Skip to content
CrowdStrike Developer Center

Firewall Management

The Firewall Management service collection provides operations for managing firewall policies, rule groups, rules, network locations, and related entities. Aggregate event and rule data, manage policy containers, create and update rule groups, and query firewall configuration.

LanguageLast Update
Pythonv1.4.6
PowerShellv2.2.9
Gov0.20.0
TypeScriptv0.6.0
Rustv0.7.0
Rubyv1.2.0

Table of Contents

Section titled “Table of Contents”
OperationDescription
aggregate_events
aggregate_events		Aggregate events for customer
aggregate_policy_rules
aggregate_policy_rules		Aggregate rules within a policy for customer
aggregate_rule_groups
aggregate_rule_groups		Aggregate rule groups for customer
aggregate_rules
aggregate_rules		Aggregate rules for customer
get_events
get_events		Get events entities by ID and optionally version
get_firewall_fields
get_firewall_fields		Get the firewall field specifications by ID
get_network_locations_details
get_network_locations_details		Get network locations entities by ID
update_network_locations_metadata
update_network_locations_metadata		Updates the network locations metadata such as polling_intervals for the cid
update_network_locations_precedence
update_network_locations_precedence		Updates the network locations precedence according to the list of ids provided.
get_network_locations
get_network_locations		Get a summary of network locations entities by ID
upsert_network_locations
upsert_network_locations		Updates the network locations provided, and return the ID.
create_network_locations
create_network_locations		Create new network locations provided, and return the ID.
delete_network_locations
delete_network_locations		Delete network location entities by ID.
update_network_locations
update_network_locations		Updates the network locations provided, and return the ID.
get_platforms
get_platforms		Get platforms by ID, e.g., windows or mac or droid
get_policy_containers
get_policy_containers		Get policy container entities by policy ID
update_policy_container_v1
update_policy_container_v1		Update an identified policy container
deprecated
update_policy_container
update_policy_container		Update an identified policy container
get_rule_groups
get_rule_groups		Get rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order.
create_rule_group
create_rule_group		Create new rule group on a platform for a customer with a name and description, and return the ID
delete_rule_groups
delete_rule_groups		Delete rule group entities by ID
update_rule_group
update_rule_group		Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
create_rule_group_validation
create_rule_group_validation		Validates the request of creating a new rule group on a platform for a customer with a name and description
update_rule_group_validation
update_rule_group_validation		Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
get_rules
get_rules		Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
validate_filepath_pattern
validate_filepath_pattern		Validates that the test pattern matches the executable filepath glob pattern.
query_events
query_events		Find all event IDs matching the query with filter
query_firewall_fields
query_firewall_fields		Get the firewall field specification IDs for the provided platform
query_network_locations
query_network_locations		Get a list of network location IDs
query_platforms
query_platforms		Get the list of platform names
query_policy_rules
query_policy_rules		Find all firewall rule IDs matching the query with filter, and return them in precedence order
query_rule_groups
query_rule_groups		Find all rule group IDs matching the query with filter
query_rules
query_rules		Find all rule IDs matching the query with filter

aggregate_events

Section titled “aggregate_events”

Aggregate events for customer

POST /fwmgr/aggregates/events/GET/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 aggregate_events

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations. Example: [{“from”: “2016-05-28T09:00:31Z”, “to”: “2016-05-30T09:00:31Z”}, {“from”: “2016-06-01T09:00:31Z”, “to”: “2016-06-10T09:00:31Z”}]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute.
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [{“From”: 0, “To”: 70}, {“From”: 70, “To”: 100}]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as: [{“name”: “max_first_behavior”, “type”: “max”, “field”: “first_behavior”}]. There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. _count - sort by document count; _term - sort by the string value alphabetically. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values include: date_histogram (aggregates counts on a specified time interval, requires use of “interval” field), date_range (aggregates counts on custom defined date range buckets), terms (buckets alerts by the value of a specified field), range (buckets alerts by specified numeric ranges of a specified field), cardinality (returns the count of distinct values in a specified field), max (returns the maximum value of a specified field), min (returns the minimum value of a specified field), avg (returns the average value of the specified field), sum (returns the total sum of all values for the specified field), percentiles (returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99).

