Identity Protection
The Identity Protection service collection provides operations for managing identity-based security across your environment. Retrieve sensor aggregates, get device details, search sensors by filter, execute GraphQL queries for entities and incidents, and manage identity protection policy rules.
| Language | Last Update |
|---|---|
| Python | v1.5.3 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |
Table of Contents

| Operation (FalconPy method) | Description |
|---|---|
| GetSensorAggregates (get_sensor_aggregates) | Get sensor aggregates as specified via JSON in the request body. |
| GetSensorDetails (get_sensor_details) | Get details on one or more sensors by providing device IDs in a POST body. Supports a maximum of 5000 IDs. |
| QuerySensorsByFilter (query_sensors) | Search for sensors in your environment by hostname, IP, and other criteria. |
| api_preempt_proxy_post_graphql (graphql) | Identity Protection GraphQL API. Retrieves entities, timeline activities, identity-based incidents and security assessments, and performs actions on entities and identity-based incidents. |
| get_policy_rules (get_policy_rules) | Get policy rules. |
| post_policy_rules (create_policy_rule) | Create policy rules. |
| delete_policy_rules (delete_policy_rules) | Delete policy rules. |
| get_policy_rules_query (query_policy_rules) | Query policy rule IDs. |
GetSensorAggregates
Get sensor aggregates as specified via JSON in the request body.
FalconPy method: get_sensor_aggregates

Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | list of dictionaries | Full body payload in JSON format. |
| date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: [{"from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z"}, {"from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z"}] |
| exclude | body | string | Elements to exclude. |
| field | body | string | The field on which to compute the aggregation. |
| filter | body | string | FQL syntax formatted string to use to filter the results. |
| from | body | integer | Starting position. |
| include | body | string | Elements to include. |
| interval | body | string | Time interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute. |
| max_doc_count | body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | body | string | Full text search across all metadata fields. |
| ranges | body | list of dictionaries | Applies to range aggregations. Range values depend on the field. For example, if max_severity is used, ranges might look like: [{"From": 0, "To": 70}, {"From": 70, "To": 100}] |
| size | body | integer | The max number of term buckets to be returned. |
| sub_aggregates | body | list of dictionaries | A nested aggregation, such as: [{"name": "max_first_behavior", "type": "max", "field": "first_behavior"}]. There is a maximum of 3 nested aggregations per request. |
| sort | body | string | FQL syntax string to sort bucket results. _count - sort by document count. _term - sort by the string value alphabetically. Supports asc and desc using \| format. Example: _count\|desc |
| time_zone | body | string | Time zone for bucket results. |
| type | body | string | Type of aggregation. Valid values include: date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field. date_range - Aggregates counts on custom defined date range buckets. terms - Buckets alerts by the value of a specified field. range - Buckets alerts by specified (numeric) ranges of a specified field. cardinality - Returns the count of distinct values in a specified field. max - Returns the maximum value of a specified field. min - Returns the minimum value of a specified field. avg - Returns the average value of the specified field. sum - Returns the total sum of all values for the specified field. percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99. |
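Several of the parameters above only make sense together: date_histogram needs interval, date_range needs date_ranges, range needs ranges, sort takes _count or _term with an optional |asc or |desc, and at most three nested aggregations are allowed. FalconPy also accepts the whole list of aggregate dictionaries through body, which avoids the awkward reserved-word from keyword. The following added example (not code from this page or from the FalconPy project) encodes those documented constraints in a small builder and sends the result with the service class. Assumptions: the three-nesting limit is read as three entries in a sub_aggregates list; the field names in the usage call (first_seen, platform_name) are placeholders to replace with fields from your tenant; and each element of body.resources in the response is assumed to carry the name you chose for the aggregate.

```python
from typing import Any, Dict, List, Optional

# Constraints taken from the GetSensorAggregates parameter table.
AGG_TYPES = {"date_histogram", "date_range", "terms", "range", "cardinality",
             "max", "min", "avg", "sum", "percentiles"}
INTERVALS = {"year", "month", "week", "day", "hour", "minute"}
MAX_NESTED = 3  # "maximum of 3 nested aggregations", read here as entries per sub_aggregates list
OPTIONAL_KEYS = ("date_ranges", "exclude", "filter", "from", "include", "interval",
                 "max_doc_count", "min_doc_count", "missing", "q", "ranges", "size",
                 "sort", "sub_aggregates", "time_zone")


def aggregate_error(agg_type: str, opts: Dict[str, Any]) -> Optional[str]:
    """Return why an aggregate definition is invalid, or None if it is acceptable."""
    if agg_type not in AGG_TYPES:
        return f"unknown aggregation type {agg_type!r}"
    if agg_type == "date_histogram" and opts.get("interval") not in INTERVALS:
        return "date_histogram requires interval in " + ", ".join(sorted(INTERVALS))
    if agg_type == "date_range" and not opts.get("date_ranges"):
        return "date_range requires date_ranges"
    if agg_type == "range" and not opts.get("ranges"):
        return "range requires ranges"
    if len(opts.get("sub_aggregates") or []) > MAX_NESTED:
        return f"at most {MAX_NESTED} nested aggregations per request"
    sort = opts.get("sort")
    if sort is not None and sort.split("|")[0] not in ("_count", "_term"):
        return "sort must be _count or _term, optionally followed by |asc or |desc"
    return None


def aggregate(name: str, agg_type: str, field: str, **opts: Any) -> Dict[str, Any]:
    """Build one aggregate query dictionary, raising ValueError on a documented misuse."""
    problem = aggregate_error(agg_type, opts)
    if problem:
        raise ValueError(problem)
    agg: Dict[str, Any] = {"name": name, "type": agg_type, "field": field}
    # Forward only documented keys and drop None values so the wire body stays minimal.
    agg.update({k: opts[k] for k in OPTIONAL_KEYS if opts.get(k) is not None})
    return agg


def daily_histogram_body(filter_fql: str, time_field: str, breakdown_field: str,
                         tz: str = "UTC", top_n: int = 10) -> List[Dict[str, Any]]:
    """One daily date_histogram over sensors matching filter_fql, with a terms
    sub-aggregate listing the top_n values of breakdown_field inside each day bucket."""
    by_value = aggregate("by_" + breakdown_field, "terms", breakdown_field,
                         size=top_n, sort="_count|desc", missing="unknown")
    return [aggregate("per_day", "date_histogram", time_field, interval="day",
                      filter=filter_fql, time_zone=tz, min_doc_count=1,
                      sub_aggregates=[by_value])]


def run_sensor_aggregates(falcon, body: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Send body with an authenticated FalconPy IdentityProtection client and return
    the results keyed by aggregate name (assumes each result carries a "name" field)."""
    response = falcon.get_sensor_aggregates(body=body)
    if response["status_code"] != 200:
        raise RuntimeError(f"{response['status_code']}: {response['body'].get('errors')}")
    return {res["name"]: res for res in response["body"].get("resources", [])}


if __name__ == "__main__":
    import os
    from falconpy import IdentityProtection

    client = IdentityProtection(client_id=os.environ["FALCON_CLIENT_ID"],
                                client_secret=os.environ["FALCON_CLIENT_SECRET"])
    # Field names and the filter are placeholders; confirm them against a sensor record first.
    results = run_sensor_aggregates(
        client, daily_histogram_body("hostname:'dc*'", "first_seen", "platform_name"))
    print(results.get("per_day"))
```

Validation happens client-side before any token is spent, so a typo in the interval or an over-nested request fails fast with a readable message instead of a 400 from the API.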
Code Examples

Python, service class (PEP 8 method name):

```python
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

ranges = [{"From": 0, "To": 0}]

# "from" is a reserved word in Python and cannot be written as a bare keyword
# argument; pass it by unpacking a dictionary instead.
response = falcon.get_sensor_aggregates(date_ranges="string",
                                        exclude="string",
                                        field="string",
                                        filter="string",
                                        include="string",
                                        interval="string",
                                        max_doc_count=integer,
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=ranges,
                                        size=integer,
                                        sort="string",
                                        sub_aggregates=["string"],
                                        time_zone="string",
                                        type="string",
                                        **{"from": integer}
                                        )
print(response)
```

Python, service class (operation ID):

```python
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

ranges = [{"From": 0, "To": 0}]

# "from" is a reserved word in Python; supply it through dictionary unpacking.
response = falcon.GetSensorAggregates(date_ranges="string",
                                      exclude="string",
                                      field="string",
                                      filter="string",
                                      include="string",
                                      interval="string",
                                      max_doc_count=integer,
                                      min_doc_count=integer,
                                      missing="string",
                                      name="string",
                                      q="string",
                                      ranges=ranges,
                                      size=integer,
                                      sort="string",
                                      sub_aggregates=["string"],
                                      time_zone="string",
                                      type="string",
                                      **{"from": integer}
                                      )
print(response)
```

Python, Uber class:

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {
    "date_ranges": [{"from": "string", "to": "string"}],
    "exclude": "string",
    "extended_bounds": {"max": "string", "min": "string"},
    "field": "string",
    "filter": "string",
    "filters_spec": {"filters": {}, "other_bucket": boolean, "other_bucket_key": "string"},
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "percents": ["string"],
    "q": "string",
    "ranges": [{"from": integer, "to": integer}],
    "size": integer,
    "sort": "string",
    "sub_aggregates": [{
        "date_ranges": [{"from": "string", "to": "string"}],
        "exclude": "string",
        "extended_bounds": {"max": "string", "min": "string"},
        "field": "string",
        "filter": "string",
        "filters_spec": {"filters": {}, "other_bucket": boolean, "other_bucket_key": "string"},
        "from": integer,
        "include": "string",
        "interval": "string",
        "max_doc_count": integer,
        "min_doc_count": integer,
        "missing": "string",
        "name": "string",
        "percents": ["string"],
        "q": "string",
        "ranges": [{"from": integer, "to": integer}],
        "size": integer,
        "sort": "string",
        "sub_aggregates": [{
            "date_ranges": ["string"],
            "exclude": "string",
            "extended_bounds": {},
            "field": "string",
            "filter": "string",
            "filters_spec": {},
            "from": integer,
            "include": "string",
            "interval": "string",
            "max_doc_count": integer,
            "min_doc_count": integer,
            "missing": "string",
            "name": "string",
            "percents": ["string"],
            "q": "string",
            "ranges": ["string"],
            "size": integer,
            "sort": "string",
            "sub_aggregates": ["string"],
            "time_zone": "string",
            "type": "string"
        }],
        "time_zone": "string",
        "type": "string"
    }],
    "time_zone": "string",
    "type": "string"
}

response = falcon.command("GetSensorAggregates", body=body_payload)
print(response)
```

PowerShell: Examples coming soon.

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/identity_entities"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	// Placeholder values. The date-range start, the paging offset and the
	// aggregation type get distinct names here: "from" cannot be declared twice
	// in one scope and "type" is a Go keyword.
	dateFrom := "string"
	dateTo := "string"
	exclude := "string"
	field := "string"
	filter := "string"
	from := integer
	include := "string"
	interval := "string"
	maxDocCount := integer
	minDocCount := integer
	missing := "string"
	name := "string"
	q := "string"
	rangeFrom := integer
	rangeTo := integer
	size := integer
	sort := "string"
	timeZone := "string"
	aggType := "string"

	response, err := client.IdentityEntities.GetSensorAggregates(
		&identity_entities.GetSensorAggregatesParams{
			Body: &models.MsaAggregateQueryRequest{
				DateRanges:     []interface{}{{From: &dateFrom, To: &dateTo}},
				Exclude:        &exclude,
				ExtendedBounds: &struct{}{},
				Field:          &field,
				Filter:         &filter,
				FiltersSpec:    &struct{}{},
				From:           &from,
				Include:        &include,
				Interval:       &interval,
				MaxDocCount:    &maxDocCount,
				MinDocCount:    &minDocCount,
				Missing:        &missing,
				Name:           &name,
				Percents:       []interface{}{},
				Q:              &q,
				Ranges:         []interface{}{{From: &rangeFrom, To: &rangeTo}},
				Size:           &size,
				Sort:           &sort,
				SubAggregates: []interface{}{
					{
						DateRanges:     []interface{}{{From: &dateFrom, To: &dateTo}},
						Exclude:        &exclude,
						ExtendedBounds: &struct{}{},
						Field:          &field,
						Filter:         &filter,
						FiltersSpec:    &struct{}{},
						From:           &from,
						Include:        &include,
						Interval:       &interval,
						MaxDocCount:    &maxDocCount,
						MinDocCount:    &minDocCount,
						Missing:        &missing,
						Name:           &name,
						Percents:       []interface{}{},
						Q:              &q,
						Ranges:         []interface{}{{From: &rangeFrom, To: &rangeTo}},
						Size:           &size,
						Sort:           &sort,
						SubAggregates: []interface{}{
							{
								DateRanges:     []interface{}{},
								Exclude:        &exclude,
								ExtendedBounds: &struct{}{},
								Field:          &field,
								Filter:         &filter,
								FiltersSpec:    &struct{}{},
								From:           &from,
								Include:        &include,
								Interval:       &interval,
								MaxDocCount:    &maxDocCount,
								MinDocCount:    &minDocCount,
								Missing:        &missing,
								Name:           &name,
								Percents:       []interface{}{},
								Q:              &q,
								Ranges:         []interface{}{},
								Size:           &size,
								Sort:           &sort,
								SubAggregates:  []interface{}{},
								TimeZone:       &timeZone,
								Type:           &aggType,
							},
						},
						TimeZone: &timeZone,
						Type:     &aggType,
					},
				},
				TimeZone: &timeZone,
				Type:     &aggType,
			},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.identityEntities.getSensorAggregates(
  {
    dateRanges: [{ from: "string", to: "string" }],
    exclude: "string",
    extendedBounds: { max: "string", min: "string" },
    field: "string",
    filter: "string",
    filtersSpec: { filters: {}, otherBucket: boolean, otherBucketKey: "string" },
    from: integer,
    include: "string",
    interval: "string",
    maxDocCount: integer,
    minDocCount: integer,
    missing: "string",
    name: "string",
    percents: [],
    q: "string",
    ranges: [{ From: integer, To: integer }],
    size: integer,
    sort: "string",
    subAggregates: [
      {
        dateRanges: [{ from: "string", to: "string" }],
        exclude: "string",
        extendedBounds: { max: "string", min: "string" },
        field: "string",
        filter: "string",
        filtersSpec: { filters: {}, otherBucket: boolean, otherBucketKey: "string" },
        from: integer,
        include: "string",
        interval: "string",
        maxDocCount: integer,
        minDocCount: integer,
        missing: "string",
        name: "string",
        percents: [],
        q: "string",
        ranges: [{ From: integer, To: integer }],
        size: integer,
        sort: "string",
        subAggregates: [
          {
            dateRanges: [],
            exclude: "string",
            extendedBounds: {},
            field: "string",
            filter: "string",
            filtersSpec: {},
            from: integer,
            include: "string",
            interval: "string",
            maxDocCount: integer,
            minDocCount: integer,
            missing: "string",
            name: "string",
            percents: [],
            q: "string",
            ranges: [],
            size: integer,
            sort: "string",
            subAggregates: [],
            timeZone: "string",
            type: "string",
          },
        ],
        timeZone: "string",
        type: "string",
      },
    ],
    timeZone: "string",
    type: "string",
  } // body
);

console.log(response);
```

Rust:

```rust
use rusty_falcon::apis::identity_entities_api::get_sensor_aggregates;
use rusty_falcon::easy::client::FalconHandle;
// The nested range models are assumed to carry the same "Msa" prefix as the
// request type; nested sub-aggregates are the request type itself.
use rusty_falcon::models::{MsaAggregateQueryRequest, MsaDateRangeSpec, MsaRangeSpec};

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    // "type" is a Rust keyword, so the generated field is spelled r#type.
    let body = MsaAggregateQueryRequest {
        date_ranges: vec![MsaDateRangeSpec {
            from: Some("string".to_string()),
            to: Some("string".to_string()),
            ..Default::default()
        }],
        exclude: Some("string".to_string()),
        field: Some("string".to_string()),
        filter: Some("string".to_string()),
        filters_spec: Default::default(),
        from: Some(integer),
        include: Some("string".to_string()),
        interval: Some("string".to_string()),
        missing: Some("string".to_string()),
        name: Some("string".to_string()),
        percents: vec![],
        q: Some("string".to_string()),
        ranges: vec![MsaRangeSpec {
            from: Some(integer),
            to: Some(integer),
            ..Default::default()
        }],
        size: Some(integer),
        sort: Some("string".to_string()),
        sub_aggregates: vec![MsaAggregateQueryRequest {
            date_ranges: vec![MsaDateRangeSpec {
                from: Some("string".to_string()),
                to: Some("string".to_string()),
                ..Default::default()
            }],
            exclude: Some("string".to_string()),
            field: Some("string".to_string()),
            filter: Some("string".to_string()),
            filters_spec: Default::default(),
            from: Some(integer),
            include: Some("string".to_string()),
            interval: Some("string".to_string()),
            missing: Some("string".to_string()),
            name: Some("string".to_string()),
            percents: vec![],
            q: Some("string".to_string()),
            ranges: vec![MsaRangeSpec {
                from: Some(integer),
                to: Some(integer),
                ..Default::default()
            }],
            size: Some(integer),
            sort: Some("string".to_string()),
            sub_aggregates: vec![MsaAggregateQueryRequest {
                date_ranges: vec![],
                exclude: Some("string".to_string()),
                field: Some("string".to_string()),
                filter: Some("string".to_string()),
                filters_spec: Default::default(),
                from: Some(integer),
                include: Some("string".to_string()),
                interval: Some("string".to_string()),
                missing: Some("string".to_string()),
                name: Some("string".to_string()),
                percents: vec![],
                q: Some("string".to_string()),
                ranges: vec![],
                size: Some(integer),
                sort: Some("string".to_string()),
                sub_aggregates: vec![],
                time_zone: Some("string".to_string()),
                r#type: Some("string".to_string()),
                ..Default::default()
            }],
            time_zone: Some("string".to_string()),
            r#type: Some("string".to_string()),
            ..Default::default()
        }],
        time_zone: Some("string".to_string()),
        r#type: Some("string".to_string()),
        ..Default::default()
    };

    let response = get_sensor_aggregates(
        &falcon.cfg, // configuration
        body,        // body
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
```

Ruby:

```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::IdentityEntities.new

body = Falcon::MsaAggregateQueryRequest.new(
  date_ranges: [{ from: 'string', to: 'string' }],
  exclude: 'string',
  extended_bounds: { max: 'string', min: 'string' },
  field: 'string',
  filter: 'string',
  filters_spec: { filters: {}, other_bucket: boolean, other_bucket_key: 'string' },
  from: integer,
  include: 'string',
  interval: 'string',
  max_doc_count: integer,
  min_doc_count: integer,
  missing: 'string',
  name: 'string',
  percents: [],
  q: 'string',
  ranges: [{ From: integer, To: integer }],
  size: integer,
  sort: 'string',
  sub_aggregates: [{
    date_ranges: [{ from: 'string', to: 'string' }],
    exclude: 'string',
    extended_bounds: { max: 'string', min: 'string' },
    field: 'string',
    filter: 'string',
    filters_spec: { filters: {}, other_bucket: boolean, other_bucket_key: 'string' },
    from: integer,
    include: 'string',
    interval: 'string',
    max_doc_count: integer,
    min_doc_count: integer,
    missing: 'string',
    name: 'string',
    percents: [],
    q: 'string',
    ranges: [{ From: integer, To: integer }],
    size: integer,
    sort: 'string',
    sub_aggregates: [{
      date_ranges: [],
      exclude: 'string',
      extended_bounds: {},
      field: 'string',
      filter: 'string',
      filters_spec: {},
      from: integer,
      include: 'string',
      interval: 'string',
      max_doc_count: integer,
      min_doc_count: integer,
      missing: 'string',
      name: 'string',
      percents: [],
      q: 'string',
      ranges: [],
      size: integer,
      sort: 'string',
      sub_aggregates: [],
      time_zone: 'string',
      type: 'string'
    }],
    time_zone: 'string',
    type: 'string'
  }],
  time_zone: 'string',
  type: 'string'
)

response = api.get_sensor_aggregates(body)

puts response
```

GetSensorDetails
Get details on one or more sensors by providing device IDs in a POST body. Supports a maximum of 5000 IDs.
FalconPy method: get_sensor_details

Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| ids | body | string or list of strings | The host agent IDs used to get details on. Maximum: 5000 |
Code Examples

Python, service class (PEP 8 method name):

```python
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_sensor_details(ids=id_list)
print(response)
```

Python, service class (operation ID):

```python
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetSensorDetails(ids=id_list)
print(response)
```

Python, Uber class:

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {"ids": ["string"]}

response = falcon.command("GetSensorDetails", body=body_payload)
print(response)
```

PowerShell:

```powershell
Get-FalconIdentityHost -Id @("ID1", "ID2")
```

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/identity_entities"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	response, err := client.IdentityEntities.GetSensorDetails(
		&identity_entities.GetSensorDetailsParams{
			Body: &models.MsaIdsRequest{
				Ids: []string{"string"},
			},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.identityEntities.getSensorDetails(
  { ids: [] } // body
);

console.log(response);
```

Rust:

```rust
use rusty_falcon::apis::identity_entities_api::get_sensor_details;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::MsaIdsRequest;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let body = MsaIdsRequest {
        ids: vec!["string".to_string()],
        ..Default::default()
    };

    let response = get_sensor_details(
        &falcon.cfg, // configuration
        body,        // body
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
```

Ruby:

```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::IdentityEntities.new

body = Falcon::MsaIdsRequest.new(ids: [])

response = api.get_sensor_details(body)

puts response
```

QuerySensorsByFilter
Search for sensors in your environment by hostname, IP, and other criteria.
FalconPy method: query_sensors

Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| offset | query | integer | The offset to start retrieving records from |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| limit | query | integer | The maximum records to return. [1-200] |
| sort | query | string | The property to sort by (e.g. status.desc or hostname.asc) |
| filter | query | string | The filter expression that should be used to limit the results. |
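QuerySensorsByFilter returns at most 200 IDs per call, and GetSensorDetails above accepts at most 5000 IDs per call, so resolving "every sensor matching this filter" to full records means walking offset/limit pages and then batching the IDs. The following added example (not code from this page or the FalconPy project) does both against the FalconPy service class, using a deterministic sort so pages stay stable while they are walked and stopping on the first short page. FakeFalcon is a constructed stand-in that mimics FalconPy's {status_code, body} response shape so the helpers can be exercised offline; the filter string in the usage call is a placeholder.

```python
from typing import Any, Dict, Iterator, List, Sequence

QUERY_PAGE_MAX = 200      # limit is documented as [1-200]
DETAILS_BATCH_MAX = 5000  # GetSensorDetails accepts at most 5000 IDs per call


def _body(response: Dict[str, Any]) -> Dict[str, Any]:
    """Unwrap a FalconPy response dict, failing loudly on any non-200 status."""
    if response["status_code"] != 200:
        raise RuntimeError(f"{response['status_code']}: {response['body'].get('errors')}")
    return response["body"]


def iter_sensor_ids(falcon, filter_fql: str, sort: str = "hostname.asc",
                    page_size: int = QUERY_PAGE_MAX) -> Iterator[str]:
    """Yield every sensor ID matching filter_fql by walking offset/limit pages.

    The loop ends on the first page shorter than page_size, so it does not depend
    on meta.pagination.total being present in the response."""
    page_size = max(1, min(page_size, QUERY_PAGE_MAX))
    offset = 0
    while True:
        page = _body(falcon.query_sensors(filter=filter_fql, sort=sort,
                                          limit=page_size, offset=offset))
        ids = page.get("resources", [])
        yield from ids
        if len(ids) < page_size:
            return
        offset += len(ids)


def sensor_details(falcon, filter_fql: str,
                   batch_size: int = DETAILS_BATCH_MAX) -> List[Dict[str, Any]]:
    """Resolve every matching sensor to its detail record, batching IDs under the cap."""
    batch_size = max(1, min(batch_size, DETAILS_BATCH_MAX))
    # dict.fromkeys de-duplicates while preserving order, in case a page boundary shifted.
    ids = list(dict.fromkeys(iter_sensor_ids(falcon, filter_fql)))
    details: List[Dict[str, Any]] = []
    for start in range(0, len(ids), batch_size):
        batch = ids[start:start + batch_size]
        details.extend(_body(falcon.get_sensor_details(ids=batch)).get("resources", []))
    return details


class FakeFalcon:
    """Constructed stand-in for IdentityProtection so the helpers run offline.

    It answers with the same {status_code, body} shape FalconPy returns and
    counts calls so the paging and batching can be checked."""

    def __init__(self, ids: Sequence[str]):
        self.ids = list(ids)
        self.query_calls = 0
        self.detail_calls = 0

    def query_sensors(self, filter: str, sort: str, limit: int, offset: int) -> Dict[str, Any]:
        self.query_calls += 1
        return {"status_code": 200, "body": {"resources": self.ids[offset:offset + limit]}}

    def get_sensor_details(self, ids: List[str]) -> Dict[str, Any]:
        self.detail_calls += 1
        return {"status_code": 200,
                "body": {"resources": [{"device_id": i} for i in ids]}}


if __name__ == "__main__":
    # Constructed sample: 450 placeholder IDs, forcing three query pages and,
    # with a deliberately small batch size, five detail calls.
    fake = FakeFalcon([f"aid{i:04d}" for i in range(450)])
    rows = sensor_details(fake, "hostname:'dc*'", batch_size=100)
    print(len(rows), "sensors via", fake.query_calls, "query pages and",
          fake.detail_calls, "detail calls")
```

To run it against a live tenant, replace FakeFalcon with an authenticated IdentityProtection instance; the helpers only rely on the query_sensors and get_sensor_details methods documented on this page.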
Code Examples

Python, service class (PEP 8 method name):

```python
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.query_sensors(filter="string", limit=integer, offset=integer, sort="string")
print(response)
```

Python, service class (operation ID):

```python
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.QuerySensorsByFilter(filter="string", limit=integer, offset=integer, sort="string")
print(response)
```

Python, Uber class:

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.command("QuerySensorsByFilter", offset=integer, limit=integer, sort="string", filter="string")
print(response)
```

PowerShell:

```powershell
Get-FalconIdentityHost -Filter "string" `
    -Sort "string" `
    -Limit integer `
    -Offset integer
```

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/identity_entities"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	offset := int64(0)
	limit := int64(0)
	sort := "string"
	filter := "string"

	response, err := client.IdentityEntities.QuerySensorsByFilter(
		&identity_entities.QuerySensorsByFilterParams{
			Offset:  &offset,
			Limit:   &limit,
			Sort:    &sort,
			Filter:  &filter,
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.identityEntities.querySensorsByFilter(
  integer, // offset
  integer, // limit
  "string", // sort
  "string" // filter
);

console.log(response);
```

Rust:

```rust
use rusty_falcon::apis::identity_entities_api::query_sensors_by_filter;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = query_sensors_by_filter(
        &falcon.cfg,    // configuration
        Some(integer),  // offset
        Some(integer),  // limit
        Some("string"), // sort
        Some("string"), // filter
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
```

Ruby:

```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::IdentityEntities.new

response = api.query_sensors_by_filter(offset: integer, limit: integer, sort: 'string', filter: 'string')

puts response
```

api_preempt_proxy_post_graphql
Identity Protection GraphQL API. Retrieves entities, timeline activities, identity-based incidents and security assessments, and performs actions on entities and identity-based incidents.
FalconPy method: graphql

Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| query | body | string | JSON-similar formatted query to perform. |
| variables | body | dictionary | Dictionary of variables to provide to the query. |
Code Examples

Python, service class (PEP 8 method name):

```python
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.graphql(query="string", variables={})
print(response)
```

Python, service class (operation ID):

```python
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.api_preempt_proxy_post_graphql(query="string", variables={})
print(response)
```

Python, Uber class:

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {"query": "string"}

response = falcon.command("api_preempt_proxy_post_graphql", body=body_payload)
print(response)
```

PowerShell: Examples coming soon.

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/identity_protection"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	query := "string"

	response, err := client.IdentityProtection.APIPreemptProxyPostGraphql(
		&identity_protection.APIPreemptProxyPostGraphqlParams{
			Body: &models.SwaggerGraphQLQuery{
				Query: &query,
			},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.identityProtection.apiPreemptProxyPostGraphql(
  { query: "string" } // body
);

console.log(response);
```

Rust: Examples coming soon.

Ruby: Examples coming soon.

get_policy_rules
Get policy rules.
FalconPy method: get_policy_rules

Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| parameters | query | dictionary | Full query string payload in JSON format. |
| ids | query | string or list of strings | The policy rule IDs used to get details on. |
Code Examples

Python, service class (PEP 8 method name):

```python
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_policy_rules(ids=id_list)
print(response)
```

Python, service class (operation ID, identical to the method name for this operation):

```python
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_policy_rules(ids=id_list)
print(response)
```

Python, Uber class:

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_policy_rules", ids=id_list)
print(response)
```

PowerShell:

```powershell
Get-FalconIdentityRule -Id @("ID1", "ID2")
```

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/identity_protection"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	response, err := client.IdentityProtection.APIPreemptProxyGetPolicyRules(
		&identity_protection.APIPreemptProxyGetPolicyRulesParams{
			Ids:     []string{"ID1", "ID2", "ID3"},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.identityProtection.apiPreemptProxyGetPolicyRules("string"); // ids

console.log(response);
```

Rust:

```rust
use rusty_falcon::apis::identity_protection_api::api_preempt_proxy_get_policy_rules;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = api_preempt_proxy_get_policy_rules(
        &falcon.cfg,                  // configuration
        vec!["string".to_string()],   // ids
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
```

Ruby:

```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::IdentityProtection.new

response = api.api_preempt_proxy_get_policy_rules(['ID1', 'ID2', 'ID3'])

puts response
```

post_policy_rules
Create policy rules.
FalconPy method: create_policy_rule

Parameters
All parameters other than body are fields of the JSON request body (the code examples below send them in the body, not the query string).

| Name | Type | Data type | Description |
|---|---|---|---|
| action | body | string | Policy rule action. |
| activity | body | dictionary | Activity to match: access_type and access_type_custom, each with include and exclude lists. |
| body | body | dictionary | Full body payload in JSON format. |
| destination | body | dictionary | Activity destination: entity_id and group_membership, each with include and exclude lists. |
| enabled | body | boolean | Flag indicating if the policy rule is enabled. |
| name | body | string | Name of the policy rule. |
| simulation_mode | body | boolean | Simulate the policy action instead of actually taking action. |
| source_endpoint | body | dictionary | Source endpoint details: entity_id and group_membership, each with include and exclude lists. |
| source_user | body | dictionary | Source user details: entity_id and group_membership, each with include and exclude lists. |
| trigger | body | string | Policy rule trigger. |
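A policy rule that enforces an action against real logons is an availability risk if its selectors are wrong, which is what simulation_mode is for. The following added example (not code from this page or the FalconPy project) assembles the nested include/exclude body from flat lists and refuses to submit an enforcing rule unless the caller opts in explicitly after a simulation run. Assumptions: FalconPy's create_policy_rule accepts the finished dictionary via body=; the page does not say how an empty include or exclude list is interpreted, so empty selectors are omitted rather than sent; the trigger, action, group and access-type strings in the usage call are placeholders; and FakeFalcon is a constructed stand-in that mimics FalconPy's {status_code, body} response so the flow runs offline.

```python
from typing import Any, Dict, Iterable, List


def _selector(include: Iterable[str] = (), exclude: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Build the {"include": [...], "exclude": [...]} shape every match field uses,
    keeping only the lists that were actually supplied."""
    sel: Dict[str, List[str]] = {}
    if include:
        sel["include"] = list(include)
    if exclude:
        sel["exclude"] = list(exclude)
    return sel


def _group(**fields: Dict[str, List[str]]) -> Dict[str, Any]:
    """Drop empty selectors so nothing is sent for a dimension the caller did not set."""
    return {key: value for key, value in fields.items() if value}


def policy_rule_body(name: str, trigger: str, action: str, *,
                     source_user_ids: Iterable[str] = (), source_user_groups: Iterable[str] = (),
                     source_endpoint_ids: Iterable[str] = (), source_endpoint_groups: Iterable[str] = (),
                     destination_ids: Iterable[str] = (), destination_groups: Iterable[str] = (),
                     access_types: Iterable[str] = (), access_types_custom: Iterable[str] = (),
                     enabled: bool = True, simulation_mode: bool = True) -> Dict[str, Any]:
    """Assemble the post_policy_rules body from flat lists, defaulting to simulation mode."""
    if not name.strip():
        raise ValueError("policy rule needs a name")
    body: Dict[str, Any] = {
        "name": name,
        "trigger": trigger,
        "action": action,
        "enabled": enabled,
        "simulation_mode": simulation_mode,
        "source_user": _group(entity_id=_selector(source_user_ids),
                              group_membership=_selector(source_user_groups)),
        "source_endpoint": _group(entity_id=_selector(source_endpoint_ids),
                                  group_membership=_selector(source_endpoint_groups)),
        "destination": _group(entity_id=_selector(destination_ids),
                              group_membership=_selector(destination_groups)),
        "activity": _group(access_type=_selector(access_types),
                           access_type_custom=_selector(access_types_custom)),
    }
    # Dimensions with no selectors at all are left out of the request entirely.
    return {key: value for key, value in body.items() if value != {}}


def is_safe_to_create(body: Dict[str, Any], allow_enforcement: bool = False) -> bool:
    """True when the rule simulates, or when the caller explicitly accepts enforcement."""
    return bool(body.get("simulation_mode", False)) or allow_enforcement


def create_policy_rule(falcon, body: Dict[str, Any], *,
                       allow_enforcement: bool = False) -> List[Dict[str, Any]]:
    """Submit the rule through FalconPy (assumes create_policy_rule accepts body=)."""
    if not is_safe_to_create(body, allow_enforcement):
        raise ValueError("rule would enforce; create it with simulation_mode=True, review "
                         "the simulated matches, then re-run with allow_enforcement=True")
    response = falcon.create_policy_rule(body=body)
    if response["status_code"] not in (200, 201):
        raise RuntimeError(f"{response['status_code']}: {response['body'].get('errors')}")
    return response["body"].get("resources", [])


class FakeFalcon:
    """Constructed stand-in that records submitted bodies and answers like FalconPy."""

    def __init__(self) -> None:
        self.created: List[Dict[str, Any]] = []

    def create_policy_rule(self, body: Dict[str, Any]) -> Dict[str, Any]:
        self.created.append(body)
        rule = dict(body, id=f"rule-{len(self.created)}")
        return {"status_code": 200, "body": {"resources": [rule]}}


if __name__ == "__main__":
    # Placeholder trigger, action, group and access-type values.
    body = policy_rule_body("Admin logons from workstations (simulated)",
                            "trigger-placeholder", "action-placeholder",
                            source_user_groups=["group-placeholder"],
                            destination_groups=["dc-group-placeholder"],
                            access_types=["access-type-placeholder"])
    print(create_policy_rule(FakeFalcon(), body))
```

Once the simulated rule has run long enough to review its matches, re-submit the same body with simulation_mode=False and allow_enforcement=True; the guard exists precisely so that second step cannot happen by accident.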
Code Examples

Python, service class (PEP 8 method name):

```python
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.create_policy_rule(action="string",
                                     activity={},
                                     destination={},
                                     enabled=boolean,
                                     name="string",
                                     simulation_mode=boolean,
                                     source_endpoint={},
                                     source_user={},
                                     trigger="string"
                                     )
print(response)
```

Python, service class (operation ID):

```python
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.post_policy_rules(action="string",
                                    activity={},
                                    destination={},
                                    enabled=boolean,
                                    name="string",
                                    simulation_mode=boolean,
                                    source_endpoint={},
                                    source_user={},
                                    trigger="string"
                                    )
print(response)
```

Python, Uber class:

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {
    "action": "string",
    "activity": {
        "access_type": {"exclude": ["string"], "include": ["string"]},
        "access_type_custom": {"exclude": ["string"], "include": ["string"]}
    },
    "destination": {
        "entity_id": {"exclude": ["string"], "include": ["string"]},
        "group_membership": {"exclude": ["string"], "include": ["string"]}
    },
    "enabled": boolean,
    "name": "string",
    "simulation_mode": boolean,
    "source_endpoint": {
        "entity_id": {"exclude": ["string"], "include": ["string"]},
        "group_membership": {"exclude": ["string"], "include": ["string"]}
    },
    "source_user": {
        "entity_id": {"exclude": ["string"], "include": ["string"]},
        "group_membership": {"exclude": ["string"], "include": ["string"]}
    },
    "trigger": "string"
}

response = falcon.command("post_policy_rules", body=body_payload)
print(response)
```

PowerShell:

```powershell
New-FalconIdentityRule -Name "string" `
    -Action "string" `
    -Trigger "string" `
    -Enabled $boolean `
    -SimulationMode $boolean
```

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/identity_protection"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	action := "string"
	enabled := boolean
	name := "string"
	simulationMode := boolean
	trigger := "string"

	response, err := client.IdentityProtection.APIPreemptProxyPostPolicyRules(
		&identity_protection.APIPreemptProxyPostPolicyRulesParams{
			Body: &models.TypesPolicyRulesCreateBody{
				Action:         &action,
				Activity:       &struct{}{},
				Destination:    &struct{}{},
				Enabled:        &enabled,
				Name:           &name,
				Simulationmode: &simulationMode,
				Sourceendpoint: &struct{}{},
				Sourceuser:     &struct{}{},
				Trigger:        &trigger,
			},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.identityProtection.apiPreemptProxyPostPolicyRules(
  {
    action: "string",
    activity: {
      accessType: { exclude: [], include: [] },
      accessTypeCustom: { exclude: [], include: [] },
    },
    destination: {
      entityId: { exclude: [], include: [] },
      groupMembership: { exclude: [], include: [] },
    },
    enabled: boolean,
    name: "string",
    simulationMode: boolean,
    sourceEndpoint: {
      entityId: { exclude: [], include: [] },
      groupMembership: { exclude: [], include: [] },
    },
    sourceUser: {
      entityId: { exclude: [], include: [] },
      groupMembership: { exclude: [], include: [] },
    },
    trigger: "string",
  } // body
);

console.log(response);
```

Rust:

```rust
use rusty_falcon::apis::identity_protection_api::api_preempt_proxy_post_policy_rules;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::TypesPolicyRulesCreateBody;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let body = TypesPolicyRulesCreateBody {
        action: Some("string".to_string()),
        enabled: Some(boolean),
        name: Some("string".to_string()),
        simulation_mode: Some(boolean),
        trigger: Some("string".to_string()),
        ..Default::default()
    };

    let response = api_preempt_proxy_post_policy_rules(
        &falcon.cfg, // configuration
        body,        // body
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
```

Ruby:

```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::IdentityProtection.new

body = Falcon::TypesPolicyRulesCreateBody.new(
  action: 'string',
  activity: {
    accessType: { exclude: [], include: [] },
    accessTypeCustom: { exclude: [], include: [] }
  },
  destination: {
    entityId: { exclude: [], include: [] },
    groupMembership: { exclude: [], include: [] }
  },
  enabled: boolean,
  name: 'string',
  simulationMode: boolean,
  sourceEndpoint: {
    entityId: { exclude: [], include: [] },
    groupMembership: { exclude: [], include: [] }
  },
  sourceUser: {
    entityId: { exclude: [], include: [] },
    groupMembership: { exclude: [], include: [] }
  },
  trigger: 'string'
)

response = api.api_preempt_proxy_post_policy_rules(body)

puts response
```

delete_policy_rules
Section titled “delete_policy_rules”Delete policy rules.
delete_policy_rulesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| parameters | query | dictionary | Full query string payload in JSON format. |
| ids | query | string or list of strings | The policy rule IDs to delete. |
Code Examples

```python
# FalconPy Service Class, PEP8-style method name
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_policy_rules(ids=id_list)
print(response)
```

```python
# FalconPy Service Class, operation ID method name
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_policy_rules(ids=id_list)
print(response)
```

```python
# FalconPy Uber Class
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_policy_rules", ids=id_list)
print(response)
```

```powershell
Remove-FalconIdentityRule -Id @("ID1", "ID2")
```

```go
package main

import (
    "context"
    "fmt"
    "os"

    "github.com/crowdstrike/gofalcon/falcon"
    "github.com/crowdstrike/gofalcon/falcon/client/identity_protection"
)

func main() {
    client, err := falcon.NewClient(&falcon.ApiConfig{
        ClientId:     os.Getenv("FALCON_CLIENT_ID"),
        ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
        Context:      context.Background(),
    })
    if err != nil {
        panic(err)
    }

    response, err := client.IdentityProtection.APIPreemptProxyDeletePolicyRules(
        &identity_protection.APIPreemptProxyDeletePolicyRulesParams{
            Ids:     []string{"ID1", "ID2", "ID3"},
            Context: context.Background(),
        },
    )
    if err != nil {
        panic(falcon.ErrorExplain(err))
    }

    fmt.Printf("%+v\n", response.Payload)
}
```

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.identityProtection.apiPreemptProxyDeletePolicyRules("string"); // ids

console.log(response);
```

```rust
use rusty_falcon::apis::identity_protection_api::api_preempt_proxy_delete_policy_rules;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = api_preempt_proxy_delete_policy_rules(
        &falcon.cfg,                  // configuration
        vec!["string".to_string()],   // ids
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
```

```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::IdentityProtection.new

response = api.api_preempt_proxy_delete_policy_rules(['ID1', 'ID2', 'ID3'])

puts response
```

get_policy_rules_query
Query policy rule IDs.
query_policy_rules
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| enabled | query | boolean | Flag indicating if the rule is enabled. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| simulation_mode | query | boolean | Flag indicating if the rule is in simulation mode. |
| name | query | string | Rule name |
Code Examples

```python
# FalconPy Service Class, PEP8-style method name
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.query_policy_rules(enabled=boolean,
                                     simulation_mode=boolean,
                                     name="string"
                                     )
print(response)
```

```python
# FalconPy Service Class, operation ID method name
from falconpy import IdentityProtection

falcon = IdentityProtection(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )

response = falcon.get_policy_rules_query(enabled=boolean,
                                         simulation_mode=boolean,
                                         name="string"
                                         )
print(response)
```

```python
# FalconPy Uber Class
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("get_policy_rules_query",
                          enabled=boolean,
                          simulation_mode=boolean,
                          name="string"
                          )
print(response)
```

```powershell
Get-FalconIdentityRule
```

```go
package main

import (
    "context"
    "fmt"
    "os"

    "github.com/crowdstrike/gofalcon/falcon"
    "github.com/crowdstrike/gofalcon/falcon/client/identity_protection"
)

func main() {
    client, err := falcon.NewClient(&falcon.ApiConfig{
        ClientId:     os.Getenv("FALCON_CLIENT_ID"),
        ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
        Context:      context.Background(),
    })
    if err != nil {
        panic(err)
    }

    enabled := boolean
    simulationMode := boolean
    name := "string"

    response, err := client.IdentityProtection.APIPreemptProxyGetPolicyRulesQuery(
        &identity_protection.APIPreemptProxyGetPolicyRulesQueryParams{
            Enabled:        &enabled,
            SimulationMode: &simulationMode,
            Name:           &name,
            Context:        context.Background(),
        },
    )
    if err != nil {
        panic(falcon.ErrorExplain(err))
    }

    fmt.Printf("%+v\n", response.Payload)
}
```

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.identityProtection.apiPreemptProxyGetPolicyRulesQuery(
  boolean, // enabled
  boolean, // simulationMode
  "string" // name
);

console.log(response);
```

```rust
use rusty_falcon::apis::identity_protection_api::api_preempt_proxy_get_policy_rules_query;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = api_preempt_proxy_get_policy_rules_query(
        &falcon.cfg,    // configuration
        Some(boolean),  // enabled
        Some(boolean),  // simulation_mode
        Some("string"), // name
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
```

```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::IdentityProtection.new

response = api.api_preempt_proxy_get_policy_rules_query(enabled: boolean, simulation_mode: boolean, name: 'string')

puts response
```
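As an added example (not FalconPy's or CrowdStrike's own code), the following chains the two operations documented above: query_policy_rules narrows the tenant's rules to those that are disabled and still in simulation mode, and delete_policy_rules removes them in batches, defaulting to a dry run so the ID list can be reviewed before anything is deleted. BATCH_SIZE and the FakeFalcon stand-in client are assumptions made so it runs offline; in a real run replace FakeFalcon with IdentityProtection(client_id=..., client_secret=...).

```python
# Added example, not FalconPy's own code: find identity protection policy rules that are
# disabled and still in simulation mode, then delete them in batches, dry-run by default.
# BATCH_SIZE and the FakeFalcon stand-in client are assumptions so this runs offline.
BATCH_SIZE = 100  # assumed per-call limit; check your tenant's documented maximum

SAMPLE_RULES = {  # constructed sample data standing in for a tenant's rules
    "r1": {"enabled": False, "simulation_mode": True, "name": "Block stale admins"},
    "r2": {"enabled": True, "simulation_mode": True, "name": "MFA on RDP"},
    "r3": {"enabled": False, "simulation_mode": False, "name": "Block stale admins"},
}

def _ok(response):
    """FalconPy returns a dict with status_code and body; treat any 2xx as success."""
    return 200 <= response.get("status_code", 0) < 300

def prune_stale_rules(falcon, name=None, dry_run=True):
    """Return IDs of disabled, simulation-mode rules; delete them only when dry_run=False."""
    query = falcon.query_policy_rules(enabled=False, simulation_mode=True, name=name)
    if not _ok(query):
        raise RuntimeError(f"query_policy_rules failed: {query['body'].get('errors')}")
    ids = list(query["body"].get("resources") or [])
    if dry_run:
        return ids
    for start in range(0, len(ids), BATCH_SIZE):  # delete_policy_rules accepts a list of IDs
        batch = ids[start:start + BATCH_SIZE]
        result = falcon.delete_policy_rules(ids=batch)
        if not _ok(result):
            raise RuntimeError(f"delete_policy_rules failed: {result['body'].get('errors')}")
    return ids

class FakeFalcon:
    """Constructed stand-in for IdentityProtection with the same call and response shapes."""
    def __init__(self, rules):
        self.rules, self.deleted = dict(rules), []

    def query_policy_rules(self, enabled=None, simulation_mode=None, name=None):
        hits = [rid for rid, r in self.rules.items()
                if (enabled is None or r["enabled"] == enabled)
                and (simulation_mode is None or r["simulation_mode"] == simulation_mode)
                and (name is None or r["name"] == name)]
        return {"status_code": 200, "body": {"resources": hits, "errors": []}}

    def delete_policy_rules(self, ids):
        ids = ids.split(",") if isinstance(ids, str) else list(ids)
        for rid in ids:
            self.rules.pop(rid)
            self.deleted.append(rid)
        return {"status_code": 200, "body": {"resources": ids, "errors": []}}
```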