Quarantine
The Quarantine service collection provides operations for managing quarantined files. Get quarantine file metadata and aggregates, update quarantine states by ID or query, and search for quarantine file IDs using FQL filters.
| Language | Last Update |
|---|---|
| Python | v1.4.6 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |
Table of Contents
Section titled “Table of Contents”| Operation | Description |
|---|---|
ActionUpdateCountaction_update_count | Returns count of potentially affected quarantined files for each action. |
GetAggregateFilesget_aggregate_files | Get quarantine file aggregates as specified via json in request body. |
GetQuarantineFilesget_quarantine_files | Get quarantine file metadata for specified ids. |
UpdateQuarantinedDetectsByIdsupdate_quarantined_detects_by_id | Apply action by quarantine file ids. |
QueryQuarantineFilesquery_quarantine_files | Get quarantine file ids that match the provided filter criteria. |
UpdateQfByQueryupdate_quarantined_detects_by_query | Apply quarantine file actions by query. |
ActionUpdateCount
Section titled “ActionUpdateCount”Returns count of potentially affected quarantined files for each action.
GET /quarantine/aggregates/action-update-count/v1
PEP 8
action_update_countParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | The filter expression that should be used to filter results. FQL syntax. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Code Examples
Section titled “Code Examples”from falconpy import Quarantine
falcon = Quarantine(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.action_update_count(filter="string")print(response)from falconpy import Quarantine
falcon = Quarantine(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.ActionUpdateCount(filter="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("ActionUpdateCount", filter="string")print(response)Test-FalconQuarantineAction -Filter "string"package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/quarantine")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
response, err := client.Quarantine.ActionUpdateCount( &quarantine.ActionUpdateCountParams{ Filter: "string", Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.quarantine.actionUpdateCount("string"); // filter
console.log(response);use rusty_falcon::apis::quarantine_api::action_update_count;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = action_update_count( &falcon.cfg, // configuration "string", // filter ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Quarantine.new
response = api.action_update_count('string')
puts responseGetAggregateFiles
Section titled “GetAggregateFiles”Get quarantine file aggregates as specified via json in request body.
POST /quarantine/aggregates/quarantined-files/GET/v1
PEP 8
get_aggregate_filesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | list of dictionaries | Full body payload in JSON format. |
| date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: [{“from”: “2016-05-28T09:00:31Z”, “to”: “2016-05-30T09:00:31Z”}, {“from”: “2016-06-01T09:00:31Z”, “to”: “2016-06-10T09:00:31Z”}] |
| exclude | body | string | Elements to exclude. |
| field | body | string | The field on which to compute the aggregation. |
| filter | body | string | FQL syntax formatted string to use to filter the results. |
| from | body | integer | Starting position. |
| include | body | string | Elements to include. |
| interval | body | string | Time interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute. |
| max_doc_count | body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | body | string | Full text search across all metadata fields. |
| ranges | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [{“From”: 0, “To”: 70}, {“From”: 70, “To”: 100}] |
| size | body | integer | The max number of term buckets to be returned. |
| sub_aggregates | body | list of dictionaries | A nested aggregation, such as: [{“name”: “max_first_behavior”, “type”: “max”, “field”: “first_behavior”}]. There is a maximum of 3 nested aggregations per request. |
| sort | body | string | FQL syntax string to sort bucket results. _count - sort by document count; _term - sort by the string value alphabetically. Supports asc and desc using | format. Example: _count|desc |
| time_zone | body | string | Time zone for bucket results. |
| type | body | string | Type of aggregation. Valid values include: date_histogram (aggregates counts on a specified time interval, requires use of “interval” field), date_range (aggregates counts on custom defined date range buckets), terms (buckets alerts by the value of a specified field), range (buckets alerts by specified numeric ranges of a specified field), cardinality (returns the count of distinct values in a specified field), max (returns the maximum value of a specified field), min (returns the minimum value of a specified field), avg (returns the average value of the specified field), sum (returns the total sum of all values for the specified field), percentiles (returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99). |
Code Examples
Section titled “Code Examples”from falconpy import Quarantine
falcon = Quarantine(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