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_events(date_ranges="string",
                                   exclude="string",
                                   field="string",
                                   filter="string",
                                   from=integer,
                                   include="string",
                                   interval="string",
                                   max_doc_count=integer,
                                   min_doc_count=integer,
                                   missing="string",
                                   name="string",
                                   q="string",
                                   ranges=ranges,
                                   size=integer,
                                   sort="string",
                                   sub_aggregates=["string"],
                                   time_zone="string",
                                   type="string")
print(response)

aggregate_policy_rules

Section titled “aggregate_policy_rules”

Aggregate rules within a policy for customer

POST /fwmgr/aggregates/policy-rules/GET/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 aggregate_policy_rules

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations. Example: [{“from”: “2016-05-28T09:00:31Z”, “to”: “2016-05-30T09:00:31Z”}, {“from”: “2016-06-01T09:00:31Z”, “to”: “2016-06-10T09:00:31Z”}]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute.
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [{“From”: 0, “To”: 70}, {“From”: 70, “To”: 100}]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as: [{“name”: “max_first_behavior”, “type”: “max”, “field”: “first_behavior”}]. There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. _count - sort by document count; _term - sort by the string value alphabetically. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values include: date_histogram (aggregates counts on a specified time interval, requires use of “interval” field), date_range (aggregates counts on custom defined date range buckets), terms (buckets alerts by the value of a specified field), range (buckets alerts by specified numeric ranges of a specified field), cardinality (returns the count of distinct values in a specified field), max (returns the maximum value of a specified field), min (returns the minimum value of a specified field), avg (returns the average value of the specified field), sum (returns the total sum of all values for the specified field), percentiles (returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99).

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_policy_rules(date_ranges="string",
                                         exclude="string",
                                         field="string",
                                         filter="string",
                                         from=integer,
                                         include="string",
                                         interval="string",
                                         max_doc_count=integer,
                                         min_doc_count=integer,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=ranges,
                                         size=integer,
                                         sort="string",
                                         sub_aggregates=["string"],
                                         time_zone="string",
                                         type="string")
print(response)

aggregate_rule_groups

Section titled “aggregate_rule_groups”

Aggregate rule groups for customer

POST /fwmgr/aggregates/rule-groups/GET/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 aggregate_rule_groups

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations. Example: [{“from”: “2016-05-28T09:00:31Z”, “to”: “2016-05-30T09:00:31Z”}, {“from”: “2016-06-01T09:00:31Z”, “to”: “2016-06-10T09:00:31Z”}]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute.
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [{“From”: 0, “To”: 70}, {“From”: 70, “To”: 100}]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as: [{“name”: “max_first_behavior”, “type”: “max”, “field”: “first_behavior”}]. There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. _count - sort by document count; _term - sort by the string value alphabetically. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values include: date_histogram (aggregates counts on a specified time interval, requires use of “interval” field), date_range (aggregates counts on custom defined date range buckets), terms (buckets alerts by the value of a specified field), range (buckets alerts by specified numeric ranges of a specified field), cardinality (returns the count of distinct values in a specified field), max (returns the maximum value of a specified field), min (returns the minimum value of a specified field), avg (returns the average value of the specified field), sum (returns the total sum of all values for the specified field), percentiles (returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99).

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_rule_groups(date_ranges="string",
                                        exclude="string",
                                        field="string",
                                        filter="string",
                                        from=integer,
                                        include="string",
                                        interval="string",
                                        max_doc_count=integer,
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=ranges,
                                        size=integer,
                                        sort="string",
                                        sub_aggregates=["string"],
                                        time_zone="string",
                                        type="string")
print(response)

aggregate_rules

Section titled “aggregate_rules”

Aggregate rules for customer

POST /fwmgr/aggregates/rules/GET/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 aggregate_rules

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations. Example: [{“from”: “2016-05-28T09:00:31Z”, “to”: “2016-05-30T09:00:31Z”}, {“from”: “2016-06-01T09:00:31Z”, “to”: “2016-06-10T09:00:31Z”}]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute.
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [{“From”: 0, “To”: 70}, {“From”: 70, “To”: 100}]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as: [{“name”: “max_first_behavior”, “type”: “max”, “field”: “first_behavior”}]. There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. _count - sort by document count; _term - sort by the string value alphabetically. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values include: date_histogram (aggregates counts on a specified time interval, requires use of “interval” field), date_range (aggregates counts on custom defined date range buckets), terms (buckets alerts by the value of a specified field), range (buckets alerts by specified numeric ranges of a specified field), cardinality (returns the count of distinct values in a specified field), max (returns the maximum value of a specified field), min (returns the minimum value of a specified field), avg (returns the average value of the specified field), sum (returns the total sum of all values for the specified field), percentiles (returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99).

