Skip to content
CrowdStrike Developer Center

Falcon Complete Dashboard

The Falcon Complete Dashboard service collection provides operations for retrieving aggregate and query data from the Falcon Complete managed detection and response service.

LanguageLast Update
Pythonv1.6.1
PowerShellv2.2.9
Gov0.20.0
TypeScriptv0.6.0
Rustv0.7.0
Rubyv1.2.0

Table of Contents

Section titled “Table of Contents”
OperationDescription
AggregateAlerts
aggregate_alerts		Retrieve aggregate alerts values based on the matched filter
AggregateAllowList
aggregate_allow_list		Retrieve aggregate allowlist ticket values based on the matched filter
AggregateBlockList
aggregate_block_list		Retrieve aggregate blocklist ticket values based on the matched filter
AggregateDeviceCountCollection
aggregate_device_count_collection		Retrieve aggregate host/devices count based on the matched filter
AggregateEscalations
aggregate_escalations		Retrieve aggregate escalation ticket values based on the matched filter
AggregateFCIncidents
aggregate_fc_incidents		Retrieve aggregate incident values based on the matched filter
AggregateRemediations
aggregate_remediations		Retrieve aggregate remediation ticket values based on the matched filter
AggregatePreventionPolicy
aggregate_prevention_policy		Retrieve aggregate prevention policy values based on the matched filter
AggregateSensorUpdatePolicy
aggregate_sensor_update_policy		Retrieve aggregate sensor update policy values based on the matched filter
AggregateSupportIssues
aggregate_support_issues		Retrieve aggregate support issue values based on the matched filter
AggregateTotalDeviceCounts
aggregate_total_device_counts		Retrieve aggregate total host/devices based on the matched filter
QueryAlertIdsByFilter
query_alert_ids_by_filter_v1		Retrieve Alert IDs that match the provided FQL filter criteria with scrolling enabled
QueryAlertIdsByFilterV2
query_alert_ids_by_filter		Retrieve Alert IDs that match the provided FQL filter criteria with scrolling enabled
QueryAllowListFilter
query_allow_list_filter		Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled
QueryBlockListFilter
query_block_list_filter		Retrieve block listtickets that match the provided filter criteria with scrolling enabled
GetDeviceCountCollectionQueriesByFilter
get_device_count_collection_queries_by_filter		Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled
QueryEscalationsFilter
query_escalations_filter		Retrieve escalation tickets that match the provided filter criteria with scrolling enabled
QueryIncidentIdsByFilter
query_incident_ids_by_filter		Retrieve incidents that match the provided filter criteria with scrolling enabled
QueryRemediationsFilter
query_remediations_filter		Retrieve remediation tickets that match the provided filter criteria with scrolling enabled

AggregateAlerts

Section titled “AggregateAlerts”

Retrieve aggregate alerts values based on the matched filter

POST /falcon-complete-dashboards/aggregates/alerts/GET/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 aggregate_alerts

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    “from”: “2016-05-28T09:00:31Z”,
    “to”: “2016-05-30T09:00:31Z”
    },
#125;,
  {
    “from”: “2016-06-01T09:00:31Z”,
    “to”: “2016-06-10T09:00:31Z”
    }
#125;
]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values: year, month, week, day, hour, minute
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    “From”: 0,
    “To”: 70
    },
#125;,
  {
    “From”: 70,
    “To”: 100
    }
#125;
]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as:
[
  {
    “name”: “max_first_behavior”,
    “type”: “max”,
    “field”: “first_behavior”
    }
#125;
]

There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_alerts(date_ranges="string",
                                   field="string",
                                   filter="string",
                                   interval="string",
                                   min_doc_count=integer,
                                   missing="string",
                                   name="string",
                                   q="string",
                                   ranges=ranges,
                                   size=integer,
                                   sort="string",
                                   sub_aggregates=["string"],
                                   time_zone="string",
                                   type="string")
print(response)

AggregateAllowList

Section titled “AggregateAllowList”

Retrieve aggregate allowlist ticket values based on the matched filter

POST /falcon-complete-dashboards/aggregates/allowlist/GET/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 aggregate_allow_list

