Skip to content
CrowdStrike Developer Center

FileVantage

The FileVantage service collection provides operations for managing CrowdStrike Falcon FileVantage configurations. Monitor and detect changes to files, directories, and registry settings. Manage policies, scheduled exclusions, rule groups, and rules. Retrieve and initiate actions on changes, get file change content, initiate workflows for change IDs, and query action, change, policy, scheduled exclusion, and rule group IDs.

LanguageLast Update
Pythonv1.6.1
PowerShellv2.2.9
Gov0.20.0
TypeScriptv0.6.0
Rustv0.7.0
Rubyv1.2.0

Table of Contents

Section titled “Table of Contents”
OperationDescription
getActionsMixin0
get_actions		Retrieves the processing results for one or more actions.
startActions
start_actions		Initiates the specified action on the provided change IDs.
getContents
get_contents		Retrieves the content captured for the provided change ID.
getChanges
get_changes		Retrieve information on changes.
updatePolicyHostGroups
update_policy_host_groups		Manage host groups assigned to a policy.
updatePolicyPrecedence
update_policy_precedence		Updates the policy precedence for all policies of a specific type.
updatePolicyRuleGroups
update_policy_rule_groups		Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy.
getPolicies
get_policies		Retrieves the configuration for 1 or more policies.
createPolicies
create_policy		Creates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type.
deletePolicies
delete_policies		Deletes 1 or more policies.
updatePolicies
update_policies		Updates the general information of the provided policy.
getScheduledExclusions
get_scheduled_exclusions		Retrieves the configuration of 1 or more scheduled exclusions from the provided policy id.
createScheduledExclusions
create_scheduled_exclusions		Creates a new scheduled exclusion configuration for the provided policy id.
deleteScheduledExclusions
delete_scheduled_exclusions		Deletes 1 or more scheduled exclusions from the provided policy id.
updateScheduledExclusions
update_scheduled_exclusions		Updates the provided scheduled exclusion configuration within the provided policy.
updateRuleGroupPrecedence
update_rule_group_precedence		Updates the rule precedence for all rules in the identified rule group.
getRules
get_rules		Retrieves the configuration for 1 or more rules.
createRules
create_rule		Creates a new rule configuration within the specified rule group.
deleteRules
delete_rules		Deletes 1 or more rules from the specified rule group.
updateRules
update_rule		Updates the provided rule configuration within the specified rule group.
getRuleGroups
get_rule_groups		Retrieves the rule group details for 1 or more rule groups.
createRuleGroups
create_rule_group		Creates a new rule group of the specified type.
deleteRuleGroups
delete_rule_groups		Deletes 1 or more rule groups.
updateRuleGroups
update_rule_group		Updates the provided rule group.
signalChangesExternal
signal_changes		Initiates workflows for the provided change IDs.
queryActionsMixin0
query_actions		Returns one or more action IDs.
queryChanges
query_changes		Returns 1 or more change ids.
highVolumeQueryChanges
query_changes_scroll		Returns 1 or more change ids.
queryPolicies
query_policies		Retrieve the ids of all policies that are assigned the provided policy type.
queryScheduledExclusions
query_scheduled_exclusions		Retrieve the ids of all scheduled exclusions contained within the provided policy id.
queryRuleGroups
query_rule_groups		Retrieve the ids of all rule groups that are of the provided rule group type.

getActionsMixin0

Section titled “getActionsMixin0”

Retrieves the processing results for one or more actions.

GET /filevantage/entities/actions/v1
Scope Falcon FileVantage: READ Consumes · Produces application/json
PEP 8 get_actions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsOne or more change ids. The maximum number of ids that can be requested at once is 500.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_actions(ids=id_list)
print(response)

startActions

Section titled “startActions”

Initiates the specified action on the provided change IDs.

POST /filevantage/entities/actions/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 start_actions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
change_idsbodystring or list of stringsThe IDs of the changes the operation will perform. Maximum of 100 IDs per action.
commentbodystringOptional comment to describe reason for action.
operationbodystringOperation to perform. Must be one of: suppress, unsuppress, purge.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.start_actions(change_ids=id_list,
                                comment="string",
                                operation="string")
print(response)

getContents

Section titled “getContents”

Retrieves the content captured for the provided change ID.