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_rules(date_ranges="string",
                                  exclude="string",
                                  field="string",
                                  filter="string",
                                  from=integer,
                                  include="string",
                                  interval="string",
                                  max_doc_count=integer,
                                  min_doc_count=integer,
                                  missing="string",
                                  name="string",
                                  q="string",
                                  ranges=ranges,
                                  size=integer,
                                  sort="string",
                                  sub_aggregates=["string"],
                                  time_zone="string",
                                  type="string")
print(response)

get_events

Section titled “get_events”

Get events entities by ID and optionally version

GET /fwmgr/entities/events/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 get_events

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsThe events to retrieve, identified by ID.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_events(ids=id_list)
print(response)

get_firewall_fields

Section titled “get_firewall_fields”

Get the firewall field specifications by ID

GET /fwmgr/entities/firewall-fields/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 get_firewall_fields

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsThe rule types to retrieve, identified by ID.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_firewall_fields(ids=id_list)
print(response)

get_network_locations_details

Section titled “get_network_locations_details”

Get network locations entities by ID

GET /fwmgr/entities/network-locations-details/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 get_network_locations_details

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsThe ID of the network location to retrieve.
parametersquerydictionaryFull query string parameters payload in JSON format, not required if using ids keyword.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_network_locations_details(ids=id_list)
print(response)

update_network_locations_metadata

Section titled “update_network_locations_metadata”

Updates the network locations metadata such as polling_intervals for the cid

POST /fwmgr/entities/network-locations-metadata/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 update_network_locations_metadata

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
cidbodystringCID for the location.
commentquerystringAudit log comment for this action.
dns_resolution_targets_polling_intervalbodyintegerChange the DNS resolution target polling interval.
https_reachable_hosts_polling_intervalbodyintegerChange the HTTPS reachable hosts polling interval.
icmp_request_targets_polling_intervalbodyintegerChange the ICMP request targets polling interval.
location_precedencebodylist of stringsReorder location precedence of network locations based upon the order of the list of network location IDs provided.
parametersquerydictionaryFull query string parameters payload in JSON format, not required if using the comment keyword.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.update_network_locations_metadata(cid="string",
                                                    comment="string",
                                                    dns_resolution_targets_polling_interval=integer,
                                                    https_reachable_hsots_polling_interval=integer,
                                                    icmp_request_targets_polling_interval=integer,
                                                    location_precedencee=["string"])
print(response)

update_network_locations_precedence

Section titled “update_network_locations_precedence”

Updates the network locations precedence according to the list of ids provided.

POST /fwmgr/entities/network-locations-precedence/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 update_network_locations_precedence

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
cidbodystringCID for the location.
commentquerystringAudit log comment for this action.
location_precedencebodylist of stringsReorder location precedence of network locations based upon the order of the list of network location IDs provided.
parametersquerydictionaryFull query string parameters payload in JSON format, not required if using the comment keyword.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.update_network_locations_precedence(cid="string",
                                                      comment="string",
                                                      location_precedencee=["string"])
print(response)

get_network_locations

Section titled “get_network_locations”

Get a summary of network locations entities by ID

GET /fwmgr/entities/network-locations/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 get_network_locations

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsThe ID of the network location to retrieve.
parametersquerydictionaryFull query string parameters payload in JSON format, not required if using ids keyword.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_network_locations(ids=id_list)
print(response)

upsert_network_locations

Section titled “upsert_network_locations”

Updates the network locations provided, and return the ID.

PUT /fwmgr/entities/network-locations/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 upsert_network_locations

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
commentquerystringAudit log comment for this action.
connection_typesbodydictionaryConnections available at this location.
created_bybodystringUser UUID that created the change.
created_onbodystringDatetime formatted string reflecting the time of the change.
default_gatewaysbodylist of stringsList of available gateways at this location.
descriptionbodystringDescription for the location.
dhcp_serversbodylist of stringsList of available DHCP servers at this location.
dns_resolution_targetsbodydictionaryDictionary containing a list of DNS resolution targets for the location.
dns_serversbodylist of stringsList of available DNS servers at this location.
enabledbodybooleanFlag indicating if this location is enabled.
host_addressesbodylist of stringsList of available host address ranges for this location.
https_reachable_hostsbodydictionaryDictionary containing a list of hostnames reachable via HTTPS at this location.
icmp_request_targetsbodydictionaryDictionary containing targets for ICMP monitoring requests at this location.
idbodystringNetwork location ID to upsert.
modified_bybodystringUser UUID performing this change.
modified_onbodystringUTC formatted date string when this location was modified.
namebodystringName for this location.
parametersquerydictionaryFull query string parameters payload in JSON format, not required if using the comment keyword.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


connection_types = {
    "wired": true,
    "wireless": {
        "enabled": true,
        "require_encryption": true,
        "ssids": [
            "string"
        ]
    }
}


dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}


https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}


icmp_request_targets = {
    "targets": [
        "string"
    ]
}


response = falcon.upsert_network_locations(comment="string",
                                           connection_types=connection_types,
                                           created_on="string",
                                           created_by="string",
                                           default_gateways=["string"],
                                           description="string",
                                           dhcp_servers=["string"],
                                           dns_resolution_targets=dns_resolution_targets,
                                           dns_servers=["string"],
                                           enabled=boolean,
                                           host_addresses=["string"],
                                           https_reachable_hosts=https_reachable_hosts,
                                           icmp_request_targets=icmp_request_targets,
                                           id="string",
                                           modified_by="string",
                                           modified_on="string",
                                           name="string")
print(response)

create_network_locations

Section titled “create_network_locations”

Create new network locations provided, and return the ID.

POST /fwmgr/entities/network-locations/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 create_network_locations

Parameters

Section titled “Parameters”
NameTypeData typeDescription
add_fw_rulesquerybooleanFlag to indicate that the cloned location needs to be added to the same firewall rules that encompass the original location.
bodybodydictionaryFull body payload in JSON format.
clone_idquerystringA rule group ID from which to copy rules. If this keyword is provided then all other keywords excluding add_fw_rules and comment are ignored.
commentquerystringAudit log comment for this action.
connection_typesbodydictionaryConnections available at this location.
default_gatewaysbodylist of stringsList of available gateways at this location.
descriptionbodystringDescription for the location.
dhcp_serversbodylist of stringsList of available DHCP servers at this location.
dns_resolution_targetsbodydictionaryDictionary containing a list of DNS resolution targets for the location.
dns_serversbodylist of stringsList of available DNS servers at this location.
enabledbodybooleanFlag indicating if this location is enabled.
host_addressesbodylist of stringsList of available host address ranges for this location.
https_reachable_hostsbodydictionaryDictionary containing a list of hostnames reachable via HTTPS at this location.
icmp_request_targetsbodydictionaryDictionary containing targets for ICMP monitoring requests at this location.
namebodystringName for this location.
parametersquerydictionaryFull query string parameters payload in JSON format, not required if using the add_fw_rules, clone_id or comment keywords.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


connection_types = {
    "wired": true,
    "wireless": {
        "enabled": true,
        "require_encryption": true,
        "ssids": [
            "string"
        ]
    }
}


dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}


https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}


icmp_request_targets = {
    "targets": [
        "string"
    ]
}


response = falcon.create_network_locations(add_fw_rules="string",
                                           clone_id="string",
                                           comment="string",
                                           connection_types=connection_types,
                                           default_gateways=["string"],
                                           description="string",
                                           dhcp_servers=["string"],
                                           dns_resolution_targets=dns_resolution_targets,
                                           dns_servers=["string"],
                                           enabled=boolean,
                                           host_addresses=["string"],
                                           https_reachable_hosts=https_reachable_hosts,
                                           icmp_request_targets=icmp_request_targets,
                                           name="string")
print(response)

delete_network_locations

Section titled “delete_network_locations”

Delete network location entities by ID.

DELETE /fwmgr/entities/network-locations/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 delete_network_locations

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsThe ID of the network location to delete.
parametersquerydictionaryFull query string parameters payload in JSON format, not required if using ids keyword.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.delete_network_locations(ids=id_list)
print(response)

update_network_locations

Section titled “update_network_locations”

Updates the network locations provided, and return the ID.

PATCH /fwmgr/entities/network-locations/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 update_network_locations

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
commentquerystringAudit log comment for this action.
connection_typesbodydictionaryConnections available at this location.
created_bybodystringUser UUID that created the change.
created_onbodystringDatetime formatted string reflecting the time of the change.
default_gatewaysbodylist of stringsList of available gateways at this location.
descriptionbodystringDescription for the location.
dhcp_serversbodylist of stringsList of available DHCP servers at this location.
dns_resolution_targetsbodydictionaryDictionary containing a list of DNS resolution targets for the location.
dns_serversbodylist of stringsList of available DNS servers at this location.
enabledbodybooleanFlag indicating if this location is enabled.
host_addressesbodylist of stringsList of available host address ranges for this location.
https_reachable_hostsbodydictionaryDictionary containing a list of hostnames reachable via HTTPS at this location.
icmp_request_targetsbodydictionaryDictionary containing targets for ICMP monitoring requests at this location.
idbodystringNetwork location ID to upsert.
modified_bybodystringUser UUID performing this change.
modified_onbodystringUTC formatted date string when this location was modified.
namebodystringName for this location.
parametersquerydictionaryFull query string parameters payload in JSON format, not required if using the comment keyword.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


