Skip to content
CrowdStrike Developer Center

Real Time Response Admin

The Real Time Response Admin service collection provides operations for managing RTR administrator commands, scripts, and put-files. Execute admin commands on single hosts or in batch, manage custom scripts and put-files for RTR sessions.

LanguageLast Update
Pythonv1.6.1
PowerShellv2.2.9
Gov0.20.0
TypeScriptv0.6.0
Rustv0.7.0
Rubyv1.2.0

This service collection has code examples posted to the repository.

Table of Contents

Section titled “Table of Contents”
OperationDescription
BatchAdminCmd
batch_admin_command		Batch executes a RTR administrator command across the hosts mapped to the given batch ID.
RTR_CheckAdminCommandStatus
check_admin_command_status		Get status of an executed RTR administrator command on a single host.
RTR_ExecuteAdminCommand
execute_admin_command		Execute a RTR administrator command on a single host.
RTR_GetFalconScripts
get_falcon_scripts		Get Falcon scripts with metadata and content of script
RTR_GetPut_Files
get_put_files		Get put-files based on the ID’s given. These are used for the RTR put command.
RTR_GetPut_FilesV2
get_put_files_v2		Get put-files based on the ID’s given. These are used for the RTR put command.
RTR_GetPutFileContents
get_put_file_contents		Get the contents of a put-file based on the ID given.
RTR_CreatePut_Files
create_put_files		Upload a new put-file to use for the RTR put command.
RTR_CreatePut_FilesV2
create_put_files_v2		Upload a new put-file to use for the RTR put command.
RTR_DeletePut_Files
delete_put_files		Delete a put-file based on the ID given. Can only delete one file at a time.
RTR_GetScripts
get_scripts		Get custom-scripts based on the ID’s given. These are used for the RTR runscript command.
RTR_GetScriptsV2
get_scripts_v2		Get custom-scripts based on the ID’s given. These are used for the RTR runscript command.
RTR_ListFalconScripts
list_falcon_scripts		Get a list of Falcon script IDs available to the user to run
RTR_CreateScripts
create_scripts		Upload a new custom-script to use for the RTR runscript command.
RTR_CreateScriptsV2
create_scripts_v2		Upload a new custom-script to use for the RTR runscript command.
RTR_DeleteScripts
delete_scripts		Delete a custom-script based on the ID given. Can only delete one script at a time.
RTR_UpdateScripts
update_scripts		Upload a new scripts to replace an existing one.
RTR_UpdateScriptsV2
update_scripts_v2		Upload a new scripts to replace an existing one.
RTR_ListPut_Files
list_put_files		Get a list of put-file ID’s that are available to the user for the put command.
RTR_ListScripts
list_scripts		Get a list of custom-script ID’s that are available to the user for the runscript command.

BatchAdminCmd

Section titled “BatchAdminCmd”

Batch executes a RTR administrator command across the hosts mapped to the given batch ID.

POST /real-time-response/combined/batch-admin-command/v1
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 batch_admin_command