GET /filevantage/entities/change-content/v1
Scope Falcon FileVantage Content: READ Consumes · Produces application/json
PEP 8 get_contents

Parameters

Section titled “Parameters”
NameTypeData typeDescription
compressquerybooleanCompress the response using gzip. Defaults to False.
idquerystringID of the change.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_contents(id=id_list, compress=boolean)
print(response)

getChanges

Section titled “getChanges”

Retrieve information on changes.

GET /filevantage/entities/changes/v2
Scope Falcon FileVantage: READ Consumes · Produces application/json
PEP 8 get_changes

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsOne or more change ids. The maximum number of ids that can be requested at once is 500.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_changes(ids=id_list)
print(response)

updatePolicyHostGroups

Section titled “updatePolicyHostGroups”

Manage host groups assigned to a policy.

PATCH /filevantage/entities/policies-host-groups/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 update_policy_host_groups

Parameters

Section titled “Parameters”
NameTypeData typeDescription
policy_idquerystringThe id of the policy for which to perform the action.
actionquerystringThe action to perform with the provided ids, must be one of: assign or unassign.
idsquerystring or list of stringsOne or more host group ids.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.update_policy_host_groups(action="string",
                                            policy_id="string",
                                            ids=id_list)
print(response)

updatePolicyPrecedence

Section titled “updatePolicyPrecedence”

Updates the policy precedence for all policies of a specific type.

PATCH /filevantage/entities/policies-precedence/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 update_policy_precedence

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsPrecedence of the policies for the provided type. Precedence is determined by element position within the provided list.
typequerystringThe policy type for which to set the precedence order, must be one of Windows, Linux or Mac.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”

Examples coming soon.

updatePolicyRuleGroups

Section titled “updatePolicyRuleGroups”

Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy.

PATCH /filevantage/entities/policies-rule-groups/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 update_policy_rule_groups

Parameters

Section titled “Parameters”
NameTypeData typeDescription
policy_idquerystringThe id of the policy for which to perform the action.
actionquerystringThe action to perform with the provided ids, must be one of: assign, unassign, or precedence.
idsquerystring or list of stringsOne or more rule group ids. Note, for the precedence action, precedence is controlled by the order of the ids as they are specified in the request.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.update_policy_rule_groups(action="string",
                                            policy_id="string",
                                            ids=id_list)
print(response)

getPolicies

Section titled “getPolicies”

Retrieves the configuration for 1 or more policies.

GET /filevantage/entities/policies/v1
Scope Falcon FileVantage: READ Consumes · Produces application/json
PEP 8 get_policies

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsOne or more (up to 500) policy IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_policies(ids=id_list)
print(response)

createPolicies

Section titled “createPolicies”

Creates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type.

POST /filevantage/entities/policies/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 create_policy

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
descriptionbodystringThe policy description (Max: 500 characters)
namebodystringName of the policy (Max: 100 characters)
platformbodystringPolicy platform. Must be one of: Windows, Linux, Mac.

Code Examples

Section titled “Code Examples”

Examples coming soon.

deletePolicies

Section titled “deletePolicies”

Deletes 1 or more policies.

DELETE /filevantage/entities/policies/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 delete_policies

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsOne or more (up to 500) policy IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.delete_policies(ids=id_list)
print(response)

updatePolicies

Section titled “updatePolicies”

Updates the general information of the provided policy.

PATCH /filevantage/entities/policies/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 update_policies

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
descriptionbodystringThe policy description (Max: 500 characters)
idbodystringThe ID of the policy to be updated.
namebodystringName of the policy (Max: 100 characters)
enabledbodybooleanPolicy enablement status.

Code Examples

Section titled “Code Examples”

Examples coming soon.

getScheduledExclusions

Section titled “getScheduledExclusions”

Retrieves the configuration of 1 or more scheduled exclusions from the provided policy id.

GET /filevantage/entities/policy-scheduled-exclusions/v1
Scope Falcon FileVantage: READ Consumes · Produces application/json
PEP 8 get_scheduled_exclusions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
policy_idquerystringThe id of the policy to retrieve the scheduled exclusion configurations.
idsquerystring or list of stringsOne or more (up to 500) scheduled exclusion IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_scheduled_exclusions(ids=id_list, policy_id="string")
print(response)

createScheduledExclusions

Section titled “createScheduledExclusions”

Creates a new scheduled exclusion configuration for the provided policy id.