connection_types = {
    "wired": true,
    "wireless": {
        "enabled": true,
        "require_encryption": true,
        "ssids": [
            "string"
        ]
    }
}


dns_resolution_targets = {
    "targets": [
        {
            "hostname": "string",
            "ip_match": [
                "string"
            ]
        }
    ]
}


https_reachable_hosts = {
    "hostnames": [
        "string"
    ]
}


icmp_request_targets = {
    "targets": [
        "string"
    ]
}


response = falcon.update_network_locations(comment="string",
                                           connection_types=connection_types,
                                           created_on="string",
                                           created_by="string",
                                           default_gateways=["string"],
                                           description="string",
                                           dhcp_servers=["string"],
                                           dns_resolution_targets=dns_resolution_targets,
                                           dns_servers=["string"],
                                           enabled=boolean,
                                           host_addresses=["string"],
                                           https_reachable_hosts=https_reachable_hosts,
                                           icmp_request_targets=icmp_request_targets,
                                           id="string",
                                           modified_by="string",
                                           modified_on="string",
                                           name="string")
print(response)

get_platforms

Section titled “get_platforms”

Get platforms by ID, e.g., windows or mac or droid

GET /fwmgr/entities/platforms/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 get_platforms

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsThe platforms to retrieve, identified by ID.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_platforms(ids=id_list)
print(response)

get_policy_containers

Section titled “get_policy_containers”

Get policy container entities by policy ID

GET /fwmgr/entities/policies/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 get_policy_containers

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsThe policy container(s) to retrieve, identified by policy ID.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_policy_containers(ids=id_list)
print(response)

update_policy_container_v1

Section titled “update_policy_container_v1”

Update an identified policy container.

PLEASE NOTE: This endpoint is deprecated in favor of update_policy_container (also known as update_policy_container_v2). Using this legacy endpoint could potentially disable your local logging setting.

deprecated
PUT /fwmgr/entities/policies/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 update_policy_container_v1

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
default_inboundbodystringDefault inbound.
default_outboundbodystringDefault outbound.
enforcebodybooleanEnforcement flag.
is_default_policybodybooleanDefault policy flag.
local_loggingbodybooleanLocal logging flag.
platform_idbodystringID of the platform this policy container.
policy_idbodystringPolicy ID to apply to this container.
rule_group_idsbodystring or list of stringsRule group IDs to include in this container.
test_modebodybooleanFlag indicating if this container is in test mode.
trackingbodystringTracking.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.update_policy_container_v1(default_inbound="string",
                                             default_outbound="string",
                                             enforce=boolean,
                                             is_default_policy=boolean,
                                             local_logging=boolean,
                                             platform_id="string",
                                             policy_id="string",
                                             rule_group_ids=id_list,
                                             test_mode=boolean,
                                             tracking="string")
print(response)

update_policy_container

Section titled “update_policy_container”

Update an identified policy container

PUT /fwmgr/entities/policies/v2
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 update_policy_container

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
default_inboundbodystringDefault inbound.
default_outboundbodystringDefault outbound.
enforcebodybooleanEnforcement flag.
is_default_policybodybooleanDefault policy flag.
local_loggingbodybooleanLocal logging flag.
platform_idbodystringID of the platform this policy container.
policy_idbodystringPolicy ID to apply to this container.
rule_group_idsbodystring or list of stringsRule group IDs to include in this container.
test_modebodybooleanFlag indicating if this container is in test mode.
trackingbodystringTracking.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.update_policy_container(default_inbound="string",
                                          default_outbound="string",
                                          enforce=boolean,
                                          is_default_policy=boolean,
                                          local_logging=boolean,
                                          platform_id="string",
                                          policy_id="string",
                                          rule_group_ids=id_list,
                                          test_mode=boolean,
                                          tracking="string")
print(response)

get_rule_groups

Section titled “get_rule_groups”

Get rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order.