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    “from”: “2016-05-28T09:00:31Z”,
    “to”: “2016-05-30T09:00:31Z”
    },
#125;,
  {
    “from”: “2016-06-01T09:00:31Z”,
    “to”: “2016-06-10T09:00:31Z”
    }
#125;
]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values: year, month, week, day, hour, minute
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    “From”: 0,
    “To”: 70
    },
#125;,
  {
    “From”: 70,
    “To”: 100
    }
#125;
]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as:
[
  {
    “name”: “max_first_behavior”,
    “type”: “max”,
    “field”: “first_behavior”
    }
#125;
]

There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_allow_list(date_ranges="string",
                                       field="string",
                                       filter="string",
                                       interval="string",
                                       min_doc_count=integer,
                                       missing="string",
                                       name="string",
                                       q="string",
                                       ranges=ranges,
                                       size=integer,
                                       sort="string",
                                       sub_aggregates=["string"],
                                       time_zone="string",
                                       type="string")
print(response)

AggregateBlockList

Section titled “AggregateBlockList”

Retrieve aggregate blocklist ticket values based on the matched filter

POST /falcon-complete-dashboards/aggregates/blocklist/GET/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 aggregate_block_list

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    “from”: “2016-05-28T09:00:31Z”,
    “to”: “2016-05-30T09:00:31Z”
    },
#125;,
  {
    “from”: “2016-06-01T09:00:31Z”,
    “to”: “2016-06-10T09:00:31Z”
    }
#125;
]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values: year, month, week, day, hour, minute
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    “From”: 0,
    “To”: 70
    },
#125;,
  {
    “From”: 70,
    “To”: 100
    }
#125;
]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as:
[
  {
    “name”: “max_first_behavior”,
    “type”: “max”,
    “field”: “first_behavior”
    }
#125;
]

There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_block_list(date_ranges="string",
                                       exclude="string",
                                       field="string",
                                       filter="string",
                                       from=integer,
                                       include="string",
                                       interval="string",
                                       max_doc_count=integer,
                                       min_doc_count=integer,
                                       missing="string",
                                       name="string",
                                       q="string",
                                       ranges=ranges,
                                       size=integer,
                                       sort="string",
                                       sub_aggregates=["string"],
                                       time_zone="string",
                                       type="string")
print(response)

AggregateDeviceCountCollection

Section titled “AggregateDeviceCountCollection”

Retrieve aggregate host/devices count based on the matched filter

POST /falcon-complete-dashboards/aggregates/devicecount-collections/GET/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 aggregate_device_count_collection

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    “from”: “2016-05-28T09:00:31Z”,
    “to”: “2016-05-30T09:00:31Z”
    },
#125;,
  {
    “from”: “2016-06-01T09:00:31Z”,
    “to”: “2016-06-10T09:00:31Z”
    }
#125;
]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values: year, month, week, day, hour, minute
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    “From”: 0,
    “To”: 70
    },
#125;,
  {
    “From”: 70,
    “To”: 100
    }
#125;
]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as:
[
  {
    “name”: “max_first_behavior”,
    “type”: “max”,
    “field”: “first_behavior”
    }
#125;
]

There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_device_count_collection(date_ranges="string",
                                                    exclude="string",
                                                    field="string",
                                                    filter="string",
                                                    from=integer,
                                                    include="string",
                                                    interval="string",
                                                    max_doc_count=integer,
                                                    min_doc_count=integer,
                                                    missing="string",
                                                    name="string",
                                                    q="string",
                                                    ranges=ranges,
                                                    size=integer,
                                                    sort="string",
                                                    sub_aggregates=["string"],
                                                    time_zone="string",
                                                    type="string")
print(response)

AggregateEscalations

Section titled “AggregateEscalations”

Retrieve aggregate escalation ticket values based on the matched filter

POST /falcon-complete-dashboards/aggregates/escalations/GET/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 aggregate_escalations

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    “from”: “2016-05-28T09:00:31Z”,
    “to”: “2016-05-30T09:00:31Z”
    },
#125;,
  {
    “from”: “2016-06-01T09:00:31Z”,
    “to”: “2016-06-10T09:00:31Z”
    }
#125;
]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values: year, month, week, day, hour, minute
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    “From”: 0,
    “To”: 70
    },
#125;,
  {
    “From”: 70,
    “To”: 100
    }
#125;
]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as:
[
  {
    “name”: “max_first_behavior”,
    “type”: “max”,
    “field”: “first_behavior”
    }
#125;
]