POST /filevantage/entities/policy-scheduled-exclusions/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 create_scheduled_exclusions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
descriptionbodystringThe scheduled exclusion description (Max: 500 characters)
namebodystringName of the scheduled exclusion (Max: 100 characters)
policy_idbodystringID of the policy the schedule exclusion is assigned.
usersbodystringComma-delimited list of users to not monitor changes. (Max: 500 characters).

Example: admin* excludes changes made by all usernames that begin with admin.

Supports Falcon GLOB syntax
processesbodystringComma-delimited list of processes to not monitor changes. (Max: 500 characters).

Example: **\RunMe.exe or **/RunMe.sh excludes changes made by RunMe.exe or RunMe.sh in any location.
schedule_startbodystringIndicates the start of the schedule. (RFC3339 format)
schedule_endbodystringIndicates the end of the schedule. (RFC3339 format)

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


response = falcon.create_scheduled_exclusions(description="string",
                                              name="string",
                                              policy_id="string",
                                              users=["string"],
                                              processes=["string"],
                                              repeated="string",
                                              schedule_start="string",
                                              schedule_end="string",
                                              timezone="string")
print(response)

deleteScheduledExclusions

Section titled “deleteScheduledExclusions”

Deletes 1 or more scheduled exclusions from the provided policy id.

DELETE /filevantage/entities/policy-scheduled-exclusions/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 delete_scheduled_exclusions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
policy_idquerystringID of the policy to delete the scheduled exclusions from.
idsquerystring or list of stringsOne or more (up to 500) scheduled exclusion IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.delete_scheduled_exclusions(ids=id_list, policy_id="string")
print(response)

updateScheduledExclusions

Section titled “updateScheduledExclusions”

Updates the provided scheduled exclusion configuration within the provided policy.

PATCH /filevantage/entities/policy-scheduled-exclusions/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 update_scheduled_exclusions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
descriptionbodystringThe scheduled exclusion description (Max: 500 characters)
idbodystringID of the scheduled exclusion to update.
namebodystringName of the scheduled exclusion (Max: 100 characters)
policy_idbodystringID of the policy the schedule exclusion is assigned.
usersbodystringComma-delimited list of users to not monitor changes. (Max: 500 characters).

Example: admin* excludes changes made by all usernames that begin with admin.

Supports Falcon GLOB syntax
processesbodystringComma-delimited list of processes to not monitor changes. (Max: 500 characters).

Example: **\RunMe.exe or **/RunMe.sh excludes changes made by RunMe.exe or RunMe.sh in any location.
schedule_startbodystringIndicates the start of the schedule. (RFC3339 format)
schedule_endbodystringIndicates the end of the schedule. (RFC3339 format)
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


response = falcon.update_scheduled_exclusions(description="string",
                                              id="string",
                                              name="string",
                                              policy_id="string",
                                              users=["string"])
print(response)

updateRuleGroupPrecedence

Section titled “updateRuleGroupPrecedence”

Updates the rule precedence for all rules in the identified rule group.

PATCH /filevantage/entities/rule-groups-rule-precedence/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 update_rule_group_precedence

Parameters

Section titled “Parameters”
NameTypeData typeDescription
rule_group_idquerystringRule group from which to set the precedence.
idsquerystring or list of stringsOne or more (up to 500) rule group IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.update_rule_group_precedence(ids=id_list,
                                               rule_group_id="string")
print(response)

getRules

Section titled “getRules”

Retrieves the configuration for 1 or more rules.

GET /filevantage/entities/rule-groups-rules/v1
Scope Falcon FileVantage: READ Consumes · Produces application/json
PEP 8 get_rules

Parameters

Section titled “Parameters”
NameTypeData typeDescription
rule_group_idquerystringRule group from which to retrieve the rule configuration.
idsquerystring or list of stringsOne or more (up to 500) rule IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_rules(ids=id_list, rule_group_id="string")
print(response)

createRules

Section titled “createRules”

Creates a new rule configuration within the specified rule group.