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
base_commandbodystringActive Responder base command to perform. For example: get or cp. Refer to this list for a complete listing of available commands.
batch_idbodystringRTR Batch ID to execute the command against. Received from batch_init_session.
command_stringbodystringFull command line of the command to execute. Example: get some_file.txt.
host_timeout_durationquerystringTimeout duration for for how long a host has to complete processing in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes.
optional_hostsbodystring or list of stringsList of the subset of hosts we want to impact by this command. Allows for filtering of hosts from execution within the same batch.
persist_allbodybooleanFlag indicating if this command should be executed when the host returns to service.
timeoutqueryintegerTimeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes.
timeout_durationquerystringTimeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes.
parametersquerydictionaryFull query string parameters payload in JSON format.
Available base commands
Section titled “Available base commands”
CommandDescriptionOperating System
catView file contentsAll supported
cdChange directoryAll supported
clearClear the screenAll supported
cpCopy a fileAll supported
csrutilGet system integrity protection statusMacOS
encryptEncrypt a fileAll supported
envDisplay environment variablesAll supported
eventlogInspect the event log. Subcommands: list, view, export, backup. eventlog backup is the recommended solution as it is faster and follows industry-standard file format.Windows
filehashCalculate a file hash (MD5 or SHA256)All supported
getRetrieve a fileAll supported
getsidRetrieve the current SIDWindows, MacOS
helpAccess help for a specific command or sub-commandAll supported
historyReview command history for the current userAll supported
ifconfigReview TCP configurationLinux, MacOS
ipconfigReview TCP configurationWindows
killKill a running processAll supported
lsList the contents of a directoryAll supported
mapMap a UNC (SMB) path to a drive letterWindows
memdumpDump memory of a running processWindows
mkdirCreate a directoryAll supported
mountMount a file system (MacOS, Linux) or list available drives (Windows)All supported
mvMove a fileAll supported
netstatRetrieve network connection detailAll supported
psList running processesAll supported
putPut a file onto a remote hostWindows, MacOS
put-and-runPut a file onto a remote host and then execute it. The put-and-run command reduces the potential for user error in file selection by ensuring that the file ‘put’ on the host is the same file that is ‘run’ on the host.Windows, Linux, MacOS
regRegistry operations. Subcommands: query, set, delete, load, unload.Windows
restartRestart the systemAll supported
rmRemove a fileAll supported
runRun an executableAll supported
runscriptRun a scriptAll supported
shutdownShutdown the systemAll supported
tarCompress a file or directory into a tar fileLinux
unmapUnmap a UNC (SMB) path from a drive letterWindows
unmountUnmount a file systemLinux, MacOS
updateInstall patches through Windows Update. Subcommands: history, install, list, query.Windows
usersGet details about local usersLinux, MacOS
xmemdumpDump complete memory (kernel) for the systemWindows
zipCreate a zip archiveAll supported

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


response = falcon.batch_admin_command(base_command="string",
                                      batch_id="string",
                                      command_string="string",
                                      host_timeout_duration="string",
                                      optional_hosts=["string"],
                                      persist_all=boolean,
                                      timeout="string",
                                      timeout_duration="string")
print(response)

RTR_CheckAdminCommandStatus

Section titled “RTR_CheckAdminCommandStatus”

Get status of an executed RTR administrator command on a single host.

GET /real-time-response/entities/admin-command/v1
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 check_admin_command_status

Parameters

Section titled “Parameters”
NameTypeData typeDescription
cloud_request_idquerystringCloud Request ID of the executed command to query.
parametersquerydictionaryFull query string parameters payload in JSON format.
sequence_idqueryintegerSequence ID that we want to retrieve. Command responses are chunked across sequences.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


response = falcon.check_admin_command_status(cloud_request_id="string",
                                             sequence_id="string")
print(response)

RTR_ExecuteAdminCommand

Section titled “RTR_ExecuteAdminCommand”

Execute a RTR administrator command on a single host.

POST /real-time-response/entities/admin-command/v1
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 execute_admin_command

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
base_commandbodystringActive Responder base command to perform. For example: get or cp. Refer to this list for a complete listing of available commands.
session_idbodystringRTR Session ID to execute the command against. Received from init_session.
command_stringbodystringFull command line of the command to execute. Example: get some_file.txt.
device_idbodystringID of the device to execute the command on.
idbodyintegerCommand sequence.
persistbodybooleanFlag indicating if this command should be executed when the host returns to service.
Available base commands
Section titled “Available base commands”
CommandDescriptionOperating System
catView file contentsAll supported
cdChange directoryAll supported
clearClear the screenAll supported
cpCopy a fileAll supported
csrutilGet system integrity protection statusMacOS
encryptEncrypt a fileAll supported
envDisplay environment variablesAll supported
eventlogInspect the event log. Subcommands: list, view, export, backup. eventlog backup is the recommended solution as it is faster and follows industry-standard file format.Windows
filehashCalculate a file hash (MD5 or SHA256)All supported
getRetrieve a fileAll supported
getsidRetrieve the current SIDWindows, MacOS
helpAccess help for a specific command or sub-commandAll supported
historyReview command history for the current userAll supported
ifconfigReview TCP configurationLinux, MacOS
ipconfigReview TCP configurationWindows
killKill a running processAll supported
lsList the contents of a directoryAll supported
mapMap a UNC (SMB) path to a drive letterWindows
memdumpDump memory of a running processWindows
mkdirCreate a directoryAll supported
mountMount a file system (MacOS, Linux) or list available drives (Windows)All supported
mvMove a fileAll supported
netstatRetrieve network connection detailAll supported
psList running processesAll supported
put-and-runPut a file onto a remote host and then execute it. The put-and-run command reduces the potential for user error in file selection by ensuring that the file ‘put’ on the host is the same file that is ‘run’ on the host.Windows, Linux, MacOS
regRegistry operations. Subcommands: query, set, delete, load, unload.Windows
restartRestart the systemAll supported
rmRemove a fileAll supported
runRun an executableAll supported
runscriptRun a scriptAll supported
shutdownShutdown the systemAll supported
tarCompress a file or directory into a tar fileLinux
unmapUnmap a UNC (SMB) path from a drive letterWindows
unmountUnmount a file systemLinux, MacOS
updateInstall patches through Windows Update. Subcommands: history, install, list, query.Windows
usersGet details about local usersLinux, MacOS
xmemdumpDump complete memory (kernel) for the systemWindows
zipCreate a zip archiveAll supported