ranges = [ { "From": 0, "To": 0 }]
response = falcon.get_aggregate_files(date_ranges="string", exclude="string", field="string", filter="string", from=integer, include="string", interval="string", max_doc_count=integer, min_doc_count=integer, missing="string", name="string", q="string", ranges=ranges, size=integer, sort="string", sub_aggregates=["string"], time_zone="string", type="string")print(response)from falconpy import Quarantine
falcon = Quarantine(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
ranges = [ { "From": 0, "To": 0 }]
response = falcon.GetAggregateFiles(date_ranges="string", exclude="string", field="string", filter="string", from=integer, include="string", interval="string", max_doc_count=integer, min_doc_count=integer, missing="string", name="string", q="string", ranges=ranges, size=integer, sort="string", sub_aggregates=["string"], time_zone="string", type="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
body_payload = { "date_ranges": [ { "from": "string", "to": "string" } ], "exclude": "string", "extended_bounds": { "max": "string", "min": "string" }, "field": "string", "filter": "string", "filters_spec": { "filters": {}, "other_bucket": boolean, "other_bucket_key": "string" }, "from": integer, "include": "string", "interval": "string", "max_doc_count": integer, "min_doc_count": integer, "missing": "string", "name": "string", "percents": ["string"], "q": "string", "ranges": [ { "from": integer, "to": integer } ], "size": integer, "sort": "string", "sub_aggregates": [ { "date_ranges": [ { "from": "string", "to": "string" } ], "exclude": "string", "extended_bounds": { "max": "string", "min": "string" }, "field": "string", "filter": "string", "filters_spec": { "filters": {}, "other_bucket": boolean, "other_bucket_key": "string" }, "from": integer, "include": "string", "interval": "string", "max_doc_count": integer, "min_doc_count": integer, "missing": "string", "name": "string", "percents": ["string"], "q": "string", "ranges": [ { "from": integer, "to": integer } ], "size": integer, "sort": "string", "sub_aggregates": [ { "date_ranges": ["string"], "exclude": "string", "extended_bounds": {}, "field": "string", "filter": "string", "filters_spec": {}, "from": integer, "include": "string", "interval": "string", "max_doc_count": integer, "min_doc_count": integer, "missing": "string", "name": "string", "percents": ["string"], "q": "string", "ranges": ["string"], "size": integer, "sort": "string", "sub_aggregates": ["string"], "time_zone": "string", "type": "string" } ], "time_zone": "string", "type": "string" } ], "time_zone": "string", "type": "string"}
response = falcon.command("GetAggregateFiles", body=body_payload)print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/quarantine" "github.com/crowdstrike/gofalcon/falcon/models")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
from := "string" to := "string" exclude := "string" field := "string" filter := "string" from := integer include := "string" interval := "string" max_doc_count := integer min_doc_count := integer missing := "string" name := "string" q := "string" From := integer To := integer size := integer sort := "string" time_zone := "string" type := "string"
response, err := client.Quarantine.GetAggregateFiles( &quarantine.GetAggregateFilesParams{ Body: &models.MsaAggregateQueryRequest{ DateRanges: []interface{}{ { From: &from, To: &to, }, }, Exclude: &exclude, ExtendedBounds: &struct{}{}, Field: &field, Filter: &filter, FiltersSpec: &struct{}{}, From: &from, Include: &include, Interval: &interval, MaxDocCount: &max_doc_count, MinDocCount: &min_doc_count, Missing: &missing, Name: &name, Percents: []interface{}{}, Q: &q, Ranges: []interface{}{ { From: &From, To: &To, }, }, Size: &size, Sort: &sort, SubAggregates: []interface{}{ { DateRanges: []interface{}{ { From: &from, To: &to, }, }, Exclude: &exclude, ExtendedBounds: &struct{}{}, Field: &field, Filter: &filter, FiltersSpec: &struct{}{}, From: &from, Include: &include, Interval: &interval, MaxDocCount: &max_doc_count, MinDocCount: &min_doc_count, Missing: &missing, Name: &name, Percents: []interface{}{}, Q: &q, Ranges: []interface{}{ { From: &From, To: &To, }, }, Size: &size, Sort: &sort, SubAggregates: []interface{}{ { DateRanges: []interface{}{}, Exclude: &exclude, ExtendedBounds: &struct{}{}, Field: &field, Filter: &filter, FiltersSpec: &struct{}{}, From: &from, Include: &include, Interval: &interval, MaxDocCount: &max_doc_count, MinDocCount: &min_doc_count, Missing: &missing, Name: &name, Percents: []interface{}{}, Q: &q, Ranges: []interface{}{}, Size: &size, Sort: &sort, SubAggregates: []interface{}{}, TimeZone: &time_zone, Type: &type, }, }, TimeZone: &time_zone, Type: &type, }, }, TimeZone: &time_zone, Type: &type, }, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.quarantine.getAggregateFiles( { dateRanges: [{ from: "string", to: "string" }], exclude: "string", extendedBounds: { max: "string", min: "string" }, field: "string", filter: "string", filtersSpec: { filters: {}, otherBucket: boolean, otherBucketKey: "string" }, from: integer, include: "string", interval: "string", maxDocCount: integer, minDocCount: integer, missing: "string", name: "string", percents: [], q: "string", ranges: [{ From: integer, To: integer }], size: integer, sort: "string", subAggregates: [{ dateRanges: [{ from: "string", to: "string" }], exclude: "string", extendedBounds: { max: "string", min: "string" }, field: "string", filter: "string", filtersSpec: { filters: {}, otherBucket: boolean, otherBucketKey: "string" }, from: integer, include: "string", interval: "string", maxDocCount: integer, minDocCount: integer, missing: "string", name: "string", percents: [], q: "string", ranges: [{ From: integer, To: integer }], size: integer, sort: "string", subAggregates: [{ dateRanges: [], exclude: "string", extendedBounds: {}, field: "string", filter: "string", filtersSpec: {}, from: integer, include: "string", interval: "string", maxDocCount: integer, minDocCount: integer, missing: "string", name: "string", percents: [], q: "string", ranges: [], size: integer, sort: "string", subAggregates: [], timeZone: "string", type: "string" }], timeZone: "string", type: "string" }], timeZone: "string", type: "string"} // body);
console.log(response);use rusty_falcon::apis::quarantine_api::get_aggregate_files;use rusty_falcon::easy::client::FalconHandle;use rusty_falcon::models::MsaAggregateQueryRequest;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let body = MsaAggregateQueryRequest { date_ranges: vec![DateRangeSpec { from: Some("string".to_string()), to: Some("string".to_string()), ..Default::default() }], exclude: Some("string".to_string()), field: Some("string".to_string()), filter: Some("string".to_string()), filters_spec: Default::default(), from: Some(integer), include: Some("string".to_string()), interval: Some("string".to_string()), missing: Some("string".to_string()), name: Some("string".to_string()), percents: vec![], q: Some("string".to_string()), ranges: vec![RangeSpec { from: Some(integer), to: Some(integer), ..Default::default() }], size: Some(integer), sort: Some("string".to_string()), sub_aggregates: vec![AggregateQueryRequest { date_ranges: vec![DateRangeSpec { from: Some("string".to_string()), to: Some("string".to_string()), ..Default::default() }], exclude: Some("string".to_string()), field: Some("string".to_string()), filter: Some("string".to_string()), filters_spec: Default::default(), from: Some(integer), include: Some("string".to_string()), interval: Some("string".to_string()), missing: Some("string".to_string()), name: Some("string".to_string()), percents: vec![], q: Some("string".to_string()), ranges: vec![RangeSpec { from: Some(integer), to: Some(integer), ..Default::default() }], size: Some(integer), sort: Some("string".to_string()), sub_aggregates: vec![AggregateQueryRequest { date_ranges: vec![], exclude: Some("string".to_string()), field: Some("string".to_string()), filter: Some("string".to_string()), filters_spec: Default::default(), from: Some(integer), include: Some("string".to_string()), interval: Some("string".to_string()), missing: Some("string".to_string()), name: Some("string".to_string()), percents: vec![], q: Some("string".to_string()), ranges: vec![], size: Some(integer), sort: Some("string".to_string()), sub_aggregates: vec![], time_zone: Some("string".to_string()), type: Some("string".to_string()), ..Default::default() }], time_zone: Some("string".to_string()), type: Some("string".to_string()), ..Default::default() }], time_zone: Some("string".to_string()), type: Some("string".to_string()), ..Default::default() };
let response = get_aggregate_files( &falcon.cfg, // configuration body, // body ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Quarantine.new
body = Falcon::MsaAggregateQueryRequest.new( date_ranges: [{ from: 'string', to: 'string' }], exclude: 'string', extended_bounds: { max: 'string', min: 'string' }, field: 'string', filter: 'string', filters_spec: { filters: {}, other_bucket: boolean, other_bucket_key: 'string' }, from: integer, include: 'string', interval: 'string', max_doc_count: integer, min_doc_count: integer, missing: 'string', name: 'string', percents: [], q: 'string', ranges: [{ From: integer, To: integer }], size: integer, sort: 'string', sub_aggregates: [{ date_ranges: [{ from: 'string', to: 'string' }], exclude: 'string', extended_bounds: { max: 'string', min: 'string' }, field: 'string', filter: 'string', filters_spec: { filters: {}, other_bucket: boolean, other_bucket_key: 'string' }, from: integer, include: 'string', interval: 'string', max_doc_count: integer, min_doc_count: integer, missing: 'string', name: 'string', percents: [], q: 'string', ranges: [{ From: integer, To: integer }], size: integer, sort: 'string', sub_aggregates: [{ date_ranges: [], exclude: 'string', extended_bounds: {}, field: 'string', filter: 'string', filters_spec: {}, from: integer, include: 'string', interval: 'string', max_doc_count: integer, min_doc_count: integer, missing: 'string', name: 'string', percents: [], q: 'string', ranges: [], size: integer, sort: 'string', sub_aggregates: [], time_zone: 'string', type: 'string' }], time_zone: 'string', type: 'string' }], time_zone: 'string', type: 'string')
response = api.get_aggregate_files(body)
puts responseGetQuarantineFiles
Section titled “GetQuarantineFiles”Get quarantine file metadata for specified ids.