POST /filevantage/entities/rule-groups-rules/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 create_rule

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
descriptionbodystringThe rule description (Max: 500 characters)
rule_group_idbodystringGroup ID containing the group configuration.
pathbodystringThe file system or registry path to monitor. (Max: 250 characters)

All paths must end with the path separator,
e.g. \ (Windows) or / (Linux/MacOS)
severitybodystringTo categorize change events produced by this rule. Allowed values: Low, Medium, High, Critical.
depthbodystringRecursion levels below the base path to monitor (1 - 5, or ANY).
precedencebodyintegerThe order in which rules will be evaluated starting with 1. Specifying a precedence value that is already set for another rule in the group will result in this rule being placed before the existing rule.
includebodystringThe files, directories, registry keys, or registry values that will be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to.

Falcon GLOB syntax is supported
excludebodystringThe files, directories, registry keys, or registry values that will not be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to.

Falcon GLOB syntax is supported
include_usersbodystringThe changes performed by these specific users will be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to.

Falcon GLOB syntax is supported

MacOS is not supported at this time
exclude_usersbodystringThe changes performed by these specific users will not be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to.

Falcon GLOB syntax is supported

MacOS is not supported at this time
include_processesbodystringThe changes performed by these specific processes will be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to.

Falcon GLOB syntax is supported

MacOS is not supported at this time
exclude_processesbodystringThe changes performed by these specific processes will not be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to.

Falcon GLOB syntax is supported

MacOS is not supported at this time
content_filesbodystringThe files whose content will be monitored. Listed files must match the file include pattern and not match the file exclude pattern.
content_registry_valuesbodystringThe registry values whose content will be monitored. Listed registry values must match the registry include pattern and not match the registry exclude pattern.
enable_content_capturebodybooleanEnable content capturing.
enable_hash_capturebodybooleanEnable hash capturing.
watch_create_directory_changesbodybooleanFile system directory monitoring.
watch_delete_directory_changesbodybooleanFile system directory monitoring.
watch_rename_directory_changesbodybooleanFile system directory monitoring.
watch_attributes_directory_changesbodybooleanFile system directory monitoring.

MacOS is not supported at this time
watch_permissions_directory_changesbodybooleanFile system directory monitoring.

MacOS is not supported at this time
watch_create_file_changesbodybooleanFile system file monitoring.
watch_delete_file_changesbodybooleanFile system file monitoring.
watch_write_file_changesbodybooleanFile system file monitoring.
watch_rename_file_changesbodybooleanFile system file monitoring.
watch_attributes_file_changesbodybooleanFile system file monitoring.

MacOS is not supported at this time
watch_permissions_file_changesbodybooleanFile system file monitoring.

MacOS is not supported at this time
watch_create_key_changesbodybooleanWindows registry key and value monitoring.
watch_delete_key_changesbodybooleanWindows registry key and value monitoring.
watch_permissions_key_changesbodybooleanWindows registry key and value permissions monitoring.
watch_set_value_changesbodybooleanWindows registry key and value monitoring.
watch_delete_value_changesbodybooleanWindows registry key and value monitoring.
watch_rename_key_changesbodybooleanWindows registry key and value monitoring.
watch_create_file_changesbodybooleanWindows registry key and value monitoring.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


response = falcon.create_rule(description="string",
                              rule_group_id="string",
                              path="string",
                              severity="string",
                              depth="string",
                              precedence="string",
                              include="string",
                              exclude="string",
                              include_users="string",
                              exclude_users="string",
                              include_processes="string",
                              exclude_users="string",
                              exclude_processes="string",
                              content_files="string",
                              content_registry_values="string",
                              enable_content_capture=boolean,
                              enable_hash_capture=boolean,
                              watch_delete_directory_changes=boolean,
                              watch_create_directory_changes=boolean,
                              watch_rename_directory_changes=boolean,
                              watch_attributes_directory_changes=boolean,
                              watch_permissions_directory_changes=boolean,
                              watch_rename_file_changes=boolean,
                              watch_write_file_changes=boolean,
                              watch_create_file_changes=boolean,
                              watch_delete_file_changes=boolean,
                              watch_attributes_file_changes=boolean,
                              watch_permissions_file_changes=boolean,
                              watch_create_key_changes=boolean,
                              watch_delete_key_changes=boolean,
                              watch_permissions_key_changes=boolean,
                              watch_rename_key_changes=boolean,
                              watch_set_value_changes=boolean,
                              watch_delete_value_changes=boolean,
                              watch_create_file_changes=boolean)
print(response)

deleteRules

Section titled “deleteRules”

Deletes 1 or more rules from the specified rule group.