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


response = falcon.execute_admin_command(base_command="string",
                                        command_string="string",
                                        device_id="string",
                                        id=integer,
                                        persist=boolean,
                                        session_id="string")
print(response)

RTR_GetFalconScripts

Section titled “RTR_GetFalconScripts”

Get Falcon scripts with metadata and content of script

GET /real-time-response/entities/falcon-scripts/v1
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 get_falcon_scripts

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsIDs of the Falcon scripts you want to retrieve
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_falcon_scripts(ids=id_list)
print(response)

RTR_GetPut_Files

Section titled “RTR_GetPut_Files”

Get put-files based on the ID’s given. These are used for the RTR put command.

GET /real-time-response/entities/put-files/v1
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 get_put_files

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsFile IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_put_files(ids=id_list)
print(response)

RTR_GetPut_FilesV2

Section titled “RTR_GetPut_FilesV2”

Get put-files based on the ID’s given. These are used for the RTR put command.

GET /real-time-response/entities/put-files/v2
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 get_put_files_v2

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsFile IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_put_files_v2(ids=id_list)
print(response)

RTR_GetPutFileContents

Section titled “RTR_GetPutFileContents”

Get the contents of a put-file based on the ID given.

GET /real-time-response/entities/put-file-contents/v1
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 get_put_file_contents

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idquerystringID of the put-file to retrieve contents for.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


with open("output_file", "wb") as save_file:
    response = falcon.get_put_file_contents(id="string", stream=boolean)
    save_file.write(response)

RTR_CreatePut_Files

Section titled “RTR_CreatePut_Files”

Upload a new put-file to use for the RTR put command.

POST /real-time-response/entities/put-files/v1
Scope Real Time Response (Admin): WRITE Consumes multipart/form-data Produces application/json
PEP 8 create_put_files

Parameters

Section titled “Parameters”
NameTypeData typeDescription
comments_for_audit_logformDatastringA descriptive comment for the audit log.
dataformDatafileFull formData payload in JSON format.
descriptionformDatastringFile description.
nameformDatastringFile name (if different than actual file name).
filesquerylist of tuplesFile(s) to be uploaded.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


response = falcon.create_put_files(data="string",
                                   files=["string"],
                                   description="string",
                                   name="string",
                                   comments_for_audit_log="string")
print(response)

RTR_CreatePut_FilesV2

Section titled “RTR_CreatePut_FilesV2”

Upload a new put-file to use for the RTR put command.

POST /real-time-response/entities/put-files/v2
Scope Real Time Response (Admin): WRITE Consumes multipart/form-data Produces application/json
PEP 8 create_put_files_v2

Parameters

Section titled “Parameters”
NameTypeData typeDescription
datadatadictionaryFull body payload in JSON format.
filesformDatalist of tuplesFile to be uploaded. List of tuples. Ex: [(‘file’, (‘file.ext’, open(‘file.ext’,‘rb’).read(), ‘application/script’))]
descriptionformDatastringFile description.
nameformDatastringFile name (if different than actual file name).
comments_for_audit_logformDatastringThe audit log comment.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


response = falcon.create_put_files_v2(data="string",
                                      files=["string"],
                                      description="string",
                                      name="string",
                                      comments_for_audit_log="string")
print(response)

RTR_DeletePut_Files

Section titled “RTR_DeletePut_Files”

Delete a put-file based on the ID given. Can only delete one file at a time.