There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_escalations(date_ranges="string",
                                        exclude="string",
                                        field="string",
                                        filter="string",
                                        from=integer,
                                        include="string",
                                        interval="string",
                                        max_doc_count=integer,
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=ranges,
                                        size=integer,
                                        sort="string",
                                        sub_aggregates=["string"],
                                        time_zone="string",
                                        type="string")
print(response)

AggregateFCIncidents

Section titled “AggregateFCIncidents”

Retrieve aggregate incident values based on the matched filter

POST /falcon-complete-dashboards/aggregates/incidents/GET/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 aggregate_fc_incidents

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    “from”: “2016-05-28T09:00:31Z”,
    “to”: “2016-05-30T09:00:31Z”
    },
#125;,
  {
    “from”: “2016-06-01T09:00:31Z”,
    “to”: “2016-06-10T09:00:31Z”
    }
#125;
]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values: year, month, week, day, hour, minute
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    “From”: 0,
    “To”: 70
    },
#125;,
  {
    “From”: 70,
    “To”: 100
    }
#125;
]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as:
[
  {
    “name”: “max_first_behavior”,
    “type”: “max”,
    “field”: “first_behavior”
    }
#125;
]

There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles

Code Examples

Section titled “Code Examples”

Examples coming soon.

AggregateRemediations

Section titled “AggregateRemediations”

Retrieve aggregate remediation ticket values based on the matched filter

POST /falcon-complete-dashboards/aggregates/remediations/GET/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 aggregate_remediations

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    “from”: “2016-05-28T09:00:31Z”,
    “to”: “2016-05-30T09:00:31Z”
    },
#125;,
  {
    “from”: “2016-06-01T09:00:31Z”,
    “to”: “2016-06-10T09:00:31Z”
    }
#125;
]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values: year, month, week, day, hour, minute
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    “From”: 0,
    “To”: 70
    },
#125;,
  {
    “From”: 70,
    “To”: 100
    }
#125;
]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as:
[
  {
    “name”: “max_first_behavior”,
    “type”: “max”,
    “field”: “first_behavior”
    }
#125;
]

There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_remediations(date_ranges="string",
                                         exclude="string",
                                         field="string",
                                         filter="string",
                                         from=integer,
                                         include="string",
                                         interval="string",
                                         max_doc_count=integer,
                                         min_doc_count=integer,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=ranges,
                                         size=integer,
                                         sort="string",
                                         sub_aggregates=["string"],
                                         time_zone="string",
                                         type="string")
print(response)

AggregatePreventionPolicy

Section titled “AggregatePreventionPolicy”

Retrieve aggregate prevention policy values based on the matched filter

POST /falcon-complete-dashboards/aggregates/prevention-policy/GET/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 aggregate_prevention_policy

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    “from”: “2016-05-28T09:00:31Z”,
    “to”: “2016-05-30T09:00:31Z”
    },
#125;,
  {
    “from”: “2016-06-01T09:00:31Z”,
    “to”: “2016-06-10T09:00:31Z”
    }
#125;
]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values: year, month, week, day, hour, minute
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    “From”: 0,
    “To”: 70
    },
#125;,
  {
    “From”: 70,
    “To”: 100
    }
#125;
]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as:
[
  {
    “name”: “max_first_behavior”,
    “type”: “max”,
    “field”: “first_behavior”
    }
#125;
]

There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_prevention_policy(date_ranges="string",
                                              exclude="string",
                                              field="string",
                                              filter="string",
                                              from=integer,
                                              include="string",
                                              interval="string",
                                              max_doc_count=integer,
                                              min_doc_count=integer,
                                              missing="string",
                                              name="string",
                                              q="string",
                                              ranges=ranges,
                                              size=integer,
                                              sort="string",
                                              sub_aggregates=["string"],
                                              time_zone="string",
                                              type="string")
print(response)

AggregateSensorUpdatePolicy

Section titled “AggregateSensorUpdatePolicy”

Retrieve aggregate sensor update policy values based on the matched filter

POST /falcon-complete-dashboards/aggregates/sensor-update-policy/GET/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 aggregate_sensor_update_policy

