Cloud Security Assets
The Cloud Security Assets service collection provides operations for querying and retrieving cloud resource data across your environment. Find assets by application resource, retrieve compliance data by account, fetch raw resource details by ID, and query the full asset inventory using FQL filters.
| Language | Last Update |
|---|---|
| Python | v1.5.5 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |
Table of Contents
Section titled “Table of Contents”| Operation | Description |
|---|---|
cloud_security_assets_combined_application_findingscombined_application_findings | Get findings for an application resource with pagination. |
cloud_security_assets_combined_compliance_by_accountget_combined_compliance_by_account | Get combined compliance by account. |
cloud_security_assets_entities_getget_assets | Gets raw resources based on the provided IDs param. Maximum of 100 resources can be requested with this method. Use POST method with same path if more are required. |
cloud_security_assets_queriesquery_assets | Query cloud security assets. |
cloud_security_assets_combined_application_findings
Section titled “cloud_security_assets_combined_application_findings”Get findings for an application resource with pagination.
GET /cloud-security-assets/combined/application-findings/v1
PEP 8
combined_application_findingsParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| crn | query | string | Deprecated: Use gcrn instead. Application CRN. |
| gcrn | query | string | Application GCRN. |
| type | query | string | Finding type. |
| filter | query | string | FQL string to filter findings. |
| offset | query | integer | Pagination offset. |
| limit | query | integer | Page size. Maximum value is 1000, minimum value is 1. When not specified, 50 is used. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Code Examples
Section titled “Code Examples”from falconpy import CloudSecurityAssets
falcon = CloudSecurityAssets(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.combined_application_findings(crn="string", gcrn="string", type="string", filter="string", offset=integer, limit=integer)print(response)from falconpy import CloudSecurityAssets
falcon = CloudSecurityAssets(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.cloud_security_assets_combined_application_findings(crn="string", gcrn="string", type="string", filter="string", offset=integer, limit=integer)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("cloud_security_assets_combined_application_findings", crn="string", gcrn="string", type="string", filter="string", offset=integer, limit=integer)print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cloud_security_assets")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
crn := "string" gcrn := "string" filter := "string" offset := int64(0) limit := int64(0)
response, err := client.CloudSecurityAssets.CloudSecurityAssetsCombinedApplicationFindings( &cloud_security_assets.CloudSecurityAssetsCombinedApplicationFindingsParams{ Crn: &crn, Gcrn: &gcrn, Type: "string", Filter: &filter, Offset: &offset, Limit: &limit, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.cloudSecurityAssets.cloudSecurityAssetsCombinedApplicationFindings( "string", // type "string", // crn "string", // gcrn "string", // filter integer, // offset integer // limit);
console.log(response);Examples coming soon.
require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CloudSecurityAssets.new
response = api.cloud_security_assets_combined_application_findings('string')
puts responsecloud_security_assets_combined_compliance_by_account
Section titled “cloud_security_assets_combined_compliance_by_account”Gets combined compliance data aggregated by account and region. Results can be filtered and sorted.
GET /cloud-security-assets/combined/compliance-controls/by-account-region-and-resource-type/v1
PEP 8
get_combined_compliance_by_accountParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL string to filter on asset contents. Filterable fields include: account_id, account_name, assessment_id, business_impact, cloud_group, cloud_label, cloud_label_id, cloud_provider, cloud_scope, compliant, control.benchmark.name, control.benchmark.version, control.extension.status, control.framework, control.name, control.type, control.version, environment, last_evaluated, region, resource_provider, resource_type, resource_type_name, service, service_category, severities, tag_key, tag_value, and tags_string. |
| sort | query | string | Sort expression in format: field|direction (e.g., last_evaluated|desc). Allowed sort fields: account_id, account_name, assessment_id, cloud_provider, control.benchmark.name, control.benchmark.version, control.framework, control.name, control.type, control.version, last_evaluated, region, resource_counts.compliant, resource_counts.non_compliant, resource_counts.total, resource_provider, resource_type, resource_type_name, service, and service_category. |
| limit | query | integer | The maximum number of items to return. When not specified or 0, 20 is used. When larger than 10000, 10000 is used. |
