserGroup",
+ keywords=kwargs,
+ body=body,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_user_groups(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete user groups for each provided IDs.
+
+ Keyword arguments:
+ ids -- List of user group IDs to delete. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/it-automation/ITAutomationDeleteUserGroup
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ITAutomationDeleteUserGroup",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
@force_default(defaults=["body"], default_types=["dict"])
def run_live_query(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
"""Start a new task execution from the provided query data in the request and return the initiated task executions.
@@ -1820,6 +1959,50 @@ def delete_task(self: object, *args, parameters: dict = None, **kwargs) -> Union
params=handle_single_argument(args, parameters, "ids")
)
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def search_user_groups(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Return the list of user group IDs matching the filter query parameter.
+
+ This operation can be used together with the ITAutomationGetUserGroup operation
+ to retrieve full information on user groups.
+
+ Keyword arguments:
+ filter -- The filter expression that should be used to limit the results.
+ Allowed filter fields:
+ created_by created_time
+ description modified_by
+ modified_time name
+ Example:
+ example_string_field:'example@example.com'+example_date_field:>='2024-08-27T03:21:32Z'
+ sort -- The sort expression that should be used to sort the results.
+ Sort either `asc` (ascending) or `desc` (descending).
+ Allowed sort fields:
+ created_by created_time
+ modified_by modified_time
+ name
+ Example:
+ example_field|asc
+ offset -- Starting index for record retrieval. Integer. Example: 100
+ limit -- The maximum records to return. Integer. Example: 50
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/it-automation/ITAutomationSearchUserGroup
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ITAutomationSearchUserGroup",
+ keywords=kwargs,
+ params=parameters
+ )
+
@force_default(defaults=["parameters"], default_types=["dict"])
def query_policies(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
"""Return the list of policy ids matching the filter query parameter.
@@ -2054,6 +2237,10 @@ def search_tasks(self: object, parameters: dict = None, **kwargs) -> Union[Dict[
ITAutomationGetTaskExecutionsByQuery = get_executions_by_query
ITAutomationGetTaskGroupsByQuery = get_task_groups_by_query
ITAutomationGetTasksByQuery = get_tasks_by_query
+ ITAutomationGetUserGroup = get_user_group
+ ITAutomationCreateUserGroup = create_user_group
+ ITAutomationUpdateUserGroup = update_user_group
+ ITAutomationDeleteUserGroup = delete_user_groups
ITAutomationRunLiveQuery = run_live_query
ITAutomationUpdatePolicyHostGroups = update_policy_host_groups
ITAutomationUpdatePoliciesPrecedence = update_policies_precedence
@@ -2081,6 +2268,7 @@ def search_tasks(self: object, parameters: dict = None, **kwargs) -> Union[Dict[
ITAutomationCreateTask = create_task
ITAutomationUpdateTask = update_task
ITAutomationDeleteTask = delete_task
+ ITAutomationSearchUserGroup = search_user_groups
ITAutomationQueryPolicies = query_policies
ITAutomationSearchScheduledTasks = search_scheduled_tasks
ITAutomationSearchTaskExecutions = search_task_executions
diff --git a/src/falconpy/kubernetes_protection.py b/src/falconpy/kubernetes_protection.py
index bcfdde08..9a0cd8a8 100644
--- a/src/falconpy/kubernetes_protection.py
+++ b/src/falconpy/kubernetes_protection.py
@@ -98,7 +98,8 @@ def read_clusters_by_version(self: object,
cloud_region node_count
cloud_service pod_count
cluster_id tags
- cluster_name
+ cluster_name pod_name
+ namespace
parameters -- Full parameters payload dictionary. Not required if using other keywords.
Arguments: When not specified, the first argument to this method is assumed to be 'filter'.
@@ -141,7 +142,8 @@ def read_clusters_by_status(self: object,
cloud_region node_count
cloud_service pod_count
cluster_id tags
- cluster_name
+ cluster_name pod_name
+ namespace
parameters -- Full parameters payload dictionary. Not required if using other keywords.
Arguments: When not specified, the first argument to this method is assumed to be 'filter'.
@@ -183,7 +185,8 @@ def read_cluster_count(self: object,
cloud_region node_count
cloud_service pod_count
cluster_id tags
- cluster_name
+ cluster_name pod_name
+ namespace
parameters -- Full parameters payload dictionary. Not required if using other keywords.
Arguments: When not specified, the first argument to this method is assumed to be 'filter'.
@@ -1412,7 +1415,8 @@ def read_clusters_combined(self: object, parameters: dict = None, **kwargs) -> U
cloud_region node_count
cloud_service pod_count
cluster_id tags
- cluster_name
+ cluster_name pod_name
+ namespace
limit -- The upper-bound on the number of records to retrieve. Integer.
offset -- The offset from where to begin. Integer.
sort -- Field to sort results by. String.
@@ -1455,7 +1459,8 @@ def read_clusters_combined_v2(self: object,
cloud_region node_count
cloud_service pod_count
cluster_id tags
- cluster_name
+ cluster_name pod_name
+ namespace
limit -- The upper-bound on the number of records to retrieve. Integer.
offset -- The offset from where to begin. Integer.
sort -- Field to sort results by. String.
@@ -1606,6 +1611,64 @@ def read_deployments_combined(self: object,
params=parameters
)
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def search_kubernetes_ioms(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Search for Kubernetes IOMs with filtering options.
+
+ Pagination is supported via Elasticsearch's search_after search param and point in time.
+ Assets are sorted by unique ID in ascending direction.
+
+ Keyword arguments:
+ body -- Full body payload as a JSON formatted dictionary. Not required if using other keywords.
+ {
+ "pit": "string",
+ "search_after": [
+ null
+ ]
+ }
+ filter -- Search Kubernetes IOMs using a query in Falcon Query Language (FQL). String.
+ Supported filter fields:
+ cid cis_id
+ cluster_id cluster_name
+ containers_impacted_ai_related containers_impacted_count
+ containers_impacted_ids detection_type
+ name namespace
+ prevented resource_id
+ resource_name resource_type
+ severity
+ sort -- The fields to sort the records on. FQL Format. String.
+ limit -- Maximum number of records to return. Integer. Default: 100, Max: 500
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/PostSearchKubernetesIOMEntities
+ """
+ if not body:
+ if kwargs.get("pit", None):
+ body["pit"] = kwargs.get("pit", None)
+ if kwargs.get("search_after", None):
+ search_after = kwargs.get("search_after", None)
+ if isinstance(search_after, str):
+ search_after = search_after.split(",")
+ body["search_after"] = search_after
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="PostSearchKubernetesIOMEntities",
+ keywords=kwargs,
+ params=parameters
+ )
+
@force_default(defaults=["parameters"], default_types=["dict"])
def search_and_read_ioms(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
"""Search Kubernetes IOM by the provided search criteria.
@@ -2381,6 +2444,7 @@ def update_azure_service_principal(self: object,
ReadRunningContainerImages = read_running_images
ReadContainerCombined = read_containers_combined
ReadDeploymentCombined = read_deployments_combined
+ PostSearchKubernetesIOMEntities = search_kubernetes_ioms
SearchAndReadKubernetesIomEntities = search_and_read_ioms
ReadNodeCombined = read_nodes_combined
ReadPodCombined = read_pods_combined
diff --git a/src/falconpy/message_center.py b/src/falconpy/message_center.py
index eecd761c..bd545ef4 100644
--- a/src/falconpy/message_center.py
+++ b/src/falconpy/message_center.py
@@ -408,7 +408,7 @@ def query_activities(self: object, parameters: dict = None, **kwargs) -> Union[D
filter -- The filter expression that should be used to limit the results. FQL syntax.
String.
limit -- The maximum number of records to return. [integer, 1-500]
- offset -- The integer offset to start retrieving records from. String.
+ offset -- The integer offset to start retrieving records from. Integer.
parameters - full parameters payload, not required if using other keywords. Dictionary.
sort -- The property to sort on. FQL syntax. String.
Available properties
@@ -440,7 +440,7 @@ def query_cases(self: object, parameters: dict = None, **kwargs) -> Union[Dict[s
filter -- The filter expression that should be used to limit the results. FQL syntax.
String.
limit -- The maximum number of records to return. [integer, 1-500]
- offset -- The integer offset to start retrieving records from. String.
+ offset -- The integer offset to start retrieving records from. Integer.
parameters - full parameters payload, not required if using other keywords. Dictionary.
sort -- The property to sort on. FQL syntax. String.
Available properties
diff --git a/src/falconpy/ngsiem.py b/src/falconpy/ngsiem.py
index 3024b77a..c8423a8f 100644
--- a/src/falconpy/ngsiem.py
+++ b/src/falconpy/ngsiem.py
@@ -35,11 +35,11 @@
For more information, please refer to
"""
-
+# pylint: disable=C0302
from typing import Dict, Union
from requests import Response
from ._util import force_default, process_service_request, generate_error_result
-from ._payload import ngsiem_search_payload
+from ._payload import ngsiem_search_payload, ngsiem_parser_payload
from ._result import Result
from ._service_class import ServiceClass
from ._endpoint._ngsiem import _ngsiem_endpoints as Endpoints
@@ -443,6 +443,845 @@ def stop_search(self: object,
)
return returned
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_dashboard_template(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Retrieve Dashboard in NGSIEM as LogScale YAML Template.
+
+ Keyword arguments:
+ ids -- Dashboard ID value. String.
+ search_domain -- Name of search domain (view or repo). String.
+ Allowed options:
+ all falcon
+ third-party dashboards
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/GetDashboardTemplate
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetDashboardTemplate",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def create_dashboard_from_template(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create Dashboard from LogScale YAML Template in NGSIEM.
+
+ Keyword arguments:
+ search_domain -- Name of search domain (view or repo). String.
+ Allowed options:
+ all
+ falcon
+ third-party
+ name -- Name of the dashboard. String.
+ yaml_template -- LogScale dashboard YAML template content, see schema at https://schemas.humio.com/. Binary data.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/CreateDashboardFromTemplate
+ """
+ yaml_data = kwargs.get("yaml_template", None)
+ file_extended = {}
+ if kwargs.get("search_domain", None):
+ file_extended["search_domain"] = kwargs.get("search_domain")
+ if kwargs.get("name", None):
+ file_extended["name"] = kwargs.get("name")
+ if yaml_data:
+ kwargs.pop("yaml_template", None)
+ returned = process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="CreateDashboardFromTemplate",
+ data=file_extended,
+ files=[("yaml_template", (file_extended["name"], yaml_data))],
+ params=parameters,
+ keywords=kwargs
+ )
+ else:
+ returned = generate_error_result("You must provide a YAML template to upload", code=400)
+
+ return returned
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def update_dashboard_from_template(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update Dashboard from LogScale YAML Template in NGSIEM.
+
+ Please note a successful update will result in a new ID value being returned.
+
+ Keyword arguments:
+ search_domain -- Name of search domain (view or repo). String.
+ Allowed options:
+ all
+ falcon
+ third-party
+ name -- Name of the dashboard. String.
+ yaml_template -- LogScale dashboard YAML template content, see schema at https://schemas.humio.com/. Binary data.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/UpdateDashboardFromTemplate
+ """
+ yaml_data = kwargs.get("yaml_template", None)
+ file_extended = {}
+ if kwargs.get("search_domain", None):
+ file_extended["search_domain"] = kwargs.get("search_domain")
+ if kwargs.get("name", None):
+ file_extended["name"] = kwargs.get("name")
+ if yaml_data:
+ kwargs.pop("yaml_template", None)
+ returned = process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="UpdateDashboardFromTemplate",
+ data=file_extended,
+ files=[("yaml_template", (None, yaml_data))],
+ params=parameters,
+ keywords=kwargs
+ )
+ else:
+ returned = generate_error_result("You must provide the dashboard template to update", code=400)
+
+ return returned
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_dashboard(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete Dashboard in NGSIEM.
+
+ Keyword arguments:
+ ids -- Dashboard ID to be removed. String.
+ search_domain -- name of search domain (view or repo). String.
+ Allowed options:
+ all
+ falcon
+ third-party
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/DeleteDashboard
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="DeleteDashboard",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_lookup_file(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Retrieve Lookup File in NGSIEM.
+
+ Keyword arguments:
+ filename -- Lookup file filename. String.
+ search_domain -- Name of search domain (view or repo). String.
+ Allowed options:
+ all falcon
+ third-party dashboards
+ parsers-repository
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/GetLookupFile
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetLookupFile",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def create_lookup_file(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create Lookup File in NGSIEM.
+
+ Keyword arguments:
+ search_domain -- Name of search domain (view or repo). String.
+ Allowed options:
+ all falcon
+ third-party parsers-repository
+ filename -- Filename of the lookup file to create. String.
+ file -- File content to upload. Binary data.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/CreateLookupFile
+ """
+ file_name = kwargs.get("filename", None)
+ file_data = kwargs.get("file", None)
+ file_extended = {"search_domain": kwargs.get("search_domain", "all")}
+ if file_name and file_data:
+ kwargs.pop("file", None)
+ returned = process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="CreateLookupFile",
+ keywords=kwargs,
+ params=parameters,
+ data=file_extended,
+ files=[("file", (file_name, file_data))]
+ )
+ else:
+ returned = generate_error_result("You must provide the filename and file in order to use this method.", code=400)
+
+ return returned
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def update_lookup_file(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update Lookup File in NGSIEM.
+
+ Keyword arguments:
+ search_domain -- Name of search domain (view or repo). String.
+ Allowed options:
+ all falcon
+ third-party parsers-repository
+ filename -- Filename of the lookup file to create. String.
+ file -- File content to upload. Binary data.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/UpdateLookupFile
+ """
+ file_name = kwargs.get("filename", None)
+ file_data = kwargs.get("file", None)
+ file_extended = {"search_domain": kwargs.get("search_domain", "all")}
+ if file_name and file_data:
+ kwargs.pop("file", None)
+ returned = process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="UpdateLookupFile",
+ keywords=kwargs,
+ params=parameters,
+ data=file_extended,
+ files=[("file", (file_name, file_data))]
+ )
+ else:
+ returned = generate_error_result("You must provide the filename and file in order to use this method.", code=400)
+
+ return returned
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_lookup_file(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete Lookup File in NGSIEM.
+
+ Keyword arguments:
+ filename -- Lookup file filename. String.
+ search_domain -- Name of search domain (view or repo). String.
+ Allowed options:
+ all falcon
+ third-party dashboards
+ parsers-repository
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/DeleteLookupFile
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="DeleteLookupFile",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_parser_template(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Retrieve Parser in NGSIEM as LogScale YAML Template.
+
+ Keyword arguments:
+ ids -- Parser ID to retrieve. String.
+ repository -- Name of repository. String.
+ Allowed options: parsers-repository
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/GetParserTemplate
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetParserTemplate",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def create_parser_from_template(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create Parser from LogScale YAML Template in NGSIEM.
+
+ Keyword arguments:
+ repository -- Name of repository. String.
+ Allowed options: parsers-repository
+ name -- Name of the parser. String.
+ yaml_template -- LogScale dashboard YAML template content, see schema at https://schemas.humio.com/. Binary data.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/CreateParserFromTemplate
+ """
+ yaml_data = kwargs.get("yaml_template", None)
+ file_extended = {}
+ if kwargs.get("repository", None):
+ file_extended["repository"] = kwargs.get("repository")
+ if kwargs.get("name", None):
+ file_extended["name"] = kwargs.get("name")
+ if yaml_data:
+ kwargs.pop("yaml_data", None)
+ returned = process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="CreateParserFromTemplate",
+ keywords=kwargs,
+ params=parameters,
+ data=file_extended,
+ files=[("yaml_template", (file_extended["name"], yaml_data))]
+ )
+ else:
+ returned = generate_error_result("You must provide a YAML template for the parser to upload", code=400)
+
+ return returned
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_parser(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Retrieve Parser in NGSIEM.
+
+ Keyword arguments:
+ ids -- Parser ID to retrieve. String.
+ repository -- Name of repository. String.
+ Allowed options: parsers-repository
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/GetParser
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetParser",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def create_parser(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create Parser in NGSIEM.
+
+ Keyword arguments:
+ body -- Full body payload as a JSON formatted dictionary. Not required if using other keywords.
+ {
+ "fields_to_be_removed_before_parsing": [
+ "string"
+ ],
+ "fields_to_tag": [
+ "string"
+ ],
+ "name": "string",
+ "repository": "string",
+ "script": "string",
+ "test_cases": [
+ {
+ "event": {
+ "raw_string": "string"
+ },
+ "output_assertions": [
+ {
+ "assertions": {
+ "fields_have_values": [
+ {
+ "expected_value": "string",
+ "field_name": "string"
+ }
+ ],
+ "fields_not_present": [
+ "string"
+ ]
+ },
+ "output_event_index": 0
+ }
+ ]
+ }
+ ]
+ }
+ fields_to_be_removed_before_parsing -- List of fields to remove before parsing. String or list of strings.
+ fields_to_tag -- List of fields to tag. String or list of strings.
+ name -- Parser name. String.
+ repository -- Parser repository. String.
+ script -- Parser script. String.
+ test_cases -- List of test cases to apply to the parser. List of dictionaries.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/CreateParser
+ """
+ if not body:
+ body = ngsiem_parser_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="CreateParser",
+ body=body
+ )
+
+ @force_default(defaults=["body"], default_types=["dict"])
+ def update_parser(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update Parser in NGSIEM.
+
+ Please note that name changes are not supported, but rather should be created as a new parser.
+
+ Keyword arguments:
+ body -- Full body payload as a JSON formatted dictionary. Not required if using other keywords.
+ {
+ "fields_to_be_removed_before_parsing": [
+ "string"
+ ],
+ "fields_to_tag": [
+ "string"
+ ],
+ "name": "string",
+ "repository": "string",
+ "script": "string",
+ "test_cases": [
+ {
+ "event": {
+ "raw_string": "string"
+ },
+ "output_assertions": [
+ {
+ "assertions": {
+ "fields_have_values": [
+ {
+ "expected_value": "string",
+ "field_name": "string"
+ }
+ ],
+ "fields_not_present": [
+ "string"
+ ]
+ },
+ "output_event_index": 0
+ }
+ ]
+ }
+ ]
+ }
+ fields_to_be_removed_before_parsing -- List of fields to remove before parsing. String or list of strings.
+ fields_to_tag -- List of fields to tag. String or list of strings.
+ id -- ID of the parser to be updated. String.
+ name -- Parser name. String.
+ repository -- Parser repository. String.
+ script -- Parser script. String.
+ test_cases -- List of test cases to apply to the parser. List of dictionaries.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/UpdateParser
+ """
+ if not body:
+ body = ngsiem_parser_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="UpdateParser",
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_parser(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete Parser in NGSIEM.
+
+ Keyword arguments:
+ ids -- Parser ID to be removed. String.
+ repository -- Name of repository.
+ Allowed options: parsers-repository
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/DeleteParser
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="DeleteParser",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_saved_query_template(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Retrieve Saved Query in NGSIEM as LogScale YAML Template.
+
+ Keyword arguments:
+ ids -- Saved query ID to retrieve. String.
+ search_domain -- Name of search domain (view or repo).
+ Allowed options:
+ all falcon
+ third-party dashboards
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/GetSavedQueryTemplate
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetSavedQueryTemplate",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def create_saved_query(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Create a Saved Query from LogScale YAML Template in NGSIEM.
+
+ Keyword arguments:
+ search_domain -- Name of search domain (view or repo). String.
+ Allowed options:
+ all
+ falcon
+ third-party
+ yaml_template -- LogScale saved query YAML template content, see schema at https://schemas.humio.com/. Binary data.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/CreateSavedQuery
+ """
+ yaml_data = kwargs.get("yaml_template", None)
+ file_extended = {}
+ if kwargs.get("search_domain", None):
+ file_extended["search_domain"] = kwargs.get("search_domain")
+ if yaml_data:
+ kwargs.pop("yaml_template", None)
+ returned = process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="CreateSavedQuery",
+ data=file_extended,
+ files=[("yaml_template", (None, yaml_data))],
+ params=parameters,
+ keywords=kwargs
+ )
+ else:
+ returned = generate_error_result("You must provide the YAML template in order to create a saved query.", code=400)
+
+ return returned
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def update_saved_query_from_template(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Update Saved Query from LogScale YAML Template in NGSIEM.
+
+ Please note a successful update will result in a new ID value being returned.
+
+ Keyword arguments:
+ ids -- ID of the saved query to update. String.
+ search_domain -- Name of search domain (view or repo). String.
+ Allowed options:
+ all
+ falcon
+ third-party
+ yaml_template -- LogScale saved query YAML template content, see schema at https://schemas.humio.com/. Binary data.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/UpdateSavedQueryFromTemplate
+ """
+ yaml_data = kwargs.get("yaml_template", None)
+ file_extended = {}
+ if kwargs.get("search_domain", None):
+ file_extended["search_domain"] = kwargs.get("search_domain")
+ if yaml_data:
+ kwargs.pop("yaml_template", None)
+ returned = process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="UpdateSavedQueryFromTemplate",
+ data=file_extended,
+ files=[("yaml_template", (None, yaml_data))],
+ params=parameters,
+ keywords=kwargs
+ )
+ else:
+ returned = generate_error_result("You must provide the YAML template in order to update a saved query.", code=400)
+
+ return returned
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def delete_saved_query(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Delete Saved Query in NGSIEM.
+
+ Keyword arguments:
+ ids -- Saved query ID to retrieve. String.
+ search_domain -- Name of search domain (view or repo).
+ Allowed options:
+ all
+ falcon
+ third-party
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: DELETE
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/DeleteSavedQuery
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="DeleteSavedQuery",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def list_dashboards(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """List Dashboards in NGSIEM.
+
+ Keyword arguments:
+ limit -- Maximum number of results to return. Integer string. Default value: 50
+ offset -- Number of results to offset the returned results by. Integer string. Default value: 0
+ filter -- FQL filter to apply to the name of the content. String.
+ Only currently support text match on name field: name:~'value'
+ search_domain -- Name of search domain (view or repo).
+ Allowed options:
+ all falcon
+ third-party dashboards
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/ListDashboards
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ListDashboards",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def list_lookup_files(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """List Lookup Files in NGSIEM.
+
+ Keyword arguments:
+ limit -- Maximum number of results to return. Integer string. Default value: 50
+ offset -- Number of results to offset the returned results by. Integer string. Default value: 0
+ filter -- FQL filter to apply to the name of the content. String.
+ Only currently support text match on name field: name:~'value'
+ search_domain -- Name of search domain (view or repo).
+ Allowed options:
+ all falcon
+ third-party dashboards
+ parsers-repository
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/ListLookupFiles
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ListLookupFiles",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def list_parsers(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """List Parsers in NGSIEM.
+
+ Keyword arguments:
+ limit -- Maximum number of results to return. Integer string. Default value: 50
+ offset -- Number of results to offset the returned results by. Integer string. Default value: 0
+ filter -- FQL filter to apply to the name of the content. String.
+ Only currently support text match on name field: name:~'value'
+ repository -- Name of repository.
+ Allowed options: parsers-repository
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/ListParsers
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ListParsers",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def list_saved_queries(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get Saved Queries in NGSIEM.
+
+ Keyword arguments:
+ limit -- Maximum number of results to return. Integer string. Default value: 50
+ offset -- Number of results to offset the returned results by. Integer string. Default value: 0
+ filter -- FQL filter to apply to the name of the content. String.
+ Only currently support text match on name field: name:~'value'
+ search_domain -- name of search domain (view or repo).
+ Allowed options:
+ all falcon
+ third-party dashboards
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/ListSavedQueries
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ListSavedQueries",
+ keywords=kwargs,
+ params=parameters
+ )
+
UploadLookupV1 = upload_file
GetLookupV1 = get_file
GetLookupFromPackageWithNamespaceV1 = get_file_from_package_with_namespace
@@ -450,3 +1289,25 @@ def stop_search(self: object,
StartSearchV1 = start_search
GetSearchStatusV1 = get_search_status
StopSearchV1 = stop_search
+ GetDashboardTemplate = get_dashboard_template
+ CreateDashboardFromTemplate = create_dashboard_from_template
+ UpdateDashboardFromTemplate = update_dashboard_from_template
+ DeleteDashboard = delete_dashboard
+ GetLookupFile = get_lookup_file
+ CreateLookupFile = create_lookup_file
+ UpdateLookupFile = update_lookup_file
+ DeleteLookupFile = delete_lookup_file
+ GetParserTemplate = get_parser_template
+ CreateParserFromTemplate = create_parser_from_template
+ GetParser = get_parser
+ CreateParser = create_parser
+ UpdateParser = update_parser
+ DeleteParser = delete_parser
+ GetSavedQueryTemplate = get_saved_query_template
+ CreateSavedQuery = create_saved_query
+ UpdateSavedQueryFromTemplate = update_saved_query_from_template
+ DeleteSavedQuery = delete_saved_query
+ ListDashboards = list_dashboards
+ ListLookupFiles = list_lookup_files
+ ListParsers = list_parsers
+ ListSavedQueries = list_saved_queries
diff --git a/src/falconpy/ods.py b/src/falconpy/ods.py
index fcab52b3..1e1e2681 100644
--- a/src/falconpy/ods.py
+++ b/src/falconpy/ods.py
@@ -818,7 +818,7 @@ def query_scans(self: object, parameters: dict = None, **kwargs) -> Union[Dict[s
description.keyword scan_completed_on
filecount.scanned scan_started_on
filecount.malicious created_on
- last_updated
+ last_updated description
limit -- The maximum number of records to return. [Integer, 1-500]
offset -- The integer offset to start retrieving records from. Integer.
parameters - full parameters payload, not required if using other keywords.
@@ -831,7 +831,7 @@ def query_scans(self: object, parameters: dict = None, **kwargs) -> Union[Dict[s
filecount.malicious scan_completed_on
filecount.quarantined created_on
filecount.skipped created_by
- last_updated
+ last_updated description
This method only supports keywords for providing arguments.
@@ -862,7 +862,7 @@ def query_scheduled_scans(self: object, parameters: dict = None, **kwargs) -> Un
description created_on
initiated_from created_by
status deleted
- last_updated
+ last_updated description.keyword
limit -- The maximum number of records to return. [Integer, 1-500]
offset -- The integer offset to start retrieving records from. Integer.
parameters - full parameters payload, not required if using other keywords.
@@ -872,7 +872,7 @@ def query_scheduled_scans(self: object, parameters: dict = None, **kwargs) -> Un
description schedule.interval
status last_updated
created_on created_by
-
+ description
This method only supports keywords for providing arguments.
Returns: dict object containing API response.
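Review bot: The new `description` entry on the last line of this sort-field list duplicates the `description` already listed three lines above (`description schedule.interval`), and it is placed on the line that previously was the blank separator before the "This method only supports keywords" sentence. The sibling hunk for the other sort list adds `description.keyword`, so this one presumably meant `description.keyword` as well; if so the line should read `description.keyword`, and the blank line before "This method only supports keywords for providing arguments." should be restored either way. The enclosing query_scheduled_scans docstring starts outside the hunk.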
diff --git a/src/falconpy/real_time_response_admin.py b/src/falconpy/real_time_response_admin.py
index d5d13682..cf58da59 100644
--- a/src/falconpy/real_time_response_admin.py
+++ b/src/falconpy/real_time_response_admin.py
@@ -381,6 +381,47 @@ def delete_put_files(self: object,
params=handle_single_argument(args, parameters, "ids")
)
+ @force_default(defaults=["data", "files"], default_types=["dict", "list"])
+ def create_put_files_v2(self: object,
+ files: list,
+ data: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Upload a new put-file to use for the RTR `put` command.
+
+ Keyword arguments:
+ data -- full formData payload, not required if other keywords are used. formData.
+ {
+ "description": "string",
+ "name": "string",
+ "comments_for_audit_log": "string"
+ }
+ files -- File to be uploaded. List of tuples. *REQUIRED*
+ Ex: [('file', ('file.ext', open('file.ext','rb').read(), 'application/script'))]
+ description -- File description. String.
+ name -- File name (if different than actual file name). String.
+ comments_for_audit_log -- Audit log comment. String.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/real-time-response-admin/RTR-CreatePut-FilesV2
+ """
+ if not data:
+ data = data_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="RTR_CreatePut_FilesV2",
+ data=data,
+ files=files
+ )
+
@force_default(defaults=["parameters"], default_types=["dict"])
def get_scripts(self: object, *args, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
"""Get custom-scripts based on the ID's given.
@@ -515,6 +556,112 @@ def delete_scripts(self: object, *args, parameters: dict = None, **kwargs) -> Un
params=handle_single_argument(args, parameters, "ids")
)
+ @force_default(defaults=["data", "files"], default_types=["dict", "list"])
+ def create_scripts_v2(self: object,
+ data: dict = None,
+ files: list = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Upload a new custom-script to use for the RTR `runscript` command.
+
+ Keyword arguments:
+ data -- full formData payload, not required if other keywords are used. formData.
+ {
+ "description": "string",
+ "name": "string",
+ "comments_for_audit_log": "string",
+ "content": "string",
+ "platform": "string",
+ "permission_type": "string"
+ }
+ files -- File to be uploaded. List of tuples. *REQUIRED*
+ Ex: [('file', ('file.ext', open('file.ext','rb').read(), 'application/script'))]
+ description -- File description. String.
+ name -- File name (if different than actual file name). String.
+ comments_for_audit_log -- Audit log comment. String.
+ permission_type -- Permission for the custom-script. STring.
+ Valid permission values:
+ `private` - usable by only the user who uploaded it
+ `group` - usable by all RTR Admins
+ `public` - usable by all active-responders and RTR admins
+ content -- The script text that you want to use to upload. String.
+ platform -- Platforms for the file. Currently supports: windows, mac, linux. String.
+ If no platform is provided, it will default to 'windows'.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/real-time-response-admin/RTR-CreateScriptsV2
+ """
+ if not data:
+ data = data_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="RTR_CreateScriptsV2",
+ data=data,
+ files=files
+ )
+
+ @force_default(defaults=["data", "files"], default_types=["dict", "list"])
+ def update_scripts_v2(self: object,
+ data: dict = None,
+ files: list = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Upload a new scripts to replace an existing one.
+
+ Keyword arguments:
+ data -- full formData payload, not required if other keywords are used. formData.
+ {
+ "id": "string",
+ "description": "string",
+ "name": "string",
+ "comments_for_audit_log": "string",
+ "content": "string",
+ "platform": "string",
+ "permission_type": "string"
+ }
+ files -- File to be uploaded. List of tuples. *REQUIRED*
+ Ex: [('file', ('file.ext', open('file.ext','rb').read(), 'application/script'))]
+ description -- File description. String.
+ id -- Script ID to be updated. String.
+ name -- File name (if different than actual file name). String.
+ comments_for_audit_log -- Audit log comment. String.
+ permission_type -- Permission for the custom-script. String.
+ Valid permission values:
+ `private` - usable by only the user who uploaded it
+ `group` - usable by all RTR Admins
+ `public` - usable by all active-responders and RTR admins
+ content -- The script text that you want to use to upload. String.
+ platform -- Platforms for the file. Currently supports: windows, mac, linux. String.
+ If no platform is provided, it will default to 'windows'.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: PATCH
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/real-time-response-admin/RTR-UpdateScriptsV2
+ """
+ if not data:
+ data = data_payload(passed_keywords=kwargs)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="RTR_UpdateScriptsV2",
+ data=data,
+ files=files
+ )
+
@force_default(defaults=["data", "files"], default_types=["dict", "list"])
def update_scripts(self: object,
data: dict = None,
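Review bot: In both `create_scripts_v2` and `update_scripts_v2` the docstring marks `files` as `*REQUIRED*`, yet the signature defaults it to `None` (which `@force_default` turns into an empty list) and the same form also accepts `content` as the script text, so a caller can legitimately send `content=` with no file at all; suggest `files -- File to be uploaded. List of tuples. Required if 'content' is not provided.` `permission_type` lists `private`/`group`/`public` but not what the API assumes when it is omitted, and since `public` makes the script runnable by every active responder, the docstring should state the default (I cannot see it from here) or advise passing `private` unless wider sharing is intended. Two typos while here: `STring.` on the create_scripts_v2 permission_type line, and `"""Upload a new scripts to replace an existing one.` should read `"""Upload a new script to replace an existing one.`.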
@@ -673,10 +820,13 @@ def list_scripts(self: object, parameters: dict = None, **kwargs) -> Union[Dict[
RTR_GetPut_FilesV2 = get_put_files_v2
RTR_CreatePut_Files = create_put_files
RTR_DeletePut_Files = delete_put_files
+ RTR_CreatePut_FilesV2 = create_put_files_v2
RTR_GetScripts = get_scripts
RTR_GetScriptsV2 = get_scripts_v2
RTR_CreateScripts = create_scripts
RTR_DeleteScripts = delete_scripts
+ RTR_CreateScriptsV2 = create_scripts_v2
+ RTR_UpdateScriptsV2 = update_scripts_v2
RTR_UpdateScripts = update_scripts
RTR_ListFalconScripts = list_falcon_scripts
RTR_ListPut_Files = list_put_files
diff --git a/src/falconpy/recon.py b/src/falconpy/recon.py
index 08ac8178..53121e06 100644
--- a/src/falconpy/recon.py
+++ b/src/falconpy/recon.py
@@ -1098,10 +1098,17 @@ def query_rules(self: object, parameters: dict = None, **kwargs) -> Union[Dict[s
Use with the limit parameter to manage pagination of results.
parameters - full parameters payload, not required if using other keywords.
q -- Free text search across all indexed fields.
- secondary_sort -- Possible order by fields: created_timestamp, last_updated_timestamp.
+ secondary_sort -- Possible order by fields:
+ created_timestamp last_updated_timestamp,
+ permissions priority
+ template_priority topic
Ex: last_updated_timestamp|desc
The keyword "secondarySort" will also be accepted for this value.
sort -- The property to sort by. FQL syntax.
+ Possible order by fields:
+ created_timestamp last_updated_timestamp,
+ permissions priority
+ template_priority topic
(e.g. created_timestamp|asc, last_updated_timestamp|desc)
This method only supports keywords for providing arguments.
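Review bot: The two new field lists carry a stray trailing comma on `created_timestamp last_updated_timestamp,` (in both the `secondary_sort` and `sort` entries), which in a whitespace-separated list reads as if the comma were part of the field name; the line should be `created_timestamp last_updated_timestamp`. Since the existing `Ex: last_updated_timestamp|desc` shows the bare name, the comma is clearly a typo rather than syntax. The enclosing query_rules docstring begins outside the hunk.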
diff --git a/src/falconpy/saas_security.py b/src/falconpy/saas_security.py
new file mode 100644
index 00000000..4a1fbd59
--- /dev/null
+++ b/src/falconpy/saas_security.py
@@ -0,0 +1,771 @@
+"""CrowdStrike Falcon SaasSecurity API interface class.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+from typing import Dict, Union
+from ._util import force_default, process_service_request, handle_single_argument
+from ._result import Result
+from ._service_class import ServiceClass
+from ._endpoint._saas_security import _saas_security_endpoints as Endpoints
+
+
+class SaasSecurity(ServiceClass):
+ """The only requirement to instantiate an instance of this class is one of the following.
+
+ - a valid client_id and client_secret provided as keywords.
+ - a credential dictionary with client_id and client_secret containing valid API credentials
+ {
+ "client_id": "CLIENT_ID_HERE",
+ "client_secret": "CLIENT_SECRET_HERE"
+ }
+ - a previously-authenticated instance of the authentication service class (oauth2.py)
+ - a valid token provided by the authentication service class (oauth2.py)
+ """
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_metrics(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Metrics.
+
+ Keyword arguments:
+ status -- Exposure status. String.
+ Available values:
+ Passed Failed
+ Dismissed Pending
+ Can't Run Stale
+ limit -- The maximum number of objects to return. Integer.
+ offset -- The starting index of the results. Integer.
+ integration_id -- Comma separated list of integration IDs. String.
+ impact -- Impact. String.
+ Available values:
+ 1 2 3
+ compliance -- Compliance. Boolean.
+ check_type -- Check Type. String.
+ Available values:
+ apps devices
+ users assets
+ permissions Falcon Shield Security Check
+ custom
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetMetricsV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetMetricsV3",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_alerts(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Alert by ID or GET Alerts.
+
+ Keyword arguments:
+ id -- Alert ID. String
+ limit -- The maximum number of objects to return. Integer.
+ offset -- The starting index of the results. Integer.
+ last_id -- The last id of the alert you want to get. String.
+ type -- The type of alert you want to get. String.
+ Available values:
+ configuration_drift check_degraded
+ integration_failure Threat
+ integration_id -- Comma separated list of integration ID's of the alert you want to get. String
+ from_date -- The start date of the alert you want to get (in YYYY-MM-DD format). String.
+ to_date -- The end date of the alert you want to get (in YYYY-MM-DD format). String.
+ ascending -- Boolean.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetAlertsV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetAlertsV3",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_application_users(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Application Users.
+
+ Keyword arguments:
+ item_id -- Item ID in format: 'integration_id|||app_id' (item_id). String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'item_id'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetAppInventoryUsers
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetAppInventoryUsers",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "item_id")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_application_inventory(self: object,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Applications Inventory.
+
+ Keyword arguments:
+ type -- Comma separated list of app types. String.
+ limit -- The maximum number of objects to return. Integer.
+ offset -- The starting index of the results Integer.
+ status -- Comma separated list of application statuses. String.
+ Available values:
+ approved in review
+ rejected unclassified
+ access_level -- Comma separated list of access levels. String.
+ scopes -- Comma separated list of scopes. String.
+ users -- Users. Format: 'is equal value' or 'contains value' or 'value' (implies 'is equal value'). String.
+ groups -- Comma separated list of groups. String
+ last_activity -- Last activity was within or was not within the last 'value' days. String.
+ Format: 'was value' or 'was not value' or 'value' (implies 'was value'). 'value' is an integer
+ integration_id -- Comma separated list of integration IDs. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetAppInventory
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetAppInventory",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_security_check(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Security Check Affected.
+
+ Keyword arguments:
+ id -- Security Check ID. String.
+ limit -- The maximum number of objects to return. Integer.
+ offset -- The starting index of the results. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetSecurityCheckAffectedV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetSecurityCheckAffectedV3",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def dismiss_affected_entity(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """POST Dismiss Affected Entity.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "entities": "string",
+ "reason": "string"
+ }
+ entities -- Entities. String.
+ reason -- Reason for dismiss. String.
+ id -- Security Check ID. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/DismissAffectedEntityV3
+ """
+ if not body:
+ keys = ["entities", "reason"]
+ for key in keys:
+ if kwargs.get(key, None) is not None:
+ body[key] = kwargs.get(key, None)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="DismissAffectedEntityV3",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def dismiss_security_check(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """POST Dismiss Security Check by ID.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "reason": "string"
+ }
+ reason -- The reason for dismissal. String.
+ id -- Security Check ID. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/DismissSecurityCheckV3
+ """
+ if not body:
+ if kwargs.get("reason", None) is not None:
+ body["reason"] = kwargs.get("reason", None)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="DismissSecurityCheckV3",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_security_checks(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Security Check by ID or GET List Security Checks.
+
+ Keyword arguments:
+ id -- Security Check ID. String
+ limit -- The maximum number of objects to return. Integer.
+ offset -- The starting index of the results. Integer.
+ status -- Exposure status. String.
+ Available values:
+ Passsed Failed
+ Dismissed Pending
+ Can't Run Stale
+ integration_id -- Comma separated list of integration IDs. String.
+ impact -- Impact. String.
+ Available values:
+ Low Medium High
+ compliance -- Compliance. Boolean.
+ check_type -- Check Type. String.
+ Available values:
+ apps devices
+ users assets
+ permissions Falcon Shield Security Check
+ custom
+ check_tags -- Comma separated list of check tags names or ids. String or list of strings.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetSecurityChecksV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetSecurityChecksV3",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_security_check_compliance(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Compliance.
+
+ Keyword arguments:
+ id -- Security Check ID. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'id'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetSecurityCheckComplianceV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetSecurityCheckComplianceV3",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "id")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def complete_integration_upload(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """POST Data Upload Transaction Completion.
+
+ Keyword arguments:
+ id -- Integration ID. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'id'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/IntegrationBuilderEndTransactionV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="IntegrationBuilderEndTransactionV3",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "id")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def reset_integration_builder(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Reset.
+
+ Keyword arguments:
+ id -- Integration ID. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'id'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/IntegrationBuilderResetV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="IntegrationBuilderResetV3",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "id")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_integration_builder_status(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Status.
+
+ Keyword arguments:
+ id -- Integration ID. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'id'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/IntegrationBuilderGetStatusV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="IntegrationBuilderGetStatusV3",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "id")
+ )
+
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def upload_integration_builder(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """POST Upload.
+
+ Keyword arguments:
+ body -- Full body payload provided as a dictionary. Not required if using other keywords.
+ {
+ "data": "string"
+ }
+ data -- String.
+ id -- Integration ID. String.
+ source_id -- Source ID. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/IntegrationBuilderUploadV3
+ """
+ if not body:
+ if kwargs.get("data", None) is not None:
+ body["data"] = kwargs.get("data", None)
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="IntegrationBuilderUploadV3",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_asset_inventory(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Data Inventory.
+
+ Keyword arguments:
+ integration_id -- Comma separated list of integration IDs. String.
+ limit -- The maximum number of objects to return. Integer.
+ offset -- The starting index of the results. Integer.
+ resource_type -- Comma separated list of resource types. String.
+ access_level -- Comma separated list of access levels. String.
+ last_accessed -- Last accessed date was within or was not within the last 'value' days. String.
+ Format: 'was value' or 'was not value' or 'value' (implies 'was value'). 'value' is an integer
+ last_modified -- Last modified date was within or was not within the last 'value' days. String.
+ Format: 'was value' or 'was not value' or 'value' (implies 'was value'). 'value' is an integer
+ resource_name -- Resource name contains 'value' (case insensitive). String.
+ password_protected -- Password protected. Boolean.
+ resource_owner -- Resource owner contains 'value' (case insensitive). String.
+ resource_owner_enabled -- Resource owner enabled. Boolean.
+ unmanaged_domain -- Comma separated list of unmanaged domains. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetAssetInventoryV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetAssetInventoryV3",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_device_inventory(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Device Inventory.
+
+ Keyword arguments:
+ integration_id -- Comma separated integration ID's. String.
+ limit -- The maximum number of objects to return. Integer.
+ offset -- The starting index of the results. Integer.
+ email -- Email. String.
+ privileged_only -- Privileged Only. Boolean.
+ unassociated_devices -- Unassociated Devices. Boolean.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetDeviceInventoryV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetDeviceInventoryV3",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_integrations(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Integrations.
+
+ Keyword arguments:
+ saas_id -- Comma separated SaaS ID's. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetIntegrationsV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetIntegrationsV3",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_activity_monitor(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Activity Monitor.
+
+ Keyword arguments:
+ integration_id -- Integration ID. String.
+ actor -- Actor. String.
+ category -- Comma separated list of categories. String.
+ projection -- Comma separated list of projections. String.
+ from_date -- From Date. String.
+ to_date -- To Date. String.
+ limit -- Max number of logs to fetch. Integer.
+ skip -- Number of logs to skip. Integer.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetActivityMonitorV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetActivityMonitorV3",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_supported_saas(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET Supported SaaS.
+
+ Keyword arguments:
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetSupportedSaasV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetSupportedSaasV3",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_system_logs(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET System Logs.
+
+ Keyword arguments:
+ from_date -- From Date (in YYYY-MM-DD format). String.
+ limit -- The maximum number of objects to return. Integer.
+ offset -- The starting index of the results. Integer.
+ to_date -- To Date (in YYYY-MM-DD format). String.
+ total_count -- Fetch Total Count?. Boolean.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetSystemLogsV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetSystemLogsV3",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_system_users(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET System Users.
+
+ Keyword arguments:
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetSystemUsersV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetSystemUsersV3",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_user_inventory(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """GET User Inventory.
+
+ Keyword arguments:
+ integration_id -- Comma separated integration ID's. String.
+ limit -- The maximum number of objects to return. Integer.
+ offset -- The starting index of the results. Integer.
+ email -- Email. String.
+ privileged_only -- Privileged Only. Boolean.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/saas-security/GetUserInventoryV3
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetUserInventoryV3",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ GetMetricsV3 = get_metrics
+ GetAlertsV3 = get_alerts
+ GetAppInventoryUsers = get_application_users
+ GetAppInventory = get_application_inventory
+ GetSecurityCheckAffectedV3 = get_security_check
+ DismissAffectedEntityV3 = dismiss_affected_entity
+ DismissSecurityCheckV3 = dismiss_security_check
+ GetSecurityChecksV3 = get_security_checks
+ GetSecurityCheckComplianceV3 = get_security_check_compliance
+ IntegrationBuilderEndTransactionV3 = complete_integration_upload
+ IntegrationBuilderResetV3 = reset_integration_builder
+ IntegrationBuilderGetStatusV3 = get_integration_builder_status
+ IntegrationBuilderUploadV3 = upload_integration_builder
+ GetAssetInventoryV3 = get_asset_inventory
+ GetDeviceInventoryV3 = get_device_inventory
+ GetIntegrationsV3 = get_integrations
+ GetActivityMonitorV3 = get_activity_monitor
+ GetSupportedSaasV3 = get_supported_saas
+ GetSystemLogsV3 = get_system_logs
+ GetSystemUsersV3 = get_system_users
+ GetUserInventoryV3 = get_user_inventory
diff --git a/src/falconpy/sensor_usage.py b/src/falconpy/sensor_usage.py
index d9ad0bbf..cf02ecad 100644
--- a/src/falconpy/sensor_usage.py
+++ b/src/falconpy/sensor_usage.py
@@ -97,4 +97,48 @@ def get_weekly_usage(self: object, parameters: dict = None, **kwargs) -> Union[D
params=parameters
)
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_hourly_usage(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Fetch hourly sensor usage average used to measure cloud usage.
+
+ Each data point represents the average of how many unique AIDs were seen per week for the previous 28 days.
+
+ Keyword arguments:
+ filter -- The FQL search filter.
+ Allowed fields:
+ event_date - A specified date that will be final date of the results returned.
+ Specified date cannot be after the default.
+ Format: '2024-06-11'
+ Default: the current date, minus 2 days, in UTC
+ period - An integer surrounded by single quotes representing the number of days to return.
+ Format: '30'
+ Default: '28'
+ Minimum: '1'
+ Maximum: '395'
+ selected_cids - A comma delimited list of CIDs to return data for.
+ Caller must be a parent CID or have special access enabled.
+ Format: 'cid_1,cid_2,cid_3'
+ Default: for parent CIDs the default is the parent and all children,
+ otherwise the current CID
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/sensor-usage-api/GetSensorUsageWeekly
+ Endpoint is not in Swagger file, but allows you to pull `hourly` usage which is used to determine cloud usage
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetSensorUsageHourly",
+ keywords=kwargs,
+ params=parameters
+ )
+
GetSensorUsageWeekly = get_weekly_usage
+ GetSensorUsageHourly = get_hourly_usage
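Review bot: The second line of the get_hourly_usage docstring says each data point is the average of unique AIDs seen `per week` for the previous 28 days, which reads as carried over from get_weekly_usage and contradicts the method name and the `hourly` wording at the bottom of the docstring; if the hourly series really is a weekly average that should be said explicitly, otherwise the line should be rewritten along the lines of `Each data point represents the average number of unique AIDs seen per hour for the previous 28 days.` (confirm against the API). The Swagger URL also points at GetSensorUsageWeekly while the note beneath it says the endpoint is absent from the Swagger file, so the link should either be dropped or labelled as the nearest documented operation. The `period` and `event_date` bounds under `filter` are presumably inherited from the weekly call as well and are worth checking against the hourly endpoint.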
diff --git a/src/falconpy/spotlight_vulnerability_metadata.py b/src/falconpy/spotlight_vulnerability_metadata.py
new file mode 100644
index 00000000..19fabe28
--- /dev/null
+++ b/src/falconpy/spotlight_vulnerability_metadata.py
@@ -0,0 +1,107 @@
+"""CrowdStrike Falcon SpotlightVulnerabilityMetadata API interface class.
+
+ _______ __ _______ __ __ __
+| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
+|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
+|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
+|: 1 | |: 1 |
+|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy
+`-------' `-------'
+
+OAuth2 API - Customer SDK
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+"""
+from typing import Dict, Union
+from ._util import force_default, process_service_request
+from ._result import Result
+from ._service_class import ServiceClass
+from ._endpoint._spotlight_vulnerability_metadata import _spotlight_vulnerability_metadata_endpoints as Endpoints
+
+
+class SpotlightVulnerabilityMetadata(ServiceClass):
+ """The only requirement to instantiate an instance of this class is one of the following.
+
+ - a valid client_id and client_secret provided as keywords.
+ - a credential dictionary with client_id and client_secret containing valid API credentials
+ {
+ "client_id": "CLIENT_ID_HERE",
+ "client_secret": "CLIENT_SECRET_HERE"
+ }
+ - a previously-authenticated instance of the authentication service class (oauth2.py)
+ - a valid token provided by the authentication service class (oauth2.py)
+ """
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def get_cve_metadata(self: object, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Retrieve CVEs(vulnerability metadata) entities by specifying their ids.
+
+ Keyword arguments:
+ after -- A pagination token used with the `limit` parameter to manage pagination of results. String.
+ On your first request, don't provide an `after` token. On subsequent requests, provide
+ the `after` token from the previous response to continue from that place in the results.
+ offset -- Starting index of overall result set from which to return IDs. Integer.
+ limit -- The number of items to return in this response (default: 100, max: 10000). Integer.
+ Use with the after parameter to manage pagination of results.
+ sort -- Sort vulnerabilities by their properties. String.
+ Can be used in a format |asc for ascending order or |desc for descending order.
+ Available sort options:
+ created_timestamp|asc/desc
+ updated_timestamp|asc/desc
+ filter -- Filter items using a query in Falcon Query Language (FQL). String.
+ Wildcards * and empty filter values are unsupported.
+ Available filter fields that supports exact match:
+ id provider
+ cve_ids cwe_ids
+ impact.cvss_v2.base_metrics.vector impact.cvss_v2.temporal_metrics.vector
+ impact.cvss_v3.base_metrics.integrity_impact impact.cvss_v3.base_metrics.vector
+ impact.cvss_v3.temporal_metrics.vector
+ Available filter fields that supports range comparisons (>, <, >=, <=):
+ created_timestamp impact.cvss_v2.base_metrics.base_score
+ impact.cvss_v3.base_metrics.base_score impact.cvss_v2.temporal_metrics.temporal_score
+ impact.cvss_v3.temporal_metrics.temporal_score source_created_timestamp
+ source_updated_timestamp updated_timestamp
+
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/spotlight-vulnerability-metadata/combineVulnMetadataExt
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="combineVulnMetadataExt",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ combineVulnMetadataExt = get_cve_metadata
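Review bot: The module header ends with `For more information, please refer to` and nothing follows, so the reference is incomplete; the Unlicense text this header reproduces closes that sentence with its URL, https://unlicense.org, and the line should carry it (disregard if the link was merely lost in rendering). In the get_cve_metadata docstring, `Available filter fields that supports exact match:` and `that supports range comparisons` should read `support`. The one-line summary `Retrieve CVEs(vulnerability metadata) entities by specifying their ids.` is missing a space and implies an `ids` keyword that the keyword list does not offer; since selection is done through `filter`, `Retrieve CVE (vulnerability metadata) entities matching a filter.` describes what the call actually accepts.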
diff --git a/src/falconpy/threatgraph.py b/src/falconpy/threatgraph.py
index 51765633..f4f8e0a0 100644
--- a/src/falconpy/threatgraph.py
+++ b/src/falconpy/threatgraph.py
@@ -265,7 +265,7 @@ def get_ran_on(self: object, parameters: dict = None, **kwargs) -> Union[Dict[st
@force_default(defaults=["parameters"], default_types=["dict"])
def get_summary(self: object,
parameters: dict = None,
- vertex_type: str = "any-vertext",
+ vertex_type: str = "any-vertex",
**kwargs
) -> Union[Dict[str, Union[int, dict]], Result]:
"""Retrieve summary for a given vertex ID.
diff --git a/src/falconpy/user_management.py b/src/falconpy/user_management.py
index 30c69e0f..e60db5ff 100644
--- a/src/falconpy/user_management.py
+++ b/src/falconpy/user_management.py
@@ -262,10 +262,75 @@ def get_user_grants(self: object, *args, parameters: dict = None, **kwargs) -> U
params=handle_single_argument(args, parameters, "user_uuid")
)
+ @force_default(defaults=["body", "parameters"], default_types=["dict", "dict"])
+ def get_roles_mssp(self: object,
+ *args,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Get info about a role, supports Flight Control.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/user-management/entitiesRolesGETV2
+
+ Keyword arguments
+ ----
+ cid : str
+ Customer ID to get available roles for.
+ Providing no value for `cid` returns results for the current CID.
+ ids : str or list[str] (required)
+ List of role IDs to retrieve. Comma-delimited strings accepted.
+ Must be provided as a keyword, argument or part of the `body` payload.
+ parameters : str
+ Full parameters payload in JSON format, not required if `ids` is provided as a keyword.
+
+ Arguments
+ ----
+ When not specified, the first argument to this method is assumed to be `ids`.
+ All others are ignored.
+
+ Returns
+ ----
+ dict
+ Dictionary containing API response.
+ """
+ parameters = handle_single_argument(args, parameters, "ids")
+
+ if not body:
+ body = generic_payload_list(submitted_keywords=kwargs, payload_value="ids")
+ # Try to gracefully catch IDs passed incorrectly as a query string parameter
+ if parameters:
+ if "ids" in parameters and "ids" not in body:
+ body["ids"] = parameters["ids"]
+ parameters.pop("ids")
+
+ if "ids" in body:
+ # Make sure the provided ids are a properly formatted list
+ if isinstance(body["ids"], str):
+ body["ids"] = body["ids"].split(",")
+
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="entitiesRolesGETV2",
+ keywords=kwargs,
+ params=parameters,
+ body=body
+ )
+
@force_default(defaults=["parameters"], default_types=["dict"])
- def get_roles_mssp(self: object, *args, parameters: dict = None, **kwargs) -> Union[Dict[str, Union[int, dict]], Result]:
+ def get_roles_mssp_v1(self: object,
+ *args,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
"""Get information about a role, supports Flight Control.
+ * DEPRECATED*
+
HTTP Method: GET
Swagger URL
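Review bot: The new get_roles_mssp docstring does not document the `body` parameter the method now accepts, even though the `ids` entry says ids may be supplied as part of the body payload; add an entry such as `body : dict` followed by `Full body payload as a dictionary; not required if ids is provided as a keyword or argument.` The `parameters : str` line should also read `parameters : dict`, matching the signature. Two smaller points: `body["ids"] = body["ids"].split(",")` keeps surrounding whitespace, so `"a, b"` yields `" b"` as the second id, and get_roles_mssp_v1 is only marked deprecated in its docstring, so if the SDK has a deprecation-warning convention, emitting one here would steer callers to the V2 path. Reusing the name get_roles_mssp for a POST that previously was a GET with query parameters is source-compatible but changes the wire call for existing callers, which deserves a changelog line.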
@@ -344,12 +409,11 @@ def user_action(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Un
body = generic_payload_list(submitted_keywords=kwargs,
payload_value="ids"
)
- action = {
- "action_name": kwargs.get("action_name", "reset_password"),
- "action_value": kwargs.get("action_value", "")
- }
- body["action"] = []
- body["action"].append(action)
+ body["action"] = {}
+ if kwargs.get("action_name", None):
+ body["action"]["action_name"] = kwargs.get("action_name", "reset_password")
+ if kwargs.get("action_value", None):
+ body["action"]["action_value"] = kwargs.get("action_value", "")
return process_service_request(
calling_object=self,
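Review bot: The fallbacks in `kwargs.get("action_name", "reset_password")` and `kwargs.get("action_value", "")` are now unreachable, because each assignment is guarded by `if kwargs.get(...)`, which only passes when the key is present and truthy; the former default of `reset_password` is therefore gone and a caller omitting action_name now sends `"action": {}`. If that default is still intended, drop the guard on action_name and keep `body["action"]["action_name"] = kwargs.get("action_name", "reset_password")`; if it is not, use plain `kwargs["action_name"]` / `kwargs["action_value"]` inside the guards so the code stops advertising a default that never applies. Note also that `if kwargs.get("action_value", None):` discards a legitimately falsy value such as an empty string, which the previous code passed through. user_action's signature and return are outside the hunk.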
@@ -688,6 +752,7 @@ def query_users(self: object, parameters: dict = None, **kwargs) -> Union[Dict[s
direct_assigned_cids status
first_name uid
has_temporary_roles temporarily_assigned_cids
+ uuid
limit : int (range 1-500, default 0)
The maximum number of records to return.
offset : int (default 0)
@@ -1227,7 +1292,8 @@ def retrieve_user_uuid(self: object,
CombinedUserRolesV2 = get_user_grants
get_user_roles = get_user_grants # Helper alias
get_user_roles_combined = get_user_grants # Helper alias
- entitiesRolesV1 = get_roles_mssp
+ entitiesRolesGETV2 = get_roles_mssp
+ entitiesRolesV1 = get_roles_mssp_v1
userActionV1 = user_action
userRolesActionV1 = user_roles_action
retrieveUsersGETV1 = retrieve_users
diff --git a/src/falconpy/workflows.py b/src/falconpy/workflows.py
index 7af382a6..26351ccf 100644
--- a/src/falconpy/workflows.py
+++ b/src/falconpy/workflows.py
@@ -42,7 +42,8 @@
force_default,
process_service_request,
handle_single_argument,
- generate_error_result
+ generate_error_result,
+ args_to_params
)
from ._payload import (
simple_action_parameter,
@@ -456,12 +457,17 @@ def mock_execute(self: object,
String or List of Strings.
execution_cid -- CID(s) to execute on. This can be a child for Flight Control scenarios.
If unset, the definition CID is used. String or List of strings.
+ ignore_activity_mock_references -- When enabled, treats all activity mocks in the definition as disabled for this mock
+ execution. Mocks provided in the request body are treated normally. Boolean.
name -- Workflow name to execute. Either a name or ID can be specified. String.
parameters -- Full parameters payload in dictionary (JSON) format. Not required
if you are using other keywords. Dictionary.
key -- Key used to help deduplicate executions. If unset a new UUID is used. String.
depth -- Used to record the execution depth to help limit execution loops when a workflow
triggers another. The maximum depth is 4. Integer.
+ skip_validation -- When enabled, skips validating mocks from the request body against the mocked entity's
+ output schema. Mocks provided in the definition by reference are not validated in any case.
+ Boolean.
source_event_url -- Used to record a URL to the source that led to trigger the workflow.
String.
validate_only -- PRevent execution after validating mocks against definition. Boolean.
@@ -840,6 +846,61 @@ def provision(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Unio
body=body
)
+ @force_default(defaults=["parameters", "body"], default_types=["dict"])
+ def workflow_definition_action(self: object,
+ body: dict = None,
+ parameters: dict = None,
+ **kwargs
+ ) -> Union[Dict[str, Union[int, dict]], Result]:
+ """Enable or disable a workflow definition, or stop all executions for a definition.
+
+ When a definition is disabled it will not execute against any new trigger events.
+
+ Keyword arguments:
+ action_name -- action to perform, 'enable', 'disable', or 'cancel'.
+ body -- full body payload, not required if ids are provided as keyword.
+ You must use body if you are going to specify action_parameters.
+ {
+ "ids": [
+ "string"
+ ]
+ }
+ ids -- IDs of workflow definitions to perform the action against. String or list of strings.
+ parameters - full parameters payload, not required if action_name is provide as a keyword.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: POST
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/workflows/WorkflowDefinitionsAction
+ """
+ if not body:
+ body = generic_payload_list(submitted_keywords=kwargs, payload_value="ids")
+
+ _allowed_actions = ['enable', 'disable', 'cancel']
+ operation_id = "WorkflowDefinitionsAction"
+ parameter_payload = args_to_params(parameters, kwargs, Endpoints, operation_id)
+ action_name = parameter_payload.get("action_name", "Not Specified")
+ # Only process allowed actions
+ if action_name.lower() in _allowed_actions:
+ returned = process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id=operation_id,
+ body=body,
+ keywords=kwargs,
+ params=parameters,
+ body_validator={"ids": list} if self.validate_payloads else None,
+ body_required=["ids"] if self.validate_payloads else None
+ )
+ else:
+ returned = generate_error_result("Invalid value specified for action_name parameter.")
+
+ return returned
+
# These method names align to the operation IDs in the API but
# do not conform to snake_case / PEP8 and are defined here for
# backwards compatibility / ease of use purposes
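Review bot: The decorator on the first line of the new method lists two defaults but only one type, `@force_default(defaults=["parameters", "body"], default_types=["dict"])`, whereas every other body-bearing method in this change spells `default_types=["dict", "dict"]`; if force_default falls back to a dict for a missing type entry this is harmless, but the asymmetry invites a wrong default later and should be made `["dict", "dict"]`. `action_name.lower()` assumes a string, so a non-string value passed through `parameters` raises AttributeError instead of reaching the `generate_error_result` branch; `str(action_name).lower()` would keep the rejection path intact. The docstring has two slips: `You must use body if you are going to specify action_parameters.` refers to a key this payload does not carry, and `parameters - full parameters payload, not required if action_name is provide as a keyword.` should use `--` and `provided` like the other entries. `_allowed_actions` also uses single-quoted strings and an underscore prefix for a plain local, which differs from the surrounding file's style.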
@@ -851,6 +912,8 @@ def provision(self: object, body: dict = None, **kwargs) -> Union[Dict[str, Unio
WorkflowDefinitionsExport = export_definition
WorkflowDefinitionsImport = import_definition
WorkflowDefinitionsUpdate = update_definition
+ WorkflowDefinitionsStatus = workflow_definition_action
+ WorkflowDefinitionsAction = workflow_definition_action
WorkflowExecute = execute
WorkflowExecuteInternal = execute_internal
WorkflowMockExecute = mock_execute
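Review bot: Both new aliases `WorkflowDefinitionsStatus` and `WorkflowDefinitionsAction` point at `workflow_definition_action`, which hardcodes `operation_id = "WorkflowDefinitionsAction"`, so a caller using the Status alias is routed to the Action operation. If Status is simply the previous name of the same operation that is fine, but nothing in the hunk says so; if it is a distinct operation the alias silently targets the wrong endpoint. Suggest documenting the intent on the alias line, `WorkflowDefinitionsStatus = workflow_definition_action  # legacy name for WorkflowDefinitionsAction`, or a separate method if the operations differ.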
diff --git a/tests/test_aspm.py b/tests/test_aspm.py
index af9d2e98..f4552e33 100644
--- a/tests/test_aspm.py
+++ b/tests/test_aspm.py
@@ -93,8 +93,10 @@ def test_all_code_paths(self):
"SetCloudSecurityIntegrationState2": falcon.set_cloud_security_integration_state(body={"is_enabled": False}),
}
for key in tests:
- if tests[key]["status_code"] not in AllowedResponses:
- error_checks = False
- # print(key)
- # print(tests[key])
+ if not isinstance(tests[key], bytes):
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+
assert error_checks
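Review bot: The new `isinstance(tests[key], bytes)` guard skips every check for a bytes result, so whichever entry returns raw bytes is accepted regardless of what came back, and the hunk does not say which entry that is. A one-line comment naming it would keep the exemption honest, e.g. `# raw-download calls return the payload as bytes rather than a result dict, so there is no status to check` — presumably that is the case here, but it is worth confirming against the service class. The `tests` dict being iterated starts above the hunk.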
diff --git a/tests/test_authentications.py b/tests/test_authentications.py
index 122dc889..9559a662 100644
--- a/tests/test_authentications.py
+++ b/tests/test_authentications.py
@@ -16,7 +16,6 @@
version,
InvalidCredentialFormat,
Hosts,
- Detects
)
from falconpy._util import confirm_base_region, confirm_base_url
from falconpy._version import _TITLE, _VERSION
@@ -51,12 +50,12 @@ def serviceAny_TestBadCredRevoke(self):
return False
def serviceAny_TestStaleObjectAuth(self):
- falcon = Detects(auth_object=OAuth2(creds={"client_id": auth.config["falcon_client_id"],
+ falcon = Hosts(auth_object=OAuth2(creds={"client_id": auth.config["falcon_client_id"],
"client_secret": auth.config["falcon_client_secret"]
},
base_url = "us-1", # Testing dashed base specifier
debug=_DEBUG))
- result = falcon.QueryDetects()
+ result = falcon.QueryDevicesByFilterScroll()
if result["status_code"] in AllowedResponses:
return True
else:
@@ -142,12 +141,12 @@ def serviceAny_forceGovCloudAutoSelectFailure(self):
}
result = falcon.command("oauth2AccessToken", data=t_creds, base_url="usgov1")
if result["status_code"] == 201:
- falcon = Detects(client_id=os.environ["CROSS_DEBUG_KEY"],
- client_secret=os.environ["CROSS_DEBUG_SECRET"],
- base_url="usgov1",
- renew_window=300,
- debug=_DEBUG
- )
+ falcon = Hosts(client_id=os.environ["CROSS_DEBUG_KEY"],
+ client_secret=os.environ["CROSS_DEBUG_SECRET"],
+ base_url="usgov1",
+ renew_window=300,
+ debug=_DEBUG
+ )
result = falcon.auth_object.token()
if result["status_code"] == 429:
pytest.skip("Rate limit hit")
@@ -169,8 +168,8 @@ def serviceAny_TestObjectAuth(self):
)
auth_obj.token()
# While we're at it, test user_agent override
- falcon = Detects(auth_object=auth_obj, user_agent=f"{_TITLE}/{str(_VERSION)}", debug=_DEBUG)
- result = falcon.QueryDetects()
+ falcon = Hosts(auth_object=auth_obj, user_agent=f"{_TITLE}/{str(_VERSION)}", debug=_DEBUG)
+ result = falcon.QueryDevicesByFilterScroll()
if result["status_code"] not in AllowedResponses:
_returned = False
# And test the new built in logout functionality
@@ -202,8 +201,8 @@ def serviceAny_TestObjectAuth(self):
def serviceAny_TestBadObjectAuth(self):
# Should also test bad direct auth in the authentication class
- falcon = Detects(auth_object=OAuth2(debug=_DEBUG))
- result = falcon.QueryDetects()
+ falcon = Hosts(auth_object=OAuth2(debug=_DEBUG))
+ result = falcon.QueryDevicesByFilterScroll()
if result["status_code"] in AllowedResponses:
return True
else:
@@ -217,8 +216,8 @@ def serviceAny_TestEasyObjectAuth(self):
# auth_obj.token()
# Test passing just the service class object, not the auth_object attribute
# Service Class base object should detect and handle this.
- falcon = Detects(auth_object=auth_obj)
- result = falcon.QueryDetects()
+ falcon = Hosts(auth_object=auth_obj)
+ result = falcon.QueryDevicesByFilterScroll()
if result["status_code"] in AllowedResponses:
return True
else:
@@ -354,3 +353,13 @@ def test_named_log_target(self):
named_log = logging.getLogger("named_target")
test_object = Hosts(debug=named_log, pythonic=True, access_token=auth.authorization.token_value, base_url=auth.authorization.base_url)
assert bool(test_object.query_devices_by_filter_scroll(limit=1).status_code == 200)
+
+ def test_child_login_logout(self):
+ _success = False
+ test_object = Hosts(client_id="whatever", client_secret="whatever", debug=_DEBUG)
+ failed_child_login = test_object.child_login(member_cid="12345678")
+ if not failed_child_login:
+ failed_child_login = test_object.child_logout(login_as_parent=False)
+ if not failed_child_login:
+ _success = True
+ assert _success
\ No newline at end of file
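Review bot: `test_child_login_logout` only checks that both calls return something falsy, so it passes whether `child_login` failed because the credentials are bogus or for any other reason, such as an exception swallowed inside the SDK or a bug that always returns False. Two direct assertions would at least localize the failure: `assert not test_object.child_login(member_cid="12345678")` followed by `assert not test_object.child_logout(login_as_parent=False)`. If the SDK exposes a status or reason for the failed child login, asserting on that would turn this into a genuine negative test rather than a check that nothing raised. The file also loses its trailing newline.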
diff --git a/tests/test_cao_hunting.py b/tests/test_cao_hunting.py
index f338e9b3..b40895f7 100644
--- a/tests/test_cao_hunting.py
+++ b/tests/test_cao_hunting.py
@@ -23,10 +23,13 @@ class TestCAOHunting:
def test_all_code_paths(self):
error_checks = True
tests = {
+ "AggregateHuntingGuides": falcon.aggregate_guides(body={}),
"AggregateIntelligenceQueries": falcon.aggregate_queries(),
"GetArchiveExport": falcon.create_export_archive(),
"GetIntelligenceQueries": falcon.get_queries(),
- "SearchIntelligenceQueries": falcon.search_queries()
+ "SearchIntelligenceQueries": falcon.search_queries(),
+ "GetHuntingGuides": falcon.get_guides(ids="12345678"),
+ "SearchHuntingGuides": falcon.search_guides()
}
for key in tests:
if tests[key]["status_code"] not in AllowedResponses:
diff --git a/tests/test_case_management.py b/tests/test_case_management.py
new file mode 100644
index 00000000..680c2d7a
--- /dev/null
+++ b/tests/test_case_management.py
@@ -0,0 +1,78 @@
+# test_case_management.py
+# This class tests the CaseManagement service class
+
+# import json
+import os
+import sys
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+# Classes to test - manually imported from sibling folder
+from falconpy import CaseManagement
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = CaseManagement(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 404, 429]
+
+
+class TestCaseManagement:
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "aggregates_file_details_post_v1": falcon.aggregates_file_details_post_v1(),
+ "combined_file_details_get_v1": falcon.query_file_details(),
+ "entities_file_details_get_v1": falcon.get_file_details(ids="1234567890"),
+ #"entities_file_details_patch_v1": falcon.update_file_details(body={}),
+ "entities_files_bulk_download_post_v1": falcon.bulk_download_files(body={}),
+ "entities_files_download_get_v1": falcon.download_existing_files(id="1234567890"),
+ #"entities_files_upload_post_v1": falcon.CHECKTHIS_upload_file(),
+ "entities_files_delete_v1": falcon.delete_file_details(ids="1234567890"),
+ "queries_file_details_get_v1": falcon.query_file_detail_ids(),
+ "aggregates_notification_groups_post_v1": falcon.get_notification_groups(body={}),
+ "aggregates_notification_groups_post_v2": falcon.get_notification_groups_v2(body={}),
+ "aggregates_slas_post_v1": falcon.get_sla_aggregations(body={}),
+ "aggregates_templates_post_v1": falcon.get_template_aggregations(body={}),
+ "entities_fields_get_v1": falcon.get_fields(ids=["1234567890"]),
+ "entities_notification_groups_get_v1": falcon.get_notification_groups(ids=["1234567890"]),
+ "entities_notification_groups_post_v1": falcon.create_notification_group(body={}),
+ "entities_notification_groups_patch_v1": falcon.update_notification_group(body={}),
+ "entities_notification_groups_delete_v1": falcon.delete_notification_group(ids=["1234567890"]),
+ "entities_notification_groups_post_v2": falcon.create_notification_group_v2(body={}),
+ "entities_notification_groups_patch_v2": falcon.update_notification_group_v2(body={}),
+ "entities_notification_groups_delete_v2": falcon.delete_notification_group_v2(ids=["1234567890"]),
+ "entities_slas_get_v1": falcon.get_slas(ids="1234567890"),
+ "entities_slas_post_v1": falcon.create_sla(body={}),
+ "entities_slas_patch_v1": falcon.update_sla(body={}),
+ "entities_slas_delete_v1": falcon.delete_sla(ids="1234567890"),
+ "entities_template_snapshots_get_v1": falcon.get_template_snapshots(template_ids="1234567890"),
+ "entities_templates_export_get_v1": falcon.export_templates(ids="1234567890"),
+ "entities_templates_import_post_v1": falcon.import_template(file="README.md"),
+ "entities_templates_get_v1": falcon.get_templates(ids="1234567890"),
+ "entities_templates_post_v1": falcon.create_template(body={}),
+ "entities_templates_patch_v1": falcon.update_template(body={}),
+ "entities_templates_delete_v1": falcon.delete_templates(ids="1234567890"),
+ "queries_fields_get_v1": falcon.query_fields(),
+ "queries_notification_groups_get_v1": falcon.query_notification_groups(),
+ "queries_notification_groups_get_v2": falcon.query_notification_groups_v2(),
+ "queries_slas_get_v1": falcon.query_slas(),
+ "queries_template_snapshots_get_v1": falcon.query_template_snapshots(),
+ "queries_templates_get_v1": falcon.query_templates(),
+ "entities_alert_evidence_post_v1": falcon.add_case_alert_evidence(body={}),
+ "entities_case_tags_post_v1": falcon.add_case_tags(body={}),
+ "entities_case_tags_delete_v1": falcon.delete_case_tags(id="1234567890", tag="todo"),
+ "entities_cases_put_v2": falcon.create_case(body={}),
+ "entities_cases_post_v2": falcon.get_cases(ids="1234567890"),
+ "entities_cases_patch_v2": falcon.update_case_fields(body={}),
+ "entities_event_evidence_post_v1": falcon.add_case_event_evidence(body={}),
+ "queries_cases_get_v1": falcon.query_case_ids()
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
\ No newline at end of file
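Review bot: The loop at the bottom discards which operation failed; when `error_checks` flips to False the assertion reports nothing about the key, and the `print` lines meant to help are commented out, so a regression in any of the ~45 calls surfaces as a bare `assert False`. Collecting the failures makes the assertion self-describing: `failed = [k for k, r in tests.items() if r["status_code"] not in AllowedResponses]` then `assert not failed, failed`. The commented-out `falcon.CHECKTHIS_upload_file()` entry looks like a leftover placeholder rather than a real method name and should either be resolved or replaced with a TODO explaining why upload is not covered. The file also ends without a trailing newline.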
diff --git a/tests/test_cloud_aws_registration.py b/tests/test_cloud_aws_registration.py
index dc44e64c..bdebd309 100644
--- a/tests/test_cloud_aws_registration.py
+++ b/tests/test_cloud_aws_registration.py
@@ -23,11 +23,12 @@ class TestCloudAWSRegistration:
def test_all_code_paths(self):
error_checks = True
tests = {
+ "cloud_registration_aws_trigger_health_check": falcon.trigger_health_check(account_ids="whatever", organization_ids="whatever"),
"cloud_registration_aws_get_accounts": falcon.get_accounts(ids="12345678"),
"cloud_registration_aws_create_account": falcon.create_account(account_type="whatever", csp_events=False, products={"product": "whatever"}),
"cloud_registration_aws_update_account": falcon.update_account(account_type="whatever", csp_events=True),
"cloud_registration_aws_delete_account": falcon.delete_account(organization_ids="12345678"),
- # "cloud_registration_aws_validate_accounts": falcon.validate_accounts(products="whatever", account_id="whatever", iam_role_arn="whatever"),
+ "cloud_registration_aws_validate_accounts": falcon.validate_accounts(account_id="whatever", iam_role_arn="whatever"),
"cloud_registration_aws_query_accounts": falcon.query_accounts(products="whatever", features="whatever"),
}
for key in tests:
diff --git a/tests/test_cloud_azure_registration.py b/tests/test_cloud_azure_registration.py
index a08499e4..e131cb43 100644
--- a/tests/test_cloud_azure_registration.py
+++ b/tests/test_cloud_azure_registration.py
@@ -84,12 +84,15 @@ class TestCloudAzureRegistration:
def test_all_code_paths(self):
error_checks = True
tests = {
+ "cloud_registration_azure_delete_legacy_subscription": falcon.delete_legacy_subscription(body={}),
+ "cloud_registration_azure_trigger_health_check": falcon.health_check(tenant_id="12345678"),
"cloud_registration_azure_get_registration": falcon.get_registration(tenant_id="12345678"),
"cloud_registration_azure_create_registration": falcon.create_registration(**AZURE_PAYLOAD["resource"]),
"cloud_registration_azure_update_registration": falcon.update_registration(**AZURE_PAYLOAD["resource"]),
"cloud_registration_azure_delete_registration": falcon.delete_registration(tenant_ids="12345678"),
"download_azure_script": falcon.deployment_script(tenant_id="12345678"),
- "cloud_registration_azure_download_script": falcon.download_script(tenant_id="12345678")
+ "cloud_registration_azure_download_script": falcon.download_script(tenant_id="12345678"),
+ "cloud_registration_azure_validate_registration": falcon.validate_registration(tenant_id="12345678", stack_name="12345678")
}
for key in tests:
if tests[key]["status_code"] not in AllowedResponses:
diff --git a/tests/test_cloud_google_cloud_registration.py b/tests/test_cloud_google_cloud_registration.py
new file mode 100644
index 00000000..bff96053
--- /dev/null
+++ b/tests/test_cloud_google_cloud_registration.py
@@ -0,0 +1,39 @@
+# test_cloud_google_cloud_registration.py
+# This class tests the cloud_google_cloud_registration service class
+
+# import json
+import os
+import sys
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+# Classes to test - manually imported from sibling folder
+from falconpy import CloudGoogleCloudRegistration
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = CloudGoogleCloudRegistration(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 403, 404, 429]
+
+
+class TestCloudGoogleCloudRegistration:
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "cloud_registration_gcp_trigger_health_check": falcon.trigger_health_check(ids="12345678"),
+ "cloud_registration_gcp_get_registration": falcon.get_registration(ids="12345678"),
+ "cloud_registration_gcp_put_registration": falcon.update_registration(body={}),
+ "cloud_registration_gcp_create_registration": falcon.create_registration(body={}),
+ "cloud_registration_gcp_update_registration": falcon.cloud_registration_gcp_update_registration(ids="12345678", body={}),
+ "cloud_registration_gcp_delete_registration": falcon.delete_registration(ids="12345678")
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ if not (key == "cloud_registration_gcp_trigger_health_check" and tests[key]["status_code"] == 500):
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
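Review bot: The carve-out that lets `cloud_registration_gcp_trigger_health_check` return 500 has no comment saying why a server error is acceptable, so the next reader cannot tell a known backend condition from a masked regression. Add the reason where the exception is made, e.g. `# health check currently returns 500 for an unknown registration id; remove once the API returns 404` — the actual reason is not visible in the diff and should be confirmed. If the condition is transient, an `xfail(strict=False)` on a dedicated test would be clearer than a status-code exemption inside the loop.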
diff --git a/tests/test_cloud_policies.py b/tests/test_cloud_policies.py
new file mode 100644
index 00000000..405063aa
--- /dev/null
+++ b/tests/test_cloud_policies.py
@@ -0,0 +1,61 @@
+# test_cloud_policies.py
+# This class tests the CloudPolicies service class
+
+# import json
+import os
+import sys
+import pytest
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Classes to test - manually imported from sibling folder
+from falconpy import CloudPolicies
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = CloudPolicies(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 401, 404, 429, 500]
+
+
+class TestCloudPolicies:
+ @pytest.mark.skipif(config.base_url == "https://api.laggar.gcw.crowdstrike.com",
+ reason="Unit testing unavailable on US-GOV-1"
+ )
+ def test_all_code_paths(self):
+ error_checks = True
+
+ tests = {
+ "ReplaceControlRules": falcon.ReplaceControlRules(body={}),
+ "GetComplianceControls": falcon.GetComplianceControls(ids="1234567"),
+ "CreateComplianceControl": falcon.CreateComplianceControl(body={}),
+ "UpdateComplianceControl": falcon.UpdateComplianceControl(body={}),
+ "DeleteComplianceControl": falcon.DeleteComplianceControl(ids="1234567"),
+ "RenameSectionComplianceFramework": falcon.RenameSectionComplianceFramework(ids="1234567"),
+ "GetComplianceFrameworks": falcon.GetComplianceFrameworks(ids="1234567"),
+ "CreateComplianceFramework": falcon.CreateComplianceFramework(body={}),
+ "UpdateComplianceFramework": falcon.UpdateComplianceFramework(body={}),
+ "DeleteComplianceFramework": falcon.DeleteComplianceFramework(ids="1234567"),
+ "GetEvaluationResult": falcon.GetEvaluationResult(body={}),
+ "GetRuleOverride": falcon.GetRuleOverride(ids="1234567"),
+ "CreateRuleOverride": falcon.CreateRuleOverride(body={}),
+ "UpdateRuleOverride": falcon.UpdateRuleOverride(body={}),
+ "DeleteRuleOverride": falcon.DeleteRuleOverride(ids="1234567"),
+ "GetRule": falcon.GetRule(ids="1234567"),
+ "CreateRuleMixin0": falcon.CreateRuleMixin0(body={}),
+ "UpdateRule": falcon.UpdateRule(body={}),
+ "DeleteRuleMixin0": falcon.DeleteRuleMixin0(ids="1234567"),
+ "QueryComplianceControls": falcon.QueryComplianceControls(),
+ "QueryComplianceFrameworks": falcon.QueryComplianceFrameworks(),
+ "QueryRule": falcon.QueryRule(),
+ "GetRuleInputSchema": falcon.GetRuleInputSchema(domain="whatever", subdomain="whatever", resource_type="whatever"),
+ "GetEnrichedAsset": falcon.GetEnrichedAsset(ids="1234567")
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
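Review bot: `from falconpy import CloudPolicies` runs before `sys.path.append(os.path.abspath('src'))`, so contrary to the comment the class is resolved from whatever `falconpy` is already importable rather than from the sibling `src` tree; the other new test files in this change do the `sys.path` append first. Move the import below the append: `sys.path.append(os.path.abspath('src'))` then `from falconpy import CloudPolicies`. Separately, `AllowedResponses` includes 401 and 500: a 401 means the token or scope is broken and a 500 is a server fault, so an endpoint that cannot be used at all still passes; if those codes are expected for specific operations, exempt those keys with a comment rather than whitelisting the codes for every call.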
diff --git a/tests/test_cloud_security.py b/tests/test_cloud_security.py
new file mode 100644
index 00000000..edb352b8
--- /dev/null
+++ b/tests/test_cloud_security.py
@@ -0,0 +1,43 @@
+# test_cloud_security.py
+# This class tests the CloudSecurity service class
+
+# import json
+import os
+import sys
+import pytest
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Classes to test - manually imported from sibling folder
+from falconpy import CloudSecurity
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = CloudSecurity(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 404, 429, 500]
+
+
+class TestCloudPolicies:
+ @pytest.mark.skipif(config.base_url == "https://api.laggar.gcw.crowdstrike.com",
+ reason="Unit testing unavailable on US-GOV-1"
+ )
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "combined_cloud_risks": falcon.combined_cloud_risks(),
+ "ListCloudGroupsExternal": falcon.list_cloud_groups(),
+ "ListCloudGroupsByIDExternal": falcon.list_cloud_groups_by_id(),
+ "CreateCloudGroupExternal": falcon.create_cloud_group(body={}),
+ "UpdateCloudGroupExternal": falcon.update_cloud_group(group={}),
+ "DeleteCloudGroupsExternal": falcon.delete_cloud_groups(ids="1234567"),
+ "ListCloudGroupIDsExternal": falcon.list_group_ids()
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
\ No newline at end of file
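Review bot: The test class in this new CloudSecurity file is named `TestCloudPolicies`, a copy-paste from the sibling file, which misattributes failures in test reports; rename it `TestCloudSecurity`. The import order has the same problem as the other new file: `from falconpy import CloudSecurity` precedes the `sys.path.append(...)`, so the sibling `src` package is not what gets tested unless it is already on the path. `AllowedResponses` here also accepts 500, which hides server-side failures for every call in the dict. No trailing newline at end of file.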
diff --git a/tests/test_cloud_security_assets.py b/tests/test_cloud_security_assets.py
index 975ccc6c..6ee0d3a2 100644
--- a/tests/test_cloud_security_assets.py
+++ b/tests/test_cloud_security_assets.py
@@ -23,13 +23,15 @@ class TestCloudSecurityAssets:
def test_all_code_paths(self):
error_checks = True
tests = {
+ "cloud_security_assets_combined_application_findings": falcon.combined_application_findings(crn="12345678", type="whatever"),
"cloud_security_assets_combined_compliance_by_account": falcon.get_combined_compliance_by_account(limit=1),
"cloud_security_assets_entities_get": falcon.get_assets("12345678"),
"cloud_security_assets_queries": falcon.query_assets(filter="zone:'bob'"),
}
for key in tests:
if tests[key]["status_code"] not in AllowedResponses:
- error_checks = False
- # print(key)
- # print(tests[key])
+ if key != "cloud_security_assets_combined_application_findings":
+ error_checks = False
+ # print(key)
+ # print(tests[key])
assert error_checks
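Review bot: The new `if key != "cloud_security_assets_combined_application_findings"` guard means that entry's status code is never checked, so the call is executed but can never fail the test. Either drop it from the dict with a TODO, or accept the specific code it is known to return today with a comment explaining why, e.g. `# combined_application_findings returns <code> for placeholder crn values` — the actual code is not visible in the diff and should be confirmed. A blanket exemption is indistinguishable from a test that was never written.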
diff --git a/tests/test_cloud_security_compliance.py b/tests/test_cloud_security_compliance.py
new file mode 100644
index 00000000..bb5ec2e6
--- /dev/null
+++ b/tests/test_cloud_security_compliance.py
@@ -0,0 +1,34 @@
+# test_cloud_security_compliance.py
+# This class tests the cloud_security_compliance service class
+
+# import json
+import os
+import sys
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+# Classes to test - manually imported from sibling folder
+from falconpy import CloudSecurityCompliance
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = CloudSecurityCompliance(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 403, 404, 429]
+
+
+class TestCloudSecurityCompliance:
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "cloud_compliance_framework_posture_summaries": falcon.framework_posture_summaries("1ab2c345-67d8-90e1-2345-6789f0a12bc3"),
+ "cloud_compliance_rule_posture_summaries": falcon.rule_posture_summaries(ids="1ab2c345-67d8-90e1-2345-6789f0a12bc3"),
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
diff --git a/tests/test_cloud_security_detections.py b/tests/test_cloud_security_detections.py
new file mode 100644
index 00000000..1fa39914
--- /dev/null
+++ b/tests/test_cloud_security_detections.py
@@ -0,0 +1,34 @@
+# test_cloud_security_detections.py
+# This class tests the CloudSecurityDetections service class
+
+# import json
+import os
+import sys
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+# Classes to test - manually imported from sibling folder
+from falconpy import CloudSecurityDetections
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = CloudSecurityDetections(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 403, 404, 429]
+
+
+class TestCloudSecurityAssets:
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "cspm_evaluations_iom_entities": falcon.get_iom_entities(ids = "1234567"),
+ "cspm_evaluations_iom_queries": falcon.query_iom_entities()
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
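Review bot: The class is named `TestCloudSecurityAssets` in a file that tests `CloudSecurityDetections`; rename it `TestCloudSecurityDetections` so the test id in reports points at the right service. The keyword argument `ids = "1234567"` uses spaces around `=`, which PEP 8 discourages for keyword arguments: `falcon.get_iom_entities(ids="1234567")`.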
diff --git a/tests/test_cloud_snapshots.py b/tests/test_cloud_snapshots.py
index a517421d..58edfb4f 100644
--- a/tests/test_cloud_snapshots.py
+++ b/tests/test_cloud_snapshots.py
@@ -23,6 +23,7 @@ def run_tests(self):
error_checks = True
tests = {
+ "CombinedDetections": falcon.search_detections(),
"RegisterAccount": falcon.register_account(aws_accounts=[{"account_number": "1"}]),
"RegisterAccountToo": falcon.register_account(account_number="12345678"),
"ReadDeploymentsCombined": falcon.search_scan_jobs(),
diff --git a/tests/test_container_images.py b/tests/test_container_images.py
index 61710671..6b0282ca 100644
--- a/tests/test_container_images.py
+++ b/tests/test_container_images.py
@@ -39,7 +39,8 @@ def test_all_code_paths(self):
}
for key in tests:
if tests[key]["status_code"] not in AllowedResponses:
- error_checks = False
- # print(key)
- # print(tests[key])
+ if key != "DeleteBaseImages":
+ error_checks = False
+ # print(key)
+ # print(tests[key])
assert error_checks
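Review bot: The added `if key != "DeleteBaseImages"` exemption means the DeleteBaseImages call, defined above the hunk, still runs against the tenant but its result is never inspected, so it can neither fail the test nor reveal when the endpoint changes behaviour. If a particular status is expected, allow that status for that key with a comment; if the call is simply flaky, mark it where it is defined rather than inside the checking loop. A delete operation that is never verified is the one you least want passing silently.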
diff --git a/tests/test_correlation_rules_admin.py b/tests/test_correlation_rules_admin.py
new file mode 100644
index 00000000..f307eddd
--- /dev/null
+++ b/tests/test_correlation_rules_admin.py
@@ -0,0 +1,33 @@
+# test_cloud_security_rules_admin.py
+# This class tests the CorrelationRulesAdmin service class
+
+# import json
+import os
+import sys
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+# Classes to test - manually imported from sibling folder
+from falconpy import CorrelationRulesAdmin
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = CorrelationRulesAdmin(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 403, 404, 429]
+
+
+class TestCloudSecurityAssets:
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "entities_rules_ownership_put_v1": falcon.change_correlation_rule_owner(body={}),
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
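Review bot: The header comment says `# test_cloud_security_rules_admin.py` but the file is `tests/test_correlation_rules_admin.py`, and the class is named `TestCloudSecurityAssets` although it tests `CorrelationRulesAdmin`; both look copy-pasted. Rename to `# test_correlation_rules_admin.py` and `class TestCorrelationRulesAdmin:` so reports and grep point at the right service.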
diff --git a/tests/test_d4c_registration.py b/tests/test_d4c_registration.py
index 9ccc8baa..d46871f3 100644
--- a/tests/test_d4c_registration.py
+++ b/tests/test_d4c_registration.py
@@ -104,7 +104,11 @@ def d4c_generate_errors(self):
),
"DeleteD4CAwsAccount": falcon.delete_aws_account("ID_DOES_NOT_EXIST"),
"GetD4CAwsConsoleSetupURLs": falcon.get_aws_console_setup("us-east-2"),
- "GetD4CAwsAccountScriptsAttachment": falcon.get_aws_account_scripts("123456789", custom_role_name="Bob"),
+ "GetD4CAwsAccountScriptsAttachment": falcon.get_aws_account_scripts(ids="12345678",
+ behavior_assessment_enabled=False,
+ sensor_management_enabled=False,
+ vulnerability_scanning_enabled=False
+ ),
"GetHorizonD4CScripts": falcon.get_aws_horizon_scripts(organization_id="123456789"),
"GetDiscoverCloudAzureTenantIDs": falcon.get_azure_tenant_ids(),
"DeleteD4CGCPAccount": falcon.delete_gcp_account("1234567"),
diff --git a/tests/test_dashboard.yml b/tests/test_dashboard.yml
new file mode 100644
index 00000000..cacbed99
--- /dev/null
+++ b/tests/test_dashboard.yml
@@ -0,0 +1,7 @@
+# This is an incomplete dashboard.
+
+name: Test-Dashboard
+description: Generic test dashboard
+stuff:
+ - Thing1
+ - Thing2
diff --git a/tests/test_data_protection_configuration.py b/tests/test_data_protection_configuration.py
new file mode 100644
index 00000000..b19a7401
--- /dev/null
+++ b/tests/test_data_protection_configuration.py
@@ -0,0 +1,80 @@
+# test_data_protection_configuration.py
+# This class tests the DataProtectionConfiguration service class
+
+# import json
+import os
+import sys
+import pytest
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+# Classes to test - manually imported from sibling folder
+from falconpy import DataProtectionConfiguration
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = DataProtectionConfiguration(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 403, 404, 429]
+
+
+class TestDataProtectionConfiguration:
+ @pytest.mark.skipif(config.base_url == "https://api.laggar.gcw.crowdstrike.com",
+ reason="Unit testing unavailable on US-GOV-1"
+ )
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "entities_classification_get_v2": falcon.get_classification(ids="test-id"),
+ "entities_classification_post_v2": falcon.create_classification(body={}),
+ "entities_classification_patch_v2": falcon.update_classifications(body={}),
+ "entities_classification_delete_v2": falcon.delete_classification(ids="test-id"),
+
+ "entities_cloud_application_get": falcon.get_cloud_application(ids="test-id"),
+ "entities_cloud_application_create": falcon.create_cloud_application(body={}),
+ "entities_cloud_application_patch": falcon.update_cloud_application(id="test-id", body={}),
+ "entities_cloud_application_delete": falcon.delete_cloud_application(ids="test-id"),
+
+ "entities_content_pattern_get": falcon.get_content_pattern(ids="test-id"),
+ "entities_content_pattern_create": falcon.create_content_pattern(body={}),
+ "entities_content_pattern_patch": falcon.update_content_pattern(id="test-id", body={}),
+ "entities_content_pattern_delete": falcon.delete_content_pattern(ids="test-id"),
+
+ "entities_enterprise_account_get": falcon.get_enterprise_account(ids="test-id"),
+ "entities_enterprise_account_create": falcon.create_enterprise_account(body={}),
+ "entities_enterprise_account_patch": falcon.update_enterprise_account(body={}),
+ "entities_enterprise_account_delete": falcon.delete_enterprise_account(ids="test-id"),
+
+ "entities_file_type_get": falcon.get_file_type(ids="test-id"),
+
+ "entities_sensitivity_label_get_v2": falcon.get_sensitivity_label(ids="test-id"),
+ "entities_sensitivity_label_create_v2": falcon.create_sensitivity_label(body={}),
+ "entities_sensitivity_label_delete_v2": falcon.delete_sensitivity_label(ids="test-id"),
+
+ "entities_policy_get_v2": falcon.get_policies(ids="test-id"),
+ "entities_policy_post_v2": falcon.create_policy(platform_name="win", body={}),
+ "entities_policy_patch_v2": falcon.update_policies(platform_name="win", body={}),
+ "entities_policy_delete_v2": falcon.delete_policies(ids="test-id", platform_name="win"),
+
+ "entities_web_location_get_v2": falcon.get_web_location(ids="test-id"),
+ "entities_web_location_create_v2": falcon.create_web_location(body={}),
+ "entities_web_location_patch_v2": falcon.update_web_location(id="test-id", body={}),
+ "entities_web_location_delete_v2": falcon.delete_web_location(ids="test-id"),
+
+ "queries_classification_get_v2": falcon.query_classifications(),
+ "queries_cloud_application_get_v2": falcon.query_cloud_applications(),
+ "queries_content_pattern_get_v2": falcon.query_content_patterns(),
+ "queries_enterprise_account_get_v2": falcon.query_enterprise_accounts(),
+ "queries_file_type_get_v2": falcon.query_file_type(),
+ "queries_sensitivity_label_get_v2": falcon.query_sensitivity_label(),
+ "queries_policy_get_v2": falcon.query_policies(platform_name="win"),
+ "queries_web_location_get_v2": falcon.query_web_locations(),
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
diff --git a/tests/test_detects.py b/tests/test_detects.py
index 8c25de1e..41f76083 100644
--- a/tests/test_detects.py
+++ b/tests/test_detects.py
@@ -12,7 +12,7 @@
auth = Authorization.TestAuthorization()
config = auth.getConfigObject()
falcon = Detects(auth_object=config, validate_payloads=True)
-AllowedResponses = [200, 400, 429]
+AllowedResponses = [200, 400, 404, 429]
class TestDetects:
diff --git a/tests/test_downloads.py b/tests/test_downloads.py
index e9781adf..8e19ef1f 100644
--- a/tests/test_downloads.py
+++ b/tests/test_downloads.py
@@ -22,6 +22,8 @@ class TestDownloads:
def test_all_code_paths(self):
error_checks = True
tests = {
+ "FetchFilesDownloadInfo": falcon.fetch_download_info(),
+ "FetchFilesDownloadInfoV2": falcon.fetch_download_info_v2(),
"DownloadFile": falcon.download(file_name="the_file_named_jeff.txt", file_version="1"),
"EnumerateFile": falcon.enumerate()
}
diff --git a/tests/test_falcon_container.py b/tests/test_falcon_container.py
index ac0f4a37..cf462e60 100644
--- a/tests/test_falcon_container.py
+++ b/tests/test_falcon_container.py
@@ -492,7 +492,10 @@ def run_tests(self):
"ReadExportJobs": falcon.read_export_jobs(ids="12345678"),
"LaunchExportJob": falcon.launch_export_job(format="json", resource="assets.clusters"),
"HeadImageScanInventory": falcon.get_scan_headers(),
- "PostImageScanInventory": falcon.scan_inventory(**SCAN_INVENTORY_SAMPLE_PAYLOAD)
+ "PostImageScanInventory": falcon.scan_inventory(**SCAN_INVENTORY_SAMPLE_PAYLOAD),
+ "PolicyChecks": falcon.check_prevention_policies(),
+ "GetReportByReference": falcon.get_report_by_reference(),
+ "GetReportByScanID": falcon.get_report_by_id()
}
for key in tests:
if tests[key]["status_code"] not in AllowedResponses:
diff --git a/tests/test_firewall_management.py b/tests/test_firewall_management.py
index ea505a5b..66439bdb 100644
--- a/tests/test_firewall_management.py
+++ b/tests/test_firewall_management.py
@@ -239,7 +239,7 @@ def firewall_test_all_code_paths(self):
if tests[key]["status_code"] not in AllowedResponses:
if os.getenv("DEBUG_API_BASE_URL", "us1").lower() != "https://api.laggar.gcw.crowdstrike.com":
# Flakiness
- if key != "delete_rule_groups":
+ if not key in ["delete_rule_groups", "get_network_locations", "update_network_locations_precedence"]:
error_checks = False
# print(f"Failed on {key} with {tests[key]}")
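Review bot: The new condition `if not key in [...]` is the form PEP 8 flags (E713); it is equivalent but reads better as `if key not in ("delete_rule_groups", "get_network_locations", "update_network_locations_precedence"):`. The list of flaky operations is now growing inline under a bare `# Flakiness` comment, and any key on it is never checked at all — a status code outside AllowedResponses is silently dropped — so a module-level constant such as `FLAKY_OPERATIONS` with a one-line reason per entry, or an exemption that only tolerates the specific code observed, would keep the remaining coverage visible. firewall_test_all_code_paths starts outside the hunk.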
diff --git a/tests/test_foundry_logscale.py b/tests/test_foundry_logscale.py
index 9a6ceddf..1c79799c 100644
--- a/tests/test_foundry_logscale.py
+++ b/tests/test_foundry_logscale.py
@@ -15,7 +15,7 @@
auth = Authorization.TestAuthorization()
config = auth.getConfigObject()
falcon = FoundryLogScale(auth_object=config)
-AllowedResponses = [200, 201, 400, 403, 404, 429, 406, 500, 501, 502, 503]
+AllowedResponses = [200, 201, 400, 401, 403, 404, 429, 406, 500, 501, 502, 503]
class TestFoundryLogScale:
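Review bot: Adding 401 to AllowedResponses in `+AllowedResponses = [200, 201, 400, 401, 403, 404, ...]` makes an authentication failure count as a passing code path, so an expired token or misconfigured credential would no longer fail this suite. The same widening appears in test_identity_protection.py and test_intel.py, where 403 is added to the module-level list. If a specific operation legitimately returns these codes for the test tenant's scope set, a comment such as `# 401/403: returned by <OPERATION-PLACEHOLDER> for the test tenant's scopes` documents why; otherwise a per-operation exemption inside the loop keeps the auth-failure signal for every other call in the file.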
diff --git a/tests/test_identity_protection.py b/tests/test_identity_protection.py
index 321dc2a1..66106ac8 100644
--- a/tests/test_identity_protection.py
+++ b/tests/test_identity_protection.py
@@ -16,7 +16,7 @@
config = auth.getConfigObject()
falcon = IdentityProtection(auth_object=config)
-AllowedResponses = [200, 400, 429]
+AllowedResponses = [200, 400, 403, 429]
# TEST_QUERY = r"""query ($after: Cursor) {
# entities(types: [USER], archived: false, learned: false, first: 5, after: $after) {
diff --git a/tests/test_intel.py b/tests/test_intel.py
index a01df7df..a7c95c99 100644
--- a/tests/test_intel.py
+++ b/tests/test_intel.py
@@ -11,7 +11,7 @@
auth = Authorization.TestAuthorization()
config = auth.getConfigObject()
falcon = Intel(auth_object=config)
-AllowedResponses = [200, 201, 400, 404, 429]
+AllowedResponses = [200, 201, 400, 403, 404, 429]
class TestIntel:
diff --git a/tests/test_intelligence_indicator_graph.py b/tests/test_intelligence_indicator_graph.py
index 75d3c8b8..75ffdd8e 100644
--- a/tests/test_intelligence_indicator_graph.py
+++ b/tests/test_intelligence_indicator_graph.py
@@ -17,7 +17,7 @@
auth = Authorization.TestAuthorization()
config = auth.getConfigObject()
falcon = IntelligenceIndicatorGraph(auth_object=config)
-AllowedResponses = [200, 201, 207, 400, 401, 403, 429]
+AllowedResponses = [200, 201, 207, 400, 401, 403, 404, 429]
class TestIntelligenceIndicatorGraph:
diff --git a/tests/test_it_automation.py b/tests/test_it_automation.py
index 7de00b04..5d5f538c 100644
--- a/tests/test_it_automation.py
+++ b/tests/test_it_automation.py
@@ -60,6 +60,11 @@ def test_all_code_paths(self):
"ITAutomationSearchTaskExecutions": falcon.search_task_executions(),
"ITAutomationSearchTaskGroups": falcon.search_task_groups(),
"ITAutomationSearchTasks": falcon.search_tasks(),
+ "ITAutomationGetUserGroup": falcon.get_user_group(ids="12345678"),
+ "ITAutomationCreateUserGroup": falcon.create_user_group(name="whatever"),
+ "ITAutomationUpdateUserGroup": falcon.update_user_group(id="12345678"),
+ "ITAutomationDeleteUserGroup": falcon.delete_user_groups(ids="12345678"),
+ "ITAutomationSearchUserGroups": falcon.search_user_groups(limit=1)
}
for key in tests:
if tests[key]["status_code"] not in AllowedResponses:
diff --git a/tests/test_kubernetes_protection.py b/tests/test_kubernetes_protection.py
index 4e0881a6..7b740c35 100644
--- a/tests/test_kubernetes_protection.py
+++ b/tests/test_kubernetes_protection.py
@@ -13,7 +13,7 @@
auth = Authorization.TestAuthorization()
config = auth.getConfigObject()
falcon = KubernetesProtection(auth_object=config)
-AllowedResponses = [200, 201, 207, 400, 404, 403, 429, 500] # Allowing 500 to reduce flakiness
+AllowedResponses = [200, 201, 207, 400, 404, 403, 406, 429, 500] # Allowing 500 to reduce flakiness
class TestKubeProtect:
@@ -85,7 +85,8 @@ def serviceKubeProtect_RunAllTests(self):
"ReadDeploymentEnrichment": falcon.read_deployment_enrichment(filter="something_else"),
"ReadNamespacesByDateRangeCount": falcon.read_namespaces_by_date_range_count(),
"ReadNamespaceCount": falcon.read_namespace_count(filter="something"),
- "ReadClusterCombinedV2": falcon.read_clusters_combined_v2(filter="whatever")
+ "ReadClusterCombinedV2": falcon.read_clusters_combined_v2(filter="whatever"),
+ "PostSearchKubernetesIOMEntities": falcon.search_kubernetes_ioms(limit=1)
}
for key in tests:
diff --git a/tests/test_ngsiem.py b/tests/test_ngsiem.py
index 92094e87..313c2c40 100644
--- a/tests/test_ngsiem.py
+++ b/tests/test_ngsiem.py
@@ -94,6 +94,42 @@ def run_all_tests(self):
if not isinstance(result, Response):
if result.status_code not in AllowedResponses:
error_checks = False
+ test_db = open("tests/test_dashboard.yml", "r", encoding="utf-8").read()
+ more_tests = {
+ "GetDashboardTemplate": falcon.get_dashboard_template(ids="12345678"),
+ "CreateDashboardFromTemplate": falcon.create_dashboard_from_template(search_domain="all", name="whatever", yaml_template=test_db),
+ "CreateDashboardFromTemplateFail": falcon.create_dashboard_from_template(search_domain="all", name="whatever"),
+ "UpdateDashboardFromTemplate": falcon.update_dashboard_from_template(search_domain="all", name="whatever", yaml_template=test_db),
+ "UpdateDashboardFromTemplateFail": falcon.update_dashboard_from_template(search_domain="all", name="whatever"),
+ "DeleteDashboard": falcon.delete_dashboard(ids="12345678"),
+ "GetLookupFile": falcon.get_lookup_file(ids="12345678"),
+ "CreateLookupFile": falcon.create_lookup_file(search_domain="all", filename="testfile.yml", file=test_db),
+ "CreateLookupFileFail": falcon.create_lookup_file(search_domain="all", filename="testfile.yml"),
+ "UpdateLookupFile": falcon.update_lookup_file(search_domain="all", filename="testfile.yml", file=test_db),
+ "UpdateLookupFileFail": falcon.update_lookup_file(search_domain="all", filename="testfile.yml"),
+ "DeleteLookupFile": falcon.delete_lookup_file(ids="12345678"),
+ "GetParserTemplate": falcon.get_parser_template(ids="12345678"),
+ "CreateParserFromTemplate": falcon.create_parser_from_template(repository="whatever", name="whatever", yaml_template=test_db),
+ "CreateParserFromTemplateFail": falcon.create_parser_from_template(repository="whatever", name="whatever"),
+ "GetParser": falcon.get_parser(ids="12345678"),
+ "CreateParser": falcon.create_parser(script=test_db, repository="whatever", fields_to_tag="bob,larry"),
+ "UpdateParser": falcon.update_parser(script=test_db, repository="whatever", fields_to_tag="bob,larry", id="12345678"),
+ "DeleteParser": falcon.delete_parser(ids="12345678"),
+ "GetSavedQueryTemplate": falcon.get_saved_query_template(ids="12345678"),
+ "CreateSavedQuery": falcon.create_saved_query(search_domain="all", yaml_template=test_db),
+ "CreateSavedQueryFail": falcon.create_saved_query(search_domain="all"),
+ "UpdateSavedQueryFromTemplate": falcon.update_saved_query_from_template(ids="12345678", search_domain="all", yaml_template=test_db),
+ "UpdateSavedQueryFromTemplateFail": falcon.update_saved_query_from_template(ids="12345678", search_domain="all"),
+ "DeleteSavedQuery": falcon.delete_saved_query(ids="12345678"),
+ "ListDashboards": falcon.list_dashboards(limit="1"),
+ "ListLookupFiles": falcon.list_lookup_files(limit="1"),
+ "ListParsers": falcon.list_parsers(limit="1"),
+ "ListSavedQueries": falcon.list_saved_queries(limit="1"),
+ }
+
+ for test in more_tests:
+ if more_tests[test]["status_code"] not in AllowedResponses:
+ error_checks = False
return error_checks
def test_all_functionality(self):
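Review bot: `test_db = open("tests/test_dashboard.yml", "r", encoding="utf-8").read()` never closes the file handle (pytest reports this as a ResourceWarning); read it as `with open("tests/test_dashboard.yml", "r", encoding="utf-8") as tpl:` followed by `test_db = tpl.read()`. The second loop over `more_tests` repeats the status check of the loop above it but, like that one, records nothing about which key failed, so a red run gives no hint which of the roughly thirty new operations was responsible; folding `more_tests` into the existing `tests` dict, or collecting failing keys into a list, would give one check and one diagnostic path. The `limit="1"` string arguments on the four list calls also differ from the integer `limit=1` used elsewhere in this commit — presumably both are accepted, but it is worth making them consistent. run_all_tests starts outside the hunk.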
diff --git a/tests/test_overwatch_dashboard.py b/tests/test_overwatch_dashboard.py
index f16c8ec9..31a47e07 100644
--- a/tests/test_overwatch_dashboard.py
+++ b/tests/test_overwatch_dashboard.py
@@ -13,7 +13,7 @@
auth = Authorization.TestAuthorization()
config = auth.getConfigObject()
falcon = OverwatchDashboard(auth_object=config)
-AllowedResponses = [200, 401, 403, 429]
+AllowedResponses = [200, 401, 403, 404, 429]
class TestOverwatchDashboard:
diff --git a/tests/test_real_time_response_admin.py b/tests/test_real_time_response_admin.py
index 027962aa..2aa73640 100644
--- a/tests/test_real_time_response_admin.py
+++ b/tests/test_real_time_response_admin.py
@@ -71,11 +71,17 @@ def rtra_retrieve_file_id(file_name: str, ver: int = 1):
def rtra_generate_errors(self):
error_checks = True
script_test = falcon.create_scripts(data={})
+ script_test_v2 = falcon.create_scripts_v2(data={})
putfile_test = falcon.create_put_files(data={}, files=[])
+ putfile_v2_test = falcon.create_put_files_v2(data={}, files=[])
if script_test["status_code"] not in [406, 415]:
error_checks = False
print(script_test)
+ if script_test_v2["status_code"] not in [406, 415]:
+ error_checks = False
+ print(script_test_v2)
+
if putfile_test["status_code"] not in [406, 415]:
error_checks = False
print(putfile_test)
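Review bot: The three added lines for `script_test_v2` duplicate the check on `script_test` verbatim, and `putfile_v2_test` is presumably checked the same way further down, so rtra_generate_errors now carries four copies of the same `not in [406, 415]` block. A dict of named results with a single loop removes the repetition and also puts the operation name in the failure print, which matters here because the v1 and v2 responses are likely to look identical. rtra_generate_errors continues past the hunk, so the remaining checks are not visible.

```python
    results = {
        "create_scripts": script_test,
        "create_scripts_v2": script_test_v2,
        "create_put_files": putfile_test,
        "create_put_files_v2": putfile_v2_test,
    }
    for name, result in results.items():
        if result["status_code"] not in [406, 415]:
            error_checks = False
            print(name, result)
    # … unchanged: remainder of rtra_generate_errors …
```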
@@ -121,6 +127,7 @@ def rtra_test_all_code_paths(self):
"execute_admin_command": falcon.RTR_ExecuteAdminCommand(body={})["status_code"], # 400
"get_falcon_script": falcon.RTR_GetFalconScripts(ids="12345678")["status_code"],
"create_put_files": falcon.RTR_CreatePut_Files(data=file_payload, files=files_detail)["status_code"],
+ "create_put_files_v2": falcon.RTR_CreatePut_FilesV2(data=file_payload, files=files_detail)["status_code"],
# Expanding the result to retrieve the status code
"get_contents": falcon.RTR_GetPutFileContents(self.rtra_retrieve_file_id(file_name=upload_filename), expand_result=True)[0],
"get_again": falcon.RTR_GetPut_FilesV2(self.rtra_retrieve_file_id(file_name=upload_filename, ver=2))["status_code"],
@@ -128,6 +135,7 @@ def rtra_test_all_code_paths(self):
ids=self.rtra_retrieve_file_id(file_name=upload_filename)
)["status_code"],
"create_scripts": falcon.RTR_CreateScripts(data=script_payload, files=script_detail)["status_code"],
+ "create_scripts_v2": falcon.RTR_CreateScriptsV2(data=script_payload, files=script_detail)["status_code"],
"update_scripts": falcon.RTR_UpdateScripts(
id=self.rtra_create_updated_payload(script_filename, new_script_payload),
files=script_detail,
@@ -138,6 +146,16 @@ def rtra_test_all_code_paths(self):
comments_for_audit_log="Unit Testing",
content="#!/bin/bash"
)["status_code"],
+ "update_scripts_v2": falcon.RTR_UpdateScriptsV2(
+ id=self.rtra_create_updated_payload(script_filename, new_script_payload),
+ files=script_detail,
+ description="UnitTesting",
+ name=f"UnitTesting{jdate}",
+ platform="windows",
+ permission_type="private",
+ comments_for_audit_log="Unit Testing",
+ content="#!/bin/bash"
+ )["status_code"],
"delete_scripts": falcon.RTR_DeleteScripts(ids=self.rtra_retrieve_script_id(script_filename))["status_code"],
"list_falcon_scripts": falcon.RTR_ListFalconScripts()["status_code"],
"list_put_files": falcon.RTR_ListPut_Files()["status_code"],
diff --git a/tests/test_saas_security.py b/tests/test_saas_security.py
new file mode 100644
index 00000000..13097697
--- /dev/null
+++ b/tests/test_saas_security.py
@@ -0,0 +1,57 @@
+# test_saas_security.py
+# This class tests the SaasSecurity service class
+
+# import json
+import os
+import sys
+import pytest
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Classes to test - manually imported from sibling folder
+from falconpy import SaasSecurity
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = SaasSecurity(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 403, 404, 429, 500]
+
+
+class TestSaasSecurity:
+ @pytest.mark.skipif(config.base_url == "https://api.laggar.gcw.crowdstrike.com",
+ reason="Unit testing unavailable on US-GOV-1"
+ )
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "GetMetricsV3": falcon.GetMetricsV3(),
+ "GetAlertsV3": falcon.GetAlertsV3(),
+ "GetAppInventoryUsers": falcon.GetAppInventoryUsers(item_id="1234567|||app123"),
+ "GetAppInventory": falcon.GetAppInventory(),
+ "GetSecurityCheckAffectedV3": falcon.GetSecurityCheckAffectedV3(id="1234567"),
+ "DismissAffectedEntityV3": falcon.DismissAffectedEntityV3(id="1234567", body={}),
+ "DismissSecurityCheckV3": falcon.DismissSecurityCheckV3(id="1234567", body={}),
+ "GetSecurityChecksV3": falcon.GetSecurityChecksV3(),
+ "GetSecurityCheckComplianceV3": falcon.GetSecurityCheckComplianceV3(id="1234567"),
+ "IntegrationBuilderEndTransactionV3": falcon.IntegrationBuilderEndTransactionV3(id="1234567"),
+ "IntegrationBuilderResetV3": falcon.IntegrationBuilderResetV3(id="1234567"),
+ "IntegrationBuilderGetStatusV3": falcon.IntegrationBuilderGetStatusV3(id="1234567"),
+ "IntegrationBuilderUploadV3": falcon.IntegrationBuilderUploadV3(id="1234567", source_id="source123", body={}),
+ "GetAssetInventoryV3": falcon.GetAssetInventoryV3(),
+ "GetDeviceInventoryV3": falcon.GetDeviceInventoryV3(),
+ "GetIntegrationsV3": falcon.GetIntegrationsV3(),
+ "GetActivityMonitorV3": falcon.GetActivityMonitorV3(integration_id="1234567"),
+ "GetSupportedSaasV3": falcon.GetSupportedSaasV3(),
+ "GetSystemLogsV3": falcon.GetSystemLogsV3(),
+ "GetSystemUsersV3": falcon.GetSystemUsersV3(),
+ "GetUserInventoryV3": falcon.GetUserInventoryV3()
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
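Review bot: `sys.path.append(os.path.abspath('src'))` runs after `from falconpy import SaasSecurity`, so it has no effect on that import; the sibling test_spotlight_vulnerability_metadata.py added in this same commit performs the append first, and this file should match it by moving the path line above the import. `AllowedResponses` here includes 500, which lets a server error pass as a covered code path; if one operation needs it, a comment naming that operation would document the reason, otherwise dropping it matches the other new file. The loop records no failing key and the only diagnostics are commented-out prints — collecting `failed = [k for k, r in tests.items() if r["status_code"] not in AllowedResponses]` and asserting `assert not failed, failed` names the failing operation in the pytest output.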
diff --git a/tests/test_sensor_usage.py b/tests/test_sensor_usage.py
index 8870bfce..a0aab111 100644
--- a/tests/test_sensor_usage.py
+++ b/tests/test_sensor_usage.py
@@ -23,7 +23,8 @@ class TestSensorUsage:
def test_all_code_paths(self):
error_checks = True
tests = {
- "GetWeeklySensorUsage": falcon.get_weekly_usage()
+ "GetWeeklySensorUsage": falcon.get_weekly_usage(),
+ "GetHourlySensorUsage": falcon.get_hourly_usage()
}
for key in tests:
if tests[key]["status_code"] not in AllowedResponses:
diff --git a/tests/test_spotlight_vulnerability_metadata.py b/tests/test_spotlight_vulnerability_metadata.py
new file mode 100644
index 00000000..8f6c73df
--- /dev/null
+++ b/tests/test_spotlight_vulnerability_metadata.py
@@ -0,0 +1,33 @@
+# test_spotlight_vulnerability_metadata.py
+# This class tests the SpotlightVulnerabilityMetadata service class
+
+# import json
+import os
+import sys
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+# Classes to test - manually imported from sibling folder
+from falconpy import SpotlightVulnerabilityMetadata
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = SpotlightVulnerabilityMetadata(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 403, 404, 429]
+
+
+class TestSpotlightVulnerabilityMetadata:
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "combineVulnMetadataExt": falcon.get_cve_metadata(),
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
diff --git a/tests/test_user_management.py b/tests/test_user_management.py
index dbdbbb2e..be841cc1 100644
--- a/tests/test_user_management.py
+++ b/tests/test_user_management.py
@@ -117,9 +117,9 @@ def um_generate_errors(self):
"get_user_grants_v1": falcon.get_user_grants_v1(user_uuid="12345678"),
"get_user_grants": falcon.get_user_grants(user_uuid="12345678"),
"get_roles_mssp": falcon.get_roles_mssp(ids="1234567890", cid="1234567890"),
+ "get_roles_mssp_v1": falcon.get_roles_mssp_v1(ids="1234567890", cid="1234567890"),
"user_action": falcon.user_action(action_name="reset_password",
- action_value="whatever",
- ids="1234567890"
+ ids="1ab2c345-67d8-90e1-2345-6789f0a12bc3"
),
"user_roles_action": falcon.user_roles_action(action="grant",
role_ids="12345678",
@@ -138,7 +138,7 @@ def um_generate_errors(self):
}
for key in tests:
if tests[key]["status_code"] not in AllowedResponses:
- if key != "query_roles": # Temporarily allow 500s from this op
+ if key not in ["query_roles", "user_action"]: # Temporarily allow 500s from these ops
error_checks = False
# print(f"{key} processed with a {tests[key]} response")
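Review bot: Exempting `user_action` in `+ if key not in ["query_roles", "user_action"]:` removes every status-code check on that call, including the reset_password request whose `ids` argument the previous hunk changed, so the operation is now exercised but never verified. If the intent is only to tolerate a transient 500, allow that one code for the exempted keys instead, e.g. `if key not in ("query_roles", "user_action") or tests[key]["status_code"] != 500:`, so that authentication and client-side errors still fail the test. "Temporarily" carries no tracking reference; a `# TODO(<OWNER-PLACEHOLDER>): <ISSUE-PLACEHOLDER>` marker would make the exemption findable when the upstream fix lands. um_generate_errors starts outside the hunk.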
diff --git a/tests/test_workflows.py b/tests/test_workflows.py
index 5b4de55d..151857c5 100644
--- a/tests/test_workflows.py
+++ b/tests/test_workflows.py
@@ -43,6 +43,8 @@ def run_all_tests(self):
"WorkflowDefinitionsImport4": falcon.import_definition(validate_only=True, data_file="tests/test.yml", name="workflow_name"),
"WorkflowDefinitionsImport4": falcon.import_definition(validate_only=True, data_file=binary_example, name="workflow_name"),
"WorkflowDefinitionsUpdate": falcon.update_definition(change_log="testing"),
+ "WorkflowDefinitionsAction1": falcon.workflow_definition_action(ids="1234567", action_name="enable"),
+ "WorkflowDefinitionsAction2": falcon.workflow_definition_action(ids="1234567", action_name="whatever"),
"WorkflowGetHumanInputV1": falcon.get_human_input(ids="1234567"),
"WorkflowUpdateHumanInputV1": falcon.update_human_input(input="whatever", note="whatever"),
"WorkflowActivitiesContentCombined": falcon.search_activities_content(limit=1)