Zero Trust Assessment

The Zero Trust Assessment service collection provides operations for retrieving Zero Trust Assessment data across your environment. Query assessment scores by host, retrieve audit reports, search assessments by score ranges, and perform combined queries with FQL filtering and pagination.

Language	Last Update
Python	v1.4.6
PowerShell	v2.2.9
Go	v0.20.0
TypeScript	v0.6.0
Rust	v0.7.0
Ruby	v1.2.0

Operation	Description
getAssessmentV1 `get_assessment`	Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID).
getAuditV1 `get_audit`	Get the Zero Trust Assessment audit report for one customer ID (CID).
getAssessmentsByScoreV1 `get_assessments_by_score`	Get Zero Trust Assessment data for one or more hosts by providing a customer ID (CID) and a range of scores.
getCombinedAssessmentsQuery `query_combined_assessments`	Search for assessments in your environment by providing an FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria

getAssessmentV1

Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID).

GET /zero-trust-assessment/entities/assessments/v1

Scope Zero Trust Assessment: READ Consumes · Produces application/json

PEP 8 get_assessment

Parameters

Name	Type	Data type	Description
ids	query	string or list of strings	One or more agent IDs, which you can find in the data.zta file, or the Falcon console.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import ZeroTrustAssessment

falcon = ZeroTrustAssessment(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_assessment(ids=id_list)
print(response)

from falconpy import ZeroTrustAssessment

falcon = ZeroTrustAssessment(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.getAssessmentV1(ids=id_list)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("getAssessmentV1",
                          ids=id_list)
print(response)

Get-FalconZta -Id @("ID1", "ID2")

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/zero_trust_assessment"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.ZeroTrustAssessment.GetAssessmentV1(
    &zero_trust_assessment.GetAssessmentV1Params{
      Ids: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.zeroTrustAssessment.getAssessmentV1(["ID1", "ID2", "ID3"]);  // ids

console.log(response);

use rusty_falcon::apis::zero_trust_assessment_api::get_assessment_v1;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = get_assessment_v1(
        &falcon.cfg,  // configuration
        vec!["string".to_string()],  // ids
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::ZeroTrustAssessment.new

response = api.get_assessment_v1(['ID1', 'ID2', 'ID3'])

puts response

getAuditV1

Get the Zero Trust Assessment audit report for one customer ID (CID).

This operation ID has recently been changed.

FalconPy supports deprecated IDs and method names via aliases. Developers should consider moving code to leverage the updated ID and method name for this operation whenever possible.

Legacy Operation ID: getComplianceV1
Legacy PEP8 method name: get_compliance

GET /zero-trust-assessment/entities/audit/v1

Scope Zero Trust Assessment: READ Consumes · Produces application/json

PEP 8 get_audit

Parameters

No keywords or arguments accepted.

Code Examples

from falconpy import ZeroTrustAssessment

falcon = ZeroTrustAssessment(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.get_audit()
print(response)

from falconpy import ZeroTrustAssessment

falcon = ZeroTrustAssessment(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.getAuditV1()
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("getAuditV1")
print(response)

Get-FalconZta

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/zero_trust_assessment"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.ZeroTrustAssessment.GetAuditV1(
    &zero_trust_assessment.GetAuditV1Params{
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.zeroTrustAssessment.getAuditV1();

console.log(response);

use rusty_falcon::apis::zero_trust_assessment_api::get_audit_v1;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = get_audit_v1(&falcon.cfg).await.expect("API call failed");  // configuration

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::ZeroTrustAssessment.new

response = api.get_audit_v1

puts response

getAssessmentsByScoreV1

Get Zero Trust Assessment data for one or more hosts by providing a customer ID (CID) and a range of scores.

GET /zero-trust-assessment/queries/assessments/v1

Scope Zero Trust Assessment: READ Consumes · Produces application/json

PEP 8 get_assessments_by_score

Parameters

Name	Type	Data type	Description
filter	query	string	FQL formatted string containing the filter to use to limit results.
limit	query	integer	The number of scores to return in this response. (Min: 1, Max: 1,000, Default: 100). Use in conjuction with the `after` parameter to limit results.
after	query	string	A pagination token used with the `limit` parameter to manage pagination of results. On your first request, do not provided an `after` token. On subsequent requests, provide the `after` token from the previous response to continue from that place in the results.
sort	query	string	FQL formatted string containing the sort specification. A single sort field is allowed `score`, which can be sorted ascending or descending. (Defaults to `desc`, Example: `score\\|asc` or `score\\|desc`).
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import ZeroTrustAssessment

falcon = ZeroTrustAssessment(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.get_assessments_by_score(filter="string",
                                           limit=integer,
                                           after="string",
                                           sort="string")
print(response)

from falconpy import ZeroTrustAssessment

falcon = ZeroTrustAssessment(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.getAssessmentsByScoreV1(filter="string",
                                          limit=integer,
                                          after="string",
                                          sort="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("getAssessmentsByScoreV1",
                          filter="string",
                          limit=integer,
                          after="string",
                          sort="string")
print(response)