GET /fwmgr/entities/rule-groups/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 get_rule_groups

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsThe ID(s) of the rule group to retrieve.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”

Examples coming soon.

create_rule_group

Section titled “create_rule_group”

Create new rule group on a platform for a customer with a name and description, and return the ID

POST /fwmgr/entities/rule-groups/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 create_rule_group

Parameters

Section titled “Parameters”
NameTypeData typeDescription
actionbody (rules)stringRule action to perform. String. Overridden if rules keyword is provided.
address_familybody (rules)stringAddress type, String. Either IP4, IP6 or NONE. Overridden if rules keyword is provided.
bodybodydictionaryFull body payload in JSON format.
clone_idquerystringA rule group ID from which to copy rules. If this is provided then the ‘rules’ property of the body is ignored.
commentquerystringComment for this rule group.
descriptionbodystringRule group description.
directionbody (rules)stringTraffic direction for created rule. String. Either IN, OUT or BOTH. Overridden if rules keyword is provided.
enabledbodybooleanFlag indicating if the rule group is enabled.
fieldsbody (rules)dictionary or list of dictionariesFields to impact. Dictionary or list of dictionaries. Overridden if rules keyword is provided.
icmpbody (rules)dictionaryICMP protocol options. Overridden if rules keyword is provided.
libraryquerystringIf this flag is set to true then the rules will be cloned from the clone_id from the CrowdStrike Firewal Rule Groups Library.
local_addressbody (rules)dictionary or list of dictionariesLocal address and netmask detail. Overridden if rules keyword is provided.
local_portbody (rules)dictionary or list of dictionariesLocal port range. Overridden if rules keyword is provided.
logbody (rules)booleanLog rule matches. Overridden if rules keyword is provided.
namebodystringRule group name.
monitorbody (rules)dictionaryMonitor count / period. Overridden if rules keyword is provided.
parametersquerydictionaryFull query string parameters payload in JSON format.
platformquerystringCommon name for the OS platform this rule applies to. Should be provided instead of platform_ids.
platform_idsbody (rules)string or list of stringsOS platform(s) covered by rule. Supports comma delimited strings. Overridden if rules keyword is provided.
protocolbody (rules)integerProtocol specified by rule (Integer identifier). Overridden if rules keyword is provided.
remote_addressbody (rules)dictionary or list of dictionariesRemote address and netmask detail. Overridden if rules keyword is provided.
remote_portbody (rules)dictionary or list of dictionariesRemote port range. Overridden if rules keyword is provided.
rule_descriptionbody (rules)stringRule description. Overridden if rules keyword is provided.
rule_enabledbody (rules)booleanEnablement status for the new rule. Overridden if rules keyword is provided.
rule_namebody (rules)stringRule name. Overridden if rules keyword is provided.
rulesbodydictionary or list of dictionariesRule(s) in JSON format.
temp_idbody (rules)stringString to use for temporary rule ID. Overridden if rules keyword is provided.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.create_rule_group(action="string",
                                    address_family="string",
                                    clone_id="string",
                                    comment="string",
                                    description="string",
                                    direction="string",
                                    enabled=boolean,
                                    fields=[{"key": "value"}],
                                    icmp={},
                                    library="string",
                                    local_address=[{"key": "value"}],
                                    local_port=[{"key": "value"}],
                                    log=boolean,
                                    name="string",
                                    monitor={},
                                    platform="string",
                                    protocol=integer,
                                    remote_address=[{"key": "value"}],
                                    remote_port=[{"key": "value"}],
                                    rule_description="string",
                                    rule_enabled=boolean,
                                    rule_name="string",
                                    temp_id="string")
print(response)

delete_rule_groups

Section titled “delete_rule_groups”

Delete rule group entities by ID

DELETE /fwmgr/entities/rule-groups/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 delete_rule_groups

Parameters

Section titled “Parameters”
NameTypeData typeDescription
commentquerystring or list of stringsAudit log comment for this operation.
idsquerystring or list of stringsThe rules to retrieve, identified by ID.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”

Examples coming soon.

update_rule_group

Section titled “update_rule_group”

Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules

PATCH /fwmgr/entities/rule-groups/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 update_rule_group

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
commentquerystringAudit log comment for this action.
diff_frombody (diff_operations)stringFrom value for the diff. Overridden if diff_operations keyword is provided.
diff_opbody (diff_operations)stringOperation for the diff. Overridden if diff_operations keyword is provided.
diff_operationsbodydictionary or list of dictionariesDifferential operations to perform against the rule group.
diff_pathbody (diff_operations)stringPath for the diff. Overridden if diff_operations keyword is provided.
diff_typebodystringType of diff to apply.
idbodystringID of the rule group to update.
parametersquerydictionaryFull query string parameters payload in JSON format.
rule_idsbodylist of stringsRule ID(s) to add to the rule group.
rule_versionsbodylist of integersRule group versions.
trackingbodystringTracking.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.update_rule_group(comment="string",
                                    diff_from="string",
                                    diff_op="string",
                                    diff_operations="string",
                                    diff_path="string",
                                    diff_type="string",
                                    id="string",
                                    rule_ids=id_list,
                                    rule_versions=integer,
                                    tracking="string")
print(response)

create_rule_group_validation

Section titled “create_rule_group_validation”

