Configuration Assessment

The Configuration Assessment service collection provides operations for searching assessments in your environment and retrieving rule details. Use FQL filters to query HostFinding entities and retrieve compliance rule information.

Language	Last Update
Python	v1.4.6
PowerShell	v2.2.9
Go	v0.20.0
TypeScript	v0.6.0
Rust	v0.7.0
Ruby	v1.2.0

Operation	Description
getCombinedAssessmentsQuery `query_combined_assessments`	Search for assessments in your environment by providing an FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria
getRuleDetails `get_rule_details`	Get rules details for provided one or more rule IDs

getCombinedAssessmentsQuery

Search for assessments in your environment by providing an FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria

GET /configuration-assessment/combined/assessments/v1

Scope Configuration Assessment: READ Consumes · Produces application/json

PEP 8 query_combined_assessments

Parameters

Name	Type	Data type	Description
after	query	string	A pagination token used with the `limit` parameter to manage pagination of results. On your first request, don’t provide an `after` token. On subsequent requests, provide the `after` token from the previous response to continue from that place in the results.
limit	query	integer	The number of items to return in this response (default: 100, max: 5000). Use with the after parameter to manage pagination of results.
sort	query	string	Sort assessment by their properties. Common sort options include: created_timestamp\|desc, updated_timestamp\|asc
filter	query	string	Filter items using a query in Falcon Query Language (FQL). Wildcards * are unsupported. Common filter options include: created_timestamp:>‘2019-11-25T22:36:12Z’, updated_timestamp:>‘2019-11-25T22:36:12Z’, aid:‘8e7656b27d8c49a34a1af416424d6231’
facet	query	list of strings	Select various details blocks to be returned for each assessment entity. Supported values: host, finding.rule, finding.evaluation_logic
parameters	query	dictionary	Full query string parameters payload in JSON format. Not required if using other keywords.

Code Examples

from falconpy import ConfigurationAssessment

falcon = ConfigurationAssessment(client_id=CLIENT_ID,
                                 client_secret=CLIENT_SECRET
                                 )

response = falcon.query_combined_assessments(after="string",
                                             limit="string",
                                             sort="string",
                                             filter="string",
                                             facet="string")
print(response)

from falconpy import ConfigurationAssessment

falcon = ConfigurationAssessment(client_id=CLIENT_ID,
                                 client_secret=CLIENT_SECRET
                                 )

response = falcon.getCombinedAssessmentsQuery(after="string",
                                              limit="string",
                                              sort="string",
                                              filter="string",
                                              facet="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("getCombinedAssessmentsQuery",
                          after="string",
                          limit=integer,
                          sort="string",
                          filter="string",
                          facet=id_list)
print(response)

Get-FalconConfigAssessment -Filter "string" `
  -Sort "string" `
  -Limit integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/configuration_assessment"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  after := "string"
  limit := int64(0)
  sort := "string"

  response, err := client.ConfigurationAssessment.GetCombinedAssessmentsQuery(
    &configuration_assessment.GetCombinedAssessmentsQueryParams{
      After: &after,
      Limit: &limit,
      Sort: &sort,
      Filter: "string",
      Facet: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.configurationAssessment.getCombinedAssessmentsQuery(
  "string",  // filter
  "string",  // after
  integer,  // limit
  "string",  // sort
  ["ID1", "ID2", "ID3"]  // facet
);

console.log(response);

use rusty_falcon::apis::configuration_assessment_api::get_combined_assessments_query;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = get_combined_assessments_query(
        &falcon.cfg,  // configuration
        "string",  // filter
        Some("string"),  // after
        Some(integer),  // limit
        Some("string"),  // sort
        Some(vec!["string".to_string()]),  // facet
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::ConfigurationAssessment.new

response = api.get_combined_assessments_query('string')

puts response

getRuleDetails

Get rules details for provided one or more rule IDs

GET /configuration-assessment/entities/rule-details/v1

Scope Configuration Assessment: READ Consumes · Produces application/json

PEP 8 get_rule_details

Parameters

Name	Type	Data type	Description
ids	query	string or list of strings	One or more rules IDs (max: 400)
parameters	query	dictionary	Full query string parameters payload in JSON format. Not required if using other keywords.

Code Examples

from falconpy import ConfigurationAssessment

falcon = ConfigurationAssessment(client_id=CLIENT_ID,
                                 client_secret=CLIENT_SECRET
                                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_details(ids=id_list)
print(response)

from falconpy import ConfigurationAssessment

falcon = ConfigurationAssessment(client_id=CLIENT_ID,
                                 client_secret=CLIENT_SECRET
                                 )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.getRuleDetails(ids=id_list)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("getRuleDetails",
                          ids=id_list)
print(response)

Get-FalconConfigAssessmentRule -Id @("ID1", "ID2")

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/configuration_assessment"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.ConfigurationAssessment.GetRuleDetails(
    &configuration_assessment.GetRuleDetailsParams{
      Ids: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.configurationAssessment.getRuleDetails(["ID1", "ID2", "ID3"]);  // ids

console.log(response);

use rusty_falcon::apis::configuration_assessment_api::get_rule_details;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = get_rule_details(
        &falcon.cfg,  // configuration
        vec!["string".to_string()],  // ids
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::ConfigurationAssessment.new

response = api.get_rule_details(['ID1', 'ID2', 'ID3'])

puts response

Configuration Assessment

Table of Contents

getCombinedAssessmentsQuery

Parameters

Code Examples

getRuleDetails

Parameters

Code Examples