Skip to content

Real Time Response Audit

The Real Time Response Audit service collection provides operations for auditing RTR sessions created for a customer in a specified duration.

Language	Last Update
Python	v1.4.6
PowerShell	v2.2.9
Go	v0.20.0
TypeScript	v0.6.0
Rust	v0.7.0
Ruby	v1.2.0

Table of Contents

Operation	Description
RTRAuditSessions `audit_sessions`	Get all the RTR sessions created for a customer in a specified duration

RTRAuditSessions

Get all the RTR sessions created for a customer in a specified duration

GET /real-time-response-audit/combined/sessions/v1

Scope Real Time Response (Audit): READ Consumes · Produces application/json

PEP 8 audit_sessions

Parameters

Name	Type	Data type	Description
filter	query	string	Optional filter criteria in FQL format.
sort	query	string	Sort order in FQL format.
limit	query	string	Maximum number of sessions to be returned.
offset	query	string	Offset value to be used for paginating results.
with_command_info	query	boolean	Retrieve sessions with command info included; by default sessions are returned without command information which include `cloud_request_ids` and `logs` fields.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import RealTimeResponseAudit

falcon = RealTimeResponseAudit(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.audit_sessions(filter="string",
                                 limit=integer,
                                 offset="string",
                                 sort="string",
                                 with_command_info="string")
print(response)

from falconpy import RealTimeResponseAudit

falcon = RealTimeResponseAudit(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.RTRAuditSessions(filter="string",
                                   limit=integer,
                                   offset="string",
                                   sort="string",
                                   with_command_info="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("RTRAuditSessions",
                          filter="string",
                          sort="string",
                          limit="string",
                          offset="string",
                          with_command_info=boolean)
print(response)

Get-FalconSession -Filter "string" `
  -Sort "string" `
  -Limit integer `
  -Offset integer `
  -Cid $boolean

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/real_time_response_audit"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  filter := "string"
  sort := "string"
  limit := "string"
  offset := "string"
  withCommandInfo := boolean

  response, err := client.RealTimeResponseAudit.RTRAuditSessions(
    &real_time_response_audit.RTRAuditSessionsParams{
      Filter: &filter,
      Sort: &sort,
      Limit: &limit,
      Offset: &offset,
      WithCommandInfo: &withCommandInfo,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.realTimeResponseAudit.rTRAuditSessions(
  "string",  // filter
  "string",  // sort
  "string",  // limit
  "string",  // offset
  boolean  // withCommandInfo
);

console.log(response);

use rusty_falcon::apis::real_time_response_audit_api::r_tr_audit_sessions;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = r_tr_audit_sessions(
        &falcon.cfg,  // configuration
        Some("string"),  // filter
        Some("string"),  // sort
        Some("string"),  // limit
        Some("string"),  // offset
        Some(boolean),  // with_command_info
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::RealTimeResponseAudit.new

response = api.r_tr_audit_sessions(filter: 'string',
                                   sort: 'string',
                                   limit: 'string',
                                   offset: 'string',
                                   with_command_info: boolean)

puts response