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    “from”: “2016-05-28T09:00:31Z”,
    “to”: “2016-05-30T09:00:31Z”
    },
#125;,
  {
    “from”: “2016-06-01T09:00:31Z”,
    “to”: “2016-06-10T09:00:31Z”
    }
#125;
]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values: year, month, week, day, hour, minute
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    “From”: 0,
    “To”: 70
    },
#125;,
  {
    “From”: 70,
    “To”: 100
    }
#125;
]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as:
[
  {
    “name”: “max_first_behavior”,
    “type”: “max”,
    “field”: “first_behavior”
    }
#125;
]

There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_sensor_update_policy(date_ranges="string",
                                                 exclude="string",
                                                 field="string",
                                                 filter="string",
                                                 from=integer,
                                                 include="string",
                                                 interval="string",
                                                 max_doc_count=integer,
                                                 min_doc_count=integer,
                                                 missing="string",
                                                 name="string",
                                                 q="string",
                                                 ranges=ranges,
                                                 size=integer,
                                                 sort="string",
                                                 sub_aggregates=["string"],
                                                 time_zone="string",
                                                 type="string")
print(response)

AggregateSupportIssues

Section titled “AggregateSupportIssues”

Retrieve aggregate support issue values based on the matched filter

POST /falcon-complete-dashboards/aggregates/support-issues/GET/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 aggregate_support_issues

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    “from”: “2016-05-28T09:00:31Z”,
    “to”: “2016-05-30T09:00:31Z”
    },
#125;,
  {
    “from”: “2016-06-01T09:00:31Z”,
    “to”: “2016-06-10T09:00:31Z”
    }
#125;
]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values: year, month, week, day, hour, minute
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    “From”: 0,
    “To”: 70
    },
#125;,
  {
    “From”: 70,
    “To”: 100
    }
#125;
]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as:
[
  {
    “name”: “max_first_behavior”,
    “type”: “max”,
    “field”: “first_behavior”
    }
#125;
]

There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_support_issues(date_ranges="string",
                                           exclude="string",
                                           field="string",
                                           filter="string",
                                           from=integer,
                                           include="string",
                                           interval="string",
                                           max_doc_count=integer,
                                           min_doc_count=integer,
                                           missing="string",
                                           name="string",
                                           q="string",
                                           ranges=ranges,
                                           size=integer,
                                           sort="string",
                                           sub_aggregates=["string"],
                                           time_zone="string",
                                           type="string")
print(response)

AggregateTotalDeviceCounts

Section titled “AggregateTotalDeviceCounts”

Retrieve aggregate total host/devices based on the matched filter

POST /falcon-complete-dashboards/aggregates/total-device-counts/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 aggregate_total_device_counts

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    “from”: “2016-05-28T09:00:31Z”,
    “to”: “2016-05-30T09:00:31Z”
    },
#125;,
  {
    “from”: “2016-06-01T09:00:31Z”,
    “to”: “2016-06-10T09:00:31Z”
    }
#125;
]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values: year, month, week, day, hour, minute
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    “From”: 0,
    “To”: 70
    },
#125;,
  {
    “From”: 70,
    “To”: 100
    }
#125;
]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as:
[
  {
    “name”: “max_first_behavior”,
    “type”: “max”,
    “field”: “first_behavior”
    }
#125;
]

There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_total_device_counts(date_ranges="string",
                                                exclude="string",
                                                field="string",
                                                filter="string",
                                                from=integer,
                                                include="string",
                                                interval="string",
                                                max_doc_count=integer,
                                                min_doc_count=integer,
                                                missing="string",
                                                name="string",
                                                q="string",
                                                ranges=ranges,
                                                size=integer,
                                                sort="string",
                                                sub_aggregates=["string"],
                                                time_zone="string",
                                                type="string")
print(response)

QueryAlertIdsByFilter

Section titled “QueryAlertIdsByFilter”

Retrieve Alert IDs that match the provided FQL filter criteria with scrolling enabled.

GET /falcon-complete-dashboards/queries/alerts/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 query_alert_ids_by_filter_v1

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringOptional filter and sort criteria in the form of an FQL query.
limitqueryintegerThe maximum records to return. (Max: 500).
offsetqueryintegerStarting index of overall result set from which to return ids.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


response = falcon.query_alert_ids_by_filter_v1(filter="string",
                                               limit=integer,
                                               offset="string",
                                               sort="string")
print(response)

QueryAlertIdsByFilterV2

Section titled “QueryAlertIdsByFilterV2”

Retrieve Alert IDs that match the provided FQL filter criteria with scrolling enabled.

