Payload Handling

Joshua Hiller edited this page Dec 17, 2022 · 13 revisions

There are multiple types of payloads that are consumed by CrowdStrike API endpoints.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. None of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does NOT recommend hard coding API credentials or customer identifiers within source code.
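One way to supply CLIENT_ID and CLIENT_SECRET without placing them in source, shown as an added example that is not part of the original page. The environment variable names FALCON_CLIENT_ID and FALCON_CLIENT_SECRET, the FalconCredentials class and the load_credentials helper are assumptions of this example.

```python
import os


class FalconCredentials(dict):
    """Keyword arguments for a FalconPy class; repr() masks the secret."""

    def __repr__(self):
        masked = {key: ("***" if key == "client_secret" else value)
                  for key, value in self.items()}
        return f"FalconCredentials({masked})"


def load_credentials(env=os.environ):
    """Read API credentials from the environment and fail closed if any is absent."""
    # Variable names are an assumption of this example, not mandated by the page.
    names = {"client_id": "FALCON_CLIENT_ID",
             "client_secret": "FALCON_CLIENT_SECRET"}
    creds = FalconCredentials()
    missing = []
    for keyword, variable in names.items():
        value = (env.get(variable) or "").strip()
        if value:
            creds[keyword] = value
        else:
            missing.append(variable)
    if missing:
        # Name the missing variables only; never echo any value that was found.
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return creds


if __name__ == "__main__":
    # Imported here so the loader itself can be used and tested without the SDK.
    from falconpy import RealTimeResponse

    falcon = RealTimeResponse(**load_credentials())
    print(falcon.init_session(device_id="123a4bc567de890f123a4b56cde"))
```

Because the mapping masks client_secret in its repr, printing or logging the credentials object by accident does not expose the secret.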

Body payloads

Body payloads are typically used for PATCH, POST, PUT and UPDATE operations, but this is not a hard restriction. They are either JSON formatted or binary depending on the endpoint.

Body payloads are specified using the body keyword.

Example

from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

BODY = {
    "device_id": "123a4bc567de890f123a4b56cde"
}

response = falcon.init_session(body=BODY)
print(response)

Body Payload Abstraction

The Body Payload Abstraction feature was released for a limited number of Service Classes starting with version 0.7.0, and was completed (i.e. made available in all Service Classes) in version 0.7.4. This feature allows developers to specify body payload parameters as keywords instead of crafting the necessary JSON dictionary to provide as the body keyword.

Example

from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.init_session(device_id="123a4bc567de890f123a4b56cde")
print(response)

Body Payload Abstraction functionality is only available in Service Classes.

Query string payloads

Query string payloads are typically used for GET or DELETE operations, but this is not a hard restriction. Query string payloads are typically JSON formatted.

Query string payloads can be specified individually as keywords (Parameter Abstraction), or as a single JSON dictionary using the parameters keyword.

Example

from falconpy import SensorVisibilityExclusions

falcon = SensorVisibilityExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )
PARAMS = {
    "limit": 100
}
# Query string provided as a dictionary
response = falcon.query_exclusions(parameters=PARAMS)
print(response)

Parameter Abstraction

The Parameter Abstraction feature was released for Service Classes in version 0.5.4. This functionality allows developers to specify query string parameters as keywords instead of crafting a JSON dictionary and passing it as the parameters keyword value.

Example

Available starting in v0.5.4.

from falconpy import SensorVisibilityExclusions

falcon = SensorVisibilityExclusions(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

# Query string provided using parameter abstraction
response = falcon.query_exclusions(limit=100)
print(response)

Available starting in v0.8.0.

# Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("querySensorVisibilityExclusionsV1", limit=100)
print(response)

NOTE! Prior to version 0.8.0, the Uber Class did not support Parameter Abstraction. Developers using versions below v0.8.0 will need to provide query string payloads to the Uber Class using the parameters keyword.

Example

# Uber class example for version prior to v0.8.0
from falconpy import APIHarness

falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )
PARAMS = {
    "limit": 100
}
# Query string must be provided as a dictionary
response = falcon.command("querySensorVisibilityExclusionsV1", parameters=PARAMS)
print(response)

Form data payloads

Form data payloads are typically used for PATCH, POST or PUT requests, but this may not always be the case. They are frequently JSON formatted, but may contain, or consist entirely of, binary data.

Form data payloads can be specified using the data keyword.

Example

from falconpy import RealTimeResponseAdmin

falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

PAYLOAD = {
    "description": "Just a test file",
    "name": "testfile.txt",
    "comments_for_audit_log": "Testing"
}

# Read the file inside a context manager so the handle is closed promptly
with open('file.ext', 'rb') as upload:
    file_upload = [('file', ('file.ext', upload.read(), 'application/script'))]

response = falcon.create_put_files(data=PAYLOAD, files=file_upload)
print(response)

File data payloads

There are two types of file data payloads: raw file data and file arrays.

Raw file data

Raw file data payloads are typically used for PATCH, POST or PUT operations and contain binary data.

Raw file data payloads can be specified using the file_data keyword.

Example

from falconpy import SampleUploads

falcon = SampleUploads(client_id=CLIENT_ID,
                       client_secret=CLIENT_SECRET
                       )

FILENAME = 'test_file.ext'
# Read the sample inside a context manager so the handle is closed promptly
with open(FILENAME, 'rb') as sample:
    PAYLOAD = sample.read()

response = falcon.upload_sample(file_data=PAYLOAD,
                                file_name="string",
                                comment='string',
                                is_confidential=True  # boolean: True or False
                                )
print(response)

File arrays

File array payloads are typically used for PATCH, POST or PUT operations. They contain a list of tuples that provide file information as well as the binary file data.

File array payloads can be specified using the files keyword.

Example

from falconpy import RealTimeResponseAdmin

falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

PAYLOAD = {
    "description": "string",
    "name": "string",
    "comments_for_audit_log": "string",
    "permission_type": "string",
    "content": "string",
    "platform": [
       "string",
       "string"
    ]
}

# Read the file inside a context manager so the handle is closed promptly
with open('file.ext', 'rb') as upload:
    file_upload = [('file', ('file.ext', upload.read(), 'application/script'))]

response = falcon.create_scripts(data=PAYLOAD, files=file_upload)
print(response)
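The form data and file array examples above both pair a data dictionary with a files list of tuples. The following added example (not from the original page) builds that pair from one file and records the SHA-256 of the exact bytes uploaded in comments_for_audit_log. The build_upload helper, the MAX_UPLOAD_BYTES ceiling and the sample script are assumptions of this example.

```python
import hashlib
import os
import tempfile

MAX_UPLOAD_BYTES = 4 * 1024 * 1024   # assumed local ceiling, not a CrowdStrike limit


def build_upload(path, description, content_type="application/script"):
    """Return (data, files) in the shape used by the data= and files= keywords."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError(f"{path!r} is not a regular file")
    with open(path, "rb") as handle:           # handle is closed before any request is made
        content = handle.read(MAX_UPLOAD_BYTES + 1)
    if len(content) > MAX_UPLOAD_BYTES:
        raise ValueError(f"{path!r} exceeds {MAX_UPLOAD_BYTES} bytes")
    name = os.path.basename(path)               # do not send local directory names
    digest = hashlib.sha256(content).hexdigest()
    data = {
        "description": description,
        "name": name,
        # Hash of the uploaded bytes, so the audit entry can be matched to a reviewed file
        "comments_for_audit_log": f"sha256={digest}",
    }
    files = [("file", (name, content, content_type))]
    return data, files


def demo():
    """Build a payload from a constructed script written to a temporary directory."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "collect_info.sh")
        with open(path, "wb") as handle:
            handle.write(b"#!/bin/sh\nuname -a\n")   # constructed sample content
        return build_upload(path, "Constructed sample script")


if __name__ == "__main__":
    data, files = demo()
    print(data)
    # With the SDK and credentials available, mirroring the page's call:
    #   response = falcon.create_put_files(data=data, files=files)
```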

Customizing headers

Custom headers can be used with any endpoint and any HTTP method. Most operations do not require custom header payloads, as a default header dictionary is maintained for every operation. Custom headers are typically used to specify content type, but they can also be used for other payload delivery purposes.

Example

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

HEADERS = {
    "Accept-Encoding": "gzip"
}

save_file = "downloaded.gz"

response = falcon.get_artifacts(id="123456", name="testfile.gz", headers=HEADERS)
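# Write the download inside a context manager so the file is flushed and closed
with open(save_file, 'wb') as download:
    download.write(response)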
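The download example above writes whatever the call returns. As an added example (not from the original page), the helper below writes only when the response is binary and refuses to overwrite an existing file. It assumes a failed request comes back as a dictionary carrying a status_code key; save_download and the sample values are hypothetical names constructed for this example.

```python
import os
import tempfile


def save_download(response, destination):
    """Write a binary API response to a new file; reject anything that is not bytes."""
    if not isinstance(response, (bytes, bytearray)):
        # Assumption: an unsuccessful call returns a dictionary with status details
        status = response.get("status_code") if isinstance(response, dict) else None
        raise ValueError(f"download failed, status={status}")
    # O_EXCL refuses to replace an existing file or write through a pre-placed symlink;
    # mode 0o600 keeps the artifact readable by the current user only.
    fd = os.open(destination, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(response)
    return len(response)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "downloaded.gz")
        # Constructed stand-ins for a successful and a failed response
        print(save_download(b"\x1f\x8b constructed bytes", target))
        try:
            save_download({"status_code": 404, "body": {"errors": []}}, target + ".err")
        except ValueError as error:
            print(error)
```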