DELETE /filevantage/entities/rule-groups-rules/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 delete_rules

Parameters

Section titled “Parameters”
NameTypeData typeDescription
rule_group_idquerystringThe id of the rule group from which the rules will be deleted.
idsquerystring or list of stringsOne or more (up to 500) rule IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.delete_rules(ids=id_list, rule_group_id="string")
print(response)

updateRules

Section titled “updateRules”

Updates the provided rule configuration within the specified rule group.

PATCH /filevantage/entities/rule-groups-rules/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 update_rule

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
descriptionbodystringThe rule description (Max: 500 characters)
rule_group_idbodystringGroup ID containing the group configuration.
pathbodystringThe file system or registry path to monitor. (Max: 250 characters)

All paths must end with the path separator,
e.g. \ (Windows) or / (Linux/MacOS)
severitybodystringTo categorize change events produced by this rule. Allowed values: Low, Medium, High, Critical.
depthbodystringRecursion levels below the base path to monitor (1 - 5, or ANY).
precedencebodyintegerThe order in which rules will be evaluated starting with 1. Specifying a precedence value that is already set for another rule in the group will result in this rule being placed before the existing rule.
includebodystringThe files, directories, registry keys, or registry values that will be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to.

Falcon GLOB syntax is supported
excludebodystringThe files, directories, registry keys, or registry values that will not be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to.

Falcon GLOB syntax is supported
include_usersbodystringThe changes performed by these specific users will be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to.

Falcon GLOB syntax is supported

MacOS is not supported at this time
exclude_usersbodystringThe changes performed by these specific users will not be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to.

Falcon GLOB syntax is supported

MacOS is not supported at this time
include_processesbodystringThe changes performed by these specific processes will be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to.

Falcon GLOB syntax is supported

MacOS is not supported at this time
exclude_processesbodystringThe changes performed by these specific processes will not be monitored. Allowed rule group configuration is based on the type of rule the rule group is added to.

Falcon GLOB syntax is supported

MacOS is not supported at this time
content_filesbodystringThe files whose content will be monitored. Listed files must match the file include pattern and not match the file exclude pattern.
content_registry_valuesbodystringThe registry values whose content will be monitored. Listed registry values must match the registry include pattern and not match the registry exclude pattern.
enable_content_capturebodybooleanEnable content capturing.
enable_hash_capturebodybooleanEnable hash capturing.
watch_create_directory_changesbodybooleanFile system directory monitoring.
watch_delete_directory_changesbodybooleanFile system directory monitoring.
watch_rename_directory_changesbodybooleanFile system directory monitoring.
watch_attributes_directory_changesbodybooleanFile system directory monitoring.

MacOS is not supported at this time
watch_permissions_directory_changesbodybooleanFile system directory monitoring.

MacOS is not supported at this time
watch_create_file_changesbodybooleanFile system file monitoring.
watch_delete_file_changesbodybooleanFile system file monitoring.
watch_write_file_changesbodybooleanFile system file monitoring.
watch_rename_file_changesbodybooleanFile system file monitoring.
watch_attributes_file_changesbodybooleanFile system file monitoring.

MacOS is not supported at this time
watch_permissions_file_changesbodybooleanFile system file monitoring.

MacOS is not supported at this time
watch_create_key_changesbodybooleanWindows registry key and value monitoring.
watch_delete_key_changesbodybooleanWindows registry key and value monitoring.
watch_set_value_changesbodybooleanWindows registry key and value monitoring.
watch_delete_value_changesbodybooleanWindows registry key and value monitoring.
watch_rename_key_changesbodybooleanWindows registry key and value monitoring.
watch_create_file_changesbodybooleanWindows registry key and value monitoring.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