| offset | query | integer | Offset returned controls. Use only one of ‘offset’ and ‘after’ parameter for paginating. ‘offset’ can only be used on offsets < 10,000. For paginating through the entire result set, use ‘after’ parameter |
| after | query | string | token-based pagination. use for paginating through an entire result set. Use only one of ‘offset’ and ‘after’ parameters for paginating |
| include_failing_iom_severity_counts | query | boolean | Include counts of failing IOMs by severity level |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Code Examples
Section titled “Code Examples”from falconpy import CloudSecurityAssets
falcon = CloudSecurityAssets(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.get_combined_compliance_by_account(filter="string", sort="string", limit=integer, offset=integer, after="string", include_failing_iom_severity_counts=boolean)print(response)from falconpy import CloudSecurityAssets
falcon = CloudSecurityAssets(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.cloud_security_assets_combined_compliance_by_account(filter="string", sort="string", limit=integer, offset=integer, after="string", include_failing_iom_severity_counts=boolean)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("cloud_security_assets_combined_compliance_by_account", filter="string", sort="string", limit=integer, offset=integer, after="string", include_failing_iom_severity_counts=boolean)print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cloud_security_assets")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
filter := "string" sort := "string" limit := int64(0) offset := int64(0) after := "string" includeFailingIomSeverityCounts := boolean
response, err := client.CloudSecurityAssets.CloudSecurityAssetsCombinedComplianceByAccount( &cloud_security_assets.CloudSecurityAssetsCombinedComplianceByAccountParams{ Filter: &filter, Sort: &sort, Limit: &limit, Offset: &offset, After: &after, IncludeFailingIomSeverityCounts: &includeFailingIomSeverityCounts, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.cloudSecurityAssets.cloudSecurityAssetsCombinedComplianceByAccount( "string", // filter "string", // sort integer, // limit integer, // offset "string", // after boolean // includeFailingIomSeverityCounts);
console.log(response);use rusty_falcon::apis::cloud_security_assets_api::cloud_security_assets_combined_compliance_by_account;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = cloud_security_assets_combined_compliance_by_account( &falcon.cfg, // configuration Some("string"), // filter Some("string"), // sort Some(integer), // limit Some(integer), // offset Some("string"), // after Some(boolean), // include_failing_iom_severity_counts ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CloudSecurityAssets.new
response = api.cloud_security_assets_combined_compliance_by_account(filter: 'string', sort: 'string', limit: integer, offset: integer, after: 'string', include_failing_iom_severity_counts: boolean)
puts responsecloud_security_assets_entities_get
Section titled “cloud_security_assets_entities_get”Gets raw resources based on the provided IDs param. Maximum of 100 resources can be requested with this method.
GET /cloud-security-assets/entities/resources/v1
PEP 8
get_assetsParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | List of assets to return (maximum 100 IDs allowed). |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Code Examples
Section titled “Code Examples”from falconpy import CloudSecurityAssets
falcon = CloudSecurityAssets(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_assets(ids=id_list)print(response)from falconpy import CloudSecurityAssets
falcon = CloudSecurityAssets(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.cloud_security_assets_entities_get(ids=id_list)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("cloud_security_assets_entities_get", ids=id_list)print(response)Get-FalconCloudAsset -Id @("ID1", "ID2")package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cloud_security_assets")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
response, err := client.CloudSecurityAssets.CloudSecurityAssetsEntitiesGet( &cloud_security_assets.CloudSecurityAssetsEntitiesGetParams{ Ids: []string{"ID1", "ID2", "ID3"}, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.cloudSecurityAssets.cloudSecurityAssetsEntitiesGet(["ID1", "ID2", "ID3"]); // ids
console.log(response);use rusty_falcon::apis::cloud_security_assets_api::cloud_security_assets_entities_get;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = cloud_security_assets_entities_get( &falcon.cfg, // configuration Some(vec!["string".to_string()]), // ids ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CloudSecurityAssets.new
response = api.cloud_security_assets_entities_get(ids: ['ID1', 'ID2', 'ID3'])
puts responsecloud_security_assets_queries
Section titled “cloud_security_assets_queries”Gets a list of resource IDs for the given parameters, filters and sort criteria.