DELETE /real-time-response/entities/put-files/v1
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 delete_put_files

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsFile IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.delete_put_files(ids=id_list)
print(response)

RTR_GetScripts

Section titled “RTR_GetScripts”

Get custom-scripts based on the ID’s given. These are used for the RTR runscript command.

GET /real-time-response/entities/scripts/v1
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 get_scripts

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsFile IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_scripts(ids=id_list)
print(response)

RTR_GetScriptsV2

Section titled “RTR_GetScriptsV2”

Get custom-scripts based on the ID’s given. These are used for the RTR runscript command.

GET /real-time-response/entities/scripts/v2
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 get_scripts_v2

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsFile IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_scripts_v2(ids=id_list)
print(response)

RTR_ListFalconScripts

Section titled “RTR_ListFalconScripts”

Get a list of Falcon script IDs available to the user to run

GET /real-time-response/queries/falcon-scripts/v1
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 list_falcon_scripts

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringOptional filter criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon.
offsetqueryintegerStarting index of overall result set from which to return ids.
limitqueryintegerNumber of ids to return.
sortquerystringSort by spec. Ex: created_at|asc.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


response = falcon.list_falcon_scripts(filter="string",
                                      limit=integer,
                                      offset=integer,
                                      sort="string")
print(response)

RTR_CreateScripts

Section titled “RTR_CreateScripts”

Upload a new custom-script to use for the RTR runscript command.

POST /real-time-response/entities/scripts/v1
Scope Real Time Response (Admin): WRITE Consumes multipart/form-data Produces application/json
PEP 8 create_scripts

Parameters

Section titled “Parameters”
NameTypeData typeDescription
comments_for_audit_logformDatastringA descriptive comment for the audit log.
contentformDatastringThe text contents you want to use for the script. Takes place of a file upload.
dataformDatafileFull formData payload in JSON format.
descriptionformDatastringFile description.
nameformDatastringFile name (if different than actual file name).
permission_typeformDatastringPermissions for the custom-script. Valid permission values include: private - usable only by the user who upload it; group - usable by all RTR admins; public - usable by all active-responders and RTR admins
platformformDatalist of stringsPlatform for the script. Currently supports windows, mac, and linux. If no platform is provided, windows is assumed.
filesquerylist of tuplesFile(s) to be uploaded.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


response = falcon.create_scripts(data="string",
                                 files=["string"],
                                 description="string",
                                 name="string",
                                 comments_for_audit_log="string",
                                 permission_type="string",
                                 content="string",
                                 platform="string")
print(response)

RTR_CreateScriptsV2

Section titled “RTR_CreateScriptsV2”

Upload a new custom-script to use for the RTR runscript command.

POST /real-time-response/entities/scripts/v2
Scope Real Time Response (Admin): WRITE Consumes multipart/form-data Produces application/json
PEP 8 create_scripts_v2

Parameters

Section titled “Parameters”
NameTypeData typeDescription
fileformDatastringCustom-script file to upload (Service class). These should be powershell scripts.
descriptionformDatastringRequired parameter.

File description.
nameformDatastringFile name (if different than actual file name).
comments_for_audit_logformDatastringThe audit log comment.
contentformDatastringThe script text that you want to use to upload.
platformformDatalist of stringsPlatforms for the file. Currently supports: windows, mac, linux.
permission_typeformDatastringPermission type for the custom-script. Valid permission types are private, group, public.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


response = falcon.create_scripts_v2(data="string",
                                    files=["string"],
                                    description="string",
                                    name="string",
                                    comments_for_audit_log="string",
                                    permission_type="string",
                                    content="string",
                                    platform="string")
print(response)

RTR_DeleteScripts

Section titled “RTR_DeleteScripts”

Delete a custom-script based on the ID given. Can only delete one script at a time.

