FDR

The Falcon Data Replicator (FDR) service collection provides operations for accessing event and field schema data. Fetch combined schemas, retrieve event or field entities by ID, and query event or field IDs using FQL filter criteria.

Language	Last Update
Python	v1.4.6
PowerShell	v2.2.9
Go	v0.20.0
TypeScript	v0.6.0
Rust	v0.7.0
Ruby	v1.2.0

Operation	Description
fdrschema_combined_event_get `get_event_combined`	Fetches the combined schema.
fdrschema_entities_event_get `get_event_entities`	Fetch event schema by ID.
fdrschema_queries_event_get `query_event_entities`	Get list of event IDs given a particular query.
fdrschema_entities_field_get `get_field_entities`	Fetch field schema by ID.
fdrschema_queries_field_get `query_field_entities`	Get list of field IDs given a particular query.

fdrschema_combined_event_get

Fetch the combined schema.

GET /fdr/combined/schema-members/v1

Scope Falcon Data Replicator: READ Consumes · Produces application/json

PEP 8 get_event_combined

Parameters

No keywords or arguments accepted.

Code Examples

from falconpy import FDR

falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.get_event_combined()
print(response)

from falconpy import FDR

falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.fdrschema_combined_event_get()
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("fdrschema_combined_event_get")
print(response)

Get-FalconReplicatorSchema

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/event_schema"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.EventSchema.FdrschemaCombinedEventGet(
    &event_schema.FdrschemaCombinedEventGetParams{
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.eventSchema.fdrschemaCombinedEventGet();

console.log(response);

fdrschema_entities_event_get

Fetch event schema by ID.

GET /fdr/entities/schema-events/v1

Scope Falcon Data Replicator: READ Consumes · Produces application/json

PEP 8 get_event_entities

Parameters

Name	Type	Data type	Description
ids	query	string or list of strings	Feed IDs to fetch.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import FDR

falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_event_entities(ids=id_list)
print(response)

from falconpy import FDR

falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.fdrschema_entities_event_get(ids=id_list)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("fdrschema_entities_event_get",
                          ids=id_list)
print(response)

Get-FalconReplicatorEvent -Id @("ID1", "ID2")

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/event_schema"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.EventSchema.FdrschemaEntitiesEventGet(
    &event_schema.FdrschemaEntitiesEventGetParams{
      Ids: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.eventSchema.fdrschemaEntitiesEventGet(["ID1", "ID2", "ID3"]);  // ids

console.log(response);

fdrschema_queries_event_get

Get a list of event IDs given a particular query.

GET /fdr/queries/schema-events/v1

Scope Falcon Data Replicator: READ Consumes · Produces application/json

PEP 8 query_event_entities

Parameters

Name	Type	Data type	Description
offset	query	integer	The offset to start retrieving records from.
parameters	query	dictionary	Full query string parameters payload in JSON format.
limit	query	integer	The maximum records to return.
sort	query	string	FQL formatted sort directive.
filter	query	string	The FQL filter expression that should be used to limit the results.

Code Examples

from falconpy import FDR

falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.query_event_entities(limit=integer,
                                       offset=integer,
                                       filter="string",
                                       sort="string")
print(response)

from falconpy import FDR

falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.fdrschema_queries_event_get(limit=integer,
                                              offset=integer,
                                              filter="string",
                                              sort="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("fdrschema_queries_event_get",
                          limit=integer,
                          offset=integer,
                          filter="string",
                          sort="string")
print(response)

Get-FalconReplicatorEvent -Filter "string" `
  -Sort "string" `
  -Limit integer `
  -Offset integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/event_schema"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  limit := int64(0)
  offset := int64(0)
  filter := "string"
  sort := "string"

  response, err := client.EventSchema.FdrschemaQueriesEventGet(
    &event_schema.FdrschemaQueriesEventGetParams{
      Limit: &limit,
      Offset: &offset,
      Filter: &filter,
      Sort: &sort,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.eventSchema.fdrschemaQueriesEventGet(
  integer,  // limit
  integer,  // offset
  "string",  // filter
  "string"  // sort
);

console.log(response);

fdrschema_entities_field_get

Fetch field schema by ID.

GET /fdr/entities/schema-fields/v1

Scope Falcon Data Replicator: READ Consumes · Produces application/json

PEP 8 get_field_entities

Parameters

Name	Type	Data type	Description
ids	query	string or list of strings	Feed IDs to fetch.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import FDR

falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_field_entities(ids=id_list)
print(response)

from falconpy import FDR

falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.fdrschema_entities_field_get(ids=id_list)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("fdrschema_entities_field_get",
                          ids=id_list)
print(response)

Get-FalconReplicatorField -Id @("ID1", "ID2")

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/field_schema"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.FieldSchema.FdrschemaEntitiesFieldGet(
    &field_schema.FdrschemaEntitiesFieldGetParams{
      Ids: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.fieldSchema.fdrschemaEntitiesFieldGet(["ID1", "ID2", "ID3"]);  // ids

console.log(response);

fdrschema_queries_field_get

Get a list of field IDs given a particular query.

GET /fdr/queries/schema-fields/v1

Scope Falcon Data Replicator: READ Consumes · Produces application/json

PEP 8 query_field_entities

Parameters

Name	Type	Data type	Description
offset	query	integer	The offset to start retrieving records from.
parameters	query	dictionary	Full query string parameters payload in JSON format.
limit	query	integer	The maximum records to return.
sort	query	string	FQL formatted sort directive.
filter	query	string	The FQL filter expression that should be used to limit the results.

Code Examples

from falconpy import FDR

falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.query_field_entities(limit=integer,
                                       offset=integer,
                                       filter="string",
                                       sort="string")
print(response)

from falconpy import FDR

falcon = FDR(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.fdrschema_queries_field_get(limit=integer,
                                              offset=integer,
                                              filter="string",
                                              sort="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("fdrschema_queries_field_get",
                          limit=integer,
                          offset=integer,
                          filter="string",
                          sort="string")
print(response)

Get-FalconReplicatorField -Filter "string" `
  -Sort "string" `
  -Limit integer `
  -Offset integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/field_schema"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  limit := int64(0)
  offset := int64(0)
  filter := "string"
  sort := "string"

  response, err := client.FieldSchema.FdrschemaQueriesFieldGet(
    &field_schema.FdrschemaQueriesFieldGetParams{
      Limit: &limit,
      Offset: &offset,
      Filter: &filter,
      Sort: &sort,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.fieldSchema.fdrschemaQueriesFieldGet(
  integer,  // limit
  integer,  // offset
  "string",  // filter
  "string"  // sort
);

console.log(response);

FDR

Table of Contents

fdrschema_combined_event_get

Parameters

Code Examples

fdrschema_entities_event_get

Parameters

Code Examples

fdrschema_queries_event_get

Parameters

Code Examples

fdrschema_entities_field_get

Parameters

Code Examples

fdrschema_queries_field_get

Parameters

Code Examples