Cloud Security Detections
The Cloud Security Detections service collection provides operations for retrieving Indicators of Misconfiguration (IOMs) in cloud environments. Return IOMs grouped by rule, retrieve IOM entities by ID, or query for IOM IDs using FQL filters.
| Language | Last Update |
|---|---|
| Python | v1.5.5 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |
Table of Contents
Section titled “Table of Contents”| Operation | Description |
|---|---|
cspm_evaluations_combined_iom_by_ruleget_combined_iom_by_rule | Return IOMs grouped by rule. |
cspm_evaluations_iom_entitiesget_iom_entities | Gets IOMs based on the provided IDs |
cspm_evaluations_iom_queriesquery_iom_entities | Gets a list of IOM IDs for the given parameters, filters and sort criteria. |
cspm_evaluations_combined_iom_by_rule
Section titled “cspm_evaluations_combined_iom_by_rule”Return IOMs grouped by rule.
GET /cloud-security-evaluations/combined/ioms-by-rule/v1
PEP 8
get_combined_iom_by_ruleParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL string to filter results in Falcon Query Language (FQL). Supported fields: account_id account_name applicable_profile attack_type benchmark_name benchmark_version business_impact cid cloud_group cloud_label cloud_label_id cloud_provider cloud_scope created_at environment extension_status first_detected framework last_detected policy_id policy_name region requirement resource_gcrn resource_id resource_parent resource_status resource_type resource_type_name rule_group rule_id rule_name rule_origin section service service_category severity status suppressed_by tactic_id tactic_name tag_key tag_value tags tags_string technique_id technique_name zone |
| limit | query | integer | The maximum number of items to return. When not specified or 0, 500 is used. When larger than 1000, 1000 is used. |
| offset | query | integer | Offset returned assets. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
| sort | query | string | The field to sort on. Sortable fields include: assessed_assets cloud_provider misconfigurations rule_id severity. Use |asc or |desc suffix to specify sort direction. |
Code Examples
Section titled “Code Examples”from falconpy import CloudSecurityDetections
falcon = CloudSecurityDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.get_combined_iom_by_rule(filter="string", sort="string", limit="string", offset=integer)print(response)from falconpy import CloudSecurityDetections
falcon = CloudSecurityDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.cspm_evaluations_combined_iom_by_rule(filter="string", sort="string", limit="string", offset=integer)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("cspm_evaluations_combined_iom_by_rule", filter="string", sort="string", limit=integer, offset=integer)print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cloud_security_detections")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
filter := "string" sort := "string" limit := int64(0) offset := int64(0)
response, err := client.CloudSecurityDetections.CspmEvaluationsCombinedIomByRule( &cloud_security_detections.CspmEvaluationsCombinedIomByRuleParams{ Filter: &filter, Sort: &sort, Limit: &limit, Offset: &offset, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.cloudSecurityDetections.cspmEvaluationsCombinedIomByRule( "string", // filter "string", // sort integer, // limit integer // offset);
console.log(response);Examples coming soon.
require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CloudSecurityDetections.new
response = api.cspm_evaluations_combined_iom_by_rule(filter: 'string', sort: 'string', limit: integer, offset: integer)
puts responsecspm_evaluations_iom_entities
Section titled “cspm_evaluations_iom_entities”Gets IOMs based on the provided IDs
GET /cloud-security-evaluations/entities/ioms/v1
PEP 8
get_iom_entitiesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | array (string) | List of IOMs to return (maximum 100 IDs allowed). Use POST method with same path if more entities are required. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
Code Examples
Section titled “Code Examples”from falconpy import CloudSecurityDetections
falcon = CloudSecurityDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_iom_entities(ids=id_list)print(response)from falconpy import CloudSecurityDetections
falcon = CloudSecurityDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.cspm_evaluations_iom_entities(ids=id_list)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("cspm_evaluations_iom_entities", ids=id_list)print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cloud_security_detections")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
response, err := client.CloudSecurityDetections.CspmEvaluationsIomEntities( &cloud_security_detections.CspmEvaluationsIomEntitiesParams{ Ids: []string{"ID1", "ID2", "ID3"}, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.cloudSecurityDetections.cspmEvaluationsIomEntities(["ID1", "ID2", "ID3"]); // ids
console.log(response);use rusty_falcon::apis::cloud_security_detections_api::cspm_evaluations_iom_entities;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = cspm_evaluations_iom_entities( &falcon.cfg, // configuration Some(vec!["string".to_string()]), // ids ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CloudSecurityDetections.new
response = api.cspm_evaluations_iom_entities(ids: ['ID1', 'ID2', 'ID3'])
puts responsecspm_evaluations_iom_queries
Section titled “cspm_evaluations_iom_queries”Gets a list of IOM IDs for the given parameters, filters and sort criteria.