DELETE /real-time-response/entities/scripts/v1
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 delete_scripts

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsFile IDs.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.delete_scripts(ids=id_list)
print(response)

RTR_UpdateScripts

Section titled “RTR_UpdateScripts”

Upload a new scripts to replace an existing one.

PATCH /real-time-response/entities/scripts/v1
Scope Real Time Response (Admin): WRITE Consumes multipart/form-data Produces application/json
PEP 8 update_scripts

Parameters

Section titled “Parameters”
NameTypeData typeDescription
comments_for_audit_logformDatastringA descriptive comment for the audit log.
contentformDatastringThe text contents you want to use for the script. Takes place of a file upload.
dataformDatafileFull formData payload in JSON format.
descriptionformDatastringFile description.
idformDatastringThe ID of the script to be updated.
nameformDatastringFile name (if different than actual file name).
permission_typeformDatastringPermissions for the custom-script. Valid permission values include: private - usable only by the user who upload it; group - usable by all RTR admins; public - usable by all active-responders and RTR admins
platformformDatalist of stringsPlatform for the script. Currently supports windows, mac, and linux. If no platform is provided, windows is assumed.
filesquerylist of tuplesFile(s) to be uploaded.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


response = falcon.update_scripts(data="string",
                                 files=["string"],
                                 description="string",
                                 id="string",
                                 name="string",
                                 comments_for_audit_log="string",
                                 permission_type="string",
                                 content="string",
                                 platform="string")
print(response)

RTR_UpdateScriptsV2

Section titled “RTR_UpdateScriptsV2”

Upload a new scripts to replace an existing one.

PATCH /real-time-response/entities/scripts/v2
Scope Real Time Response (Admin): WRITE Consumes multipart/form-data Produces application/json
PEP 8 update_scripts_v2

Parameters

Section titled “Parameters”
NameTypeData typeDescription
dataformDatadictionaryFull formData payload. Not required if using other keywords.
idformDatastringID of the script to update.
filesformDatalist of tuplesFile to be uploaded.
descriptionformDatastringFile description.
nameformDatastringFile name (if different than actual file name).
comments_for_audit_logformDatastringAudit log comment.
permission_typeformDatastringPermission for the custom-script. Valid permission values include: private - usable only by the user who uploaded it; group - usable by all RTR admins; public - usable by all active-responders and RTR admins
contentformDatastringThe script text that you want to use to upload.
platformformDatalist of stringsPlatforms for the file. Currently supports: windows, mac, linux.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


response = falcon.update_scripts_v2(data="string",
                                    files=["string"],
                                    description="string",
                                    id="string",
                                    name="string",
                                    comments_for_audit_log="string",
                                    permission_type="string",
                                    content="string",
                                    platform="string")
print(response)

RTR_ListPut_Files

Section titled “RTR_ListPut_Files”

Get a list of put-file ID’s that are available to the user for the put command.

GET /real-time-response/queries/put-files/v1
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 list_put_files

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFQL query expression that should be used to limit the results. user_id can accept a special value @me which will restrict results to records with current user’s ID.
limitqueryintegerMaximum number of records to return.
offsetquerystringStarting index of overall result set from which to return ids.
sortquerystringThe property to sort by.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


response = falcon.list_put_files(filter="string",
                                 limit=integer,
                                 offset=integer,
                                 sort="string")
print(response)

RTR_ListScripts

Section titled “RTR_ListScripts”

Get a list of custom-script ID’s that are available to the user for the runscript command.

GET /real-time-response/queries/scripts/v1
Scope Real Time Response (Admin): WRITE Consumes · Produces application/json
PEP 8 list_scripts

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFQL query expression that should be used to limit the results. user_id can accept a special value @me which will restrict results to records with current user’s ID.
limitqueryintegerMaximum number of records to return.
offsetquerystringStarting index of overall result set from which to return ids.
sortquerystringThe property to sort by.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponseAdmin


falcon = RealTimeResponseAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )


response = falcon.list_scripts(filter="string",
                               limit=integer,
                               offset=integer,
                               sort="string")
print(response)
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use