POST /quarantine/entities/quarantined-files/GET/v1
PEP 8
get_quarantine_filesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| ids | body | string or list of strings | List of Quarantine IDs to retrieve. |
Code Examples
Section titled “Code Examples”from falconpy import Quarantine
falcon = Quarantine(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_quarantine_files(ids=id_list)print(response)from falconpy import Quarantine
falcon = Quarantine(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetQuarantineFiles(ids=id_list)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
body_payload = { "ids": ["string"]}
response = falcon.command("GetQuarantineFiles", body=body_payload)print(response)Get-FalconQuarantine -Id @("ID1", "ID2")package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/quarantine" "github.com/crowdstrike/gofalcon/falcon/models")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
response, err := client.Quarantine.GetQuarantineFiles( &quarantine.GetQuarantineFilesParams{ Body: &models.MsaIdsRequest{ Ids: []string{"string"}, }, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.quarantine.getQuarantineFiles( { ids: []} // body);
console.log(response);use rusty_falcon::apis::quarantine_api::get_quarantine_files;use rusty_falcon::easy::client::FalconHandle;use rusty_falcon::models::MsaIdsRequest;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let body = MsaIdsRequest { ids: vec!["string".to_string()], ..Default::default() };
let response = get_quarantine_files( &falcon.cfg, // configuration body, // body ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Quarantine.new
body = Falcon::MsaIdsRequest.new( ids: [])
response = api.get_quarantine_files(body)
puts responseUpdateQuarantinedDetectsByIds
Section titled “UpdateQuarantinedDetectsByIds”Apply action by quarantine file ids.
PATCH /quarantine/entities/quarantined-files/v1
PEP 8
update_quarantined_detects_by_idParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| action | body | string | Action to perform against the quarantined file. Allowed values: delete, release, unrelease. |
| body | body | dictionary | Full body payload in JSON format. |
| comment | body | string | Comment to list along with action taken. |
| ids | body | string or list of strings | List of Quarantine IDs to update. |
Code Examples
Section titled “Code Examples”from falconpy import Quarantine
falcon = Quarantine(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.update_quarantined_detects_by_id(action="string", comment=["string"], ids=id_list)print(response)from falconpy import Quarantine
falcon = Quarantine(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.UpdateQuarantinedDetectsByIds(action="string", comment=["string"], ids=id_list)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
body_payload = { "action": "string", "comment": "string", "ids": ["string"]}
response = falcon.command("UpdateQuarantinedDetectsByIds", body=body_payload)print(response)Invoke-FalconQuarantineAction -Action "string" -Id @("ID1", "ID2")package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/quarantine" "github.com/crowdstrike/gofalcon/falcon/models")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
action := "string" comment := "string"
response, err := client.Quarantine.UpdateQuarantinedDetectsByIds( &quarantine.UpdateQuarantinedDetectsByIdsParams{ Body: &models.DomainEntitiesPatchRequest{ Action: &action, Comment: &comment, Ids: []string{"string"}, }, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.quarantine.updateQuarantinedDetectsByIds( { action: "string", comment: "string", ids: []} // body);
console.log(response);use rusty_falcon::apis::quarantine_api::update_quarantined_detects_by_ids;use rusty_falcon::easy::client::FalconHandle;use rusty_falcon::models::DomainEntitiesPatchRequest;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let body = DomainEntitiesPatchRequest { ..Default::default() };
let response = update_quarantined_detects_by_ids( &falcon.cfg, // configuration body, // body ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Quarantine.new
body = Falcon::DomainEntitiesPatchRequest.new( action: 'string', comment: 'string', ids: [])
response = api.update_quarantined_detects_by_ids(body)
puts responseQueryQuarantineFiles
Section titled “QueryQuarantineFiles”Get quarantine file ids that match the provided filter criteria.
