Container Detections
The Container Detections service collection provides operations for querying and aggregating container security detections. Retrieve runtime detections, aggregate counts by severity and type, and search detection entities using FQL filters.
| Language | Last Update |
|---|---|
| Python | v1.4.6 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |
Table of Contents
Section titled “Table of Contents”| Operation | Description |
|---|---|
GetRuntimeDetectionsCombinedV2search_runtime_detections | Retrieve image assessment detections identified by the provided filter criteria. |
ReadDetectionsCountBySeverityread_detection_counts_by_severity | Aggregate counts of detections by severity. |
ReadDetectionsCountByTyperead_detections_count_by_type | Aggregate counts of detections by detection type. |
ReadDetectionsCountread_detections_count | Aggregate count of detections. |
ReadCombinedDetectionsread_combined_detections | Retrieve image assessment detections identified by the provided filter criteria. |
ReadDetectionsread_detections | Retrieve image assessment detection entities identified by the provided filter criteria. |
SearchDetectionssearch_detections | Retrieve image assessment detection entities identified by the provided filter criteria. |
GetRuntimeDetectionsCombinedV2
Section titled “GetRuntimeDetectionsCombinedV2”Retrieve image assessment detections identified by the provided filter criteria.
GET /container-security/combined/runtime-detections/v2
PEP 8
search_runtime_detectionsParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | Filter container runtime detections using a query in Falcon Query Language (FQL). Supported filters: action_taken, aid, cid, cloud, cluster_name, command_line, computer_name, container_id, detect_timestamp, detection_description, detection_id, file_name, file_path, host_id, host_type, image_id, name, namespace, pod_name, severity, tactic. |
| limit | query | integer | The upper-bound on the number of records to retrieve. |
| offset | query | integer | The offset from where to begin. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required if using other keywords. |
| sort | query | string | The fields to sort the records on. Supported fields: containers_impacted, detection_name, detection_severity, detection_type, images_impacted, last_detected. |
Code Examples
Section titled “Code Examples”from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.search_runtime_detections(filter="string", limit=integer, offset=integer, sort="string")print(response)from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.GetRuntimeDetectionsCombinedV2(filter="string", limit=integer, offset=integer, sort="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("GetRuntimeDetectionsCombinedV2", filter="string", sort="string", limit=integer, offset=integer)print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/runtime_detections")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
filter := "string" sort := "string" limit := int64(0) offset := int64(0)
response, err := client.RuntimeDetections.GetRuntimeDetectionsCombinedV2( &runtime_detections.GetRuntimeDetectionsCombinedV2Params{ Filter: &filter, Sort: &sort, Limit: &limit, Offset: &offset, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.runtimeDetections.getRuntimeDetectionsCombinedV2( "string", // filter "string", // sort integer, // limit integer // offset);
console.log(response);use rusty_falcon::apis::runtime_detections_api::get_runtime_detections_combined_v2;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = get_runtime_detections_combined_v2( &falcon.cfg, // configuration Some("string"), // filter Some("string"), // sort Some(integer), // limit Some(integer), // offset ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::RuntimeDetections.new
response = api.get_runtime_detections_combined_v2(filter: 'string', sort: 'string', limit: integer, offset: integer)
puts responseReadDetectionsCountBySeverity
Section titled “ReadDetectionsCountBySeverity”Aggregate counts of detections by severity.
GET /container-security/aggregates/detections/count-by-severity/v1
PEP 8
read_detection_counts_by_severityParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | Filter images using a query in Falcon Query Language (FQL). Supported filters: cid, container_id, detection_type, id, image_digest, image_id, image_registry, image_repository, image_tag, name, severity. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required if using other keywords. |
Code Examples
Section titled “Code Examples”from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.read_detection_counts_by_severity(filter="string")print(response)from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.ReadDetectionsCountBySeverity(filter="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("ReadDetectionsCountBySeverity", filter="string")print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/container_detections")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
filter := "string"
response, err := client.ContainerDetections.ReadDetectionsCountBySeverity( &container_detections.ReadDetectionsCountBySeverityParams{ Filter: &filter, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.containerDetections.readDetectionsCountBySeverity("string"); // filter
console.log(response);use rusty_falcon::apis::container_detections_api::read_detections_count_by_severity;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = read_detections_count_by_severity( &falcon.cfg, // configuration Some("string"), // filter ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::ContainerDetections.new
response = api.read_detections_count_by_severity(filter: 'string')
puts responseReadDetectionsCountByType
Section titled “ReadDetectionsCountByType”Aggregate counts of detections by detection type.
GET /container-security/aggregates/detections/count-by-type/v1
PEP 8
read_detections_count_by_typeParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | Filter images using a query in Falcon Query Language (FQL). Supported filters: cid, container_id, detection_type, id, image_digest, image_id, image_registry, image_repository, image_tag, name, severity. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required if using other keywords. |
Code Examples
Section titled “Code Examples”from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.read_detections_count_by_type(filter="string")print(response)from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.ReadDetectionsCountByType(filter="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("ReadDetectionsCountByType", filter="string")print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/container_detections")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
filter := "string"
response, err := client.ContainerDetections.ReadDetectionsCountByType( &container_detections.ReadDetectionsCountByTypeParams{ Filter: &filter, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.containerDetections.readDetectionsCountByType("string"); // filter
console.log(response);use rusty_falcon::apis::container_detections_api::read_detections_count_by_type;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = read_detections_count_by_type( &falcon.cfg, // configuration Some("string"), // filter ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::ContainerDetections.new
response = api.read_detections_count_by_type(filter: 'string')
puts responseReadDetectionsCount
Section titled “ReadDetectionsCount”Aggregate count of detections.