GET /cloud-security-assets/queries/resources/v1
PEP 8
query_assetsParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| after | query | string | token-based pagination. use for paginating through an entire result set. Use only one of ‘offset’ and ‘after’ parameters for paginating |
| filter | query | string | FQL string to filter on asset contents. Filterable fields include: account_id, account_name, active, aspm.deployment_cloud_resource_id, aspm.deployment_provider, aspm.deployment_type, aspm.technologies, azure.vm_id, business_impact, cloud_group, cloud_label, cloud_label_id, cloud_provider, cloud_risks.rule, cloud_risks.severity, cloud_risks.status, cloud_scope, cluster_id, cluster_name, compartment_ocid, compliant.benchmark_name, compliant.benchmark_version, compliant.framework, compliant.policy_id, compliant.requirement, compliant.rule, compliant.section, configuration.id, control.benchmark.name, control.benchmark.version, control.framework, control.requirement, control.type, control.version, creation_time, cve_ids, data_classifications.found, data_classifications.label, data_classifications.label_id, data_classifications.scanned, data_classifications.tag, data_classifications.tag_id, environment, exprt_ratings, first_seen, highest_severity, id, insights.boolean_value, insights.date_value, insights.id, insights.integer_value, insights.string_list_value, insights.string_value, instance_id, instance_state, ioa_count, iom_count, legacy_resource_id, legacy_uuid, managed_by, non_compliant.benchmark_name, non_compliant.benchmark_version, non_compliant.framework, non_compliant.policy_id, non_compliant.requirement, non_compliant.rule, non_compliant.rule_name, non_compliant.section, non_compliant.severity, organization_Id, os_version, platform_name, publicly_exposed, region, resource_id, resource_name, resource_parent, resource_type, resource_type_name, sensor_priority, service, service_category, severity, snapshot_detections, ssm_managed, status, tag_key, tag_value, tags, tags_string, tenant_id, updated_at, vmware.guest_os_id, vmware.guest_os_version, vmware.host_system_name, vmware.host_type, vmware.instance_uuid, vmware.vm_host_name, vmware.vm_tools_status, and zone |
| sort | query | string | The field to sort on. Sortable fields include: account_id, account_name, active, aspm.deployment_cloud_resource_id, aspm.deployment_provider, aspm.deployment_type, aspm.technologies, cloud_provider, cloud_risks.open_risk_count, cluster_id, cluster_name, compartment_name, compartment_ocid, compartment_path, creation_time, data_classifications.found, data_classifications.scanned, first_seen, id, instance_id, instance_state, ioa_count, iom_count, managed_by, organization_Id, os_version, platform_name, publicly_exposed, publiclyExposedAccessRange, publiclyExposedExposureMethod, publiclyExposedToTheInternet, region, resource_id, resource_name, resource_parent, resource_type, resource_type_name, service, service_category, ssm_managed, status, tenancy_name, tenancy_ocid, tenancy_type, tenant_id, updated_at, vmware.guest_os_id, vmware.guest_os_version, vmware.host_system_name, vmware.host_type, vmware.instance_uuid, vmware.vm_host_name, vmware.vm_tools_status, and zone. |
| limit | query | integer | The maximum number of items to return. When not specified or 0, 500 is used. When larger than 1000, 1000 is used. |
| offset | query | integer | Offset returned assets. Use only one of ‘offset’ and ‘after’ parameter for paginating. ‘offset’ can only be used on offsets < 10,000. For paginating through the entire result set, use ‘after’ parameter |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Code Examples
Section titled “Code Examples”from falconpy import CloudSecurityAssets
falcon = CloudSecurityAssets(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.query_assets(after="string", filter="string", sort="string", limit=integer, offset=integer)print(response)from falconpy import CloudSecurityAssets
falcon = CloudSecurityAssets(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.cloud_security_assets_queries(after="string", filter="string", sort="string", limit=integer, offset=integer)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("cloud_security_assets_queries", after="string", filter="string", sort="string", limit=integer, offset=integer)print(response)Get-FalconCloudAsset -Filter "string" ` -Sort "string" ` -Limit integer ` -Offset "string"package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cloud_security_assets")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
after := "string" filter := "string" sort := "string" limit := int64(0) offset := int64(0)
response, err := client.CloudSecurityAssets.CloudSecurityAssetsQueries( &cloud_security_assets.CloudSecurityAssetsQueriesParams{ After: &after, Filter: &filter, Sort: &sort, Limit: &limit, Offset: &offset, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.cloudSecurityAssets.cloudSecurityAssetsQueries( "string", // after "string", // filter "string", // sort integer, // limit integer // offset);
console.log(response);use rusty_falcon::apis::cloud_security_assets_api::cloud_security_assets_queries;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = cloud_security_assets_queries( &falcon.cfg, // configuration Some("string"), // after Some("string"), // filter Some("string"), // sort Some(integer), // limit Some(integer), // offset ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CloudSecurityAssets.new
response = api.cloud_security_assets_queries(after: 'string', filter: 'string', sort: 'string', limit: integer, offset: integer)
puts response