GET /cloud-security-evaluations/queries/ioms/v1
PEP 8
query_iom_entitiesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| after | query | string | token-based pagination. Use for paginating through an entire result set. Use only one of ‘offset’ and ‘after’ parameters for paginating |
| filter | query | string | FQL string to filter results in Falcon Query Language (FQL). Supported fields: account_id account_name applicable_profile attack_type benchmark_name benchmark_version business_impact cid cloud_group cloud_label cloud_label_id cloud_provider cloud_scope created_at environment extension_status first_detected framework last_detected policy_id policy_name policy_uuid region requirement requirement_name resource_gcrn resource_id resource_parent resource_status resource_type resource_type_name rule_group rule_id rule_name rule_origin rule_remediation section service service_category severity status suppressed_by suppression_reason tactic_id tactic_name tag_key tag_value tags tags_string technique_id technique_name |
| limit | query | integer | The maximum number of items to return. When not specified or 0, 500 is used. When larger than 1000, 1000 is used. |
| offset | query | integer | Offset returned assets |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
| sort | query | string | The field to sort on. Use |asc or |desc suffix to specify sort direction. Supported fields: account_id account_name applicable_profile attack_type benchmark_name benchmark_version business_impact cid cloud_group cloud_label cloud_label_id cloud_provider cloud_scope created_at environment extension_status first_detected framework last_detected policy_id policy_name policy_uuid region requirement requirement_name resource_gcrn resource_id resource_parent resource_status resource_type resource_type_name rule_group rule_id rule_name rule_origin rule_remediation section service service_category severity status suppressed_by suppression_reason tactic_id tactic_name tag_key tag_value tags tags_string technique_id technique_name |
Code Examples
Section titled “Code Examples”from falconpy import CloudSecurityDetections
falcon = CloudSecurityDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.query_iom_entities(filter="string", sort="string", limit="string", offset=integer, after="string")print(response)from falconpy import CloudSecurityDetections
falcon = CloudSecurityDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.cspm_evaluations_iom_queries(filter="string", sort="string", limit="string", offset=integer, after="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("cspm_evaluations_iom_queries", filter="string", sort="string", limit=integer, offset=integer, after="string")print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cloud_security_detections")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
filter := "string" sort := "string" limit := int64(0) offset := int64(0) after := "string"
response, err := client.CloudSecurityDetections.CspmEvaluationsIomQueries( &cloud_security_detections.CspmEvaluationsIomQueriesParams{ Filter: &filter, Sort: &sort, Limit: &limit, Offset: &offset, After: &after, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.cloudSecurityDetections.cspmEvaluationsIomQueries( "string", // filter "string", // sort integer, // limit integer, // offset "string" // after);
console.log(response);use rusty_falcon::apis::cloud_security_detections_api::cspm_evaluations_iom_queries;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = cspm_evaluations_iom_queries( &falcon.cfg, // configuration Some("string"), // filter Some("string"), // sort Some(integer), // limit Some(integer), // offset ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CloudSecurityDetections.new
response = api.cspm_evaluations_iom_queries(filter: 'string', sort: 'string', limit: integer, offset: integer, after: 'string')
puts response