Get-FalconZta -Filter "string" `
  -Sort "string" `
  -Limit integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/zero_trust_assessment"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  limit := int64(0)
  after := "string"
  sort := "string"

  response, err := client.ZeroTrustAssessment.GetAssessmentsByScoreV1(
    &zero_trust_assessment.GetAssessmentsByScoreV1Params{
      Filter: "string",
      Limit: &limit,
      After: &after,
      Sort: &sort,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.zeroTrustAssessment.getAssessmentsByScoreV1(
  "string",  // filter
  integer,  // limit
  "string",  // after
  "string"  // sort
);

console.log(response);

use rusty_falcon::apis::zero_trust_assessment_api::get_assessments_by_score_v1;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = get_assessments_by_score_v1(
        &falcon.cfg,  // configuration
        "string",  // filter
        Some(integer),  // limit
        Some("string"),  // after
        Some("string"),  // sort
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::ZeroTrustAssessment.new

response = api.get_assessments_by_score_v1('string')

puts response

getCombinedAssessmentsQuery

Search for assessments in your environment by providing an FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria

GET /configuration-assessment/combined/assessments/v1

Scope Configvantage: READ Consumes · Produces application/json

PEP 8 query_combined_assessments

Parameters

Name	Type	Data type	Description
after	query	string	A pagination token used with the `limit` parameter to manage pagination of results. On your first request, don’t provide an `after` token. On subsequent requests, provide the `after` token from the previous response to continue from that place in the results.
limit	query	integer	The number of items to return in this response (default: 100, max: 5000). Use with the after parameter to manage pagination of results.
sort	query	string	Sort assessment by their properties. Common sort options include: created_timestamp\|desc, updated_timestamp\|asc.
filter	query	string	Filter items using a query in Falcon Query Language (FQL). Wildcards * are unsupported. Common filter options include: created_timestamp:>‘2019-11-25T22:36:12Z’, updated_timestamp:>‘2019-11-25T22:36:12Z’, aid:‘8e7656b27d8c49a34a1af416424d6231’.
facet	query	list	Select various details blocks to be returned for each assessment entity. Supported values: host, finding.rule.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import ConfigurationAssessment

falcon = ConfigurationAssessment(client_id=CLIENT_ID,
                                 client_secret=CLIENT_SECRET
                                 )

response = falcon.query_combined_assessments(after="string",
                                             limit="string",
                                             sort="string",
                                             filter="string",
                                             facet="string")
print(response)

from falconpy import ConfigurationAssessment

falcon = ConfigurationAssessment(client_id=CLIENT_ID,
                                 client_secret=CLIENT_SECRET
                                 )

response = falcon.getCombinedAssessmentsQuery(after="string",
                                              limit="string",
                                              sort="string",
                                              filter="string",
                                              facet="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("getCombinedAssessmentsQuery",
                          after="string",
                          limit=integer,
                          sort="string",
                          filter="string",
                          facet=id_list)
print(response)

Get-FalconConfigAssessment -Filter "string" `
  -Sort "string" `
  -Limit integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/configuration_assessment"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  after := "string"
  limit := int64(0)
  sort := "string"

  response, err := client.ConfigurationAssessment.GetCombinedAssessmentsQuery(
    &configuration_assessment.GetCombinedAssessmentsQueryParams{
      After: &after,
      Limit: &limit,
      Sort: &sort,
      Filter: "string",
      Facet: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.configurationAssessment.getCombinedAssessmentsQuery(
  "string",  // filter
  "string",  // after
  integer,  // limit
  "string",  // sort
  ["ID1", "ID2", "ID3"]  // facet
);

console.log(response);

use rusty_falcon::apis::configuration_assessment_api::get_combined_assessments_query;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = get_combined_assessments_query(
        &falcon.cfg,  // configuration
        "string",  // filter
        Some("string"),  // after
        Some(integer),  // limit
        Some("string"),  // sort
        Some(vec!["string".to_string()]),  // facet
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::ConfigurationAssessment.new

response = api.get_combined_assessments_query('string')

puts response

Zero Trust Assessment

Table of Contents

getAssessmentV1

Parameters

Code Examples

getAuditV1

Parameters

Code Examples

getAssessmentsByScoreV1

Parameters

Code Examples

getCombinedAssessmentsQuery

Parameters

Code Examples