GET /falcon-complete-dashboards/queries/alerts/v2
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 query_alert_ids_by_filter

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringOptional filter and sort criteria in the form of an FQL query.
limitqueryintegerThe maximum records to return. (Max: 500).
offsetqueryintegerStarting index of overall result set from which to return ids.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


response = falcon.query_alert_ids_by_filter(filter="string",
                                            limit=integer,
                                            offset="string",
                                            sort="string")
print(response)

QueryAllowListFilter

Section titled “QueryAllowListFilter”

Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled

GET /falcon-complete-dashboards/queries/allowlist/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 query_allow_list_filter

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringOptional filter and sort criteria in the form of an FQL query.
limitqueryintegerThe maximum records to return. (Max: 500).
offsetqueryintegerStarting index of overall result set from which to return ids.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


response = falcon.query_allow_list_filter(filter="string",
                                          limit=integer,
                                          offset="string",
                                          sort="string")
print(response)

QueryBlockListFilter

Section titled “QueryBlockListFilter”

Retrieve block listtickets that match the provided filter criteria with scrolling enabled

GET /falcon-complete-dashboards/queries/blocklist/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 query_block_list_filter

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringOptional filter and sort criteria in the form of an FQL query.
limitqueryintegerThe maximum records to return. (Max: 500).
offsetqueryintegerStarting index of overall result set from which to return ids.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


response = falcon.query_block_list_filter(filter="string",
                                          limit=integer,
                                          offset="string",
                                          sort="string")
print(response)

GetDeviceCountCollectionQueriesByFilter

Section titled “GetDeviceCountCollectionQueriesByFilter”

Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled

GET /falcon-complete-dashboards/queries/devicecount-collections/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 get_device_count_collection_queries_by_filter

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringOptional filter and sort criteria in the form of an FQL query.
limitqueryintegerThe maximum records to return. (Max: 500).
offsetqueryintegerStarting index of overall result set from which to return ids.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


response = falcon.get_device_count_collection_queries_by_filter(filter="string",
                                                                limit=integer,
                                                                offset="string",
                                                                sort="string")
print(response)

QueryEscalationsFilter

Section titled “QueryEscalationsFilter”

Retrieve escalation tickets that match the provided filter criteria with scrolling enabled

GET /falcon-complete-dashboards/queries/escalations/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 query_escalations_filter

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringOptional filter and sort criteria in the form of an FQL query.
limitqueryintegerThe maximum records to return. (Max: 500).
offsetqueryintegerStarting index of overall result set from which to return ids.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


response = falcon.query_escalations_filter(filter="string",
                                           limit=integer,
                                           offset="string",
                                           sort="string")
print(response)

QueryIncidentIdsByFilter

Section titled “QueryIncidentIdsByFilter”

Retrieve incidents that match the provided filter criteria with scrolling enabled

GET /falcon-complete-dashboards/queries/incidents/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 query_incident_ids_by_filter

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringOptional filter and sort criteria in the form of an FQL query.
limitqueryintegerThe maximum records to return. (Max: 500).
offsetqueryintegerStarting index of overall result set from which to return ids.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Code Examples

Section titled “Code Examples”

Examples coming soon.

QueryRemediationsFilter

Section titled “QueryRemediationsFilter”

Retrieve remediation tickets that match the provided filter criteria with scrolling enabled

GET /falcon-complete-dashboards/queries/remediations/v1
Scope Falcon Complete Dashboard: READ Consumes · Produces application/json
PEP 8 query_remediations_filter

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringOptional filter and sort criteria in the form of an FQL query.
limitqueryintegerThe maximum records to return. (Max: 500).
offsetqueryintegerStarting index of overall result set from which to return ids.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Code Examples

Section titled “Code Examples”
from falconpy import CompleteDashboard


falcon = CompleteDashboard(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )


response = falcon.query_remediations_filter(filter="string",
                                            limit=integer,
                                            offset="string",
                                            sort="string")
print(response)
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use