response = falcon.update_rule(description="string",
                              id="string",
                              rule_group_id="string",
                              path="string",
                              severity="string",
                              depth="string",
                              precedence="string",
                              include="string",
                              exclude="string",
                              include_users="string",
                              exclude_users="string",
                              include_processes="string",
                              exclude_users="string",
                              exclude_processes="string",
                              content_files="string",
                              content_registry_values="string",
                              enable_content_capture=boolean,
                              enable_hash_capture=boolean,
                              watch_delete_directory_changes=boolean,
                              watch_create_directory_changes=boolean,
                              watch_rename_directory_changes=boolean,
                              watch_attributes_directory_changes=boolean,
                              watch_permissions_directory_changes=boolean,
                              watch_rename_file_changes=boolean,
                              watch_write_file_changes=boolean,
                              watch_create_file_changes=boolean,
                              watch_delete_file_changes=boolean,
                              watch_attributes_file_changes=boolean,
                              watch_permissions_file_changes=boolean,
                              watch_create_key_changes=boolean,
                              watch_delete_key_changes=boolean,
                              watch_rename_key_changes=boolean,
                              watch_set_value_changes=boolean,
                              watch_delete_value_changes=boolean,
                              watch_create_file_changes=boolean)
print(response)

getRuleGroups

Section titled “getRuleGroups”

Retrieves the rule group details for 1 or more rule groups.

GET /filevantage/entities/rule-groups/v1
Scope Falcon FileVantage: READ Consumes · Produces application/json
PEP 8 get_rule_groups

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsOne or more (up to 500) rule group ids.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_rule_groups(ids=id_list)
print(response)

createRuleGroups

Section titled “createRuleGroups”

Creates a new rule group of the specified type.

POST /filevantage/entities/rule-groups/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 create_rule_group

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
descriptionbodystringThe policy description (Max: 500 characters)
namebodystringName of the policy (Max: 100 characters)
typebodystringRule group type. Must be one of: WindowsFiles, WindowsRegistry, LinuxFiles, MacFiles.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


response = falcon.create_rule_group(description="string",
                                    type="string",
                                    name="string")
print(response)

deleteRuleGroups

Section titled “deleteRuleGroups”

Deletes 1 or more rule groups.

DELETE /filevantage/entities/rule-groups/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 delete_rule_groups

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsOne or more (up to 500) rule group ids.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.delete_rule_groups(ids=id_list)
print(response)

updateRuleGroups

Section titled “updateRuleGroups”

Updates the provided rule group.

PATCH /filevantage/entities/rule-groups/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 update_rule_group

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
descriptionbodystringThe policy description (Max: 500 characters)
namebodystringName of the policy (Max: 100 characters)
idbodystringRule group ID to update.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


response = falcon.update_rule_group(description="string",
                                    id="string",
                                    name="string")
print(response)

signalChangesExternal

Section titled “signalChangesExternal”

Initiates workflows for the provided change IDs.

POST /filevantage/entities/workflow/v1
Scope Falcon FileVantage: WRITE Consumes · Produces application/json
PEP 8 signal_changes

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
idsbodystring or list of stringsChange IDs to initiate the workflows, limited to 100 IDs per request.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.signal_changes(ids=id_list)
print(response)

queryActionsMixin0

Section titled “queryActionsMixin0”

Returns one or more action IDs.

GET /filevantage/queries/actions/v1
Scope Falcon FileVantage: READ Consumes · Produces application/json
PEP 8 query_actions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
offsetqueryintegerThe offset to start retrieving records from. Defaults to 0 if not specified.
limitqueryintegerThe maximum number of ids to return. Defaults to 100 if not specified. The maximum number of results that can be returned in a single call is 500.
sortquerystringSort results using options like: - created_date (timestamp of the change occurrence) Sort either asc (ascending) or desc (descending). For example: created_date|asc. The full list of allowed sorting options can be reviewed in our API documentation.
filterquerystringFilter changes using a query in Falcon Query Language (FQL). Common filter options include: - status - operation_type The full list of allowed filter parameters can be reviewed in our API documentation.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


response = falcon.query_actions(filter="string",
                                limit=integer,
                                offset=integer,
                                sort="string")
print(response)

queryChanges

Section titled “queryChanges”

Returns 1 or more change ids.