GET /quarantine/queries/quarantined-files/v1
PEP 8
query_quarantine_filesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL query specifying the filter parameters. Special value * means to not filter on anything. Filter term criteria: status, adversary_id, device.device_id, device.country, device.hostname, behaviors.behavior_id, behaviors.ioc_type, behaviors.ioc_value, behaviors.username, behaviors.tree_root_hash. Filter range criteria: max_severity, max_confidence, first_behavior, last_behavior. |
| limit | query | integer | Maximum number of IDs to return. Max: 5000. |
| offset | query | string | Starting index of overall result set from which to return ids. |
| q | query | string | Match phrase_prefix query criteria, included fields: _all (all filter string fields), sha256, state, paths.path, paths.state, hostname, username, date_updated, date_created. |
| sort | query | string | Possible order by fields: hostname, username, date_updated, date_created, paths.path, state, paths.state. Example: date_created|asc. Sort order: asc or desc. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Code Examples
Section titled “Code Examples”from falconpy import Quarantine
falcon = Quarantine(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.query_quarantine_files(filter="string", q="string", limit=integer, offset="string", sort="string")print(response)from falconpy import Quarantine
falcon = Quarantine(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.QueryQuarantineFiles(filter="string", q="string", limit=integer, offset="string", sort="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("QueryQuarantineFiles", offset="string", limit=integer, sort="string", filter="string", q="string")print(response)Get-FalconQuarantine -Filter "string" ` -Query "string" ` -Sort "string" ` -Limit integer ` -Offset integerpackage main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/quarantine")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
offset := "string" limit := int64(0) sort := "string" filter := "string" q := "string"
response, err := client.Quarantine.QueryQuarantineFiles( &quarantine.QueryQuarantineFilesParams{ Offset: &offset, Limit: &limit, Sort: &sort, Filter: &filter, Q: &q, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.quarantine.queryQuarantineFiles( "string", // offset integer, // limit "string", // sort "string", // filter "string" // q);
console.log(response);use rusty_falcon::apis::quarantine_api::query_quarantine_files;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = query_quarantine_files( &falcon.cfg, // configuration Some("string"), // offset Some(integer), // limit Some("string"), // sort Some("string"), // filter Some("string"), // q ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Quarantine.new
response = api.query_quarantine_files(offset: 'string', limit: integer, sort: 'string', filter: 'string', q: 'string')
puts responseUpdateQfByQuery
Section titled “UpdateQfByQuery”Apply quarantine file actions by query.
PATCH /quarantine/queries/quarantined-files/v1
PEP 8
update_quarantined_detects_by_queryParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| action | body | string | Action to perform against the quarantined file. Allowed values: delete, release, unrelease. |
| body | body | dictionary | Full body payload in JSON format. |
| comment | body | string | Comment to list along with action taken. |
| filter | body | string or list of strings | Filter string to use to match to quarantine records. FQL syntax. |
| q | body | string | Match phrase_prefix query criteria, included fields: _all (all filter string fields), sha256, state, paths.path, paths.state, hostname, username, date_updated, date_created. |
Code Examples
Section titled “Code Examples”from falconpy import Quarantine
falcon = Quarantine(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.update_quarantined_detects_by_query(action="string", comment=["string"], ids=id_list)print(response)from falconpy import Quarantine
falcon = Quarantine(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.UpdateQfByQuery(action="string", comment=["string"], ids=id_list)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
body_payload = { "action": "string", "comment": "string", "filter": "string", "q": "string"}
response = falcon.command("UpdateQfByQuery", body=body_payload)print(response)Invoke-FalconQuarantineAction -Action "string" ` -Filter "string" ` -Query "string"package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/quarantine" "github.com/crowdstrike/gofalcon/falcon/models")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
action := "string" comment := "string" filter := "string" q := "string"
response, err := client.Quarantine.UpdateQfByQuery( &quarantine.UpdateQfByQueryParams{ Body: &models.DomainQueriesPatchRequest{ Action: &action, Comment: &comment, Filter: &filter, Q: &q, }, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.quarantine.updateQfByQuery( { action: "string", comment: "string", filter: "string", q: "string"} // body);
console.log(response);use rusty_falcon::apis::quarantine_api::update_qf_by_query;use rusty_falcon::easy::client::FalconHandle;use rusty_falcon::models::DomainQueriesPatchRequest;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let body = DomainQueriesPatchRequest { ..Default::default() };
let response = update_qf_by_query( &falcon.cfg, // configuration body, // body ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Quarantine.new
body = Falcon::DomainQueriesPatchRequest.new( action: 'string', comment: 'string', filter: 'string', q: 'string')
response = api.update_qf_by_query(body)
puts response