GET /container-security/aggregates/detections/count/v1
PEP 8
read_detections_countParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | Filter images using a query in Falcon Query Language (FQL). Supported filters: cid, container_id, detection_type, id, image_digest, image_id, image_registry, image_repository, image_tag, name, severity. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required if using other keywords. |
Code Examples
Section titled “Code Examples”from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.read_detections_count(filter="string")print(response)from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.ReadDetectionsCount(filter="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("ReadDetectionsCount", filter="string")print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/container_detections")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
filter := "string"
response, err := client.ContainerDetections.ReadDetectionsCount( &container_detections.ReadDetectionsCountParams{ Filter: &filter, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.containerDetections.readDetectionsCount("string"); // filter
console.log(response);use rusty_falcon::apis::container_detections_api::read_detections_count;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = read_detections_count( &falcon.cfg, // configuration Some("string"), // filter ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::ContainerDetections.new
response = api.read_detections_count(filter: 'string')
puts responseReadCombinedDetections
Section titled “ReadCombinedDetections”Retrieve image assessment detections identified by the provided filter criteria.
GET /container-security/combined/detections/v1
PEP 8
read_combined_detectionsParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | Filter images using a query in Falcon Query Language (FQL). Supported filters: cid, container_id, detection_type, id, image_digest, image_id, image_registry, image_repository, image_tag, name, severity. |
| limit | query | integer | The upper-bound on the number of records to retrieve. |
| offset | query | integer | The offset from where to begin. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required if using other keywords. |
| sort | query | string | The fields to sort the records on. Supported columns: containers_impacted, detection_name, detection_severity, detection_type, images_impacted, last_detected. |
Code Examples
Section titled “Code Examples”from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.read_combined_detections(filter="string", limit=integer, offset=integer, sort="string")print(response)from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.ReadCombinedDetections(filter="string", limit=integer, offset=integer, sort="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("ReadCombinedDetections", filter="string", sort="string", limit=integer, offset=integer)print(response)Get-FalconContainerDetection -Filter "string" ` -Sort "string" ` -Limit integer ` -Offset integerpackage main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/container_detections")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
filter := "string" sort := "string" limit := int64(0) offset := int64(0)
response, err := client.ContainerDetections.ReadCombinedDetections( &container_detections.ReadCombinedDetectionsParams{ Filter: &filter, Sort: &sort, Limit: &limit, Offset: &offset, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.containerDetections.readCombinedDetections( "string", // filter "string", // sort integer, // limit integer // offset);
console.log(response);use rusty_falcon::apis::container_detections_api::read_combined_detections;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = read_combined_detections( &falcon.cfg, // configuration Some("string"), // filter Some("string"), // sort Some(integer), // limit Some(integer), // offset ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::ContainerDetections.new
response = api.read_combined_detections(filter: 'string', sort: 'string', limit: integer, offset: integer)
puts responseReadDetections
Section titled “ReadDetections”Retrieve image assessment detection entities identified by the provided filter criteria.
GET /container-security/entities/detections/v1
PEP 8
read_detectionsParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | Filter images using a query in Falcon Query Language (FQL). Supported filters: cid, detection_type, image_registry, image_repository, image_tag. |
| limit | query | integer | The upper-bound on the number of records to retrieve. |
| offset | query | integer | The offset from where to begin. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required if using other keywords. |
Code Examples
Section titled “Code Examples”from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.read_detections(filter="string", limit=integer, offset=integer)print(response)from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.ReadDetections(filter="string", limit=integer, offset=integer)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("ReadDetections", filter="string", limit=integer, offset=integer)print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/container_detections")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
filter := "string" limit := int64(0) offset := int64(0)
response, err := client.ContainerDetections.ReadDetections( &container_detections.ReadDetectionsParams{ Filter: &filter, Limit: &limit, Offset: &offset, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.containerDetections.readDetections( "string", // filter integer, // limit integer // offset);
console.log(response);use rusty_falcon::apis::container_detections_api::read_detections;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = read_detections( &falcon.cfg, // configuration Some("string"), // filter Some(integer), // limit Some(integer), // offset ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::ContainerDetections.new
response = api.read_detections(filter: 'string', limit: integer, offset: integer)
puts responseSearchDetections
Section titled “SearchDetections”Retrieve image assessment detection entities identified by the provided filter criteria.
GET /container-security/queries/detections/v1
PEP 8
search_detectionsParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | Filter images using a query in Falcon Query Language (FQL). Supported filters: cid, container_id, detection_type, id, image_digest, image_id, image_registry, image_repository, image_tag, name, severity. |
| limit | query | integer | The upper-bound on the number of records to retrieve. |
| offset | query | integer | The offset from where to begin. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required if using other keywords. |
Code Examples
Section titled “Code Examples”from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.search_detections(filter="string", limit=integer, offset=integer)print(response)from falconpy import ContainerDetections
falcon = ContainerDetections(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.SearchDetections(filter="string", limit=integer, offset=integer)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("SearchDetections", filter="string", limit=integer, offset=integer)print(response)Get-FalconContainerDetection -Filter "string" ` -Limit integer ` -Offset integerpackage main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/container_detections")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
filter := "string" limit := int64(0) offset := int64(0)
response, err := client.ContainerDetections.SearchDetections( &container_detections.SearchDetectionsParams{ Filter: &filter, Limit: &limit, Offset: &offset, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.containerDetections.searchDetections( "string", // filter integer, // limit integer // offset);
console.log(response);use rusty_falcon::apis::container_detections_api::search_detections;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = search_detections( &falcon.cfg, // configuration Some("string"), // filter Some(integer), // limit Some(integer), // offset ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::ContainerDetections.new
response = api.search_detections(filter: 'string', limit: integer, offset: integer)
puts response