Validates the request of creating a new rule group on a platform for a customer with a name and description

POST /fwmgr/entities/rule-groups/validation/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 create_rule_group_validation

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format, not required if using other keywords.
clone_idquerystringA rule group validation ID from which to copy rules. If this is provided then the ‘rules’ property of the body is ignored.
commentquerystringAudit log comment for this action.
descriptionbodystringRule group validation description.
enabledbodybooleanFlag indicating if this validation is enabled.
libraryquerybooleanIf this flag is set to true then the rules will be cloned from the clone_id from the CrowdStrike Firewall Rule Groups Library.
namebodystringName for this rule group validation.
parametersquerydictionaryFull parameters payload in JSON format. Not required if using the clone_id and comment keywords.
platformbodystringName of the platform this rule group validation is associated with.
rulesbodylist of dictionariesJSON formatted list of rules to validate.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


rules = [
    {
        "action": "string",
        "address_family": "string",
        "description": "string",
        "direction": "string",
        "enabled": true,
        "fields": [
            {
                "final_value": "string",
                "label": "string",
                "name": "string",
                "type": "string",
                "value": "string",
                "values": [
                    "string"
                ]
            }
        ],
        "fqdn": "string",
        "fqdn_enabled": true,
        "icmp": {
            "icmp_code": "string",
            "icmp_type": "string"
        },
        "local_address": [
            {
                "address": "string",
                "netmask": 0
            }
        ],
        "local_port": [
            {
                "end": 0,
                "start": 0
            }
        ],
        "log": true,
        "monitor": {
            "count": "string",
            "period_ms": "string"
        },
        "name": "string",
        "protocol": "string",
        "remote_address": [
            {
                "address": "string",
                "netmask": 0
            }
        ],
        "remote_port": [
            {
                "end": 0,
                "start": 0
            }
        ],
        "temp_id": "string"
    }
]


response = falcon.create_rule_group_validation(clone_id="string",
                                               comment="string",
                                               description="string",
                                               enabled=boolean,
                                               library="string",
                                               name="string",
                                               platform="string",
                                               rules=rules)
print(response)

update_rule_group_validation

Section titled “update_rule_group_validation”

Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules

PATCH /fwmgr/entities/rule-groups/validation/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 update_rule_group_validation

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
commentquerystringAudit log comment for this action.
diff_frombody (diff_operations)stringFrom value for the diff. Overridden if diff_operations keyword is provided.
diff_opbody (diff_operations)stringOperation for the diff. Overridden if diff_operations keyword is provided.
diff_operationsbodydictionary or list of dictionariesDifferential operations to perform against the rule group.
diff_pathbody (diff_operations)stringPath for the diff. Overridden if diff_operations keyword is provided.
diff_typebodystringType of diff to apply.
idbodystringID of the rule group to update.
parametersquerydictionaryFull query string parameters payload in JSON format.
rule_idsbodylist of stringsRule ID(s) to add to the rule group.
rule_versionsbodylist of integersRule group versions.
trackingbodystringTracking.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.update_rule_group_validation(comment="string",
                                               diff_from="string",
                                               diff_op="string",
                                               diff_operations="string",
                                               diff_path="string",
                                               diff_type="string",
                                               id="string",
                                               rule_ids=id_list,
                                               rule_versions=integer,
                                               tracking="string")
print(response)

get_rules

Section titled “get_rules”

Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)

GET /fwmgr/entities/rules/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 get_rules

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsThe rules to retrieve, identified by ID.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”

Examples coming soon.

validate_filepath_pattern

Section titled “validate_filepath_pattern”

Validates that the test pattern matches the executable filepath glob pattern.

POST /fwmgr/entities/rules/validate-filepath/v1
Scope Firewall Management: WRITE Consumes · Produces application/json
PEP 8 validate_filepath_pattern

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
filepath_patternbodystringPattern to test against.
filepath_test_stringbodystringFile path string to be tested.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.validate_filepath_pattern(filepath_pattern="string",
                                            filepath_test_string="string")
print(response)

query_events

Section titled “query_events”

Find all event IDs matching the query with filter

GET /fwmgr/queries/events/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 query_events