GET /filevantage/queries/changes/v2
Scope Falcon FileVantage: READ Consumes · Produces application/json
PEP 8 query_changes

Parameters

Section titled “Parameters”
NameTypeData typeDescription
offsetqueryintegerThe offset to start retrieving records from. Defaults to 0 if not specified.
limitqueryintegerThe maximum number of ids to return. Defaults to 100 if not specified. The maximum number of results that can be returned in a single call is 500.
sortquerystringSort results using options like: - action_timestamp (timestamp of the change occurrence) Sort either asc (ascending) or desc (descending). For example: action_timestamp|asc. The full list of allowed sorting options can be reviewed in our API documentation.
filterquerystringFilter changes using a query in Falcon Query Language (FQL). Common filter options include: - host.name - action_timestamp The full list of allowed filter parameters can be reviewed in our API documentation.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


response = falcon.query_changes(filter="string",
                                limit=integer,
                                offset=integer,
                                sort="string")
print(response)

highVolumeQueryChanges

Section titled “highVolumeQueryChanges”

Returns 1 or more change ids.

GET /filevantage/queries/changes/v3
Scope Falcon FileVantage: READ Consumes · Produces application/json
PEP 8 query_changes_scroll

Parameters

Section titled “Parameters”
NameTypeData typeDescription
afterquerystringA pagination token used with the limit parameter to manage pagination of results. On your first request don’t provide a value for the after token. On subsequent requests provide the after token value from the previous response to continue pagination from where you left. If the response returns an empty after token it means there are no more results to return.
limitqueryintegerThe maximum number of ids to return. Defaults to 100 if not specified. The maximum number of results that can be returned in a single call is 5000.
sortquerystringSort results using options like: - action_timestamp (timestamp of the change occurrence) Sort either asc (ascending) or desc (descending). For example: action_timestamp|asc. Defaults to action_timestamp|desc no value is specified. The full list of allowed sorting options can be reviewed in our API documentation.
filterquerystringFilter changes using a query in Falcon Query Language (FQL). Common filter options include: - host.name - action_timestamp The full list of allowed filter parameters can be reviewed in our API documentation.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


response = falcon.query_changes_scroll(filter="string",
                                       limit=integer,
                                       after="string",
                                       sort="string")
print(response)

queryPolicies

Section titled “queryPolicies”

Retrieve the ids of all policies that are assigned the provided policy type.

GET /filevantage/queries/policies/v1
Scope Falcon FileVantage: READ Consumes · Produces application/json
PEP 8 query_policies

Parameters

Section titled “Parameters”
NameTypeData typeDescription
offsetqueryintegerThe offset to start retrieving records from. Defaults to 0 if not specified.
limitqueryintegerThe maximum number of ids to return. Defaults to 100 if not specified. The maximum number of results that can be returned in a single call is 500.
sortquerystringSort the returned ids based on one of the following properties: precedence, created_timestamp or modified_timestamp Sort either asc (ascending) or desc (descending); for example: precedence|asc.
typequerystringThe types of policies to retrieve. Allowed values are: Windows, Linux or Mac.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


response = falcon.query_policies(limit="string",
                                 offset=integer,
                                 sort="string",
                                 type="string")
print(response)

queryScheduledExclusions

Section titled “queryScheduledExclusions”

Retrieve the ids of all scheduled exclusions contained within the provided policy id.

GET /filevantage/queries/policy-scheduled-exclusions/v1
Scope Falcon FileVantage: READ Consumes · Produces application/json
PEP 8 query_scheduled_exclusions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
policy_idquerystringThe id of the policy from which to retrieve the scheduled exclusion ids.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.query_scheduled_exclusions(policy_id=id_list)
print(response)

queryRuleGroups

Section titled “queryRuleGroups”

Retrieve the ids of all rule groups that are of the provided rule group type.

GET /filevantage/queries/rule-groups/v1
Scope Falcon FileVantage: READ Consumes · Produces application/json
PEP 8 query_rule_groups

Parameters

Section titled “Parameters”
NameTypeData typeDescription
offsetqueryintegerThe offset to start retrieving records from. Defaults to 0 if not specified.
limitqueryintegerThe maximum number of ids to return. Defaults to 100 if not specified. The maximum number of results that can be returned in a single call is 500.
sortquerystringSort the returned ids based on one of the following properties: created_timestamp or modified_timestamp Sort either asc (ascending) or desc (descending); for example: created_timestamp|asc.
typequerystringThe rule group type to retrieve the ids of. Allowed values are: WindowsFiles, WindowsRegistry, LinuxFiles or MacFiles.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FileVantage


falcon = FileVantage(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )


response = falcon.query_rule_groups(limit="string",
                                    offset=integer,
                                    sort="string",
                                    type="string")
print(response)
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use