Parameters

Section titled “Parameters”
NameTypeData typeDescription
afterquerystringA pagination token used with the limit parameter to manage pagination of results. On your first request, don’t provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filterquerystringFQL Syntax formatted filter that should be used to limit the results.
limitqueryintegerMaximum number of results to return.
offsetqueryintegerThe offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset.
parametersquerydictionaryFull query string parameters payload in JSON format.
qquerystringFree text search across all indexed fields.
sortquerystringFQL Syntax formatted sort filter.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_events(after="string",
                               filter="string",
                               limit=integer,
                               offset=integer,
                               q="string",
                               sort="string")
print(response)

query_firewall_fields

Section titled “query_firewall_fields”

Get the firewall field specification IDs for the provided platform

GET /fwmgr/queries/firewall-fields/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 query_firewall_fields

Parameters

Section titled “Parameters”
NameTypeData typeDescription
limitqueryintegerMaximum number of results to return.
offsetqueryintegerThe offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset.
parametersquerydictionaryFull query string parameters payload in JSON format.
platform_idquerystringField configurations specific to this platform.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_firewall_fields(platform_id="string",
                                        limit=integer,
                                        offset=integer)
print(response)

query_network_locations

Section titled “query_network_locations”

Get a list of network location IDs

GET /fwmgr/queries/network-locations/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 query_network_locations

Parameters

Section titled “Parameters”
NameTypeData typeDescription
afterquerystringA pagination token used with the limit parameter to manage pagination of results. On your first request, don’t provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filterquerystringFQL Syntax formatted filter that should be used to limit the results.
limitqueryintegerMaximum number of results to return.
offsetqueryintegerThe offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset.
parametersquerydictionaryFull query string parameters payload in JSON format.
qquerystringFree text search across all indexed fields.
sortquerystringFQL Syntax formatted sort filter.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_network_locations(after="string",
                                          filter="string",
                                          limit=integer,
                                          offset=integer,
                                          q="string",
                                          sort="string")
print(response)

query_platforms

Section titled “query_platforms”

Get the list of platform names

GET /fwmgr/queries/platforms/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 query_platforms

Parameters

Section titled “Parameters”
NameTypeData typeDescription
limitqueryintegerMaximum number of results to return.
offsetqueryintegerThe offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_platforms(limit=integer, offset=integer)
print(response)

query_policy_rules

Section titled “query_policy_rules”

Find all firewall rule IDs matching the query with filter, and return them in precedence order

GET /fwmgr/queries/policy-rules/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 query_policy_rules

Parameters

Section titled “Parameters”
NameTypeData typeDescription
afterquerystringA pagination token used with the limit parameter to manage pagination of results. On your first request, don’t provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filterquerystringFQL Syntax formatted filter that should be used to limit the results.
idquerystringThe ID of the policy container within which to query.
limitqueryintegerMaximum number of results to return.
offsetqueryintegerThe offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset.
parametersquerydictionaryFull query string parameters payload in JSON format.
qquerystringFree text search across all indexed fields.
sortquerystringFQL Syntax formatted sort filter.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_policy_rules(after="string",
                                     filter="string",
                                     limit=integer,
                                     offset=integer,
                                     q="string",
                                     sort="string")
print(response)

query_rule_groups

Section titled “query_rule_groups”

Find all rule group IDs matching the query with filter

GET /fwmgr/queries/rule-groups/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 query_rule_groups

Parameters

Section titled “Parameters”
NameTypeData typeDescription
afterquerystringA pagination token used with the limit parameter to manage pagination of results. On your first request, don’t provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filterquerystringFQL Syntax formatted filter that should be used to limit the results.
limitqueryintegerMaximum number of results to return.
offsetqueryintegerThe offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset.
parametersquerydictionaryFull query string parameters payload in JSON format.
qquerystringFree text search across all indexed fields.
sortquerystringFQL Syntax formatted sort filter.

Code Examples

Section titled “Code Examples”

Examples coming soon.

query_rules

Section titled “query_rules”

Find all rule IDs matching the query with filter

GET /fwmgr/queries/rules/v1
Scope Firewall Management: READ Consumes · Produces application/json
PEP 8 query_rules

Parameters

Section titled “Parameters”
NameTypeData typeDescription
afterquerystringA pagination token used with the limit parameter to manage pagination of results. On your first request, don’t provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filterquerystringFQL Syntax formatted filter that should be used to limit the results.
limitqueryintegerMaximum number of results to return.
offsetqueryintegerThe offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset.
parametersquerydictionaryFull query string parameters payload in JSON format.
qquerystringFree text search across all indexed fields.
sortquerystringFQL Syntax formatted sort filter.

Code Examples

Section titled “Code Examples”
from falconpy import FirewallManagement


falcon = FirewallManagement(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_rules(after="string",
                              filter="string",
                              limit=integer,
                              offset=integer,
                              q="string",
                              sort="string")
print(response)
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use