From 4df3a47a3c2969c41279231a28c2ba3da0602a7b Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 23 Nov 2023 03:02:28 -0500 Subject: [PATCH 01/37] Add OS filter to stale sensors sample. Closes #1024. --- samples/hosts/stale_sensors.py | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/samples/hosts/stale_sensors.py b/samples/hosts/stale_sensors.py index eaeca1b63..be9dca774 100644 --- a/samples/hosts/stale_sensors.py +++ b/samples/hosts/stale_sensors.py @@ -122,6 +122,14 @@ def parse_command_line() -> object: default=False, action="store_true" ) + parser.add_argument( + "-f", "--filter-by-os", + help="OS filter (windows, macos, linux)", + default=None, + choices=["windows", "mac", "linux", "k8s"], + required=False, + dest="osfilter" + ) return parser.parse_args() @@ -138,12 +146,16 @@ def get_host_details(id_list: list) -> list: return returned -def get_hosts(date_filter: str, tag_filter: str) -> list: +def get_hosts(date_filter: str, tag_filter: str, os_filter: str) -> list: """Retrieve a list of hosts IDs that match the last_seen date filter.""" filter_string = f"last_seen:<='{date_filter}Z'" if tag_filter: filter_string = f"{filter_string} + tags:*'*{tag_filter}*'" - + if os_filter: + os_filter = os_filter.title() + if os_filter == "K8s": + os_filter = "K8S" + filter_string = f"{filter_string} + platform_name:'{os_filter}'" return falcon.query_devices_by_filter_scroll( limit=5000, filter=filter_string @@ -161,7 +173,7 @@ def parse_host_detail(detail: dict, found: list): now = datetime.now(timezone.utc) then = dparser.parse(detail["last_seen"]) distance = (now - then).days - tagname = detail.get("tags", "Not Found") + tagname = detail.get("tags", "") newtag = "\n".join(tagname) found.append([ detail.get("hostname", "Unknown"), 
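Review bot: The help text of the new `-f/--filter-by-os` option disagrees with its `choices`: it advertises `macos` while argparse only accepts `mac`, and the accepted `k8s` value is not mentioned, so a user who follows the help gets an "invalid choice" error. Align the text with the list, `help="OS filter (windows, mac, linux, k8s)"`, and keep `choices` as the single source of truth, because it is what constrains the value that is later interpolated into the FQL filter. parse_command_line's body begins before this hunk.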
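Review bot: In get_hosts the `if os_filter == "K8s": os_filter = "K8S"` branch is unreachable, because `str.title()` uppercases the letter that follows a digit, so `"k8s".title()` already yields `"K8S"`; the special case hides that and reads as if title-casing were insufficient. An explicit mapping states the intended platform_name values directly: `platform_names = {"windows": "Windows", "mac": "Mac", "linux": "Linux", "k8s": "K8S"}` followed by `filter_string = f"{filter_string} + platform_name:'{platform_names[os_filter]}'"` (the exact platform_name strings the API expects should be confirmed against the Hosts API docs). The docstring should also name the new parameter, e.g. `"""Retrieve host IDs matching the last_seen date, optional tag, and optional platform filters."""`. Note that the OS value is safe to interpolate only because argparse restricts it to `choices`; the pre-existing, unescaped `tags:*'*{tag_filter}*'` interpolation on the context line has no such constraint.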
@@ -201,7 +213,7 @@ def hide_hosts(id_list: list) -> dict: stale = [] # For each stale host identified try: - for host in get_host_details(get_hosts(STALE_DATE, args.tag)): + for host in get_host_details(get_hosts(STALE_DATE, args.tag, args.osfilter)): # Retrieve host detail stale = parse_host_detail(host, stale) except KeyError as api_error: From 302a692ef0222d745b07a333c00e5b25c394480f Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 23 Nov 2023 03:05:14 -0500 Subject: [PATCH 02/37] Add trace_id property --- src/falconpy/_result/_headers.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/falconpy/_result/_headers.py b/src/falconpy/_result/_headers.py index 32509dcde..c9b24ef25 100644 --- a/src/falconpy/_result/_headers.py +++ b/src/falconpy/_result/_headers.py @@ -76,3 +76,8 @@ def ratelimit_limit(self) -> Optional[int]: def ratelimit_remaining(self) -> Optional[int]: """Return the contents of the X-Ratelimit-Remaining key.""" return self.get_property("X-Ratelimit-Remaining", None) + + @property + def trace_id(self) -> Optional[str]: + """Return the contents of the X-Cs-Traceid key.""" + return self.get_property("X-Cs-Traceid", None) From 267250bd32ddc5a0c4e35ecc6c54d5697634a975 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 23 Nov 2023 03:10:20 -0500 Subject: [PATCH 03/37] Result object adjustments for unusual API responses --- src/falconpy/_result/_result.py | 41 +++++++++++++-------------------- 1 file changed, 16 insertions(+), 25 deletions(-) diff --git a/src/falconpy/_result/_result.py b/src/falconpy/_result/_result.py index 6fdeac295..7fc198b23 100644 --- a/src/falconpy/_result/_result.py +++ b/src/falconpy/_result/_result.py @@ -40,7 +40,7 @@ from ._meta import Meta from ._errors import Errors from ._headers import Headers -from ._resources import Resources, BinaryFile, RawBody +from ._resources import Resources, BinaryFile, RawBody, ResponseComponent class BaseResult: 
@@ -66,6 +66,9 @@ def __init__(self, self.resources = Resources([]) self.errors = Errors() self.raw = RawBody() + # RTR Batch session init and batch responses only + self.batch_id = None + self.batch_get_cmd_req_id = None if status_code and headers and body: self.status_code = status_code @@ -103,18 +106,20 @@ def __init__(self, self.errors = Errors(body.get("errors", [])) # RTR Batch responses if body.get("batch_id", {}): - # Batch session init + # Batch session init returns as a dictionary self.raw = RawBody(body) - self.resources = Resources(body.get("resources", [])) + self.batch_id = body.get("batch_id") + self.resources = ResponseComponent(body.get("resources")) elif body.get("combined", {}): - # Batch session results have to be handled as RawBody - # due to the combined response format. + # Batch session results return as a dictionary. + self.batch_get_cmd_req_id = body.get("batch_get_cmd_req_id", None) self.raw = RawBody(body) + self.resources = ResponseComponent(body.get("combined")) elif body.get("data", {}): # pragma: no cover - # GraphQL uses a custom response payload, we will - # use RawBody for this return for now. Due to + # GraphQL uses a custom response payload. Due to # environment constraints, this is manually tested. self.raw = RawBody(body) + self.resources = ResponseComponent(body) elif body.get("resources", None) is None: # No resources, this must be a raw dictionary # Probably came from the container API @@ -122,6 +127,7 @@ def __init__(self, elif isinstance(body.get("resources", []), dict): # Catch unusual response payloads not explicitly handled self.raw = RawBody(body) + self.resources = ResponseComponent(body.get("resources")) else: # Standard API responses self.resources = Resources(body.get("resources", [])) 
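Review bot: The batch-init branch replaces `Resources(body.get("resources", []))` with `ResponseComponent(body.get("resources"))`, dropping the default, so a `batch_id` response that lacks a `resources` key now hands `None` to ResponseComponent; whether that constructor tolerates `None` is not visible in this hunk. Keep an explicit default that matches the shape the comment describes, `self.resources = ResponseComponent(body.get("resources", {}))`, or guard the assignment. The same `.get("resources")` without a default appears in the `isinstance(..., dict)` branch, where it is safe because the type check already guarantees a dict. `__init__` continues outside this hunk.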
@@ -300,10 +306,12 @@ def powered_by(self) -> Optional[str]: @property def trace_id(self) -> Optional[str]: - """Return the trace ID from the underlying Meta object.""" + """Return the trace ID from the underlying Meta or Headers object.""" _returned: Optional[str] = None if self.meta: _returned = self.meta.trace_id + elif self.headers: + _returned = self.headers.trace_id return _returned @property @@ -420,23 +428,6 @@ def full_return(self) -> dict: if "meta" in _body: _body = dict(_body) - # try: - # # Content is malformed JSON - # # No content returned, but a valid response - # _body = dict(_body) - # except ValueError: - # _body = _body - # _body = { - # "meta": {}, - # "resources": [], - # "errors": [ - # { - # "message": "Invalid JSON response received", - # "code": 500 - # } - # ] - # } - _returned = { "status_code": int(self.status_code), "headers": _headers, From 670e84d737e1b60b33eaee305e5d7566d01541bf Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Wed, 13 Dec 2023 09:37:50 -0500 Subject: [PATCH 04/37] Fix docstring typo. Closes #1089. --- src/falconpy/detects.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/falconpy/detects.py b/src/falconpy/detects.py index 859a6297d..58ab8d408 100644 --- a/src/falconpy/detects.py +++ b/src/falconpy/detects.py @@ -319,7 +319,7 @@ def query_detects(self: object, parameters: dict = None, **kwargs) -> Dict[str, https://falcon.crowdstrike.com/documentation/86/detections-monitoring-apis#find-detections limit -- The maximum number of detections to return in this response. - [Integer, default: 9999; max: 9999] + [Integer, default: 100; max: 9999] Use with the offset parameter to manage pagination of results. offset -- The first detection to return, where 0 is the latest detection. Use with the limit parameter to manage pagination of results. From 67b4cb3ec74478583540c99e48c11fd9db027a49 Mon Sep 17 00:00:00 2001 
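Review bot: The new `elif self.headers:` fallback in `trace_id` is only reached when `self.meta` is falsy, so a response with a Meta object whose `trace_id` is `None` returns `None` without ever consulting the `X-Cs-Traceid` header, which seems at odds with the updated docstring "from the underlying Meta or Headers object". If the header is meant as a fallback whenever Meta has no value, replace the `elif` with a second check: `if _returned is None and self.headers:` then `_returned = self.headers.trace_id`. If the intent is instead "Meta wins whenever present", the docstring should say so explicitly.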
From: Joshua Hiller Date: Thu, 21 Dec 2023 11:33:37 -0500 Subject: [PATCH 05/37] Endpoint module automation updates and alignment --- src/falconpy/_endpoint/_cloud_connect_aws.py | 12 +- src/falconpy/_endpoint/_cloud_snapshots.py | 18 +- src/falconpy/_endpoint/_cspm_registration.py | 66 ++-- src/falconpy/_endpoint/_custom_ioa.py | 44 ++- src/falconpy/_endpoint/_custom_storage.py | 116 +------ src/falconpy/_endpoint/_d4c_registration.py | 48 ++- src/falconpy/_endpoint/_detects.py | 55 ++-- .../_endpoint/_device_control_policies.py | 14 +- src/falconpy/_endpoint/_discover.py | 237 +++++++++----- .../_endpoint/_falcon_complete_dashboard.py | 83 +++-- src/falconpy/_endpoint/_falcon_container.py | 216 ++++++------- src/falconpy/_endpoint/_falconx_sandbox.py | 112 +++---- src/falconpy/_endpoint/_fdr.py | 46 +-- src/falconpy/_endpoint/_filevantage.py | 297 +++++++++--------- .../_endpoint/_firewall_management.py | 115 ++++--- src/falconpy/_endpoint/_firewall_policies.py | 22 +- src/falconpy/_endpoint/_host_group.py | 12 +- src/falconpy/_endpoint/_hosts.py | 42 ++- .../_endpoint/_identity_protection.py | 33 +- src/falconpy/_endpoint/_incidents.py | 50 +-- .../_endpoint/_installation_tokens.py | 28 +- src/falconpy/_endpoint/_intel.py | 137 ++++---- src/falconpy/_endpoint/_ioc.py | 34 +- src/falconpy/_endpoint/_iocs.py | 32 +- src/falconpy/_endpoint/_malquery.py | 23 +- src/falconpy/_endpoint/_message_center.py | 30 +- src/falconpy/_endpoint/_mssp.py | 147 +++++---- src/falconpy/_endpoint/_oauth2.py | 17 +- src/falconpy/_endpoint/_ods.py | 46 +-- .../_endpoint/_prevention_policies.py | 22 +- src/falconpy/_endpoint/_quarantine.py | 12 +- src/falconpy/_endpoint/_quick_scan.py | 22 +- src/falconpy/_endpoint/_real_time_response.py | 238 +++++++------- .../_endpoint/_real_time_response_admin.py | 85 +++-- .../_endpoint/_real_time_response_audit.py | 14 +- src/falconpy/_endpoint/_recon.py | 102 +++--- src/falconpy/_endpoint/_report_executions.py | 6 +- 
src/falconpy/_endpoint/_response_policies.py | 22 +- src/falconpy/_endpoint/_sample_uploads.py | 57 ++-- src/falconpy/_endpoint/_scheduled_reports.py | 7 +- src/falconpy/_endpoint/_sensor_download.py | 36 +-- .../_endpoint/_sensor_update_policies.py | 31 +- .../_endpoint/_spotlight_evaluation_logic.py | 20 +- .../_endpoint/_spotlight_vulnerabilities.py | 69 ++-- .../_endpoint/_tailored_intelligence.py | 4 +- src/falconpy/_endpoint/_user_management.py | 113 ++++--- src/falconpy/_endpoint/_workflows.py | 13 +- .../_endpoint/_zero_trust_assessment.py | 43 +-- .../_endpoint/deprecated/_custom_ioa.py | 46 ++- .../_endpoint/deprecated/_discover.py | 239 +++++++++----- src/falconpy/_endpoint/deprecated/_fdr.py | 48 +-- .../deprecated/_firewall_management.py | 63 ++-- src/falconpy/_endpoint/deprecated/_hosts.py | 19 +- .../deprecated/_identity_protection.py | 7 +- .../deprecated/_installation_tokens.py | 16 +- src/falconpy/_endpoint/deprecated/_ioc.py | 40 +-- src/falconpy/_endpoint/deprecated/_iocs.py | 2 +- src/falconpy/_endpoint/deprecated/_ods.py | 48 +-- .../deprecated/_real_time_response.py | 85 +++-- .../deprecated/_real_time_response_admin.py | 62 ++-- .../deprecated/_report_executions.py | 8 +- .../deprecated/_scheduled_reports.py | 9 +- 62 files changed, 1912 insertions(+), 1828 deletions(-) diff --git a/src/falconpy/_endpoint/_cloud_connect_aws.py b/src/falconpy/_endpoint/_cloud_connect_aws.py index b0681fda0..9429b8a48 100644 --- a/src/falconpy/_endpoint/_cloud_connect_aws.py +++ b/src/falconpy/_endpoint/_cloud_connect_aws.py @@ -41,8 +41,8 @@ "QueryAWSAccounts", "GET", "/cloud-connect-aws/combined/accounts/v1", - "Search for provisioned AWS Accounts by providing an FQL filter and paging details. " - "Returns a set of AWS accounts which match the filter criteria", + "Search for provisioned AWS Accounts by providing an FQL filter and paging details. Returns a set of AWS " + "accounts which match the filter criteria", "cloud_connect_aws", [ { 
@@ -117,8 +117,8 @@ ], "type": "string", "default": "manual", - "description": "Mode for provisioning. Allowed values are `manual` or `cloudformation`. " - "Defaults to manual if not defined.", + "description": "Mode for provisioning. Allowed values are `manual` or `cloudformation`. Defaults to " + "manual if not defined.", "name": "mode", "in": "query" }, @@ -201,8 +201,8 @@ "QueryAWSAccountsForIDs", "GET", "/cloud-connect-aws/queries/accounts/v1", - "Search for provisioned AWS Accounts by providing an FQL filter and paging details. " - "Returns a set of AWS account IDs which match the filter criteria", + "Search for provisioned AWS Accounts by providing an FQL filter and paging details. Returns a set of AWS " + "account IDs which match the filter criteria", "cloud_connect_aws", [ { diff --git a/src/falconpy/_endpoint/_cloud_snapshots.py b/src/falconpy/_endpoint/_cloud_snapshots.py index 351de7352..82073131f 100644 --- a/src/falconpy/_endpoint/_cloud_snapshots.py +++ b/src/falconpy/_endpoint/_cloud_snapshots.py @@ -38,11 +38,11 @@ _cloud_snapshot_endpoints = [ [ - "CreateInventory", + "RegisterCspmSnapshotAccount", "POST", - "/snapshots/entities/inventories/v1", - "Create inventory from data received from snapshot", - "inventories", + "/snapshots/entities/accounts/v1", + "Register customer cloud account for snapshot scanning", + "cloud_snapshots", [ { "name": "body", @@ -56,15 +56,15 @@ "GET", "/snapshots/entities/image-registry-credentials/v1", "Gets the registry credentials", - "provision", + "cloud_snapshots", [] ], [ - "RegisterCspmSnapshotAccount", + "CreateInventory", "POST", - "/snapshots/entities/accounts/v1", - "Register customer cloud account for snapshot scanning", - "registration", + "/snapshots/entities/inventories/v1", + "Create inventory from data received from snapshot", + "cloud_snapshots", [ { "name": "body", diff --git a/src/falconpy/_endpoint/_cspm_registration.py b/src/falconpy/_endpoint/_cspm_registration.py index 933232d07..52f580d94 100644 
--- a/src/falconpy/_endpoint/_cspm_registration.py +++ b/src/falconpy/_endpoint/_cspm_registration.py @@ -132,8 +132,8 @@ "CreateCSPMAwsAccount", "POST", "/cloud-connect-cspm-aws/entities/account/v1", - "Creates a new account in our system for a customer and generates a script for " - "them to run in their AWS cloud environment to grant us access.", + "Creates a new account in our system for a customer and generates a script for them to run in their AWS " + "cloud environment to grant us access.", "cspm_registration", [ { @@ -167,8 +167,6 @@ { "type": "array", "items": { - "maxLength": 12, - "minLength": 12, "type": "string" }, "collectionFormat": "multi", @@ -179,7 +177,6 @@ { "type": "array", "items": { - "pattern": "^o-[0-9a-z]{10,32}$", "type": "string" }, "collectionFormat": "multi", @@ -229,8 +226,8 @@ "GetCSPMAwsAccountScriptsAttachment", "GET", "/cloud-connect-cspm-aws/entities/user-scripts-download/v1", - "Return a script for customer to run in their cloud environment to grant us " - "access to their AWS environment as a downloadable attachment.", + "Return a script for customer to run in their cloud environment to grant us access to their AWS " + "environment as a downloadable attachment.", "cspm_registration", [ { @@ -255,14 +252,11 @@ { "type": "array", "items": { - "maxLength": 36, - "minLength": 36, - "pattern": "^[0-9a-z-]{36}$", "type": "string" }, "collectionFormat": "multi", - "description": "SubscriptionIDs of accounts to select for this status operation. " - "If this is empty then all accounts are returned.", + "description": "SubscriptionIDs of accounts to select for this status operation. If this is empty then " + "all accounts are returned.", "name": "ids", "in": "query" }, 
@@ -313,8 +307,8 @@ "CreateCSPMAzureAccount", "POST", "/cloud-connect-cspm-azure/entities/account/v1", - "Creates a new account in our system for a customer and generates a script for them " - "to run in their cloud environment to grant us access.", + "Creates a new account in our system for a customer and generates a script for them to run in their cloud " + "environment to grant us access.", "cspm_registration", [ { @@ -365,8 +359,8 @@ "UpdateCSPMAzureAccountClientID", "PATCH", "/cloud-connect-cspm-azure/entities/client-id/v1", - "Update an Azure service account in our system by with the user-created client_id " - "created with the public key we've provided", + "Update an Azure service account in our system by with the user-created client_id created with the public " + "key we've provided", "cspm_registration", [ { @@ -458,8 +452,8 @@ "GetCSPMAzureUserScriptsAttachment", "GET", "/cloud-connect-cspm-azure/entities/user-scripts-download/v1", - "Return a script for customer to run in their cloud environment to grant us access to " - "their Azure environment as a downloadable attachment", + "Return a script for customer to run in their cloud environment to grant us access to their Azure " + "environment as a downloadable attachment", "cspm_registration", [ { @@ -640,8 +634,8 @@ }, { "type": "string", - "description": "String to get next page of results, is associated with a previous execution " - "of GetBehaviorDetections. Must include all filters from previous execution.", + "description": "String to get next page of results, is associated with a previous execution of " + "GetBehaviorDetections. Must include all filters from previous execution.", "name": "next_token", "in": "query" }, @@ -722,7 +716,7 @@ "in": "query" }, { - "pattern": "^[0-9a-z-]{2,}$", + "pattern": "^[0-9a-z-_]{2,}$", "type": "string", "description": "Cloud Provider Region", "name": "region", 
@@ -730,12 +724,13 @@ }, { "enum": [ + "Critical", "High", "Informational", "Medium" ], "type": "string", - "description": "Severity (e.g.: High | Medium | Informational)", + "description": "Policy Severity", "name": "severity", "in": "query" }, @@ -846,18 +841,19 @@ [ { "type": "string", - "description": "use_current_scan_ids - *use this to get records for latest scans*\naccount_name\naccount_id\n" - "agent_id\nattack_types\nazure_subscription_id\ncloud_provider\ncloud_service_keyword\ncustom_policy_id\n" - "is_managed\npolicy_id\npolicy_type\nresource_id\nregion\nstatus\nscan_time\nseverity\nseverity_string\n", + "description": "Available filters: use_current_scan_ids - *use this to get records for latest scans*\n " + "account_name\naccount_id\nagent_id\nattack_types\nazure_subscription_id\ncloud_provider\ncloud_service_keyword " + "\ncustom_policy_id\nis_managed\npolicy_id\npolicy_type\nresource_id\nregion\nstatus\nscan_time\nseverity\nseve " + "rity_string\n", "name": "filter", "in": "query" }, { "type": "string", "default": "timestamp|desc", - "description": "account_name\naccount_id\nattack_types\nazure_subscription_id\ncloud_provider\n" - "cloud_service_keyword\nstatus\nis_managed\npolicy_id\npolicy_type\nresource_id\nregion\nscan_time\n" - "severity\nseverity_string\ntimestamp", + "description": "account_name\naccount_id\nattack_types\nazure_subscription_id\ncloud_provider\ncloud_s " + "ervice_keyword\nstatus\nis_managed\npolicy_id\npolicy_type\nresource_id\nregion\nscan_time\nseverity\nseverity " + "_string\ntimestamp", "name": "sort", "in": "query" }, @@ -873,7 +869,7 @@ { "minimum": 0, "type": "integer", - "description": "Offset returned detections", + "description": "Offset returned detections. Cannot be combined with next_token filter", "name": "offset", "in": "query" } 
@@ -1059,11 +1055,19 @@ "enum": [ "ACM", "ACR", + "Any", + "App Engine", "AppService", + "BigQuery", + "Cloud Load Balancing", + "Cloud Logging", + "Cloud SQL", + "Cloud Storage", "CloudFormation", "CloudTrail", "CloudWatch Logs", "Cloudfront", + "Compute Engine", "Config", "Disk", "DynamoDB", @@ -1100,6 +1104,7 @@ "Serverless Application Repository", "StorageAccount", "Subscriptions", + "VPC", "VirtualMachine", "VirtualNetwork" ], @@ -1153,9 +1158,6 @@ { "type": "array", "items": { - "maxLength": 5, - "minLength": 3, - "pattern": "^(aws|azure|gcp)$", "type": "string" }, "collectionFormat": "multi", diff --git a/src/falconpy/_endpoint/_custom_ioa.py b/src/falconpy/_endpoint/_custom_ioa.py index 57d09a4f0..55ab0073f 100644 --- a/src/falconpy/_endpoint/_custom_ioa.py +++ b/src/falconpy/_endpoint/_custom_ioa.py @@ -175,7 +175,7 @@ "get_rules_get", "POST", "/ioarules/entities/rules/GET/v1", - "Get rules by ID and optionally version in the following format: `ID[:version]`.", + "Get rules by ID and optionally with cid and/or version in the following format: `[cid:]ID[:version]`.", "custom_ioa", [ { @@ -190,8 +190,8 @@ "get_rulesMixin0", "GET", "/ioarules/entities/rules/v1", - "Get rules by ID and optionally version in the following format: `ID[:version]`. " - "The max number of IDs is constrained by URL size.", + "Get rules by ID and optionally with cid and/or version in the following format: `[cid:]ID[:version]`. The " + "max number of IDs is constrained by URL size.", "custom_ioa", [ { 
@@ -341,17 +341,16 @@ "name" ], "type": "string", - "description": "Possible order by fields: {created_by, created_on, modified_by, " - "modified_on, enabled, name}", + "description": "Possible order by fields: {name, created_by, created_on, modified_by, modified_on, enabled}", "name": "sort", "in": "query" }, { "type": "string", - "description": "FQL query specifying the filter parameters. Filter term criteria: " - "[enabled platform name description rules.action_label rules.name rules.description " - "rules.pattern_severity rules.ruletype_name rules.enabled]. Filter range criteria: created_on, " - "modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'.", + "description": "FQL query specifying the filter parameters. Filter term criteria: [enabled platform " + "name description rules.action_label rules.name rules.description rules.pattern_severity rules.ruletype_name " + "rules.enabled]. Filter range criteria: created_on, modified_on; use any common date format, such as " + "'2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, 
@@ -392,17 +391,16 @@ "name" ], "type": "string", - "description": "Possible order by fields: {created_by, created_on, modified_by, " - "modified_on, enabled, name}", + "description": "Possible order by fields: {name, created_by, created_on, modified_by, modified_on, enabled}", "name": "sort", "in": "query" }, { "type": "string", - "description": "FQL query specifying the filter parameters. Filter term criteria: " - "[enabled platform name description rules.action_label rules.name rules.description " - "rules.pattern_severity rules.ruletype_name rules.enabled]. Filter range criteria: " - "created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'.", + "description": "FQL query specifying the filter parameters. Filter term criteria: [enabled platform " + "name description rules.action_label rules.name rules.description rules.pattern_severity rules.ruletype_name " + "rules.enabled]. Filter range criteria: created_on, modified_on; use any common date format, such as " + "'2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, 
@@ -468,19 +466,19 @@ "rules.ruletype_name" ], "type": "string", - "description": "Possible order by fields: {rules.ruletype_name, rules.enabled, " - "rules.created_by, rules.current_version.name, rules.current_version.modified_by, " - "rules.created_on, rules.current_version.description, rules.current_version.pattern_severity, " - "rules.current_version.action_label, rules.current_version.modified_on}", + "description": "Possible order by fields: {rules.created_on, rules.current_version.action_label, " + "rules.current_version.modified_by, rules.current_version.modified_on, rules.ruletype_name, rules.enabled, " + "rules.current_version.description, rules.current_version.pattern_severity, rules.created_by, " + "rules.current_version.name}", "name": "sort", "in": "query" }, { "type": "string", - "description": "FQL query specifying the filter parameters. Filter term criteria: " - "[enabled platform name description rules.action_label rules.name rules.description " - "rules.pattern_severity rules.ruletype_name rules.enabled]. Filter range criteria: " - "created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'.", + "description": "FQL query specifying the filter parameters. Filter term criteria: [enabled platform " + "name description rules.action_label rules.name rules.description rules.pattern_severity rules.ruletype_name " + "rules.enabled]. Filter range criteria: created_on, modified_on; use any common date format, such as " + "'2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, diff --git a/src/falconpy/_endpoint/_custom_storage.py b/src/falconpy/_endpoint/_custom_storage.py index d950ca61a..9620f27d6 100644 --- a/src/falconpy/_endpoint/_custom_storage.py +++ b/src/falconpy/_endpoint/_custom_storage.py 
@@ -44,15 +44,6 @@ "List the object keys in the specified collection in alphabetical order", "custom_storage", [ - { - "maxLength": 32, - "minLength": 32, - "type": "string", - "description": "The id of the app the collection belongs to. " - "This will map to the namespace of the collection", - "name": "X-CS-APP-ID", - "in": "header" - }, { "maxLength": 255, "minLength": 1, @@ -78,15 +69,6 @@ "in": "query", "allowEmptyValue": True }, - { - "maxLength": 255, - "minLength": 1, - "type": "string", - "description": "The name of the namespace the collection belongs to", - "name": "X-CS-ADB-NAMESPACE", - "in": "header", - "required": True - }, { "maxLength": 1000, "minLength": 1, @@ -105,14 +87,6 @@ "Search for objects that match the specified filter criteria (returns metadata, not actual objects)", "custom_storage", [ - { - "maxLength": 32, - "minLength": 32, - "type": "string", - "description": "The id of the app the collection belongs to. This will map to the namespace of the collection", - "name": "X-CS-APP-ID", - "in": "header" - }, { "maxLength": 255, "minLength": 1, @@ -138,15 +112,6 @@ "in": "query", "allowEmptyValue": True }, - { - "maxLength": 255, - "minLength": 1, - "type": "string", - "description": "The name of the namespace the collection belongs to", - "name": "X-CS-ADB-NAMESPACE", - "in": "header", - "required": True - }, { "type": "integer", "description": "The offset of results to return", @@ -171,14 +136,6 @@ "Get the bytes for the specified object", "custom_storage", [ - { - "maxLength": 32, - "minLength": 32, - "type": "string", - "description": "The id of the app the collection belongs to. This will map to the namespace of the collection", - "name": "X-CS-APP-ID", - "in": "header" - }, { "maxLength": 255, "minLength": 1, 
@@ -188,15 +145,6 @@ "in": "path", "required": True }, - { - "maxLength": 255, - "minLength": 1, - "type": "string", - "description": "The name of the namespace the collection belongs to", - "name": "X-CS-ADB-NAMESPACE", - "in": "header", - "required": True - }, { "maxLength": 1000, "minLength": 1, @@ -220,14 +168,6 @@ "in": "body", "required": True }, - { - "maxLength": 32, - "minLength": 32, - "type": "string", - "description": "The id of the app the collection belongs to. This will map to the namespace of the collection", - "name": "X-CS-APP-ID", - "in": "header" - }, { "maxLength": 255, "minLength": 1, @@ -239,21 +179,12 @@ }, { "type": "boolean", - "description": "If false, run the operation as normal. " - "If true, validate that the request *would* succeed, but don't execute it.", + "description": "If false, run the operation as normal. If true, validate that the request *would* " + "succeed, but don't execute it.", "name": "dry_run", "in": "query", "allowEmptyValue": True }, - { - "maxLength": 255, - "minLength": 1, - "type": "string", - "description": "The name of the namespace the collection belongs to", - "name": "X-CS-ADB-NAMESPACE", - "in": "header", - "required": True - }, { "maxLength": 1000, "minLength": 1, @@ -268,8 +199,7 @@ "type": "string", "description": "The version of the collection schema", "name": "schema_version", - "in": "query", - "required": True + "in": "query" } ] ], @@ -280,15 +210,6 @@ "Delete the specified object", "custom_storage", [ - { - "maxLength": 32, - "minLength": 32, - "type": "string", - "description": "The id of the app the collection belongs to. " - "This will map to the namespace of the collection", - "name": "X-CS-APP-ID", - "in": "header" - }, { "maxLength": 255, "minLength": 1, 
@@ -300,21 +221,12 @@ }, { "type": "boolean", - "description": "If false, run the operation as normal. " - "If true, validate that the request *would* succeed, but don't execute it.", + "description": "If false, run the operation as normal. If true, validate that the request *would* " + "succeed, but don't execute it.", "name": "dry_run", "in": "query", "allowEmptyValue": True }, - { - "maxLength": 255, - "minLength": 1, - "type": "string", - "description": "The name of the namespace the collection belongs to", - "name": "X-CS-ADB-NAMESPACE", - "in": "header", - "required": True - }, { "maxLength": 1000, "minLength": 1, @@ -333,15 +245,6 @@ "Get the metadata for the specified object", "custom_storage", [ - { - "maxLength": 32, - "minLength": 32, - "type": "string", - "description": "The id of the app the collection belongs to. " - "This will map to the namespace of the collection", - "name": "X-CS-APP-ID", - "in": "header" - }, { "maxLength": 255, "minLength": 1, @@ -351,15 +254,6 @@ "in": "path", "required": True }, - { - "maxLength": 255, - "minLength": 1, - "type": "string", - "description": "The name of the namespace the collection belongs to", - "name": "X-CS-ADB-NAMESPACE", - "in": "header", - "required": True - }, { "maxLength": 1000, "minLength": 1, diff --git a/src/falconpy/_endpoint/_d4c_registration.py b/src/falconpy/_endpoint/_d4c_registration.py index d9bad465f..53326a1ea 100644 --- a/src/falconpy/_endpoint/_d4c_registration.py +++ b/src/falconpy/_endpoint/_d4c_registration.py @@ -112,8 +112,8 @@ "CreateD4CAwsAccount", "POST", "/cloud-connect-aws/entities/account/v2", - "Creates a new account in our system for a customer and generates a script " - "for them to run in their AWS cloud environment to grant us access.", + "Creates a new account in our system for a customer and generates a script for them to run in their AWS " + "cloud environment to grant us access.", "d4c_registration", [ { 
@@ -156,8 +156,7 @@ "GetD4CAwsConsoleSetupURLs", "GET", "/cloud-connect-aws/entities/console-setup-urls/v1", - "Return a URL for customer to visit in their cloud environment to grant " - "us access to their AWS environment.", + "Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment.", "d4c_registration", [ { @@ -173,8 +172,8 @@ "GetD4CAWSAccountScriptsAttachment", "GET", "/cloud-connect-aws/entities/user-scripts-download/v1", - "Return a script for customer to run in their cloud environment to grant " - "us access to their AWS environment as a downloadable attachment.", + "Return a script for customer to run in their cloud environment to grant us access to their AWS " + "environment as a downloadable attachment.", "d4c_registration", [ { @@ -202,8 +201,8 @@ "type": "string" }, "collectionFormat": "multi", - "description": "SubscriptionIDs of accounts to select for this status operation. " - "If this is empty then all accounts are returned.", + "description": "SubscriptionIDs of accounts to select for this status operation. If this is empty then " + "all accounts are returned.", "name": "ids", "in": "query" }, @@ -254,8 +253,8 @@ "CreateDiscoverCloudAzureAccount", "POST", "/cloud-connect-azure/entities/account/v1", - "Creates a new account in our system for a customer and generates a script for them to run " - "in their cloud environment to grant us access.", + "Creates a new account in our system for a customer and generates a script for them to run in their cloud " + "environment to grant us access.", "d4c_registration", [ { 
@@ -269,8 +268,8 @@ "UpdateDiscoverCloudAzureAccountClientID", "PATCH", "/cloud-connect-azure/entities/client-id/v1", - "Update an Azure service account in our system by with the user-created client_id " - "created with the public key we've provided", + "Update an Azure service account in our system by with the user-created client_id created with the public " + "key we've provided", "d4c_registration", [ { @@ -313,9 +312,6 @@ { "type": "array", "items": { - "maxLength": 36, - "minLength": 36, - "pattern": "^[0-9a-z-]{36}$", "type": "string" }, "collectionFormat": "multi", @@ -354,8 +350,8 @@ "GetDiscoverCloudAzureUserScriptsAttachment", "GET", "/cloud-connect-azure/entities/user-scripts-download/v1", - "Return a script for customer to run in their cloud environment to grant us access to their " - "Azure environment as a downloadable attachment", + "Return a script for customer to run in their cloud environment to grant us access to their Azure " + "environment as a downloadable attachment", "d4c_registration", [ { @@ -391,8 +387,7 @@ "GetDiscoverCloudAzureUserScripts", "GET", "/cloud-connect-azure/entities/user-scripts/v1", - "Return a script for customer to run in their cloud environment to grant us access to their " - "Azure environment", + "Return a script for customer to run in their cloud environment to grant us access to their Azure environment", "d4c_registration", [] ], @@ -471,8 +466,8 @@ "CreateD4CGCPAccount", "POST", "/cloud-connect-gcp/entities/account/v1", - "Creates a new account in our system for a customer and generates a new service account for them " - "to add access to in their GCP environment to grant us access.", + "Creates a new account in our system for a customer and generates a new service account for them to add " + "access to in their GCP environment to grant us access.", "d4c_registration", [ { 
@@ -486,8 +481,8 @@
 "GetCSPMGCPUserScriptsAttachment",
 "GET",
 "/cloud-connect-gcp/entities/user-scripts-download/v1",
- "Return a script for customer to run in their cloud environment to grant us access to their "
- "GCP environment as a downloadable attachment",
+ "Return a script for customer to run in their cloud environment to grant us access to their GCP "
+ "environment as a downloadable attachment",
 "d4c_registration",
 []
 ],
@@ -495,8 +490,7 @@
 "GetD4CGCPUserScripts",
 "GET",
 "/cloud-connect-gcp/entities/user-scripts/v1",
- "Return a script for customer to run in their cloud environment to grant us access to their "
- "GCP environment",
+ "Return a script for customer to run in their cloud environment to grant us access to their GCP environment",
 "d4c_registration",
 [
 {
@@ -554,8 +548,8 @@
 "gov"
 ],
 "type": "string",
- "description": "Account type (e.g.: commercial,gov) Only applicable when "
- "registering AWS commercial account in a Gov environment",
+ "description": "Account type (e.g.: commercial,gov) Only applicable when registering AWS commercial "
+ "account in a Gov environment",
 "name": "account_type",
 "in": "query"
 }
diff --git a/src/falconpy/_endpoint/_detects.py b/src/falconpy/_endpoint/_detects.py
index c3669368b..14a6641fd 100644
--- a/src/falconpy/_endpoint/_detects.py
+++ b/src/falconpy/_endpoint/_detects.py
@@ -60,18 +60,17 @@ "detects", [ { - "description": "This endpoint modifies attributes (state and assignee) of detections. \n\n" - "This endpoint accepts a query formatted as a JSON array of key-value pairs. " - "You can update one or more attributes one or more detections with a single request.\n\n" - "**`assigned_to_uuid` values**\n\nA user ID, such as `1234567891234567891`\n\n**`ids` values**\n\n" - "One or more detection IDs, which you can find with the `/detects/queries/detects/v1` endpoint, " - "the Falcon console, or the Streaming API.\n\n**`show_in_ui` values**\n\n- `true`: " - "This detection is displayed in Falcon\n- `false`: This detection is not displayed in Falcon. " - "Most commonly used together with the `status` key's `false_positive` value.\n\n**`status` " - "values**\n\n- `new`\n- `in_progress`\n- `true_positive`\n- `false_positive`\n- `ignored`\n\n**`comment` " - "values**\nOptional comment to add to the detection. Comments are displayed with the detection in " - "Falcon and usually used to provide context or notes for other Falcon users. " - "A detection can have multiple comments over time.", + "description": "This endpoint modifies attributes (state and assignee) of detections. \n\nThis " + "endpoint accepts a query formatted as a JSON array of key-value pairs. You can update one or more attributes " + "one or more detections with a single request.\n\n**`assigned_to_uuid` values**\n\nA user ID, such as " + "`1234567891234567891`\n\n**`ids` values**\n\nOne or more detection IDs, which you can find with the " + "`/detects/queries/detects/v1` endpoint, the Falcon console, or the Streaming API.\n\n**`show_in_ui` " + "values**\n\n- `true`: This detection is displayed in Falcon\n- `false`: This detection is not displayed in " + "Falcon. 
Most commonly used together with the `status` key's `false_positive` value.\n\n**`status` " + "values**\n\n- `new`\n- `in_progress`\n- `true_positive`\n- `false_positive`\n- `closed`\n- " + "`ignored`\n\n**`comment` values**\nOptional comment to add to the detection. Comments are displayed with the " + "detection in Falcon and usually used to provide context or notes for other Falcon users. A detection can have " + "multiple comments over time.", "name": "body", "in": "body", "required": True @@ -87,9 +86,10 @@ [ { "description": "View key attributes of detections, including the associated host, " - "[disposition](https://falcon.crowdstrike.com/support/documentation/2/query-api-reference#patterndispositionvalue), " - "objective/tactic/technique, adversary, and more. Specify one or more detection IDs (max 1000 per request). " - "Find detection IDs with the `/detects/queries/detects/v1` endpoint, the Falcon console, or the Streaming API.", + "[disposition](https://falcon.crowdstrike.com/documentation/86/detections-monitoring-apis#pattern-disposition-" + "value-descriptions), objective/tactic/technique, adversary, and more. Specify one or more detection IDs (max " + "1000 per request). Find detection IDs with the `/detects/queries/detects/v1` endpoint, the Falcon console, or " + "the Streaming API.", "name": "body", "in": "body", "required": True 
@@ -114,30 +114,29 @@ "maximum": 9999, "minimum": 0, "type": "integer", - "description": "The maximum number of detections to return in this response (default: 9999; max: 9999). " - "Use with the `offset` parameter to manage pagination of results.", + "description": "The maximum number of detections to return in this response (default: 9999; max: " + "9999). Use with the `offset` parameter to manage pagination of results.", "name": "limit", "in": "query" }, { "type": "string", "description": "Sort detections using these options:\n\n- `first_behavior`: Timestamp of the first " - "behavior associated with this detection\n- `last_behavior`: Timestamp of the last behavior associated " - "with this detection\n- `max_severity`: Highest severity of the behaviors associated with this detection\n" - "- `max_confidence`: Highest confidence of the behaviors associated with this detection\n- `adversary_id`: " - "ID of the adversary associated with this detection, if any\n- `devices.hostname`: Hostname of the host " - "where this detection was detected\n\nSort either `asc` (ascending) or `desc` (descending). " - "For example: `last_behavior|asc`", + "behavior associated with this detection\n- `last_behavior`: Timestamp of the last behavior associated with " + "this detection\n- `max_severity`: Highest severity of the behaviors associated with this detection\n- " + "`max_confidence`: Highest confidence of the behaviors associated with this detection\n- `adversary_id`: ID of " + "the adversary associated with this detection, if any\n- `device.hostname`: Hostname of the host where this " + "detection was detected\n\nSort either `asc` (ascending) or `desc` (descending). For example: " + "`last_behavior|asc`", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter detections using a query in Falcon Query Language (FQL) An asterisk wildcard `*` " - "includes all results. 
\n\nCommon filter options include:\n\n- `status`\n- `device.device_id`\n" - "- `max_severity`\n\nThe full list of valid filter options is extensive. " - "Review it in our [documentation inside the Falcon console]" - "(https://falcon.crowdstrike.com/documentation/45/falcon-query-language-fql).", + "description": "Filter detections using a query in Falcon Query Language (FQL) An asterisk wildcard " + "`*` includes all results. \n\nCommon filter options include:\n\n- `status`\n- `device.device_id`\n- " + "`max_severity`\n\nThe full list of valid filter options is extensive. Review it in our [documentation inside " + "the Falcon console](https://falcon.crowdstrike.com/documentation/45/falcon-query-language-fql).", "name": "filter", "in": "query" }, diff --git a/src/falconpy/_endpoint/_device_control_policies.py b/src/falconpy/_endpoint/_device_control_policies.py index 8d754fa62..6188d6c1d 100644 --- a/src/falconpy/_endpoint/_device_control_policies.py +++ b/src/falconpy/_endpoint/_device_control_policies.py @@ -41,8 +41,8 @@ "queryCombinedDeviceControlPolicyMembers", "GET", "/policy/combined/device-control-members/v1", - "Search for members of a Device Control Policy in your environment by providing an FQL " - "filter and paging details. Returns a set of host details which match the filter criteria", + "Search for members of a Device Control Policy in your environment by providing an FQL filter and paging " + "details. Returns a set of host details which match the filter criteria", "device_control_policies", [ { 
@@ -190,9 +190,9 @@ "setDeviceControlPoliciesPrecedence", "POST", "/policy/entities/device-control-precedence/v1", - "Sets the precedence of Device Control Policies based on the order of IDs specified in the request. " - "The first ID specified will have the highest precedence and the last ID specified will have the lowest. " - "You must specify all non-Default Policies for a platform when updating precedence", + "Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The " + "first ID specified will have the highest precedence and the last ID specified will have the lowest. You must " + "specify all non-Default Policies for a platform when updating precedence", "device_control_policies", [ { @@ -274,8 +274,8 @@ "queryDeviceControlPolicyMembers", "GET", "/policy/queries/device-control-members/v1", - "Search for members of a Device Control Policy in your environment by providing an FQL filter and paging details. " - "Returns a set of Agent IDs which match the filter criteria", + "Search for members of a Device Control Policy in your environment by providing an FQL filter and paging " + "details. Returns a set of Agent IDs which match the filter criteria", "device_control_policies", [ { diff --git a/src/falconpy/_endpoint/_discover.py b/src/falconpy/_endpoint/_discover.py index 6d7c236f1..0d363469d 100644 --- a/src/falconpy/_endpoint/_discover.py +++ b/src/falconpy/_endpoint/_discover.py @@ -97,6 +97,26 @@ } ] ], + [ + "get_iot_hosts", + "GET", + "/discover/entities/iot-hosts/v1", + "Get details on IoT assets by providing one or more IDs.", + "discover", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "One or more asset IDs (max: 100). Find asset IDs with GET `/discover/queries/iot-hosts/v1`", + "name": "ids", + "in": "query", + "required": True + } + ] + ], [ "get_logins", "GET", 
@@ -121,16 +141,16 @@ "query_accounts", "GET", "/discover/queries/accounts/v1", - "Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. " - "Returns a set of account IDs which match the filter criteria.", + "Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging " + "details. Returns a set of account IDs which match the filter criteria.", "discover", [ { "minimum": 0, "type": "integer", - "description": "An offset used with the `limit` parameter to manage pagination of results. " - "On your first request, don’t provide an `offset`. On subsequent requests, provide the `offset` " - "from the previous response to continue from that place in the results.", + "description": "An offset used with the `limit` parameter to manage pagination of results. On your " + "first request, don’t provide an `offset`. On subsequent requests, add previous `offset` with the previous " + "`limit` to continue from that place in the results.", "name": "offset", "in": "query" }, @@ -145,16 +165,27 @@ }, { "type": "string", - "description": "Sort accounts by their properties. A single sort field is allowed. " - "Common sort options include:\n\n
  • username|asc
  • last_failed_login_timestamp|desc
", + "description": "Sort accounts by their properties. A single sort field is allowed. Common sort options " + "include:\n\n
  • username|asc
  • last_failed_login_timestamp|desc
", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter accounts using an FQL query. Common filter options include:\n\n
    " - "
  • account_type:'Local'
  • admin_privileges:'Yes'
  • first_seen_timestamp:<'now-7d'
  • " - "
  • last_successful_login_type:'Terminal server'
", + "description": "Filter accounts using an FQL query. Common filter options include:
  • account_type " + ":'Local'
  • admin_privileges:'Yes'
  • first_seen_timestamp:<'now-" + "7d'
  • last_successful_login_type:'Terminal server'
\n\t\t\tAvailable filter fields that support " + " exact match: id, cid, user_sid, account_name, username, account_type, admin_privileges, first_seen_timestamp, " + " last_successful_login_type, last_successful_login_timestamp, last_successful_login_hostname, " + "last_successful_login_remote_ip, last_successful_login_host_country, last_successful_login_host_city, " + "login_domain, last_failed_login_type, last_failed_login_timestamp, last_failed_login_hostname, " + "password_last_set_timestamp, local_admin_privileges\n\t\t\tAvailable filter fields that supports wildcard (*): " + " id, cid, user_sid, account_name, username, account_type, admin_privileges, last_successful_login_type, " + "last_successful_login_hostname, last_successful_login_remote_ip, last_successful_login_host_country, " + "last_successful_login_host_city, login_domain, last_failed_login_type, last_failed_login_hostname, " + "local_admin_privileges\n\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, <=): " + "first_seen_timestamp, last_successful_login_timestamp,last_failed_login_timestamp, " + "password_last_set_timestamp\n\t\t\tAll filter fields and operations supports negation (!).", "name": "filter", "in": "query" } 
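Review bot: The re-wrapped `filter` description splits the string literal inside an FQL example value, so the concatenated text reads `account_type :'Local'` (the new-side fragment ends with `account_type ` and the next fragment starts with `:'Local'`), which is not the syntax a user should copy. The same mid-value split appears in the `@@ -229,35 +274,81 @@` and `@@ -272,55 +363,41 @@` hunks (`entity_type:'m " "anaged'`, `last_seen_timestamp:>' " "now-7d'`) and in `@@ -328,23 +405,31 @@` (`account_type:' " "Local'`). Where a literal has to wrap, break it at whitespace outside the quoted value, for example end one fragment at `include:` and begin the next at the first bullet item; the list markup is rendered as bullets on this page, so the exact fragment text should be taken from the file. If these descriptions are produced by a column-based wrapper, the wrapper is the place to fix rather than each file. The enclosing `query_accounts` entry starts outside the hunk.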
@@ -164,14 +195,16 @@ "query_applications", "GET", "/discover/queries/applications/v1", - "Search for applications in your environment by providing an FQL filter and paging details. " - "returns a set of application IDs which match the filter criteria.", + "Search for applications in your environment by providing an FQL filter and paging details. returns a set " + "of application IDs which match the filter criteria.", "discover", [ { "minimum": 0, "type": "integer", - "description": "The index of the starting resource.", + "description": "An offset used with the `limit` parameter to manage pagination of results. On your " + "first request, don’t provide an `offset`. On subsequent requests, add previous `offset` with the previous " + "`limit` to continue from that place in the results.", "name": "offset", "in": "query" }, @@ -179,23 +212,35 @@ "maximum": 100, "minimum": 1, "type": "integer", - "description": "The number of account IDs to return in this response (min: 1, max: 100, default: 100). " - "Use with the `offset` parameter to manage pagination of results.", + "description": "The number of application ids to return in this response (Min: 1, Max: 100, Default: 100).", "name": "limit", "in": "query" }, { "type": "string", - "description": "Sort accounts by their properties. A single sort field is allowed. " - "Common sort options include:\n\n
  • username|asc
  • last_failed_login_timestamp|desc
", + "description": "Sort applications by their properties. A single sort field is allowed.", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter accounts using an FQL query. " - "Common filter options include:\n\n
  • account_type:'Local'
  • admin_privileges:'Yes'
  • " - "
  • first_seen_timestamp:<'now-7d'
  • last_successful_login_type:'Terminal server'
", + "description": "Search for applications in your environment by providing an FQL " + "filter.\n\t\t\t\tAvailable filter fields that support exact match: name, version, vendor, name_vendor, " + "name_vendor_version, first_seen_timestamp, installation_timestamp, architectures, installation_paths, " + "versioning_scheme, groups, is_normalized, last_used_user_sid, last_used_user_name, last_used_file_name, " + "last_used_file_hash, last_used_timestamp, last_updated_timestamp, is_suspicious, host.id, host.platform_name, " + "host.hostname, cid, host.os_version, host.machine_domain, host.ou, host.site_name, host.country, " + "host.current_mac_address, host.current_network_prefix, host.tags, host.groups, host.product_type_desc, " + "host.kernel_version, host.system_manufacturer, host.internet_exposure, host.agent_version, host.external_ip, " + "host.aid\n\t\t\t\tAvailable filter fields that supports wildcard (*): name, version, vendor, name_vendor, " + "name_vendor_version, architectures, installation_paths, groups, last_used_user_sid, last_used_user_name, " + "last_used_file_name, last_used_file_hash, host.platform_name, host.hostname, cid, host.os_version, " + "host.machine_domain, host.ou, host.site_name, host.country, host.current_mac_address, " + "host.current_network_prefix, host.tags, host.groups, host.product_type_desc, host.kernel_version, " + "host.system_manufacturer, host.internet_exposure, host.agent_version, host.external_ip, " + "host.aid\n\t\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, <=): " + "first_seen_timestamp, installation_timestamp, last_used_timestamp, last_updated_timestamp\n\t\t\t\tAll filter " + "fields and operations supports negation (!).", "name": "filter", "in": "query" } 
@@ -205,16 +250,16 @@ "query_hosts", "GET", "/discover/queries/hosts/v1", - "Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. " - "Returns a set of asset IDs which match the filter criteria.", + "Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging " + "details. Returns a set of asset IDs which match the filter criteria.", "discover", [ { "minimum": 0, "type": "integer", - "description": "An offset used with the `limit` parameter to manage pagination of results. " - "On your first request, don’t provide an `offset`. On subsequent requests, provide the `offset` " - "from the previous response to continue from that place in the results.", + "description": "An offset used with the `limit` parameter to manage pagination of results. On your " + "first request, don’t provide an `offset`. On subsequent requests, add previous `offset` with the previous " + "`limit` to continue from that place in the results.", "name": "offset", "in": "query" }, @@ -229,35 +274,81 @@ }, { "type": "string", - "description": "Sort assets by their properties. A single sort field is allowed. " - "Common sort options include:\n\n
  • hostname|asc
  • product_type_desc|desc
", + "description": "Sort assets by their properties. A single sort field is allowed. Common sort options " + "include:\n\n
  • hostname|asc
  • product_type_desc|desc
", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter assets using an FQL query. Common filter options include:\n\n" - "
  • entity_type:'managed'
  • product_type_desc:'Workstation'
  • platform_name:'Windows'
  • " - "
  • last_seen_timestamp:>'now-7d'
", + "description": "Filter assets using an FQL query. Common filter options include:
  • entity_type:'m " + "anaged'
  • product_type_desc:'Workstation'
  • platform_name:'Windows'
  • last_seen_timestamp:>' " + "now-7d'
\n\t\t\tAvailable filter fields that support exact match: id, aid, entity_type, country, " + "city, platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, " + "system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, " + "machine_domain, site_name, external_ip, hostname, local_ips_count, network_interfaces.local_ip, " + "network_interfaces.mac_address, network_interfaces.interface_alias, network_interfaces.interface_description, " + "network_interfaces.network_prefix, last_discoverer_aid, discoverer_count, discoverer_aids, discoverer_tags, " + "discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, " + "data_providers, data_providers_count, mac_addresses, local_ip_addresses, reduced_functionality_mode, " + "number_of_disk_drives, processor_package_count, physical_core_count, logical_core_count, total_disk_space, " + "disk_sizes.disk_name, disk_sizes.disk_space, cpu_processor_name, total_memory, encryption_status, " + "encrypted_drives, encrypted_drives_count, unencrypted_drives, unencrypted_drives_count, " + "os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.device_guard_status, " + "os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, " + "os_security.iommu_protection_status, os_security.secure_boot_enabled_status, " + "os_security.uefi_memory_protection_status, os_security.virtualization_based_security_status, " + "os_security.kernel_dma_protection_status, total_bios_files, bios_hashes_data.sha256_hash, " + "bios_hashes_data.measurement_type, bios_id, average_processor_usage, average_memory_usage, " + "average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, " + "used_disk_space_pct, available_disk_space, available_disk_space_pct, mount_storage_info.mount_path, " + "mount_storage_info.used_space, 
mount_storage_info.available_space, form_factor, servicenow_id, owned_by, " + "managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, ad_user_account_control, " + "account_enabled, creation_timestamp, email, os_service_pack, location, state, cpu_manufacturer, " + "discovering_by\n\t\t\tAvailable filter fields that supports wildcard (*): id, aid, entity_type, country, city, " + " platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, " + "system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, " + "machine_domain, site_name, external_ip, hostname, network_interfaces.local_ip, network_interfaces.mac_address, " + " network_interfaces.interface_alias, network_interfaces.interface_description, " + "network_interfaces.network_prefix, last_discoverer_aid, discoverer_aids, discoverer_tags, " + "discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, " + "data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, disk_sizes.disk_name, " + "cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, " + "os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.device_guard_status, " + "os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, " + "os_security.iommu_protection_status, os_security.secure_boot_enabled_status, " + "os_security.uefi_memory_protection_status, os_security.virtualization_based_security_status, " + "os_security.kernel_dma_protection_status, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, " + "bios_id, mount_storage_info.mount_path, form_factor, servicenow_id, owned_by, managed_by, assigned_to, " + "department, fqdn, used_for, object_guid, object_sid, account_enabled, email, os_service_pack, location, state, " + " cpu_manufacturer, discovering_by\n\t\t\tAvailable filter fields 
that supports range comparisons (>, <, >=, " + "<=): first_seen_timestamp, last_seen_timestamp, local_ips_count, discoverer_count, confidence, " + "number_of_disk_drives, processor_package_count, physical_core_count, data_providers_count, logical_core_count, " + " total_disk_space, disk_sizes.disk_space, total_memory, encrypted_drives_count, unencrypted_drives_count, " + "total_bios_files, average_processor_usage, average_memory_usage, average_memory_usage_pct, " + "max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, " + "available_disk_space, available_disk_space_pct, mount_storage_info.used_space, " + "mount_storage_info.available_space, ad_user_account_control, creation_timestamp\n\t\t\tAll filter fields and " + "operations supports negation (!).", "name": "filter", "in": "query" } ] ], [ - "query_logins", + "query_iot_hosts", "GET", - "/discover/queries/logins/v1", - "Search for logins in your environment by providing an FQL (Falcon Query Language) filter and paging details. " - "Returns a set of login IDs which match the filter criteria.", + "/discover/queries/iot-hosts/v1", + "Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging " + "details. Returns a set of asset IDs which match the filter criteria.", "discover", [ { "minimum": 0, "type": "integer", - "description": "An offset used with the `limit` parameter to manage pagination of results. " - "On your first request, don’t provide an `offset`. On subsequent requests, provide the `offset` " - "from the previous response to continue from that place in the results.", + "description": "An offset used with the `limit` parameter to manage pagination of results. On your " + "first request, don’t provide an `offset`. On subsequent requests, add previous `offset` with the previous " + "`limit` to continue from that place in the results.", "name": "offset", "in": "query" }, 
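Review bot: The exact-match and wildcard field lists in the new `query_hosts` `filter` description each name `os_security.device_guard_status` three times, so the generated reference repeats the field and, if a different field was meant in those slots, it is now missing. The duplication is probably inherited from the upstream API spec, but deduplicating the list here (or reporting it upstream) keeps the documented field set accurate. The enclosing `query_hosts` entry starts outside this hunk.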
@@ -272,55 +363,41 @@ }, { "type": "string", - "description": "Sort assets by their properties. A single sort field is allowed. " - "Common sort options include:\n\n
  • hostname|asc
  • product_type_desc|desc
", + "description": "Sort assets by their properties. A single sort field is allowed. Common sort options " + "include:\n\n
  • hostname|asc
  • product_type_desc|desc
", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter assets using an FQL query. Common filter options include:\n\n" - "
  • entity_type:'managed'
  • product_type_desc:'Workstation'
  • platform_name:'Windows'
  • " - "
  • last_seen_timestamp:>'now-7d'
", + "description": "Filter assets using an FQL query. Common filter options include:
  • entity_type:'m " + "anaged'
  • product_type_desc:'Workstation'
  • platform_name:'Windows'
  • last_seen_timestamp:>' " + "now-7d'
\n\t\t\tAvailable filter fields that support exact match: device_family, device_class, " + "device_type, device_mode, business_criticality, line_of_business, virtual_zone, subnet, purdue_level, vlan, " + "local_ip_addresses, mac_addresses, physical_connections_count, data_providers\n\t\t\tAvailable filter fields " + "that supports wildcard (*): device_family, device_class, device_type, device_mode, business_criticality, " + "line_of_business, virtual_zone, subnet, purdue_level, vlan, local_ip_addresses, mac_addresses, " + "data_providers\n\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, <=): " + "physical_connections_count\n\t\t\tAll filter fields and operations supports negation (!).", "name": "filter", "in": "query" } ] ], [ - "get_iot_hosts", - "GET", - "/discover/entities/iot-hosts/v1", - "Get details on IoT assets by providing one or more IDs.", - "discover_iot", - [ - { - "type": "array", - "items": { - "type": "string" - }, - "collectionFormat": "multi", - "description": "One or more asset IDs (max: 100). Find asset IDs with GET `/discover/queries/iot-hosts/v1`", - "name": "ids", - "in": "query", - "required": True - } - ] - ], - [ - "query_iot_hosts", + "query_logins", "GET", - "/discover/queries/iot-hosts/v1", - "Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. " - "Returns a set of asset IDs which match the filter criteria.", - "discover_iot", + "/discover/queries/logins/v1", + "Search for logins in your environment by providing an FQL (Falcon Query Language) filter and paging " + "details. Returns a set of login IDs which match the filter criteria.", + "discover", [ { "minimum": 0, "type": "integer", - "description": "An offset used with the `limit` parameter to manage pagination of results. On your first request, " - "don’t provide an `offset`. 
On subsequent requests, provide the `offset` from the previous response to continue " - "from that place in the results.", + "description": "An offset used with the `limit` parameter to manage pagination of results. On your " + "first request, don’t provide an `offset`. On subsequent requests, add previous `offset` with the previous " + "`limit` to continue from that place in the results.", "name": "offset", "in": "query" }, @@ -328,23 +405,31 @@ "maximum": 100, "minimum": 1, "type": "integer", - "description": "The number of asset IDs to return in this response (min: 1, max: 100, default: 100). " + "description": "The number of login IDs to return in this response (min: 1, max: 100, default: 100). " "Use with the `offset` parameter to manage pagination of results.", "name": "limit", "in": "query" }, { "type": "string", - "description": "Sort assets by their properties. A single sort field is allowed. " - "Common sort options include:\n\n
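Review bot: Removing the `get_iot_hosts` and `query_iot_hosts` entries here and re-adding them earlier in the file (the `@@ -97,6 +97,26 @@` hunk and the rewritten header in `@@ -229,35 +274,81 @@`) also changes their collection tag from `"discover_iot"` to `"discover"`, and nothing in this commit shows whatever selects endpoints by the old tag being updated. If a service class, test or documentation generator keys on `discover_iot`, the two IoT operations silently drop out of it; if the rename is intentional it deserves a sentence in the commit message. The replacement `query_logins` entry this hunk starts continues into the next hunk.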
  • hostname|asc
  • product_type_desc|desc
", + "description": "Sort logins by their properties. A single sort field is allowed. Common sort options " + "include:\n\n
  • account_name|asc
  • login_timestamp|desc
", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter assets using an FQL query. Common filter options include:\n\n
    " - "
  • entity_type:'managed'
  • product_type_desc:'Workstation'
  • " - "
  • platform_name:'Windows'
  • last_seen_timestamp:>'now-7d'
", + "description": "Filter logins using an FQL query. Common filter options include:
  • account_type:' " + "Local'
  • login_type:'Interactive'
  • first_seen_timestamp:<'now-" + "7d'
  • admin_privileges:'No'
\n\t\t\tAvailable filter fields that support exact match: id, cid, " + "login_status, account_id, host_id, user_sid, aid, account_name, username, hostname, account_type, login_type, " + "login_timestamp, login_domain, admin_privileges, local_admin_privileges, local_ip, remote_ip, host_country, " + "host_city, is_suspicious, failure_description, login_event_count, aggregation_time_interval\n\t\t\tAvailable " + "filter fields that supports wildcard (*): id, cid, login_status, account_id, host_id, user_sid, aid, " + "account_name, username, hostname, account_type, login_type, login_domain, admin_privileges, " + "local_admin_privileges, local_ip, remote_ip, host_country, host_city, failure_description, " + "aggregation_time_interval\n\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, <=): " + "login_timestamp, login_event_count\n\t\t\tAll filter fields and operations supports negation (!).", "name": "filter", "in": "query" } diff --git a/src/falconpy/_endpoint/_falcon_complete_dashboard.py b/src/falconpy/_endpoint/_falcon_complete_dashboard.py index c9f34e513..d29325edd 100644 --- a/src/falconpy/_endpoint/_falcon_complete_dashboard.py +++ b/src/falconpy/_endpoint/_falcon_complete_dashboard.py 
@@ -164,16 +164,16 @@
 },
 {
 "type": "string",
- "description": "The property to sort on, followed by a dot (.), "
- "followed by the sort direction, either \"asc\" or \"desc\".",
+ "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either "
+ "\"asc\" or \"desc\".",
 "name": "sort",
 "in": "query"
 },
 {
 "type": "string",
- "description": "Optional filter and sort criteria in the form of an FQL query. "
- "For more information about FQL queries, see "
- "[our FQL documentation](https://falconpy.io/Usage/Falcon-Query-Language).",
+ "description": "Optional filter and sort criteria in the form of an FQL query. For more information "
+ "about FQL queries, see [our FQL documentation in "
+ "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
 "name": "filter",
 "in": "query"
 },
@@ -200,16 +200,16 @@
 },
 {
 "type": "string",
- "description": "The property to sort on, followed by a dot (.), "
- "followed by the sort direction, either \"asc\" or \"desc\".",
+ "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either "
+ "\"asc\" or \"desc\".",
 "name": "sort",
 "in": "query"
 },
 {
 "type": "string",
- "description": "Optional filter and sort criteria in the form of an FQL query. "
- "For more information about FQL queries, see [our FQL documentation in Falcon]"
- "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
+ "description": "Optional filter and sort criteria in the form of an FQL query. For more information "
+ "about FQL queries, see [our FQL documentation in "
+ "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
 "name": "filter",
 "in": "query"
 },
@@ -236,16 +236,16 @@ }, { "type": "string", - "description": "The property to sort on, followed by a dot (.), " - "followed by the sort direction, either \"asc\" or \"desc\".", + "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either " + "\"asc\" or \"desc\".", "name": "sort", "in": "query" }, { "type": "string", - "description": "Optional filter and sort criteria in the form of an FQL query. " - "For more information about FQL queries, see [our FQL documentation in Falcon]" - "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", + "description": "Optional filter and sort criteria in the form of an FQL query. For more information " + "about FQL queries, see [our FQL documentation in " + "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", "name": "filter", "in": "query" }, @@ -272,16 +272,16 @@ }, { "type": "string", - "description": "The property to sort on, followed by a dot (.), " - "followed by the sort direction, either \"asc\" or \"desc\".", + "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either " + "\"asc\" or \"desc\".", "name": "sort", "in": "query" }, { "type": "string", - "description": "Optional filter and sort criteria in the form of an FQL query. " - "For more information about FQL queries, see [our FQL documentation in Falcon]" - "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", + "description": "Optional filter and sort criteria in the form of an FQL query. For more information " + "about FQL queries, see [our FQL documentation in " + "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", "name": "filter", "in": "query" }, 
@@ -297,8 +297,7 @@ "GetDeviceCountCollectionQueriesByFilter", "GET", "/falcon-complete-dashboards/queries/devicecount-collections/v1", - "Retrieve device count collection Ids that match the provided FQL filter, " - "criteria with scrolling enabled", + "Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled", "falcon_complete_dashboard", [ { @@ -309,16 +308,16 @@ }, { "type": "string", - "description": "The property to sort on, followed by a dot (.), " - "followed by the sort direction, either \"asc\" or \"desc\".", + "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either " + "\"asc\" or \"desc\".", "name": "sort", "in": "query" }, { "type": "string", - "description": "Optional filter and sort criteria in the form of an FQL query. " - "For more information about FQL queries, see [our FQL documentation in Falcon]" - "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", + "description": "Optional filter and sort criteria in the form of an FQL query. For more information " + "about FQL queries, see [our FQL documentation in " + "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", "name": "filter", "in": "query" }, 
@@ -345,16 +344,16 @@ }, { "type": "string", - "description": "The property to sort on, followed by a dot (.), followed by the sort " - "direction, either \"asc\" or \"desc\".", + "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either " + "\"asc\" or \"desc\".", "name": "sort", "in": "query" }, { "type": "string", - "description": "Optional filter and sort criteria in the form of an FQL query. " - "For more information about FQL queries, see [our FQL documentation in Falcon]" - "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", + "description": "Optional filter and sort criteria in the form of an FQL query. For more information " + "about FQL queries, see [our FQL documentation in " + "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", "name": "filter", "in": "query" }, @@ -381,16 +380,16 @@ }, { "type": "string", - "description": "The property to sort on, followed by a dot (.), " - "followed by the sort direction, either \"asc\" or \"desc\".", + "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either " + "\"asc\" or \"desc\".", "name": "sort", "in": "query" }, { "type": "string", - "description": "Optional filter and sort criteria in the form of an FQL query. " - "For more information about FQL queries, see [our FQL documentation in Falcon]" - "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", + "description": "Optional filter and sort criteria in the form of an FQL query. For more information " + "about FQL queries, see [our FQL documentation in " + "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", "name": "filter", "in": "query" }, 
@@ -417,16 +416,16 @@ }, { "type": "string", - "description": "The property to sort on, followed by a dot (.), followed by " - "the sort direction, either \"asc\" or \"desc\".", + "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either " + "\"asc\" or \"desc\".", "name": "sort", "in": "query" }, { "type": "string", - "description": "Optional filter and sort criteria in the form of an FQL query. " - "For more information about FQL queries, see [our FQL documentation in Falcon]" - "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", + "description": "Optional filter and sort criteria in the form of an FQL query. For more information " + "about FQL queries, see [our FQL documentation in " + "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", "name": "filter", "in": "query" }, diff --git a/src/falconpy/_endpoint/_falcon_container.py b/src/falconpy/_endpoint/_falcon_container.py index 3d5be3cd4..a0f00cbf4 100644 --- a/src/falconpy/_endpoint/_falcon_container.py +++ b/src/falconpy/_endpoint/_falcon_container.py 
@@ -46,22 +46,82 @@ [] ], [ - "GetCombinedImages", + "ReadRegistryEntitiesByUUID", "GET", - "/container-security/combined/image-assessment/images/v1", - "Get image assessment results by providing an FQL filter and paging details", - "falcon_container_image", + "/container-security/entities/registries/v1", + "Retrieve the registry entity identified by the entity UUID", + "falcon_container", [ { "type": "string", - "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: " - "container_running_status, cve_id, first_seen, registry, repository, tag, vulnerability_severity", - "name": "filter", - "in": "query" + "description": "Registry entity UUID", + "name": "ids", + "in": "query", + "required": True + } + ] + ], + [ + "CreateRegistryEntities", + "POST", + "/container-security/entities/registries/v1", + "Create a registry entity using the provided details", + "falcon_container", + [ + { + "name": "body", + "in": "body", + "required": True + } + ] + ], + [ + "UpdateRegistryEntities", + "PATCH", + "/container-security/entities/registries/v1", + "Update the registry entity, as identified by the entity UUID, using the provided details", + "falcon_container", + [ + { + "type": "string", + "description": "Registry entity UUID", + "name": "id", + "in": "query", + "required": True }, + { + "name": "body", + "in": "body", + "required": True + } + ] + ], + [ + "DeleteRegistryEntities", + "DELETE", + "/container-security/entities/registries/v1", + "Delete the registry entity identified by the entity UUID", + "falcon_container", + [ + { + "type": "string", + "description": "Registry entity UUID", + "name": "ids", + "in": "query", + "required": True + } + ] + ], + [ + "ReadRegistryEntities", + "GET", + "/container-security/queries/registries/v1", + "Retrieve registry entities identified by the customer id", + "falcon_container", + [ { "type": "integer", - "description": "The upper-bound on the number of records to retrieve [1-100]", + 
"description": "The upper-bound on the number of records to retrieve.", "name": "limit", "in": "query" }, @@ -73,8 +133,7 @@ }, { "type": "string", - "description": "The fields to sort the records on. Supported columns: " - "[first_seen registry repository tag vulnerability_severity]", + "description": "The field to sort on, e.g. id.desc or id.asc.", "name": "sort", "in": "query" } @@ -85,7 +144,7 @@ "POST", "/image-assessment/combined/vulnerability-lookups/v1", "Retrieve known vulnerabilities for the provided image", - "falcon_container_cli", + "falcon_container", [ { "name": "body", @@ -94,6 +153,41 @@ } ] ], + [ + "GetCombinedImages", + "GET", + "/container-security/combined/image-assessment/images/v1", + "Get image assessment results by providing an FQL filter and paging details", + "falcon_container_image", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: " + "container_running_status, cve_id, first_seen, registry, repository, tag, vulnerability_severity", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve [1-100]", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on. Supported columns: [first_seen registry repository " + "tag vulnerability_severity]", + "name": "sort", + "in": "query" + } + ] + ], [ "GetImageAssessmentReport", "GET", 
@@ -151,8 +245,8 @@ "ImageMatchesPolicy", "GET", "/policy-checks", - "After an image scan, use this operation to see if any images match a policy. If deny is true," - " the policy suggestion is that you do not deploy the image in your environment.", + "After an image scan, use this operation to see if any images match a policy. If deny is true, the policy " + "suggestion is that you do not deploy the image in your environment.", "falcon_container", [ { 
@@ -170,99 +264,5 @@ "required": True } ] - ], - [ - "ReadRegistryEntities", - "GET", - "/container-security/queries/registries/v1", - "Retrieve registry entities identified by the customer ID.", - "falcon_container_image", - [ - { - "type": "string", - "description": "Starting index of result set from which to return IDs.", - "name": "offset", - "in": "query" - }, - { - "type": "integer", - "description": "Number of IDs to return.", - "name": "limit", - "in": "query" - }, - { - "type": "string", - "description": "Order by fields.", - "name": "sort", - "in": "query" - } - ] - ], - [ - "CreateRegistryEntities", - "POST", - "/container-security/entities/registries/v1", - "Create a registry entity using the provided details.", - "falcon_container_image", - [ - { - "name": "body", - "in": "body", - "required": True - } - ] - ], - [ - "DeleteRegistryEntities", - "DELETE", - "/container-security/entities/registries/v1", - "Delete the registry entity identified by the entity UUID.", - "falcon_container_image", - [ - { - "type": "string", - "description": "Registry entity UUID.", - "name": "ids", - "in": "query", - "required": True - } - ] - ], - [ - "UpdateRegistryEntities", - "PATCH", - "/container-security/entities/registries/v1", - "Update the registry entity, as identified by the entity UUID, using the provided details.", - "falcon_container_image", - [ - { - "type": "string", - "description": "Registry entity UUID.", - "name": "id", - "in": "query", - "required": True - }, - { - "name": "body", - "in": "body", - "required": True - } - ] - ], - [ - "ReadRegistryEntitiesByUUID", - "GET", - "/container-security/entities/registries/v1", - "Retrieve the registry entity identified by the entity UUID.", - "falcon_container_image", - [ - { - "type": "string", - "description": "Registry entity UUID.", - "name": "ids", - "in": "query", - "required": True - } - ] ] ] 
diff --git a/src/falconpy/_endpoint/_falconx_sandbox.py b/src/falconpy/_endpoint/_falconx_sandbox.py index 93830c93b..e5994d3da 100644 --- a/src/falconpy/_endpoint/_falconx_sandbox.py +++ b/src/falconpy/_endpoint/_falconx_sandbox.py @@ -41,13 +41,13 @@ "GetArtifacts", "GET", "/falconx/entities/artifacts/v1", - "Download IOC packs, PCAP files, and other analysis artifacts.", + "Download IOC packs, PCAP files, memory dumps, and other analysis artifacts.", "falconx_sandbox", [ { "type": "string", - "description": "ID of an artifact, such as an IOC pack, PCAP file, or actor image. " - "Find an artifact ID in a report or summary.", + "description": "ID of an artifact, such as an IOC pack, PCAP file, memory dump, or actor image. Find " + "an artifact ID in a report or summary.", "name": "id", "in": "query", "required": True @@ -60,8 +60,8 @@ }, { "type": "string", - "description": "Format used to compress your downloaded file. Currently, you must " - "provide the value `gzip`, the only valid format.", + "description": "Format used to compress your downloaded file. Currently, you must provide the value " + "`gzip`, the only valid format.", "name": "Accept-Encoding", "in": "header" } @@ -89,8 +89,8 @@ }, { "type": "string", - "description": "Format used to compress your downloaded file. " - "Currently, you must provide the value `gzip`, the only valid format.", + "description": "Format used to compress your downloaded file. Currently, you must provide the value " + "`gzip`, the only valid format.", "name": "Accept-Encoding", "in": "header" } @@ -118,8 +118,8 @@ }, { "type": "string", - "description": "Format used to compress your downloaded file. " - "Currently, you must provide the value `gzip`, the only valid format.", + "description": "Format used to compress your downloaded file. Currently, you must provide the value " + "`gzip`, the only valid format.", "name": "Accept-Encoding", "in": "header" } 
@@ -147,8 +147,8 @@ }, { "type": "string", - "description": "Format used to compress your downloaded file. " - "Currently, you must provide the value `gzip`, the only valid format.", + "description": "Format used to compress your downloaded file. Currently, you must provide the value " + "`gzip`, the only valid format.", "name": "Accept-Encoding", "in": "header" } @@ -167,8 +167,8 @@ "type": "string" }, "collectionFormat": "csv", - "description": "ID of a summary. Find a summary ID from the response when submitting a " - "malware sample or search with `/falconx/queries/reports/v1`.", + "description": "ID of a summary. Find a summary ID from the response when submitting a malware sample " + "or search with `/falconx/queries/reports/v1`.", "name": "ids", "in": "query", "required": True @@ -188,8 +188,8 @@ "type": "string" }, "collectionFormat": "csv", - "description": "ID of a report. Find a report ID from the response when submitting a " - "malware sample or search with `/falconx/queries/reports/v1`.", + "description": "ID of a report. Find a report ID from the response when submitting a malware sample or " + "search with `/falconx/queries/reports/v1`.", "name": "ids", "in": "query", "required": True @@ -200,8 +200,8 @@ "DeleteReport", "DELETE", "/falconx/entities/reports/v1", - "Delete report based on the report ID. Operation can be checked for success by polling for the " - "report ID on the report-summaries endpoint.", + "Delete report based on the report ID. Operation can be checked for success by polling for the report ID " + "on the report-summaries endpoint.", "falconx_sandbox", [ { 
@@ -226,8 +226,8 @@ "type": "string" }, "collectionFormat": "csv", - "description": "ID of a submitted malware sample. Find a submission ID from the response when submitting " - "a malware sample or search with `/falconx/queries/submissions/v1`.", + "description": "ID of a submitted malware sample. Find a submission ID from the response when " + "submitting a malware sample or search with `/falconx/queries/submissions/v1`.", "name": "ids", "in": "query", "required": True 
@@ -238,29 +238,30 @@ "Submit", "POST", "/falconx/entities/submissions/v1", - "Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is " - "usually less than 15 minutes.", + "Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually " + "less than 15 minutes.", "falconx_sandbox", [ { - "description": "Submit either a URL or a sample SHA256 for sandbox analysis. " - "The sample file must have been previously uploaded through `/samples/entities/samples/v2`. " - "You must specify a JSON object that includes the `falconx.SubmissionParametersV1` key/value pairs " - "shown below.\n\n**`environment_id`**: Specifies the sandbox environment used for analysis. " - "Values:\n\n- `300`: Linux Ubuntu 16.04, 64-bit\n- `200`: Android (static analysis)\n- `160`: " - "Windows 10, 64-bit\n- `110`: Windows 7, 64-bit\n- `100`: Windows 7, 32-bit\n\n**`sha256`** " - "ID of the sample, which is a SHA256 hash value. Find a sample ID from the response when uploading " - "a malware sample or search with `/falconx/queries/submissions/v1`.The `url` parameter must be unset " - "if `sha256` is used.\n\n**`url`** A web page or file URL. It can be HTTP(S) or FTP. The `sha256` " - "parameter must be unset if `url` is used.\n\n**`action_script`** (optional): Runtime script for " - "sandbox analysis. Values:\n\n- `default`\n- `default_maxantievasion`\n- `default_randomfiles`\n- " - "`default_randomtheme`\n- `default_openie`\n\n**`command_line`** (optional): Command line script " - "passed to the submitted file at runtime. Max length: 2048 characters\n\n**`document_password`** " - "(optional): Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 " - "characters\n\n**`enable_tor`** (optional): If `true`, sandbox analysis routes network traffic via " - "TOR. 
Default: `false`.\n\n**`submit_name`** (optional): Name of the malware sample that's used for " - "file type detection and analysis\n\n**`system_date`** (optional): Set a custom date in the format " - "`yyyy-MM-dd` for the sandbox environment\n\n**`system_time`** (optional): Set a custom time in the " + "description": "Submit either a URL or a sample SHA256 for sandbox analysis. The sample file must have " + " been previously uploaded through `/samples/entities/samples/v2`. You must specify a JSON object that includes " + " the `falconx.SubmissionParametersV1` key/value pairs shown below.\n\n**`environment_id`**: Specifies the " + "sandbox environment used for analysis. Values:\n\n- `300`: Linux Ubuntu 16.04, 64-bit\n- `200`: Android " + "(static analysis)\n- `160`: Windows 10, 64-bit\n- `110`: Windows 7, 64-bit\n- `100`: Windows 7, " + "32-bit\n\n**`sha256`** ID of the sample, which is a SHA256 hash value. Find a sample ID from the response when " + " uploading a malware sample or search with `/falconx/queries/submissions/v1`.The `url` parameter must be unset " + " if `sha256` is used.\n\n**`url`** A web page or file URL. It can be HTTP(S) or FTP. The `sha256` parameter " + "must be unset if `url` is used.\n\n**`action_script`** (optional): Runtime script for sandbox analysis. " + "Values:\n\n- `default`\n- `default_maxantievasion`\n- `default_randomfiles`\n- `default_randomtheme`\n- " + "`default_openie`\n\n**`command_line`** (optional): Command line script passed to the submitted file at " + "runtime. Max length: 2048 characters\n\n**`document_password`** (optional): Auto-filled for Adobe or Office " + "files that prompt for a password. Max length: 32 characters\n\n**`enable_tor`** (optional): Deprecated, please " + " use `network_settings` instead. If `true`, sandbox analysis routes network traffic via TOR. Default: " + "`false`.\n\n**`network_settings`** (optional): Specifies the sandbox network_settings used for analysis. 
" + "Values:\n\n- `default`: Fully operating network\n- `tor`: Route network traffic via TOR\n- `simulated`: " + "Simulate network traffic\n- `offline`: No network traffic\n\n**`submit_name`** (optional): Name of the malware " + " sample that's used for file type detection and analysis\n\n**`system_date`** (optional): Set a custom date in " + " the format `yyyy-MM-dd` for the sandbox environment\n\n**`system_time`** (optional): Set a custom time in the " "format `HH:mm` for the sandbox environment.", "name": "body", "in": "body", @@ -272,15 +273,15 @@ "QueryReports", "GET", "/falconx/queries/reports/v1", - "Find sandbox reports by providing an FQL filter and paging details. " - "Returns a set of report IDs that match your criteria.", + "Find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that " + "match your criteria.", "falconx_sandbox", [ { "type": "string", - "description": "Optional filter and sort criteria in the form of an FQL query. " - "For more information about FQL queries, see [our FQL documentation in Falcon]" - "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", + "description": "Optional filter and sort criteria in the form of an FQL query. For more information " + "about FQL queries, see [our FQL documentation in " + "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", "name": "filter", "in": "query" }, 
@@ -308,15 +309,15 @@ "QuerySubmissions", "GET", "/falconx/queries/submissions/v1", - "Find submission IDs for uploaded files by providing an FQL filter and paging details. " - "Returns a set of submission IDs that match your criteria.", + "Find submission IDs for uploaded files by providing an FQL filter and paging details. Returns a set of " + "submission IDs that match your criteria.", "falconx_sandbox", [ { "type": "string", - "description": "Optional filter and sort criteria in the form of an FQL query. " - "For more information about FQL queries, see [our FQL documentation in Falcon]" - "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", + "description": "Optional filter and sort criteria in the form of an FQL query. For more information " + "about FQL queries, see [our FQL documentation in " + "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", "name": "filter", "in": "query" }, @@ -367,7 +368,8 @@ "UploadSampleV2", "POST", "/samples/entities/samples/v2", - "Upload a file for sandbox analysis. After uploading, use `/falconx/entities/submissions/v1` to start analyzing the file.", + "Upload a file for sandbox analysis. After uploading, use `/falconx/entities/submissions/v1` to start " + "analyzing the file.", "falconx_sandbox", [ { 
@@ -407,9 +409,9 @@ { "type": "boolean", "default": True, - "description": "Defines visibility of this file in Falcon MalQuery, either via the API or the " - "Falcon console.\n\n- `true`: File is only shown to users within your customer account\n- `false`: " - "File can be seen by other CrowdStrike customers \n\nDefault: `true`.", + "description": "Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon " + "console.\n\n- `true`: File is only shown to users within your customer account\n- `false`: File can be seen by " + "other CrowdStrike customers \n\nDefault: `true`.", "name": "is_confidential", "in": "formData" } @@ -435,8 +437,8 @@ "QuerySampleV1", "POST", "/samples/queries/samples/GET/v1", - "Retrieves a list with sha256 of samples that exist and customer has rights to access them, " - "maximum number of accepted items is 200", + "Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number " + "of accepted items is 200", "falconx_sandbox", [ { diff --git a/src/falconpy/_endpoint/_fdr.py b/src/falconpy/_endpoint/_fdr.py index 819bb8631..ea75c8731 100644 --- a/src/falconpy/_endpoint/_fdr.py +++ b/src/falconpy/_endpoint/_fdr.py @@ -42,7 +42,7 @@ "GET", "/fdr/combined/schema-members/v1", "Fetch combined schema", - "event_schema", + "fdr", [] ], [ @@ -50,7 +50,26 @@ "GET", "/fdr/entities/schema-events/v1", "Fetch event schema by ID", - "event_schema", + "fdr", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "Specify feed IDs to fetch", + "name": "ids", + "in": "query" + } + ] + ], + [ + "fdrschema_entities_field_get", + "GET", + "/fdr/entities/schema-fields/v1", + "Fetch field schema by ID", + "fdr", [ { "type": "array", @@ -69,7 +88,7 @@ "GET", "/fdr/queries/schema-events/v1", "Get list of event IDs given a particular query.", - "event_schema", + "fdr", [ { "type": "integer", 
@@ -97,31 +116,12 @@ } ] ], - [ - "fdrschema_entities_field_get", - "GET", - "/fdr/entities/schema-fields/v1", - "Fetch field schema by ID", - "field_schema", - [ - { - "type": "array", - "items": { - "type": "string" - }, - "collectionFormat": "multi", - "description": "Specify feed IDs to fetch", - "name": "ids", - "in": "query" - } - ] - ], [ "fdrschema_queries_field_get", "GET", "/fdr/queries/schema-fields/v1", "Get list of field IDs given a particular query.", - "field_schema", + "fdr", [ { "type": "integer", diff --git a/src/falconpy/_endpoint/_filevantage.py b/src/falconpy/_endpoint/_filevantage.py index 0743ce570..671ffbacb 100644 --- a/src/falconpy/_endpoint/_filevantage.py +++ b/src/falconpy/_endpoint/_filevantage.py @@ -52,8 +52,8 @@ "type": "string" }, "collectionFormat": "multi", - "description": "One or more change ids in the form of `ids=ID1&ids=ID2`. " - "The maximum number of ids that can be requested at once is `500`.", + "description": "One or more change ids in the form of `ids=ID1&ids=ID2`. The maximum number of ids " + "that can be requested at once is `500`.", "name": "ids", "in": "query", "required": True @@ -148,8 +148,8 @@ "type": "string" }, "collectionFormat": "multi", - "description": "One or more rule group ids in the form of ids=ID1&ids=ID2. Note, for the precedence action, " - "precedence is controlled by the order of the ids as they are specified in the request.", + "description": "One or more rule group ids in the form of ids=ID1&ids=ID2. Note, for the precedence " + "action, precedence is controlled by the order of the ids as they are specified in the request.", "name": "ids", "in": "query", "required": True 
@@ -185,9 +185,10 @@ "filevantage", [ { - "description": "Create a new policy.\n\n * `name` must be between 1 and 100 characters.\n\n * `description` " - "can be between 0 and 500 characters.\n\n * `platform` must be one of `Windows`, `Linux`, or `Mac`\n\n " - "Rule and host group assignment and policy precedence setting is performed via their respective patch end-points.", + "description": "Create a new policy.\n\n * `name` must be between 1 and 100 characters.\n\n * " + "`description` can be between 0 and 500 characters.\n\n * `platform` must be one of `Windows`, `Linux`, or " + "`Mac`\n\n Rule and host group assignment and policy precedence setting is performed via their respective patch " + "end-points.", "name": "body", "in": "body", "required": True @@ -202,11 +203,11 @@ "filevantage", [ { - "description": "Enables updates to the following fields for an existing policy. \n\n * `id` of the policy " - "to update.\n\n * `name` must be between 1 and 100 characters.\n\n * `description` can be between 0 and 500 " - "characters.\n\n * `platform` may not be modified after the policy is created.\n\n * `enabled` must be one " - "of `true` or `false`.\n\n Rule and host group assignment and policy precedence setting is performed via " - "their respective patch end-points.", + "description": "Enables updates to the following fields for an existing policy. \n\n * `id` of the " + "policy to update.\n\n * `name` must be between 1 and 100 characters.\n\n * `description` can be between 0 and " + "500 characters.\n\n * `platform` may not be modified after the policy is created.\n\n * `enabled` must be one " + "of `true` or `false`.\n\n Rule and host group assignment and policy precedence setting is performed via their " + "respective patch end-points.", "name": "body", "in": "body", "required": True 
@@ -268,17 +269,30 @@ "filevantage", [ { - "description": "Create a new scheduled exclusion configuration for the specified policy.\n\n \n\n * `policy_id` " - "to add the scheduled exclusion to.\n\n * `name` must be between 1 and 100 characters.\n\n * `description` " - "can be between 0 and 500 characters.\n\n * `users` can be between 0 and 500 characters representing a comma " - "separated list of user to exclude their changes.\n\n * admin* excludes changes made by all usernames that " - "begin with admin. Falon GLOB syntax is supported.\n\n * `processes` can be between 0 and 500 characters " - "representing a comma separated list of processes to exclude their changes.\n\n * **\\RunMe.exe or **/RunMe.sh " - "excludes changes made by RunMe.exe or RunMe.sh in any location.\n\n * `schedule_start` must be provided to " - "indicate the start of the schedule. This date/time must be an rfc3339 formatted string " - "https://datatracker.ietf.org/doc/html/rfc3339.\n\n * `schedule_end` optionally provided to indicate " - "the end of the schedule. This date/time must be an rfc3339 formatted string " - "https://datatracker.ietf.org/doc/html/rfc3339.", + "description": "Create a new scheduled exclusion configuration for the specified policy.\n\n \n\n * " + "`policy_id` to add the scheduled exclusion to.\n\n * `name` must be between 1 and 100 characters.\n\n * " + "`description` can be between 0 and 500 characters.\n\n * `users` can be between 0 and 500 characters " + "representing a comma separated list of user to exclude their changes.\n\n * admin* excludes changes made " + "by all usernames that begin with admin. Falon GLOB syntax is supported.\n\n * `processes` can be between 0 and " + " 500 characters representing a comma separated list of processes to exclude their changes.\n\n * " + "**\\RunMe.exe or **/RunMe.sh excludes changes made by RunMe.exe or RunMe.sh in any location.\n\n * " + "`schedule_start` must be provided to indicate the start of the schedule. 
This date/time must be an rfc3339 " + "formatted string https://datatracker.ietf.org/doc/html/rfc3339.\n\n * `schedule_end` optionally provided to " + "indicate the end of the schedule. This date/time must be an rfc3339 formatted string " + "https://datatracker.ietf.org/doc/html/rfc3339.\n\n * `timezone` must be provided to indicate the TimeZone " + "Name set for the provided `scheduled_start` and `scheduled_end` values. See " + "https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.\n\n * `repeated` optionally provided to indicate " + " that the exclusion is applied repeatedly within the `scheduled_start` and `scheduled_end` time.\n\n * " + "`start_time` must be the hour(00-23) and minute(00-59) of the day formatted as `HH:MM`. Required if `all_day` " + "is not set to `true`\n\n * `end_time` must be the hour(00-23) and minute(00-59) of the day formatted as " + "`HH:MM`. Required if `all_day` is not set to `true`\n\n * `all_day` must be `true` or `false` to indicate " + "the exclusion is applied all day. \n\n * `frequency` must be one of `daily`, `weekly` or `monthly`. \n\n " + " * `occurrence` must be one of the following when `frequency` is set to `monthly`:\n\n * `1st`, `2nd`, " + " `3rd`, `4th` or `Last` represents the week.\n\n * `Days` represents specific calendar days.\n\n * " + "`weekly_days` must be one or more of `Monday`, `Tuesday`, `Wednesday`, `Thursday`, `Friday`, `Saturday` or " + "`Sunday` when `frequency` is set to `weekly` or `frequency` is set to `monthly` and `occurrence` is NOT set to " + " `Days`. \n\n * `monthly_days` must be set to one or more calendar days, between 1 and 31 when `frequency` " + "is set to `monthly` and `occurrence` is set to `Days`. ", "name": "body", "in": "body", "required": True 
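Review bot: The new `timezone` and `repeated` bullets in the CreateScheduledExclusion body description name the fields `scheduled_start` and `scheduled_end`, while the same description defines them as `schedule_start` and `schedule_end` two bullets earlier; one spelling is wrong, and a caller following the text may send a field the API ignores, which for a scheduled exclusion could mean change reporting is suppressed at an unintended time. If the API spec itself carries the mismatch the description should still use one spelling, e.g. `"... set for the provided `schedule_start` and `schedule_end` values. See "`. The following UpdateScheduledExclusion hunk (`@@ -293,18 +307,30 @@`, which runs past the end of this page) repeats the same bullets, and its first bullet now reads `` `policy_id` to add the scheduled exclusion to`` in place of the former `` `id` representing the scheduled exclusion to update``, so the update text no longer mentions the `id` field at all. Both descriptions also contain fragments that begin with a space after a fragment ending in one (`"between 0 and " " 500 characters"`), producing double spaces in the rendered text.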
@@ -293,18 +307,30 @@ "filevantage", [ { - "description": "Update an existing scheduled exclusion for the specified policy.\n\n \n\n * `id` " - "representing the scheduled exclusion to update.\n\n * `policy_id` which the scheduled exclusion " - "is assigned.\n\n * `name` must be between 1 and 100 characters.\n\n * `description` can be between " - "0 and 500 characters.\n\n * `users` can be between 0 and 500 characters representing a comma " - "separated list of user to exclude their changes.\n\n * admin* excludes changes made by all " - "usernames that begin with admin. Falon GLOB syntax is supported.\n\n * `processes` can be between " - "0 and 500 characters representing a comma separated list of processes to exclude their changes.\n\n" - " * **\\RunMe.exe or **/RunMe.sh excludes changes made by RunMe.exe or RunMe.sh in any location." - "\n\n * `schedule_start` must be provided to indicate the start of the schedule. This date/time must " - "be an rfc3339 formatted string https://datatracker.ietf.org/doc/html/rfc3339.\n\n * `schedule_end` " - "optionally provided to indicate the end of the schedule. This date/time must be an rfc3339 formatted " - "string https://datatracker.ietf.org/doc/html/rfc3339.", + "description": "Update an existing scheduled exclusion for the specified policy.\n\n \n\n * " + "`policy_id` to add the scheduled exclusion to.\n\n * `name` must be between 1 and 100 characters.\n\n * " + "`description` can be between 0 and 500 characters.\n\n * `users` can be between 0 and 500 characters " + "representing a comma separated list of user to exclude their changes.\n\n * admin* excludes changes made " + "by all usernames that begin with admin. 
Falon GLOB syntax is supported.\n\n * `processes` can be between 0 and " + " 500 characters representing a comma separated list of processes to exclude their changes.\n\n * " + "**\\RunMe.exe or **/RunMe.sh excludes changes made by RunMe.exe or RunMe.sh in any location.\n\n * " + "`schedule_start` must be provided to indicate the start of the schedule. This date/time must be an rfc3339 " + "formatted string https://datatracker.ietf.org/doc/html/rfc3339.\n\n * `schedule_end` optionally provided to " + "indicate the end of the schedule. This date/time must be an rfc3339 formatted string " + "https://datatracker.ietf.org/doc/html/rfc3339.\n\n * `timezone` must be provided to indicate the TimeZone " + "Name set for the provided `scheduled_start` and `scheduled_end` values. See " + "https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.\n\n * `repeated` optionally provided to indicate " + " that the exclusion is applied repeatedly within the `scheduled_start` and `scheduled_end` time.\n\n * " + "`start_time` must be the hour(00-23) and minute(00-59) of the day formatted as `HH:MM`. Required if `all_day` " + "is not set to `true`\n\n * `end_time` must be the hour(00-23) and minute(00-59) of the day formatted as " + "`HH:MM`. Required if `all_day` is not set to `true`\n\n * `all_day` must be `true` or `false` to indicate " + "the exclusion is applied all day. \n\n * `frequency` must be one of `daily`, `weekly` or `monthly`. \n\n " + " * `occurrence` must be one of the following when `frequency` is set to `monthly`:\n\n * `1st`, `2nd`, " + " `3rd`, `4th` or `Last` represents the week.\n\n * `Days` represents specific calendar days.\n\n * " + "`weekly_days` must be one or more of `Monday`, `Tuesday`, `Wednesday`, `Thursday`, `Friday`, `Saturday` or " + "`Sunday` when `frequency` is set to `weekly` or `frequency` is set to `monthly` and `occurrence` is NOT set to " + " `Days`. 
\n\n * `monthly_days` must be set to one or more calendar days, between 1 and 31 when `frequency` " + "is set to `monthly` and `occurrence` is set to `Days`. ", "name": "body", "in": "body", "required": True 
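Review bot: The rewritten description for the update-scheduled-exclusion body no longer documents `id`, and its first bullet now reads `\`policy_id\` to add the scheduled exclusion to.`, which is the create-endpoint wording pasted into an update endpoint. The removed text had the two bullets that actually apply here: `* \`id\` representing the scheduled exclusion to update.\n\n * \`policy_id\` which the scheduled exclusion is assigned.`, and restoring them keeps the update body self-describing. The same `schedule_start`/`scheduled_start` spelling mismatch and the `Falon GLOB` typo present in the create description are duplicated in this text, so whatever fix lands there should be mirrored here.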
@@ -401,35 +427,33 @@ [ { "description": "Create a new rule configuration for the specified rule group.\n\n * `id` is not " - "supported for creation of a rule, the new id of the created rule will be included in the response." - "\n\n * `rule_group_id` to add the new rule configuration.\n\n * `description` can be between 0 and " - "500 characters.\n\n * `path` representing the file system or registry path to monitor.\n\n * must " - "be between 1 and 250 characters. \n\n * All paths must end with the path separator, e.g. " - "c:\\windows\\ /usr/bin/ \n\n * `severity` to categorize change events produced by this rule; " - "must be one of: `Low`, `Medium`, `High` or `Critical`\n\n * `depth` below the base path to monitor; " - "must be one of: `1`, `2`, `3`, `4`, `5` or `ANY`\n\n * `precedence` - is not supported for creation " - "of a rule, new rules will be added last in precedence order.will result this rule being placed before " - "that existing rule.\n\nFalcon GLOB syntax is supported for the following 6 properties. Allowed rule " - "group configuration is based on the type of rule group the rule group is added to.\n\n * `include` " - "represents the files, directories, registry keys, or registry values that will be monitored. \n\n " - "* `exclude` represents the files, directories, registry keys, or registry values that will `NOT` " - "be monitored. \n\n * `include_users` represents the changes performed by specific users that will " - "be monitored (`macOS` is not supported at this time).\n\n * `exclude_users` represents the changes " - "performed by specific users that will `NOT` be monitored (`macOS` is not supported at this time)." 
- "\n\n * `include_processes` represents the changes performed by specific processes that will be monitored " - "(`macOS` is not supported at this time).\n\n * `exclude_users` represents the changes performed by " - "specific processes that will be `NOT` monitored (`macOS` is not supported at this time).\n\nFile " - "system directory monitoring:\n\n * `watch_delete_directory_changes`\n\n * " + "supported for creation of a rule, the new id of the created rule will be included in the response.\n\n * " + "`rule_group_id` to add the new rule configuration.\n\n * `description` can be between 0 and 500 " + "characters.\n\n * `path` representing the file system or registry path to monitor.\n\n * must be between 1 " + "and 250 characters. \n\n * All paths must end with the path separator, e.g. c:\\windows\\ /usr/bin/ \n\n * " + "`severity` to categorize change events produced by this rule; must be one of: `Low`, `Medium`, `High` or " + "`Critical`\n\n * `depth` below the base path to monitor; must be one of: `1`, `2`, `3`, `4`, `5` or `ANY`\n\n " + "* `precedence` - is not supported for creation of a rule, new rules will be added last in precedence " + "order.\n\nFalcon GLOB syntax is supported for the following 6 properties. Allowed rule group configuration is " + "based on the type of rule group the rule group is added to.\n\n * `include` represents the files, directories, " + " registry keys, or registry values that will be monitored. \n\n * `exclude` represents the files, directories, " + " registry keys, or registry values that will `NOT` be monitored. 
\n\n * `include_users` represents the changes " + " performed by specific users that will be monitored.\n\n * `exclude_users` represents the changes performed by " + " specific users that will `NOT` be monitored.\n\n * `include_processes` represents the changes performed by " + "specific processes that will be monitored.\n\n * `exclude_processes` represents the changes performed by " + "specific processes that will be `NOT` monitored.\n\n * `content_files` represents the files whose content will " + " be monitored. Listed files must match the file include pattern and not match the file exclude pattern\n\n * " + "`content_registry_values` represents the registry values whose content will be monitored. Listed registry " + "values must match the registry include pattern and not match the registry exclude pattern\n\n * " + "`enable_content_capture`\n\nFile system directory monitoring:\n\n * `watch_delete_directory_changes`\n\n * " "`watch_create_directory_changes`\n\n * `watch_rename_directory_changes`\n\n * " "`watch_attributes_directory_changes` (`macOS` is not supported at this time)\n\n * " - "`watch_permissions_directory_changes` (`macOS` is not supported at this time)\n\n" - "File system file monitoring:\n\n * `watch_rename_file_changes`\n\n * " - "`watch_write_file_changes`\n\n * `watch_create_file_changes`\n\n * " - "`watch_delete_file_changes`\n\n * `watch_attributes_file_changes` " - "(`macOS` is not supported at this time)\n\n * `watch_permissions_file_changes` " - "(`macOS` is not supported at this time)\n\nWindows registry key and value monitoring: " - "\n\n * `watch_create_key_changes`\n\n * `watch_delete_key_changes`\n\n * " - "`watch_rename_key_changes`\n\n * `watch_set_value_changes`\n\n * " + "`watch_permissions_directory_changes` (`macOS` is not supported at this time)\n\nFile system file " + "monitoring:\n\n * `watch_rename_file_changes`\n\n * `watch_write_file_changes`\n\n * " + "`watch_create_file_changes`\n\n * `watch_delete_file_changes`\n\n * 
`watch_attributes_file_changes` (`macOS` " + "is not supported at this time)\n\n * `watch_permissions_file_changes` (`macOS` is not supported at this " + "time)\n\nWindows registry key and value monitoring: \n\n * `watch_create_key_changes`\n\n * " + "`watch_delete_key_changes`\n\n * `watch_rename_key_changes`\n\n * `watch_set_value_changes`\n\n * " "`watch_delete_value_changes`\n\n * `watch_create_file_changes`", "name": "body", "in": "body", 
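Review bot: The new create-rule description still states `Falcon GLOB syntax is supported for the following 6 properties`, but the list that follows now has eight named properties plus `enable_content_capture` before the monitoring sections, so either the count is stale or the added `content_files`/`content_registry_values` entries should be marked as plain lists rather than glob patterns; the text does not say which. The added `\`enable_content_capture\`` bullet is also the only body field with no explanation of its purpose or allowed values, which stands out next to the fully described fields around it. A one-line statement of what it enables and what type it takes, or a note that it is documented elsewhere, would make the docstring complete; I cannot infer its semantics from this hunk.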
@@ -445,39 +469,35 @@ "filevantage", [ { - "description": "Update the rule configuration for the specified rule ID and group." - "\n\n * `id` of the rule to update.\n\n * `rule_group_id` that contains the rule " - "configuration.\n\n * `description` can be between 0 and 500 characters.\n\n * " - "`path` representing the file system or registry path to monitor.\n\n * must be " - "between 1 and 250 characters. \n\n * All paths must end with the path separator, " - "e.g. c:\\windows\\ /usr/bin/ \n\n * `severity` to categorize change events produced " - "by this rule; must be one of: `Low`, `Medium`, `High` or `Critical`\n\n * `depth` " - "below the base path to monitor; must be one of: `1`, `2`, `3`, `4`, `5` or `ANY`" - "\n\n * `precedence` is the order in which rules will be evaluated starting with 1. " - "Specifying a precedence value that is already set for another rule in the group will " - "result this rule being placed before that existing rule.\n\nFalcon GLOB syntax is " - "supported for the following 6 properties. Allowed rule group configuration is based " - "on the type of rule group the rule group is added to.\n\n * `include` represents the " - "files, directories, registry keys, or registry values that will be monitored. \n\n " - "* `exclude` represents the files, directories, registry keys, or registry values " - "that will `NOT` be monitored. 
\n\n * `include_users` represents the changes performed " - "by specific users that will be monitored (`macOS` is not supported at this time).\n\n " - "* `exclude_users` represents the changes performed by specific users that will `NOT` " - "be monitored (`macOS` is not supported at this time).\n\n * `include_processes` " - "represents the changes performed by specific processes that will be monitored " - "(`macOS` is not supported at this time).\n\n * `exclude_users` represents the changes " - "performed by specific processes that will be `NOT` monitored (`macOS` is not supported " - "at this time).\n\nFile system directory monitoring:\n\n * `watch_delete_directory_changes`" - "\n\n * `watch_create_directory_changes`\n\n * `watch_rename_directory_changes`\n\n * " + "description": "Update the rule configuration for the specified rule ID and group.\n\n * `id` of the " + "rule to update.\n\n * `rule_group_id` that contains the rule configuration.\n\n * `description` can be between " + " 0 and 500 characters.\n\n * `path` representing the file system or registry path to monitor.\n\n * must be " + "between 1 and 250 characters. \n\n * All paths must end with the path separator, e.g. c:\\windows\\ " + "/usr/bin/ \n\n * `severity` to categorize change events produced by this rule; must be one of: `Low`, " + "`Medium`, `High` or `Critical`\n\n * `depth` below the base path to monitor; must be one of: `1`, `2`, `3`, " + "`4`, `5` or `ANY`\n\n * `precedence` is the order in which rules will be evaluated starting with 1. Specifying " + " a precedence value that is already set for another rule in the group will result this rule being placed " + "before that existing rule.\n\nFalcon GLOB syntax is supported for the following 6 properties. Allowed rule " + "group configuration is based on the type of rule group the rule group is added to.\n\n * `include` represents " + "the files, directories, registry keys, or registry values that will be monitored. 
\n\n * `exclude` represents " + "the files, directories, registry keys, or registry values that will `NOT` be monitored. \n\n * `include_users` " + " represents the changes performed by specific users that will be monitored.\n\n * `exclude_users` represents " + "the changes performed by specific users that will `NOT` be monitored.\n\n * `include_processes` represents the " + " changes performed by specific processes that will be monitored.\n\n * `exclude_processes` represents the " + "changes performed by specific processes that will be `NOT` monitored.\n\n * `content_files` represents the " + "files that will be monitored. Listed files must match the file include pattern and not match the file exclude " + "pattern\n\n * `content_registry_values` represents the registry values whose content will be monitored. Listed " + " registry values must match the registry include pattern and not match the registry exclude pattern\n\n * " + "`enable_content_capture`\n\nFile system directory monitoring:\n\n * `watch_delete_directory_changes`\n\n * " + "`watch_create_directory_changes`\n\n * `watch_rename_directory_changes`\n\n * " "`watch_attributes_directory_changes` (`macOS` is not supported at this time)\n\n * " - "`watch_permissions_directory_changes` (`macOS` is not supported at this time)\n\n" - "File system file monitoring:\n\n * `watch_rename_file_changes`\n\n * `watch_write_file_changes`" - "\n\n * `watch_create_file_changes`\n\n * `watch_delete_file_changes`\n\n * " - "`watch_attributes_file_changes` (`macOS` is not supported at this time)\n\n * " - "`watch_permissions_file_changes` (`macOS` is not supported at this time)\n\n" - "Windows registry key and value monitoring: \n\n * `watch_create_key_changes`\n\n * " - "`watch_delete_key_changes`\n\n * `watch_rename_key_changes`\n\n * " - "`watch_set_value_changes`\n\n * `watch_delete_value_changes`\n\n * `watch_create_file_changes`", + "`watch_permissions_directory_changes` (`macOS` is not supported at this time)\n\nFile 
system file " + "monitoring:\n\n * `watch_rename_file_changes`\n\n * `watch_write_file_changes`\n\n * " + "`watch_create_file_changes`\n\n * `watch_delete_file_changes`\n\n * `watch_attributes_file_changes` (`macOS` " + "is not supported at this time)\n\n * `watch_permissions_file_changes` (`macOS` is not supported at this " + "time)\n\nWindows registry key and value monitoring: \n\n * `watch_create_key_changes`\n\n * " + "`watch_delete_key_changes`\n\n * `watch_rename_key_changes`\n\n * `watch_set_value_changes`\n\n * " + "`watch_delete_value_changes`\n\n * `watch_create_file_changes`", "name": "body", "in": "body", "required": True @@ -539,10 +559,10 @@ "filevantage", [ { - "description": "Create a new rule group of a specific type.\n\n * `name` must be between 1 and " - "100 characters.\n\n * `type` must be one of `WindowsFiles`, `WindowsRegistry`, `LinuxFiles` or " - "`MacFiles`.\n\n * `description` can be between 0 and 500 characters.\n\n Note: rules are " - "added/removed from rule groups using their dedicated end-points.", + "description": "Create a new rule group of a specific type.\n\n * `name` must be between 1 and 100 " + "characters.\n\n * `type` must be one of `WindowsFiles`, `WindowsRegistry`, `LinuxFiles` or `MacFiles`.\n\n * " + "`description` can be between 0 and 500 characters.\n\n Note: rules are added/removed from rule groups using " + "their dedicated end-points.", "name": "body", "in": "body", "required": True 
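Review bot: The update-rule description defines `content_files` as `the files that will be monitored`, while the create-rule description in the previous hunk defines the same field as `the files whose content will be monitored`; for a field named `content_files` next to `enable_content_capture` the create wording is the more precise one, and the two endpoints take the same body shape, so the line should probably read `"files whose content will be monitored. Listed files must match the file include pattern and not match the file exclude "` here too. The `6 properties` count and the undocumented `enable_content_capture` bullet are also duplicated from the create description, so any correction there applies to this text as well.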
@@ -557,10 +577,10 @@ "filevantage", [ { - "description": "Enables updates to the following fields for an existing rule group. \n\n * `id` " - "of the rule group to update.\n\n * `name` must be between 1 and 100 characters.\n\n * " - "`description` can be between 0 and 500 characters.\n\n * `type` may not be modified after " - "the rule group is created.\n\n Note: rules are added/removed from rule groups using their dedicated end-points.", + "description": "Enables updates to the following fields for an existing rule group. \n\n * `id` of the " + " rule group to update.\n\n * `name` must be between 1 and 100 characters.\n\n * `description` can be between 0 " + " and 500 characters.\n\n * `type` may not be modified after the rule group is created.\n\n Note: rules are " + "added/removed from rule groups using their dedicated end-points.", "name": "body", "in": "body", "required": True 
@@ -591,42 +611,39 @@ "queryChanges", "GET", "/filevantage/queries/changes/v2", - "Returns one or more change IDs", + "Returns 1 or more change ids", "filevantage", [ { "minimum": 0, "type": "integer", - "description": "The first change index to return in the response. " - "If not provided it will default to '0'. " - "Use with the `limit` parameter to manage pagination of results.", + "default": 0, + "description": "The offset to start retrieving records from. Defaults to `0` if not specified.", "name": "offset", "in": "query" }, { "maximum": 500, "type": "integer", - "description": "The maximum number of changes to return in the response " - "(default: 100; max: 500). " - "Use with the `offset` parameter to manage pagination of results", + "default": 100, + "description": "The maximum number of ids to return. Defaults to `100` if not specified. The maximum " + "number of results that can be returned in a single call is `500`.", "name": "limit", "in": "query" }, { "type": "string", - "description": "Sort changes using options like:\n\n" - "- `action_timestamp` (timestamp of the change occurrence) \n\n " - "Sort either `asc` (ascending) or `desc` (descending). " - "For example: `action_timestamp|asc`.\n" - "The full list of allowed sorting options can be reviewed in our API documentation.", + "description": "Sort results using options like:\n\n- `action_timestamp` (timestamp of the change " + "occurrence) \n\nSort either `asc` (ascending) or `desc` (descending). For example: " + "`action_timestamp|asc`.\nThe full list of allowed sorting options can be reviewed in our API documentation.", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter changes using a query in Falcon Query Language (FQL). 
\n\n" - "Common filter options include:\n\n - `host.host_name`\n - `action_timestamp`\n\n " - "The full list of allowed filter parameters can be reviewed in our API documentation.", + "description": "Filter changes using a query in Falcon Query Language (FQL). \n\nCommon filter options " + " include:\n\n - `host.name`\n - `action_timestamp`\n\n The full list of allowed filter parameters can be " + "reviewed in our API documentation.", "name": "filter", "in": "query" } @@ -641,10 +658,10 @@ [ { "type": "string", - "description": "A pagination token used with the `limit` parameter to manage pagination of results. " - "On your first request don't provide a value for the `after` token. On subsequent requests provide " - "the `after` token value from the previous response to continue pagination from where you left. " - "If the response returns an empty `after` token it means there are no more results to return.", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request don't provide a value for the `after` token. On subsequent requests provide the `after` " + "token value from the previous response to continue pagination from where you left. If the response returns an " + "empty `after` token it means there are no more results to return.", "name": "after", "in": "query" }, @@ -652,8 +669,8 @@ "maximum": 5000, "type": "integer", "default": 100, - "description": "The maximum number of ids to return. Defaults to `100` if not specified. " - "The maximum number of results that can be returned in a single call is `5000`.", + "description": "The maximum number of ids to return. Defaults to `100` if not specified. The maximum " + "number of results that can be returned in a single call is `5000`.", "name": "limit", "in": "query" }, 
@@ -661,17 +678,17 @@ "type": "string", "default": "action_timestamp|desc", "description": "Sort results using options like:\n\n- `action_timestamp` (timestamp of the change " - "occurrence) \n\nSort either `asc` (ascending) or `desc` (descending). For example: " - "`action_timestamp|asc`. Defaults to `action_timestamp|desc` no value is specified.\nThe full list " - "of allowed sorting options can be reviewed in our API documentation.", + "occurrence) \n\nSort either `asc` (ascending) or `desc` (descending). For example: `action_timestamp|asc`. " + "Defaults to `action_timestamp|desc` no value is specified.\nThe full list of allowed sorting options can be " + "reviewed in our API documentation.", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter changes using a query in Falcon Query Language (FQL). \n\nCommon filter " - "options include:\n\n - `host.name`\n - `action_timestamp`\n\n The full list of allowed filter " - "parameters can be reviewed in our API documentation.", + "description": "Filter changes using a query in Falcon Query Language (FQL). \n\nCommon filter options " + " include:\n\n - `host.name`\n - `action_timestamp`\n\n The full list of allowed filter parameters can be " + "reviewed in our API documentation.", "name": "filter", "in": "query" } 
@@ -693,16 +710,16 @@ }, { "type": "integer", - "description": "The maximum number of ids to return. Defaults to 100 if not specified. " - "The maximum number of results that can be returned in a single call is 500.", + "description": "The maximum number of ids to return. Defaults to 100 if not specified. The maximum " + "number of results that can be returned in a single call is 500.", "name": "limit", "in": "query" }, { "type": "string", "description": "Sort the returned ids based on one of the following properties:\n\n`precedence`, " - "`created_timestamp` or `modified_timestamp`\n\n Sort either `asc` (ascending) or `desc` " - "(descending); for example: `precedence|asc`.", + "`created_timestamp` or `modified_timestamp`\n\n Sort either `asc` (ascending) or `desc` (descending); for " + "example: `precedence|asc`.", "name": "sort", "in": "query" }, 
@@ -747,23 +764,23 @@ }, { "type": "integer", - "description": "The maximum number of ids to return. Defaults to 100 if not specified. " - "The maximum number of results that can be returned in a single call is 500.", + "description": "The maximum number of ids to return. Defaults to 100 if not specified. The maximum " + "number of results that can be returned in a single call is 500.", "name": "limit", "in": "query" }, { "type": "string", - "description": "Sort the returned ids based on one of the following properties:\n\n `created_timestamp` " - "or `modified_timestamp`\n\n Sort either `asc` (ascending) or `desc` (descending); " - "for example: `created_timestamp|asc`.", + "description": "Sort the returned ids based on one of the following properties:\n\n " + "`created_timestamp` or `modified_timestamp`\n\n Sort either `asc` (ascending) or `desc` (descending); for " + "example: `created_timestamp|asc`.", "name": "sort", "in": "query" }, { "type": "string", - "description": "The rule group type to retrieve the ids of.\n\n Allowed values are: " - "`WindowsFiles`, `WindowsRegistry`, `LinuxFiles` or `MacFiles`.", + "description": "The rule group type to retrieve the ids of.\n\n Allowed values are: `WindowsFiles`, " + "`WindowsRegistry`, `LinuxFiles` or `MacFiles`.", "name": "type", "in": "query", "required": True diff --git a/src/falconpy/_endpoint/_firewall_management.py b/src/falconpy/_endpoint/_firewall_management.py index 20f8ba0b7..4fd9dec55 100644 --- a/src/falconpy/_endpoint/_firewall_management.py +++ b/src/falconpy/_endpoint/_firewall_management.py 
@@ -218,26 +218,12 @@ ] ], [ - "create_network_locations", - "POST", + "upsert_network_locations", + "PUT", "/fwmgr/entities/network-locations/v1", - "Create new network locations provided, and return the ID.", + "Updates the network locations provided, and return the ID.", "firewall_management", [ - { - "type": "string", - "description": "A network location ID from which to copy location. " - "If this is provided then the body of the request is ignored.", - "name": "clone_id", - "in": "query" - }, - { - "type": "boolean", - "description": "A boolean to determine whether the cloned location needs " - "to be added to the same firewall rules that original location is added to.", - "name": "add_fw_rules", - "in": "query" - }, { "type": "string", "description": "Audit log comment for this action", @@ -252,12 +238,26 @@ ] ], [ - "update_network_locations", - "PATCH", + "create_network_locations", + "POST", "/fwmgr/entities/network-locations/v1", - "Updates the network locations provided, and return the ID.", + "Create new network locations provided, and return the ID.", "firewall_management", [ + { + "type": "string", + "description": "A network location ID from which to copy location. If this is provided then the body " + "of the request is ignored.", + "name": "clone_id", + "in": "query" + }, + { + "type": "boolean", + "description": "A boolean to determine whether the cloned location needs to be added to the same " + "firewall rules that original location is added to.", + "name": "add_fw_rules", + "in": "query" + }, { "type": "string", "description": "Audit log comment for this action", @@ -272,8 +272,8 @@ ] ], [ - "upsert_network_locations", - "PUT", + "update_network_locations", + "PATCH", "/fwmgr/entities/network-locations/v1", "Updates the network locations provided, and return the ID.", "firewall_management", 
@@ -355,8 +355,8 @@ "update_policy_container_v1", "PUT", "/fwmgr/entities/policies/v1", - "Update an identified policy container. WARNING: This endpoint is deprecated in favor " - "of v2, using this endpoint could disable your local logging setting.", + "Update an identified policy container. WARNING: This endpoint is deprecated in favor of v2, using this " + "endpoint could disable your local logging setting.", "firewall_management", [ { @@ -409,15 +409,15 @@ [ { "type": "string", - "description": "A rule group ID from which to copy rules. " - "If this is provided then the 'rules' property of the body is ignored.", + "description": "A rule group ID from which to copy rules. If this is provided then the 'rules' " + "property of the body is ignored.", "name": "clone_id", "in": "query" }, { "type": "string", - "description": "If this flag is set to true then the rules will be " - "cloned from the clone_id from the CrowdStrike Firewall Rule Groups Library.", + "description": "If this flag is set to true then the rules will be cloned from the clone_id from the " + "CrowdStrike Firewal Rule Groups Library.", "name": "library", "in": "query" }, @@ -489,15 +489,15 @@ [ { "type": "string", - "description": "A rule group ID from which to copy rules. " - "If this is provided then the 'rules' property of the body is ignored.", + "description": "A rule group ID from which to copy rules. If this is provided then the 'rules' " + "property of the body is ignored.", "name": "clone_id", "in": "query" }, { "type": "string", - "description": "If this flag is set to true then the rules will be cloned " - "from the clone_id from the CrowdStrike Firewall Rule Groups Library.", + "description": "If this flag is set to true then the rules will be cloned from the clone_id from the " + "CrowdStrike Firewall Rule Groups Library.", "name": "library", "in": "query" }, 
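Review bot: The reflowed `library` parameter description in the `@@ -409` hunk introduces a typo, `CrowdStrike Firewal Rule Groups Library`, while the identical parameter in the `@@ -489` hunk keeps `Firewall`; the last line of that description should be `"CrowdStrike Firewall Rule Groups Library.",`. Since the two parameter definitions are otherwise byte-for-byte identical, keeping them that way is the easiest guard against this drifting again. The warning text in the `update_policy_container_v1` hunk that the deprecated v1 endpoint `could disable your local logging setting` is unchanged by this commit, but it is the kind of caveat worth surfacing in the method docstring as well, if this file is what generates it.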
@@ -518,8 +518,8 @@ "update_rule_group_validation", "PATCH", "/fwmgr/entities/rule-groups/validation/v1", - "Validates the request of updating name, description, or enabled status of " - "a rule group, or create, edit, delete, or reorder rules", + "Validates the request of updating name, description, or enabled status of a rule group, or create, edit, " + "delete, or reorder rules", "firewall_management", [ { @@ -584,10 +584,9 @@ }, { "type": "string", - "description": "FQL query specifying the filter parameters. " - "Filter term criteria: enabled, platform, name, description, etc TODO. " - "Filter range criteria: created_on, modified_on; use any common date format, " - "such as '2010-05-15T14:55:21.892315096Z'.", + "description": "FQL query specifying the filter parameters. Filter term criteria: enabled, platform, " + "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such " + "as '2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, @@ -605,9 +604,9 @@ }, { "type": "string", - "description": "A pagination token used with the `limit` parameter to manage pagination " - "of results. On your first request, don't provide an `after` token. On subsequent requests, " - "provide the `after` token from the previous response to continue from that place in the results.", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from " + "the previous response to continue from that place in the results.", "name": "after", "in": "query" }, 
@@ -679,9 +678,9 @@ }, { "type": "string", - "description": "A pagination token used with the `limit` parameter to manage pagination of results. " - "On your first request, don't provide an `after` token. On subsequent requests, provide the `after` " - "token from the previous response to continue from that place in the results.", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from " + "the previous response to continue from that place in the results.", "name": "after", "in": "query" }, @@ -735,9 +734,9 @@ }, { "type": "string", - "description": "FQL query specifying the filter parameters. Filter term criteria: enabled, " - "platform, name, description, etc TODO. Filter range criteria: created_on, modified_on; use " - "any common date format, such as '2010-05-15T14:55:21.892315096Z'.", + "description": "FQL query specifying the filter parameters. Filter term criteria: enabled, platform, " + "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such " + "as '2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, @@ -776,9 +775,9 @@ }, { "type": "string", - "description": "FQL query specifying the filter parameters. Filter term criteria: enabled, " - "platform, name, description, etc TODO. Filter range criteria: created_on, modified_on; use " - "any common date format, such as '2010-05-15T14:55:21.892315096Z'.", + "description": "FQL query specifying the filter parameters. Filter term criteria: enabled, platform, " + "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such " + "as '2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, 
@@ -796,9 +795,9 @@
},
{
"type": "string",
- "description": "A pagination token used with the `limit` parameter to manage pagination of "
- "results. On your first request, don't provide an `after` token. On subsequent requests, provide "
- "the `after` token from the previous response to continue from that place in the results.",
+ "description": "A pagination token used with the `limit` parameter to manage pagination of results. On "
+ " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from "
+ "the previous response to continue from that place in the results.",
"name": "after",
"in": "query"
},
@@ -826,8 +825,8 @@
{
"type": "string",
"description": "FQL query specifying the filter parameters. Filter term criteria: enabled, platform, "
- "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date "
- "format, such as '2010-05-15T14:55:21.892315096Z'.",
+ "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such "
+ "as '2010-05-15T14:55:21.892315096Z'.",
"name": "filter",
"in": "query"
},
@@ -845,9 +844,9 @@
},
{
"type": "string",
- "description": "A pagination token used with the `limit` parameter to manage pagination of results. "
- "On your first request, don't provide an `after` token. On subsequent requests, provide the `after` "
- "token from the previous response to continue from that place in the results.",
+ "description": "A pagination token used with the `limit` parameter to manage pagination of results. On "
+ " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from "
+ "the previous response to continue from that place in the results.",
"name": "after",
"in": "query"
},
diff --git a/src/falconpy/_endpoint/_firewall_policies.py b/src/falconpy/_endpoint/_firewall_policies.py
index aaceec986..494cf8a91 100644
--- a/src/falconpy/_endpoint/_firewall_policies.py
+++ b/src/falconpy/_endpoint/_firewall_policies.py
@@ -41,8 +41,8 @@
"queryCombinedFirewallPolicyMembers",
"GET",
"/policy/combined/firewall-members/v1",
- "Search for members of a Firewall Policy in your environment by providing an FQL "
- "filter and paging details. Returns a set of host details which match the filter criteria",
+ "Search for members of a Firewall Policy in your environment by providing an FQL filter and paging "
+ "details. Returns a set of host details which match the filter criteria",
"firewall_policies",
[
{
@@ -84,8 +84,8 @@
"queryCombinedFirewallPolicies",
"GET",
"/policy/combined/firewall/v1",
- "Search for Firewall Policies in your environment by providing an FQL filter and paging details. "
- "Returns a set of Firewall Policies which match the filter criteria",
+ "Search for Firewall Policies in your environment by providing an FQL filter and paging details. Returns a "
+ "set of Firewall Policies which match the filter criteria",
"firewall_policies",
[
{
@@ -168,9 +168,9 @@
"setFirewallPoliciesPrecedence",
"POST",
"/policy/entities/firewall-precedence/v1",
- "Sets the precedence of Firewall Policies based on the order of IDs specified in the request. "
- "The first ID specified will have the highest precedence and the last ID specified will have the lowest. "
- "You must specify all non-Default Policies for a platform when updating precedence",
+ "Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID "
+ " specified will have the highest precedence and the last ID specified will have the lowest. You must specify "
+ "all non-Default Policies for a platform when updating precedence",
"firewall_policies",
[
{
@@ -260,8 +260,8 @@
"queryFirewallPolicyMembers",
"GET",
"/policy/queries/firewall-members/v1",
- "Search for members of a Firewall Policy in your environment by providing an FQL filter and paging details. "
- "Returns a set of Agent IDs which match the filter criteria",
+ "Search for members of a Firewall Policy in your environment by providing an FQL filter and paging "
+ "details. Returns a set of Agent IDs which match the filter criteria",
"firewall_policies",
[
{
@@ -303,8 +303,8 @@
"queryFirewallPolicies",
"GET",
"/policy/queries/firewall/v1",
- "Search for Firewall Policies in your environment by providing an FQL filter and paging details. "
- "Returns a set of Firewall Policy IDs which match the filter criteria",
+ "Search for Firewall Policies in your environment by providing an FQL filter and paging details. Returns a "
+ "set of Firewall Policy IDs which match the filter criteria",
"firewall_policies",
[
{
diff --git a/src/falconpy/_endpoint/_host_group.py b/src/falconpy/_endpoint/_host_group.py
index c36b449e7..dbd0a1316 100644
--- a/src/falconpy/_endpoint/_host_group.py
+++ b/src/falconpy/_endpoint/_host_group.py
@@ -41,8 +41,8 @@
"queryCombinedGroupMembers",
"GET",
"/devices/combined/host-group-members/v1",
- "Search for members of a Host Group in your environment by providing an FQL filter "
- "and paging details. Returns a set of host details which match the filter criteria",
+ "Search for members of a Host Group in your environment by providing an FQL filter and paging details. "
+ "Returns a set of host details which match the filter criteria",
"host_group",
[
{
@@ -84,8 +84,8 @@
"queryCombinedHostGroups",
"GET",
"/devices/combined/host-groups/v1",
- "Search for Host Groups in your environment by providing an FQL filter and paging details. "
- "Returns a set of Host Groups which match the filter criteria",
+ "Search for Host Groups in your environment by providing an FQL filter and paging details. Returns a set "
+ "of Host Groups which match the filter criteria",
"host_group",
[
{
@@ -278,8 +278,8 @@
"queryHostGroups",
"GET",
"/devices/queries/host-groups/v1",
- "Search for Host Groups in your environment by providing an FQL filter and paging details. "
- "Returns a set of Host Group IDs which match the filter criteria",
+ "Search for Host Groups in your environment by providing an FQL filter and paging details. Returns a set "
+ "of Host Group IDs which match the filter criteria",
"host_group",
[
{
diff --git a/src/falconpy/_endpoint/_hosts.py b/src/falconpy/_endpoint/_hosts.py
index 22e499d99..3574156c7 100644
--- a/src/falconpy/_endpoint/_hosts.py
+++ b/src/falconpy/_endpoint/_hosts.py
@@ -74,23 +74,21 @@
[
{
"type": "string",
- "description": "Specify one of these actions:\n\n- `contain` - "
- "This action contains the host, which stops any network communications to "
- "locations other than the CrowdStrike cloud and IPs specified in your [containment policy]"
- "(https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#containmentpolicy)"
- "\n- `lift_containment`: This action lifts containment on the host, which returns its network "
- "communications to normal\n- `hide_host`: This action will delete a host. After the host is deleted, "
- "no new detections for that host will be reported via UI or APIs\n- `unhide_host`: "
- "This action will restore a host. Detection reporting will resume after the host is restored",
+ "description": "Specify one of these actions:\n\n- `contain` - This action contains the host, which "
+ "stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your "
+ "[containment policy](https://falcon.crowdstrike.com/support/documentation/11/getting-started-"
+ "guide#containmentpolicy)\n- `lift_containment`: This action lifts containment on the host, which returns its "
+ "network communications to normal\n- `hide_host`: This action will delete a host. After the host is deleted, no "
+ " new detections for that host will be reported via UI or APIs\n- `unhide_host`: This action will restore a "
+ "host. Detection reporting will resume after the host is restored",
"name": "action_name",
"in": "query",
"required": True
},
{
- "description": "The host agent ID (AID) of the host you want to contain. "
- "Get an agent ID from a detection, the Falcon console, or the Streaming API.\n\n"
- "Provide the ID in JSON format with the key `ids` and the value in square brackets, "
- "such as: \n\n`\"ids\": [\"123456789\"]`",
+ "description": "The host agent ID (AID) of the host you want to contain. 
Get an agent ID from a "
+ "detection, the Falcon console, or the Streaming API.\n\nProvide the ID in JSON format with the key `ids` and "
+ "the value in square brackets, such as: \n\n`\"ids\": [\"123456789\"]`",
"name": "body",
"in": "body",
"required": True
@@ -101,7 +99,7 @@
"UpdateDeviceTags",
"PATCH",
"/devices/entities/devices/tags/v1",
- "Append or remove one or more Falcon Grouping Tags on one or more hosts.",
+ "Append or remove one or more Falcon Grouping Tags on one or more hosts. Tags must be of the form FalconGroupingTags/",
"hosts",
[
{
@@ -129,8 +127,8 @@
"GetDeviceDetailsV1",
"GET",
"/devices/entities/devices/v1",
- "Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs "
- "(AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API",
+ "Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from "
+ "the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API",
"hosts",
[
{
@@ -185,7 +183,7 @@
"entities_perform_action",
"POST",
"/devices/entities/group-actions/v1",
- "Performs the specified action on the provided prevention policy IDs.",
+ "Performs the specified action on the provided group IDs.",
"hosts",
[
{
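Review bot: The new `UpdateDeviceTags` description in the `@@ -101` hunk is left as one line of roughly 130 characters while every other string touched by this commit is re-wrapped to a shorter width, so it will probably trip the same line-length check the rest of the rewrap is satisfying; split it as `"Append or remove one or more Falcon Grouping Tags on one or more hosts. Tags must be of the form "` followed by `"FalconGroupingTags/"`. The trailing `FalconGroupingTags/` also reads as a cut-off sentence; if the published spec text really ends with the prefix, a short marker such as `FalconGroupingTags/<tag>` (placeholder, not from the spec) would make the expected shape clearer, but only if that agrees with the upstream wording. The `@@ -74` hunk that opens this line begins on the previous line, and the endpoint list all four hunks sit in starts and ends outside the visible diff.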
@@ -229,10 +227,10 @@
"GetOnlineState_V1",
"GET",
"/devices/entities/online-state/v1",
- "Get the online status for one or more hosts by specifying each host’s unique ID. "
- "Successful requests return an HTTP 200 response and the status for each host identified "
- "by a `state` of `online`, `offline`, or `unknown` for each host, identified by host `id`."
- "\n\nMake a `GET` request to `/devices/queries/devices/v1` to get a list of host IDs.",
+ "Get the online status for one or more hosts by specifying each host’s unique ID. Successful requests "
+ "return an HTTP 200 response and the status for each host identified by a `state` of `online`, `offline`, or "
+ "`unknown` for each host, identified by host `id`.\n\nUse QueryDevicesByFilterScroll to get a list of host "
+ "IDs.",
"hosts",
[
{
@@ -285,8 +283,8 @@
"QueryDevicesByFilterScroll",
"GET",
"/devices/queries/devices-scroll/v1",
- "Search for hosts in your environment by platform, hostname, IP, and other criteria with "
- "continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)",
+ "Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous "
+ "pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)",
"hosts",
[
{
diff --git a/src/falconpy/_endpoint/_identity_protection.py b/src/falconpy/_endpoint/_identity_protection.py
index cf433aa4a..ddec887f1 100644
--- a/src/falconpy/_endpoint/_identity_protection.py
+++ b/src/falconpy/_endpoint/_identity_protection.py
@@ -38,33 +38,32 @@ _identity_protection_endpoints = [
[
- "api_preempt_proxy_post_graphql",
+ "GetSensorAggregates",
"POST",
- "/identity-protection/combined/graphql/v1",
- "Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, "
- "identity-based incidents and security assessment. Allows to perform actions on entities "
- "and identity-based incidents.",
+ "/identity-protection/aggregates/devices/GET/v1",
+ "Get sensor aggregates as specified via json in request body.",
"identity_protection",
[
{
- "type": "string",
- "description": "Authorization Header",
- "name": "Authorization",
- "in": "header",
+ "name": "body",
+ "in": "body",
"required": True
}
]
],
[
- "GetSensorAggregates",
+ "api_preempt_proxy_post_graphql",
"POST",
- "/identity-protection/aggregates/devices/GET/v1",
- "Get sensor aggregates as specified via json in request body.",
- "identity_entities",
+ "/identity-protection/combined/graphql/v1",
+ "Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based "
+ "incidents and security assessment. Allows to perform actions on entities and identity-based incidents.",
+ "identity_protection",
[
{
- "name": "body",
- "in": "body",
+ "type": "string",
+ "description": "Authorization Header",
+ "name": "Authorization",
+ "in": "header",
"required": True
}
]
@@ -74,7 +73,7 @@
"POST",
"/identity-protection/entities/devices/GET/v1",
"Get details on one or more sensors by providing device IDs in a POST body. Supports up to a maximum of 5000 IDs.",
- "identity_entities",
+ "identity_protection",
[
{
"name": "body",
@@ -88,7 +87,7 @@
"GET",
"/identity-protection/queries/devices/v1",
"Search for sensors in your environment by hostname, IP, and other criteria.",
- "identity_entities",
+ "identity_protection",
[
{
"type": "integer",
diff --git a/src/falconpy/_endpoint/_incidents.py b/src/falconpy/_endpoint/_incidents.py
index c6a3a69e3..793755300 100644
--- a/src/falconpy/_endpoint/_incidents.py
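Review bot: Three records change their fifth element from `identity_entities` to `identity_protection` (the `@@ -38`, `@@ -74` and `@@ -88` hunks) and the two `@@ -38` entries also swap positions; that field is data in each endpoint record rather than prose, so if anything downstream keys on it (Uber-class routing, generated docs) this is a behavioural change hidden in a rewrap commit and deserves a sentence in the commit message, as does the parallel `installation_tokens_settings` to `installation_tokens` change in `_installation_tokens.py`. The `api_preempt_proxy_post_graphql` record is the only one in this file that declares a required `Authorization` header parameter; it is moved verbatim rather than introduced here, but it is worth confirming that a caller-supplied value cannot displace the bearer token the SDK attaches itself. The `_identity_protection_endpoints` list these hunks sit in starts before and ends after the visible diff.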
+++ b/src/falconpy/_endpoint/_incidents.py
@@ -46,9 +46,9 @@
[
{
"type": "string",
- "description": "Optional filter and sort criteria in the form of an FQL query. "
- "For more information about FQL queries, see [our FQL documentation in Falcon]"
- "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
+ "description": "Optional filter and sort criteria in the form of an FQL query. For more information "
+ "about FQL queries, see [our FQL documentation in "
+ "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
"name": "filter",
"in": "query"
},
@@ -74,8 +74,8 @@
"timestamp.desc"
],
"type": "string",
- "description": "The property to sort on, followed by a dot (.), "
- "followed by the sort direction, either \"asc\" or \"desc\".",
+ "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either "
+ "\"asc\" or \"desc\".",
"name": "sort",
"in": "query"
}
@@ -99,31 +99,31 @@
"PerformIncidentAction",
"POST",
"/incidents/entities/incident-actions/v1",
- "Perform a set of actions on one or more incidents, such as adding tags or comments "
- "or updating the incident name or description",
+ "Perform a set of actions on one or more incidents, such as adding tags or comments or updating the "
+ "incident name or description",
"incidents",
[
{
"type": "boolean",
"default": False,
- "description": "If true, update assigned-to-uuid and or status of detections associated with "
- "the incident(s). Defaults to false",
+ "description": "If true, update assigned-to-uuid and or status of detections associated with the "
+ "incident(s). Defaults to false",
"name": "update_detects",
"in": "query"
},
{
"type": "boolean",
"default": False,
- "description": "If true and update-detects is true, the assigned-to-uuid or status for ALL "
- "detections associated with the incident(s) will be overwritten. If false, only detects that "
- "have default values for assigned-to-uuid and/or status will be updated. Defaults to false. "
- "Ignored if 'update-detects' is missing or false.",
+ "description": "If true and update-detects is true, the assigned-to-uuid or status for ALL detections "
+ "associated with the incident(s) will be overwritten. If false, only detects that have default values for "
+ "assigned-to-uuid and/or status will be updated. Defaults to false. Ignored if 'update-detects' is missing or "
+ "false.",
"name": "overwrite_detects",
"in": "query"
},
{
- "description": "Incident Update request body containing minimum 1 and maximum 5000 Incident ID(s) "
- "and action param(s) to be performed action against.",
+ "description": "Incident Update request body containing minimum 1 and maximum 5000 Incident ID(s) and "
+ "action param(s) to be performed action against.",
"name": "body",
"in": "body",
"required": True
@@ -153,9 +153,9 @@
[
{
"type": "string",
- "description": "Optional filter and sort criteria in the form of an FQL query. "
- "For more information about FQL queries, see [our FQL documentation in Falcon]"
- "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
+ "description": "Optional filter and sort criteria in the form of an FQL query. For more information "
+ "about FQL queries, see [our FQL documentation in "
+ "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
"name": "filter",
"in": "query"
},
@@ -189,8 +189,8 @@
"timestamp.desc"
],
"type": "string",
- "description": "The property to sort on, followed by a dot (.), "
- "followed by the sort direction, either \"asc\" or \"desc\".",
+ "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either "
+ "\"asc\" or \"desc\".",
"name": "sort",
"in": "query"
}
@@ -225,16 +225,16 @@
"status.desc"
],
"type": "string",
- "description": "The property to sort on, followed by a dot (.), "
- "followed by the sort direction, either \"asc\" or \"desc\".",
+ "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either "
+ "\"asc\" or \"desc\".",
"name": "sort",
"in": "query"
},
{
"type": "string",
- "description": "Optional filter and sort criteria in the form of an FQL query. "
- "For more information about FQL queries, see [our FQL documentation in Falcon]"
- "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
+ "description": "Optional filter and sort criteria in the form of an FQL query. For more information "
+ "about FQL queries, see [our FQL documentation in "
+ "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
"name": "filter",
"in": "query"
},
diff --git a/src/falconpy/_endpoint/_installation_tokens.py b/src/falconpy/_endpoint/_installation_tokens.py
index a98ae3cd0..08882fafc 100644
--- a/src/falconpy/_endpoint/_installation_tokens.py
+++ b/src/falconpy/_endpoint/_installation_tokens.py
@@ -64,6 +64,20 @@
"installation_tokens",
[]
],
+ [
+ "customer_settings_update",
+ "PATCH",
+ "/installation-tokens/entities/customer-settings/v1",
+ "Update installation token settings.",
+ "installation_tokens",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
[
"tokens_read",
"GET",
@@ -207,19 +221,5 @@
"in": "query"
}
]
- ],
- [
- "customer_settings_update",
- "PATCH",
- "/installation-tokens/entities/customer-settings/v1",
- "Update installation token settings.",
- "installation_tokens_settings",
- [
- {
- "name": "body",
- "in": "body",
- "required": True
- }
- ]
]
]
diff --git a/src/falconpy/_endpoint/_intel.py b/src/falconpy/_endpoint/_intel.py
index 8aeb0ece3..69f3e50f5 100644
--- a/src/falconpy/_endpoint/_intel.py
+++ b/src/falconpy/_endpoint/_intel.py
@@ -64,14 +64,20 @@
},
{
"type": "string",
- "description": "Filter your query by specifying FQL filter parameters. "
- "Filter parameters include:\n\nactors, actors.id, actors.name, actors.slug, "
- "actors.url, created_date, description, id, last_modified_date, motivations, "
- "motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, "
- "slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, "
- "tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, "
- "target_industries, target_industries.id, target_industries.slug, target_industries.value, "
- "type, type.id, type.name, type.slug, url.",
+ "description": "Filter your query by specifying FQL filter parameters. Filter parameters "
+ "include:\n\nactor_type, capabilities, capability, capability.id, capability.slug, capability.value, "
+ "created_date, description, ecrime_kill_chain.attribution, ecrime_kill_chain.crimes, "
+ "ecrime_kill_chain.customers, ecrime_kill_chain.marketing, ecrime_kill_chain.monetization, "
+ "ecrime_kill_chain.services_offered, ecrime_kill_chain.services_used, ecrime_kill_chain.technical_tradecraft, "
+ "ecrime_kill_chain.victims, first_activity_date, group, group.id, group.slug, group.value, id, "
+ "kill_chain.actions_and_objectives, kill_chain.actions_on_objectives, kill_chain.command_and_control, "
+ "kill_chain.delivery, kill_chain.exploitation, kill_chain.installation, kill_chain.objectives, "
+ "kill_chain.reconnaissance, kill_chain.weaponization, known_as, last_activity_date, last_modified_date, "
+ "motivations, motivations.id, motivations.slug, motivations.value, name, objectives, origins, origins.id, "
+ "origins.slug, origins.value, region, region.id, region.slug, region.value, short_description, slug, status, "
+ "target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, "
+ "target_industries.id, target_industries.slug, 
target_industries.value, target_regions, target_regions.id, "
+ "target_regions.slug, target_regions.value.",
"name": "filter",
"in": "query"
},
@@ -87,9 +93,9 @@
"type": "string"
},
"collectionFormat": "multi",
- "description": "The fields to return, or a predefined set of fields in the form of the collection "
- "name surrounded by two underscores like:\n\n\\_\\_\\\\_\\_.\n\n"
- "Ex: slug \\_\\_full\\_\\_.\n\nDefaults to \\_\\_basic\\_\\_.",
+ "description": "The fields to return, or a predefined set of fields in the form of the collection name "
+ " surrounded by two underscores like:\n\n\\_\\_\\\\_\\_.\n\nEx: slug "
+ "\\_\\_full\\_\\_.\n\nDefaults to \\_\\_basic\\_\\_.",
"name": "fields",
"in": "query"
}
@@ -110,7 +116,7 @@
},
{
"type": "integer",
- "description": "Set the number of indicators to return. The number must be between 1 and 50000",
+ "description": "Set the number of indicators to return. The number must be between 1 and 10000",
"name": "limit",
"in": "query"
},
@@ -122,11 +128,10 @@
},
{
"type": "string",
- "description": "Filter your query by specifying FQL filter parameters. "
- "Filter parameters include:\n\n_marker, actors, deleted, domain_types, id, indicator, "
- "ip_address_types, kill_chains, labels, labels.created_on, labels.last_valid_on, labels.name, "
- "last_updated, malicious_confidence, malware_families, published_date, reports, targets, "
- "threat_types, type, vulnerabilities.",
+ "description": "Filter your query by specifying FQL filter parameters. Filter parameters "
+ "include:\n\n_marker, actors, deleted, domain_types, id, indicator, ip_address_types, kill_chains, labels, "
+ "labels.created_on, labels.last_valid_on, labels.name, last_updated, malicious_confidence, malware_families, "
+ "published_date, reports, scope, targets, threat_types, type, vulnerabilities.",
"name": "filter",
"in": "query"
},
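Review bot: The `limit` description in the `@@ -110` hunk lowers the documented maximum from 50000 to 10000, and the `@@ -509` hunk of the indicator-ID query does the same; that is a contract change riding inside a rewrap commit, so it should be called out in the commit message if the service now rejects larger values, or reverted to `"... The number must be between 1 and 50000"` if only the wording was meant to change. Callers that sized their paging loops to the old ceiling will otherwise fail silently at the first oversized request, and since the `after`-token alternative is only mentioned in the `_ioc.py` descriptions, a short pointer to it here would tell them how to get past the cap. The enclosing endpoint record starts before and ends after the hunk.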
@@ -177,12 +182,12 @@
},
{
"type": "string",
- "description": "Filter your query by specifying FQL filter parameters. "
- "Filter parameters include:\n\nactors, actors.id, actors.name, actors.slug, actors.url, "
- "created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, "
- "motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, "
- "sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, "
- "target_countries.slug, target_countries.value, target_industries, target_industries.id, "
+ "description": "Filter your query by specifying FQL filter parameters. Filter parameters "
+ "include:\n\nactors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, "
+ "last_modified_date, malware, malware.community_identifiers, malware.family_name, malware.slug, motivations, "
+ "motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, "
+ "sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, "
+ "target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, "
"target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url.",
"name": "filter",
"in": "query"
@@ -199,9 +204,9 @@
"type": "string"
},
"collectionFormat": "multi",
- "description": "The fields to return, or a predefined set of fields in the form of the collection "
- "name surrounded by two underscores like:\n\n\\_\\_\\\\_\\_.\n\n"
- "Ex: slug \\_\\_full\\_\\_.\n\nDefaults to \\_\\_basic\\_\\_.",
+ "description": "The fields to return, or a predefined set of fields in the form of the collection name "
+ " surrounded by two underscores like:\n\n\\_\\_\\\\_\\_.\n\nEx: slug "
+ "\\_\\_full\\_\\_.\n\nDefaults to \\_\\_basic\\_\\_.",
"name": "fields",
"in": "query"
}
@@ -231,9 +236,9 @@
"type": "string"
},
"collectionFormat": "multi",
- "description": "The fields to return, or a predefined set of fields in the form of the "
- "collection name surrounded by two underscores like:\n\n\\_\\_\\\\_\\_.\n\n"
- "Ex: slug \\_\\_full\\_\\_.\n\nDefaults to \\_\\_basic\\_\\_.",
+ "description": "The fields to return, or a predefined set of fields in the form of the collection name "
+ " surrounded by two underscores like:\n\n\\_\\_\\\\_\\_.\n\nEx: slug "
+ "\\_\\_full\\_\\_.\n\nDefaults to \\_\\_basic\\_\\_.",
"name": "fields",
"in": "query"
}
@@ -305,8 +310,8 @@
},
{
"type": "string",
- "description": "The ID of the report you want to download as a PDF. "
- "This parameter is used only if no id parameter given.",
+ "description": "The ID of the report you want to download as a PDF. This parameter is used only if no "
+ "id parameter given.",
"name": "ids",
"in": "query"
}
@@ -336,9 +341,9 @@
"type": "string"
},
"collectionFormat": "multi",
- "description": "The fields to return, or a predefined set of fields in the form of the "
- "collection name surrounded by two underscores like:\n\n\\_\\_\\\\_\\_.\n\n"
- "Ex: slug \\_\\_full\\_\\_.\n\nDefaults to \\_\\_basic\\_\\_.",
+ "description": "The fields to return, or a predefined set of fields in the form of the collection name "
+ " surrounded by two underscores like:\n\n\\_\\_\\\\_\\_.\n\nEx: slug "
+ "\\_\\_full\\_\\_.\n\nDefaults to \\_\\_basic\\_\\_.",
"name": "fields",
"in": "query"
}
@@ -393,16 +398,16 @@
},
{
"type": "string",
- "description": "Download the latest rule set only if the rule was modified after this date. "
- "http, ANSIC and RFC850 formats accepted",
+ "description": "Download the latest rule set only if the rule was modified after this date. http, "
+ "ANSIC and RFC850 formats accepted",
"name": "If-Modified-Since",
"in": "header"
},
{
"type": "string",
- "description": "The rule news report type. Accepted values:\n\nsnort-suricata-master\n\n"
- "snort-suricata-update\n\nsnort-suricata-changelog\n\nyara-master\n\nyara-update\n\n"
- "yara-changelog\n\ncommon-event-format\n\nnetwitness",
+ "description": "The rule news report type. Accepted values:\n\nsnort-suricata-master\n\nsnort-"
+ "suricata-update\n\nsnort-suricata-changelog\n\nyara-master\n\nyara-update\n\nyara-changelog\n\ncommon-event-"
+ "format\n\nnetwitness",
"name": "type",
"in": "query",
"required": True
@@ -476,13 +481,20 @@
},
{
"type": "string",
- "description": "Filter your query by specifying FQL filter parameters. "
- "Filter parameters include:\n\nactors, actors.id, actors.name, actors.slug, actors.url, "
- "created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, "
- "motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, "
- "sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, "
- "target_countries.slug, target_countries.value, target_industries, target_industries.id, "
- "target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url.",
+ "description": "Filter your query by specifying FQL filter parameters. Filter parameters "
+ "include:\n\nactor_type, capabilities, capability, capability.id, capability.slug, capability.value, "
+ "created_date, description, ecrime_kill_chain.attribution, ecrime_kill_chain.crimes, "
+ "ecrime_kill_chain.customers, ecrime_kill_chain.marketing, ecrime_kill_chain.monetization, "
+ "ecrime_kill_chain.services_offered, ecrime_kill_chain.services_used, ecrime_kill_chain.technical_tradecraft, "
+ "ecrime_kill_chain.victims, first_activity_date, group, group.id, group.slug, group.value, id, "
+ "kill_chain.actions_and_objectives, kill_chain.actions_on_objectives, kill_chain.command_and_control, "
+ "kill_chain.delivery, kill_chain.exploitation, kill_chain.installation, kill_chain.objectives, "
+ "kill_chain.reconnaissance, kill_chain.weaponization, known_as, last_activity_date, last_modified_date, "
+ "motivations, motivations.id, motivations.slug, motivations.value, name, objectives, origins, origins.id, "
+ "origins.slug, origins.value, region, region.id, region.slug, region.value, short_description, slug, status, "
+ "target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, "
+ "target_industries.id, target_industries.slug, 
target_industries.value, target_regions, target_regions.id, "
+ "target_regions.slug, target_regions.value.",
"name": "filter",
"in": "query"
},
@@ -509,7 +521,7 @@
},
{
"type": "integer",
- "description": "Set the number of indicator IDs to return. The number must be between 1 and 50000",
+ "description": "Set the number of indicator IDs to return. The number must be between 1 and 10000",
"name": "limit",
"in": "query"
},
@@ -521,10 +533,10 @@
},
{
"type": "string",
- "description": "Filter your query by specifying FQL filter parameters. "
- "Filter parameters include:\n\n_marker, actors, deleted, domain_types, id, indicator, ip_address_types, "
- "kill_chains, labels, labels.created_on, labels.last_valid_on, labels.name, last_updated, malicious_confidence, "
- "malware_families, published_date, reports, targets, threat_types, type, vulnerabilities.",
+ "description": "Filter your query by specifying FQL filter parameters. Filter parameters "
+ "include:\n\n_marker, actors, deleted, domain_types, id, indicator, ip_address_types, kill_chains, labels, "
+ "labels.created_on, labels.last_valid_on, labels.name, last_updated, malicious_confidence, malware_families, "
+ "published_date, reports, scope, targets, threat_types, type, vulnerabilities.",
"name": "filter",
"in": "query"
},
@@ -552,7 +564,8 @@
"QueryMitreAttacks",
"GET",
"/intel/queries/mitre/v1",
- "Gets MITRE tactics and techniques for the given actor",
+ "Gets MITRE tactics and techniques for the given actor, returning concatenation of id and tactic and "
+ "technique ids, example: fancy-bear_TA0011_T1071",
"intel",
[
{
@@ -602,13 +615,13 @@
},
{
"type": "string",
- "description": "Filter your query by specifying FQL filter parameters. "
- "Filter parameters include:\n\nactors, actors.id, actors.name, actors.slug, actors.url, "
- "created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, "
- "motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, "
- "sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, "
- "target_countries.slug, target_countries.value, target_industries, target_industries.id, "
- "arget_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url.",
+ "description": "Filter your query by specifying FQL filter parameters. Filter parameters "
+ "include:\n\nactors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, "
+ "last_modified_date, malware, malware.community_identifiers, malware.family_name, malware.slug, motivations, "
+ "motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, "
+ "sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, "
+ "target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, "
+ "target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url.",
"name": "filter",
"in": "query"
},
@@ -657,9 +670,9 @@
 },
 {
 "type": "string",
- "description": "The rule news report type. Accepted values:\n\nsnort-suricata-master\n\n"
- "snort-suricata-update\n\nsnort-suricata-changelog\n\nyara-master\n\nyara-update\n\n"
- "yara-changelog\n\ncommon-event-format\n\nnetwitness",
+ "description": "The rule news report type. Accepted values:\n\nsnort-suricata-master\n\nsnort-"
+ "suricata-update\n\nsnort-suricata-changelog\n\nyara-master\n\nyara-update\n\nyara-changelog\n\ncommon-event-"
+ "format\n\nnetwitness",
 "name": "type",
 "in": "query",
 "required": True
diff --git a/src/falconpy/_endpoint/_ioc.py b/src/falconpy/_endpoint/_ioc.py
index 3f636a241..3b08d4707 100644
--- a/src/falconpy/_endpoint/_ioc.py
+++ b/src/falconpy/_endpoint/_ioc.py
@@ -78,8 +78,9 @@
 },
 {
 "type": "integer",
- "description": "The offset to start retrieving records from. Offset and After params are mutually exclusive. "
- "If none provided then scrolling will be used by default.",
+ "description": "The offset to start retrieving records from. Offset and After params are mutually "
+ "exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the "
+ "'after' parameter instead of 'offset'.",
 "name": "offset",
 "in": "query"
 },
@@ -117,10 +118,10 @@
 },
 {
 "type": "string",
- "description": "A pagination token used with the `limit` parameter to manage pagination of results. "
- "On your first request, don't provide an 'after' token. On subsequent requests, provide the 'after' "
- "token from the previous response to continue from that place in the results. To access more than 10k "
- "indicators, use the 'after' parameter instead of 'offset'.",
+ "description": "A pagination token used with the `limit` parameter to manage pagination of results. On "
+ " your first request, don't provide an 'after' token. On subsequent requests, provide the 'after' token from "
+ "the previous response to continue from that place in the results. To access more than 10k indicators, use the "
+ "'after' parameter instead of 'offset'.",
 "name": "after",
 "in": "query"
 },
@@ -248,8 +249,8 @@
 [
 {
 "type": "string",
- "description": "The FQL expression to delete Indicators in bulk. If both 'filter' and 'ids' are provided, "
- "then filter takes precedence and ignores ids.",
+ "description": "The FQL expression to delete Indicators in bulk. If both 'filter' and 'ids' are "
+ "provided, then filter takes precedence and ignores ids.",
 "name": "filter",
 "in": "query"
 },
@@ -259,8 +260,8 @@
 "type": "string"
 },
 "collectionFormat": "multi",
- "description": "The ids of the Indicators to delete. If both 'filter' and 'ids' are provided, "
- "then filter takes precedence and ignores ids",
+ "description": "The ids of the Indicators to delete. If both 'filter' and 'ids' are provided, then "
+ "filter takes precedence and ignores ids",
 "name": "ids",
 "in": "query"
 },
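Review bot: The rewrapped `after` description in the `@@ -117,10 +118,10 @@` hunk concatenates `"...of results. On " " your first request..."`, so the rendered text reads `On  your` with two spaces; the continuation literal should start at `"your first request, ..."` with the single separating space left on the preceding fragment. The same wrap artefact appears in the `@@ -353,10 +355,10 @@` hunk of `_ioc.py` (`" your first"`), in both `type` description hunks of `_iocs.py` (`"hash " " string."`), and in the `client_id`/`client_secret` hunks of `_oauth2.py` (`"API " " clients"`, `"generating " " API clients"`). It looks like the literals were re-flowed at a fixed column; breaking only at word boundaries and keeping the space at the end of the trailing fragment would avoid this class of error. These entries are documentation data only, so the effect is cosmetic, but presumably every help text and docs page generated from these tables inherits it.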
@@ -314,8 +315,9 @@
 },
 {
 "type": "integer",
- "description": "The offset to start retrieving records from. Offset and After params are mutually exclusive. "
- "If none provided then scrolling will be used by default.",
+ "description": "The offset to start retrieving records from. Offset and After params are mutually "
+ "exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the "
+ "'after' parameter instead of 'offset'.",
 "name": "offset",
 "in": "query"
 },
@@ -353,10 +355,10 @@
 },
 {
 "type": "string",
- "description": "A pagination token used with the `limit` parameter to manage pagination of results. "
- "On your first request, don't provide an 'after' token. On subsequent requests, provide the 'after' "
- "token from the previous response to continue from that place in the results. To access more than 10k "
- "indicators, use the 'after' parameter instead of 'offset'.",
+ "description": "A pagination token used with the `limit` parameter to manage pagination of results. On "
+ " your first request, don't provide an 'after' token. On subsequent requests, provide the 'after' token from "
+ "the previous response to continue from that place in the results. To access more than 10k indicators, use the "
+ "'after' parameter instead of 'offset'.",
 "name": "after",
 "in": "query"
 },
diff --git a/src/falconpy/_endpoint/_iocs.py b/src/falconpy/_endpoint/_iocs.py
index dd3b7b11a..c32804ee9 100644
--- a/src/falconpy/_endpoint/_iocs.py
+++ b/src/falconpy/_endpoint/_iocs.py
@@ -186,10 +186,10 @@
 [
 {
 "type": "string",
- "description": "\nThe type of the indicator. Valid types include:\n\nsha256: A hex-encoded sha256 hash string. "
- "Length - min: 64, max: 64.\n\nmd5: A hex-encoded md5 hash string. Length - min 32, max: 32.\n\ndomain: A domain "
- "name. Length - min: 1, max: 200.\n\nipv4: An IPv4 address. Must be a valid IP address.\n\nipv6: An IPv6 address. "
- "Must be a valid IP address.\n",
+ "description": "\nThe type of the indicator. Valid types include:\n\nsha256: A hex-encoded sha256 hash "
+ " string. Length - min: 64, max: 64.\n\nmd5: A hex-encoded md5 hash string. Length - min 32, max: "
+ "32.\n\ndomain: A domain name. Length - min: 1, max: 200.\n\nipv4: An IPv4 address. Must be a valid IP "
+ "address.\n\nipv6: An IPv6 address. Must be a valid IP address.\n",
 "name": "type",
 "in": "query",
 "required": True
@@ -203,15 +203,15 @@
 },
 {
 "type": "string",
- "description": "The first process to return, where 0 is the latest offset. Use with the offset parameter "
- "to manage pagination of results.",
+ "description": "The first process to return, where 0 is the latest offset. Use with the offset "
+ "parameter to manage pagination of results.",
 "name": "limit",
 "in": "query"
 },
 {
 "type": "string",
- "description": "The first process to return, where 0 is the latest offset. Use with the limit parameter "
- "to manage pagination of results.",
+ "description": "The first process to return, where 0 is the latest offset. Use with the limit "
+ "parameter to manage pagination of results.",
 "name": "offset",
 "in": "query"
 }
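Review bot: The rewritten description for the `limit` parameter in the `@@ -203,15 +203,15 @@` hunk still reads `"The first process to return, where 0 is the latest offset. Use with the offset parameter to manage pagination of results."`, which describes an offset rather than a page size; the new line re-flows the copy-paste text instead of correcting it. The same wording is written for `limit` again in the `@@ -327,15 +327,15 @@` hunk of this file. A line such as `"The maximum number of records to return. Use with the offset parameter to manage pagination of results."` would match the neighbouring `offset` entry; if the text is intentionally mirrored verbatim from the upstream API specification, a short comment saying so would save the next reader the same question.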
@@ -302,10 +302,10 @@
 [
 {
 "type": "string",
- "description": "\nThe type of the indicator. Valid types include:\n\nsha256: A hex-encoded sha256 hash string. "
- "Length - min: 64, max: 64.\n\nmd5: A hex-encoded md5 hash string. Length - min 32, max: 32.\n\ndomain: A domain "
- "name. Length - min: 1, max: 200.\n\nipv4: An IPv4 address. Must be a valid IP address.\n\nipv6: An IPv6 address. "
- "Must be a valid IP address.\n",
+ "description": "\nThe type of the indicator. Valid types include:\n\nsha256: A hex-encoded sha256 hash "
+ " string. Length - min: 64, max: 64.\n\nmd5: A hex-encoded md5 hash string. Length - min 32, max: "
+ "32.\n\ndomain: A domain name. Length - min: 1, max: 200.\n\nipv4: An IPv4 address. Must be a valid IP "
+ "address.\n\nipv6: An IPv6 address. Must be a valid IP address.\n",
 "name": "type",
 "in": "query",
 "required": True
@@ -327,15 +327,15 @@
 },
 {
 "type": "string",
- "description": "The first process to return, where 0 is the latest offset. "
- "Use with the offset parameter to manage pagination of results.",
+ "description": "The first process to return, where 0 is the latest offset. Use with the offset "
+ "parameter to manage pagination of results.",
 "name": "limit",
 "in": "query"
 },
 {
 "type": "string",
- "description": "The first process to return, where 0 is the latest offset. "
- "Use with the limit parameter to manage pagination of results.",
+ "description": "The first process to return, where 0 is the latest offset. Use with the limit "
+ "parameter to manage pagination of results.",
 "name": "offset",
 "in": "query"
 }
diff --git a/src/falconpy/_endpoint/_malquery.py b/src/falconpy/_endpoint/_malquery.py
index fd473e687..70139be74 100644
--- a/src/falconpy/_endpoint/_malquery.py
+++ b/src/falconpy/_endpoint/_malquery.py
@@ -49,9 +49,8 @@
 "PostMalQueryFuzzySearchV1",
 "POST",
 "/malquery/combined/fuzzy-search/v1",
- "Search Falcon MalQuery quickly, but with more potential for false positives. "
- "Search for a combination of hex patterns and strings in order to identify samples based upon "
- "file content at byte level granularity.",
+ "Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of "
+ "hex patterns and strings in order to identify samples based upon file content at byte level granularity.",
 "malquery",
 [
 {
@@ -106,8 +105,8 @@
 "GetMalQueryRequestV1",
 "GET",
 "/malquery/entities/requests/v1",
- "Check the status and results of an asynchronous request, such as hunt or exact-search. "
- "Supports a single request id at this time.",
+ "Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single "
+ "request id at this time.",
 "malquery",
 [
 {
@@ -127,8 +126,8 @@
 "GetMalQueryEntitiesSamplesFetchV1",
 "GET",
 "/malquery/entities/samples-fetch/v1",
- "Fetch a zip archive with password 'infected' containing the samples. "
- "Call this once the /entities/samples-multidownload request has finished processing",
+ "Fetch a zip archive with password 'infected' containing the samples. Call this once the "
+ "/entities/samples-multidownload request has finished processing",
 "malquery",
 [
 {
@@ -144,8 +143,8 @@
 "PostMalQueryEntitiesSamplesMultidownloadV1",
 "POST",
 "/malquery/entities/samples-multidownload/v1",
- "Schedule samples for download. Use the result id with the /request endpoint to check if "
- "the download is ready after which you can call the /entities/samples-fetch to get the zip",
+ "Schedule samples for download. Use the result id with the /request endpoint to check if the download is "
+ "ready after which you can call the /entities/samples-fetch to get the zip",
 "malquery",
 [
 {
@@ -160,9 +159,9 @@
 "PostMalQueryExactSearchV1",
 "POST",
 "/malquery/queries/exact-search/v1",
- "Search Falcon MalQuery for a combination of hex patterns and strings in order to identify "
- "samples based upon file content at byte level granularity. You can filter results on criteria "
- "such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint",
+ "Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based "
+ "upon file content at byte level granularity. You can filter results on criteria such as file type, file size "
+ "and first seen date. Returns a request id which can be used with the /request endpoint",
 "malquery",
 [
 {
diff --git a/src/falconpy/_endpoint/_message_center.py b/src/falconpy/_endpoint/_message_center.py
index 679424c6d..8c23a62b0 100644
--- a/src/falconpy/_endpoint/_message_center.py
+++ b/src/falconpy/_endpoint/_message_center.py
@@ -197,19 +197,18 @@
 {
 "enum": [
 "activity.created_time.asc",
- "activity.created_time.desc",
- "activity.type.asc",
- "activity.type.desc"
+ "activity.created_time.desc"
 ],
 "type": "string",
- "description": "The property to sort on, followed by a dot (.), "
- "followed by the sort direction, either \"asc\" or \"desc\".",
+ "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either "
+ "\"asc\" or \"desc\".",
 "name": "sort",
 "in": "query"
 },
 {
 "type": "string",
- "description": "Optional filter and sort criteria in the form of an FQL query.",
+ "description": "Optional filter and sort criteria in the form of an FQL query. Allowed filters are: "
+ "activity.created_time\nactivity.type",
 "name": "filter",
 "in": "query"
 },
@@ -243,26 +242,21 @@
 },
 {
 "enum": [
- "case.created_time.asc",
- "case.created_time.desc",
 "case.id.asc",
- "case.id.desc",
- "case.last_modified_time.asc",
- "case.last_modified_time.desc",
- "case.status.asc",
- "case.status.desc",
- "case.type.asc",
- "case.type.desc"
+ "case.id.desc"
 ],
 "type": "string",
- "description": "The property to sort on, followed by a dot (.), "
- "followed by the sort direction, either \"asc\" or \"desc\".",
+ "description": "The property to sort on, followed by a dot (.), followed by the sort direction, either "
+ "\"asc\" or \"desc\".",
 "name": "sort",
 "in": "query"
 },
 {
 "type": "string",
- "description": "Optional filter and sort criteria in the form of an FQL query.",
+ "description": "Optional filter and sort criteria in the form of an FQL query. Allowed filters are: _a "
+ "ll\nactivity.body\ncase.aids\ncase.assigner.display_name\ncase.assigner.first_name\ncase.assigner.last_name\nc "
+ "ase.assigner.uid\ncase.assigner.uuid\ncase.body\ncase.created_time\ncase.detections.id\ncase.hosts\ncase.id\nc "
+ "ase.incidents.id\ncase.ip_addresses\ncase.key\ncase.last_modified_time\ncase.status\ncase.title\ncase.type",
 "name": "filter",
 "in": "query"
 },
diff --git a/src/falconpy/_endpoint/_mssp.py b/src/falconpy/_endpoint/_mssp.py
index 7e955e82c..3a0b1c03f 100644
--- a/src/falconpy/_endpoint/_mssp.py
+++ b/src/falconpy/_endpoint/_mssp.py
@@ -75,7 +75,7 @@
 "getCIDGroupMembersByV1",
 "GET",
 "/mssp/entities/cid-group-members/v1",
- "Deprecated: Please use getCIDGroupMembersBy. Get CID group members by CID group ID.",
+ "Deprecated : Please use getCIDGroupMembersBy. Get CID group members by CID group ID.",
 "mssp",
 [
 {
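Review bot: In the `@@ -243,26 +242,21 @@` hunk the new `filter` description is split inside identifiers: `"...Allowed filters are: _a " "ll\nactivity.body..."`, `"...last_name\nc " "ase.assigner.uid..."` and `"...case.id\nc " "ase.incidents.id..."`, so the concatenated string lists `_a ll`, `c ase.assigner.uid` and `c ase.incidents.id` where `_all`, `case.assigner.uid` and `case.incidents.id` are meant. This string is what a caller sees as the set of allowed FQL filter names for the endpoint, so the break points should move to the `\n` separators so that each name stays intact. The same hunk also drops most of the `case.*` sort enum values; if that mirrors the current API specification it is fine, but it narrows what the table advertises and is worth a line in the changelog.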
@@ -141,6 +141,21 @@
 }
 ]
 ],
+ [
+ "deleteCIDGroupMembers",
+ "DELETE",
+ "/mssp/entities/cid-group-members/v1",
+ "Deprecated : Please use deleteCIDGroupMembers. Delete CID group members.",
+ "mssp",
+ [
+ {
+ "description": "Both 'cid_group_id' and 'cids' fields are required.",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
 [
 "getCIDGroupMembersByV2",
 "GET",
@@ -161,21 +176,6 @@
 }
 ]
 ],
- [
- "deleteCIDGroupMembers",
- "DELETE",
- "/mssp/entities/cid-group-members/v2",
- "Delete CID group members. Prevents removal of a cid group a cid group if it is only part of one cid group.",
- "mssp",
- [
- {
- "description": "Both 'cid_group_id' and 'cids' fields are required.",
- "name": "body",
- "in": "body",
- "required": True
- }
- ]
- ],
 [
 "deleteCIDGroupMembersV2",
 "DELETE",
@@ -195,7 +195,7 @@
 "getCIDGroupByIdV1",
 "GET",
 "/mssp/entities/cid-groups/v1",
- "Deprecated: Please use getCIDGroupById. Get CID groups by ID.",
+ "Deprecated : Please use getCIDGroupById. Get CID groups by ID.",
 "mssp",
 [
 {
@@ -226,24 +226,6 @@
 }
 ]
 ],
- [
- "updateCIDGroups",
- "PATCH",
- "/mssp/entities/cid-groups/v1",
- "Update existing CID Group(s). CID Group ID is expected for each CID Group definition provided in request body. "
- "Name is a required field but description is an optional field. Empty description will override "
- "existing value. CID Group member(s) remain unaffected.",
- "mssp",
- [
- {
- "description": "'cid_group_id' field is required to identify the CID group to update along "
- "with 'name' and/or 'description' fields to be updated.",
- "name": "body",
- "in": "body",
- "required": True
- }
- ]
- ],
 [
 "deleteCIDGroups",
 "DELETE",
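Review bot: The new `deleteCIDGroupMembers` entry in the `@@ -141,6 +141,21 @@` hunk describes itself as `"Deprecated : Please use deleteCIDGroupMembers. Delete CID group members."`, so the deprecation notice points at the operation's own name; the other deprecated entries in these hunks name their successor, so this presumably should read `"Deprecated : Please use deleteCIDGroupMembersV2. Delete CID group members."`. Together with the `@@ -161,21 +176,6 @@` hunk, which removes the entry of the same name that targeted `/mssp/entities/cid-group-members/v2`, the operation id `deleteCIDGroupMembers` now resolves to the v1 path, so existing callers of that operation silently switch endpoints while `deleteCIDGroupMembersV2` keeps v2; that deserves an explicit changelog entry. The removed v2 description also carried the behavioural note that a CID is not removed when it belongs to only one group, which no longer appears in either hunk; if that still holds for v2, the sentence belongs on the `deleteCIDGroupMembersV2` entry. The enclosing endpoint table starts and ends outside these hunks.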
@@ -264,6 +246,24 @@
 }
 ]
 ],
+ [
+ "updateCIDGroups",
+ "PATCH",
+ "/mssp/entities/cid-groups/v1",
+ "Update existing CID groups. CID group ID is expected for each CID group definition provided in request "
+ "body. Name is a required field but description is an optional field. Empty description will override existing "
+ "value. CID group member(s) remain unaffected.",
+ "mssp",
+ [
+ {
+ "description": "'cid_group_id' field is required to identify the CID group to update along with 'name' "
+ "and/or 'description' fields to be updated.",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
 [
 "getCIDGroupById",
 "GET",
@@ -308,8 +308,8 @@
 "getRolesByID",
 "GET",
 "/mssp/entities/mssp-roles/v1",
- "Get link between user group and CID group by ID. Link ID is a string consisting of multiple "
- "components, but should be treated as opaque. MSSP Role assignment is of the format :.",
+ "Get link between user group and CID group by ID. Link ID is a string consisting of multiple components, "
+ "but should be treated as opaque.",
 "mssp",
 [
 {
@@ -318,8 +318,7 @@
 "type": "string"
 },
 "collectionFormat": "multi",
- "description": "Link ID is a string consisting of multiple components, but should be "
- "treated as opaque. MSSP Role assignment is of the format :",
+ "description": "Link ID is a string consisting of multiple components, but should be treated as opaque.",
 "name": "ids",
 "in": "query",
 "required": True
@@ -330,14 +329,13 @@
 "addRole",
 "POST",
 "/mssp/entities/mssp-roles/v1",
- "Create a link between user group and CID group, with zero or more additional roles. "
- "The call does not replace any existing link between them. User group ID and CID group ID "
- "have to be specified in request. ",
+ "Create a link between user group and CID group, with zero or more additional roles. The call does not "
+ "replace any existing link between them. User group ID and CID group ID have to be specified in request. ",
 "mssp",
 [
 {
- "description": "'user_group_id', 'cid_group_id' and 'role_ids' fields are required. "
- "Remaining are populated by system.",
+ "description": "'user_group_id', 'cid_group_id' and 'role_ids' fields are required. Remaining are "
+ "populated by system.",
 "name": "body",
 "in": "body",
 "required": True
@@ -348,14 +346,14 @@
 "deletedRoles",
 "DELETE",
 "/mssp/entities/mssp-roles/v1",
- "Delete links or additional roles between user groups and CID groups. User group ID and CID "
- "group ID have to be specified in request. Only specified roles are removed if specified in "
- "request payload, else association between User Group and CID group is dissolved completely (if no roles specified).",
+ "Delete links or additional roles between user groups and CID groups. User group ID and CID group ID have "
+ "to be specified in request. Only specified roles are removed if specified in request payload, else association "
+ "between User Group and CID group is dissolved completely (if no roles specified).",
 "mssp",
 [
 {
- "description": "'user_group_id' and 'cid_group_id' fields are required. 'role_ids' "
- "field is optional. Remaining fields are ignored.",
+ "description": "'user_group_id' and 'cid_group_id' fields are required. 'role_ids' field is optional. "
+ "Remaining fields are ignored.",
 "name": "body",
 "in": "body",
 "required": True
@@ -366,7 +364,7 @@
 "getUserGroupMembersByIDV1",
 "GET",
 "/mssp/entities/user-group-members/v1",
- "Deprecated: Please use getUserGroupMembersByID. Get user group members by user group ID.",
+ "Deprecated : Please use getUserGroupMembersByID. Get user group members by user group ID.",
 "mssp",
 [
 {
@@ -456,7 +454,7 @@
 "getUserGroupsByIDV1",
 "GET",
 "/mssp/entities/user-groups/v1",
- "Deprecated: Please use getUserGroupsByID. Get user groups by ID.",
+ "Deprecated : Please use getUserGroupsByID. Get user groups by ID.",
 "mssp",
 [
 {
@@ -476,31 +474,12 @@
 "createUserGroups",
 "POST",
 "/mssp/entities/user-groups/v1",
- "Create new user groups. Name is a required field but description is an optional field. "
- "Maximum 500 user groups allowed per customer.",
+ "Create new user groups. Name is a required field but description is an optional field. Maximum 500 user "
+ "groups allowed per customer.",
 "mssp",
 [
 {
- "description": "Only 'name' and/or 'description' fields are required. "
- "Remaining are assigned by the system.",
- "name": "body",
- "in": "body",
- "required": True
- }
- ]
- ],
- [
- "updateUserGroups",
- "PATCH",
- "/mssp/entities/user-groups/v1",
- "Update existing user group(s). User group ID is expected for each user group definition "
- "provided in request body. Name is a required field but description is an optional field. "
- "Empty description will override existing value. User group member(s) remain unaffected.",
- "mssp",
- [
- {
- "description": "'user_group_id' field is required to identify the user group to "
- "update along with 'name' and/or 'description' fields to be updated.",
+ "description": "Only 'name' and/or 'description' fields are required. Remaining are assigned by the system.",
 "name": "body",
 "in": "body",
 "required": True
@@ -527,6 +506,24 @@
 }
 ]
 ],
+ [
+ "updateUserGroups",
+ "PATCH",
+ "/mssp/entities/user-groups/v1",
+ "Update existing user group(s). User group ID is expected for each user group definition provided in "
+ "request body. Name is a required field but description is an optional field. Empty description will override "
+ "existing value. User group member(s) remain unaffected.",
+ "mssp",
+ [
+ {
+ "description": "'user_group_id' field is required to identify the user group to update along with "
+ "'name' and/or 'description' fields to be updated.",
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
 [
 "getUserGroupsByID",
 "GET",
@@ -694,8 +691,8 @@
 "queryRoles",
 "GET",
 "/mssp/queries/mssp-roles/v1",
- "Query links between user groups and CID groups. At least one of CID group ID or user "
- "group ID should also be provided. Role ID is optional.",
+ "Query links between user groups and CID groups. At least one of CID group ID or user group ID should also "
+ "be provided. Role ID is optional.",
 "mssp",
 [
 {
diff --git a/src/falconpy/_endpoint/_oauth2.py b/src/falconpy/_endpoint/_oauth2.py
index ba90a0e32..ef4a6e60b 100644
--- a/src/falconpy/_endpoint/_oauth2.py
+++ b/src/falconpy/_endpoint/_oauth2.py
@@ -52,9 +52,8 @@
 },
 {
 "type": "string",
- "description": "The OAuth2 access token you want to revoke.\n\nInclude your API "
- "client ID and secret in basic auth format (`Authorization: basic `) in your request header.",
+ "description": "The OAuth2 access token you want to revoke.\n\nInclude your API client ID and secret "
+ "in basic auth format (`Authorization: basic `) in your request header.",
 "name": "token",
 "in": "formData",
 "required": True
@@ -70,18 +69,18 @@
 [
 {
 "type": "string",
- "description": "The API client ID to authenticate your API requests. "
- "For information on generating API clients, see [API documentation inside Falcon]"
- "(https://falcon.crowdstrike.com/support/documentation/1/crowdstrike-api-introduction-for-developers).",
+ "description": "The API client ID to authenticate your API requests. For information on generating API "
+ " clients, see [API documentation inside "
+ "Falcon](https://falcon.crowdstrike.com/support/documentation/1/crowdstrike-api-introduction-for-developers).",
 "name": "client_id",
 "in": "formData",
 "required": True
 },
 {
 "type": "string",
- "description": "The API client secret to authenticate your API requests. "
- "For information on generating API clients, see [API documentation inside Falcon]"
- "(https://falcon.crowdstrike.com/support/documentation/1/crowdstrike-api-introduction-for-developers).",
+ "description": "The API client secret to authenticate your API requests. For information on generating "
+ " API clients, see [API documentation inside "
+ "Falcon](https://falcon.crowdstrike.com/support/documentation/1/crowdstrike-api-introduction-for-developers).",
 "name": "client_secret",
 "in": "formData",
 "required": True
diff --git a/src/falconpy/_endpoint/_ods.py b/src/falconpy/_endpoint/_ods.py
index 890e7689a..03d9c6de9 100644
--- a/src/falconpy/_endpoint/_ods.py
+++ b/src/falconpy/_endpoint/_ods.py
@@ -236,8 +236,8 @@
 [
 {
 "type": "string",
- "description": "A FQL compatible query string. Terms: [id cid scan_id host_id "
- "host_scan_id filepath filename hash pattern_id severity quarantined last_updated]",
+ "description": "A FQL compatible query string. Terms: [id scan_id host_id host_scan_id filepath "
+ "filename hash pattern_id severity quarantined last_updated]",
 "name": "filter",
 "in": "query",
 "allowEmptyValue": True
@@ -279,8 +279,7 @@
 ],
 "type": "string",
 "default": "last_updated|desc",
- "description": "The property to sort on, followed by a |, followed by the sort direction, "
- "either \"asc\" or \"desc\"",
+ "description": "The property to sort on, followed by a |, followed by the sort direction, either \"asc\" or \"desc\"",
 "name": "sort",
 "in": "query",
 "allowEmptyValue": True
@@ -296,10 +295,9 @@
 [
 {
 "type": "string",
- "description": "A FQL compatible query string. Terms: [id cid profile_id host_id scan_id "
- "host_scan_id filecount.scanned filecount.malicious filecount.quarantined "
- "filecount.skipped affected_hosts_count status severity completed_on started_on "
- "last_updated]",
+ "description": "A FQL compatible query string. Terms: [id profile_id host_id scan_id host_scan_id "
+ "filecount.scanned filecount.malicious filecount.quarantined filecount.skipped affected_hosts_count status "
+ "severity completed_on started_on last_updated scan_control_reason]",
 "name": "filter",
 "in": "query",
 "allowEmptyValue": True
@@ -343,12 +341,13 @@
 "completed_on|asc",
 "completed_on|desc",
 "last_updated|asc",
- "last_updated|desc"
+ "last_updated|desc",
+ "scan_control_reason.keyword|asc",
+ "scan_control_reason.keyword|desc"
 ],
 "type": "string",
 "default": "last_updated|desc",
- "description": "The property to sort on, followed by a |, followed by the sort direction, "
- "either \"asc\" or \"desc\"",
+ "description": "The property to sort on, followed by a |, followed by the sort direction, either \"asc\" or \"desc\"",
 "name": "sort",
 "in": "query",
 "allowEmptyValue": True
@@ -364,10 +363,10 @@
 [
 {
 "type": "string",
- "description": "A FQL compatible query string. Terms: [id cid profile_id "
- "description.keyword initiated_from filecount.scanned filecount.malicious "
- "filecount.quarantined filecount.skipped affected_hosts_count status severity "
- "scan_started_on scan_completed_on created_on created_by last_updated]",
+ "description": "A FQL compatible query string. Terms: [id profile_id description.keyword "
+ "initiated_from filecount.scanned filecount.malicious filecount.quarantined filecount.skipped "
+ "affected_hosts_count status severity scan_started_on scan_completed_on created_on created_by last_updated "
+ "targeted_host_count missing_host_count]",
 "name": "filter",
 "in": "query",
 "allowEmptyValue": True
@@ -417,12 +416,15 @@
 "created_by|asc",
 "created_by|desc",
 "last_updated|asc",
- "last_updated|desc"
+ "last_updated|desc",
+ "targeted_host_count|asc",
+ "targeted_host_count|desc",
+ "missing_host_count|asc",
+ "missing_host_count|desc"
 ],
 "type": "string",
 "default": "created_on|desc",
- "description": "The property to sort on, followed by a |, followed by the sort direction, "
- "either \"asc\" or \"desc\"",
+ "description": "The property to sort on, followed by a |, followed by the sort direction, either \"asc\" or \"desc\"",
 "name": "sort",
 "in": "query",
 "allowEmptyValue": True
@@ -438,9 +440,8 @@
 [
 {
 "type": "string",
- "description": "A FQL compatible query string. Terms: [id cid description initiated_from "
- "status schedule.start_timestamp schedule.Interval created_on created_by last_updated "
- "deleted]",
+ "description": "A FQL compatible query string. Terms: [id description initiated_from status "
+ "schedule.start_timestamp schedule.Interval created_on created_by last_updated deleted]",
 "name": "filter",
 "in": "query",
 "allowEmptyValue": True
@@ -480,8 +481,7 @@
 ],
 "type": "string",
 "default": "schedule.start_timestamp|desc",
- "description": "The property to sort on, followed by a |, followed by the sort direction, "
- "either \"asc\" or \"desc\"",
+ "description": "The property to sort on, followed by a |, followed by the sort direction, either \"asc\" or \"desc\"",
 "name": "sort",
 "in": "query",
 "allowEmptyValue": True
diff --git a/src/falconpy/_endpoint/_prevention_policies.py b/src/falconpy/_endpoint/_prevention_policies.py
index 2b8dc3967..b90421819 100644
--- a/src/falconpy/_endpoint/_prevention_policies.py
+++ b/src/falconpy/_endpoint/_prevention_policies.py
@@ -41,8 +41,8 @@
 "queryCombinedPreventionPolicyMembers",
 "GET",
 "/policy/combined/prevention-members/v1",
- "Search for members of a Prevention Policy in your environment by providing an "
- "FQL filter and paging details. Returns a set of host details which match the filter criteria",
+ "Search for members of a Prevention Policy in your environment by providing an FQL filter and paging "
+ "details. Returns a set of host details which match the filter criteria",
 "prevention_policies",
 [
 {
@@ -84,8 +84,8 @@
 "queryCombinedPreventionPolicies",
 "GET",
 "/policy/combined/prevention/v1",
- "Search for Prevention Policies in your environment by providing an FQL filter and paging details. "
- "Returns a set of Prevention Policies which match the filter criteria",
+ "Search for Prevention Policies in your environment by providing an FQL filter and paging details. Returns "
+ "a set of Prevention Policies which match the filter criteria",
 "prevention_policies",
 [
 {
@@ -168,9 +168,9 @@
 "setPreventionPoliciesPrecedence",
 "POST",
 "/policy/entities/prevention-precedence/v1",
- "Sets the precedence of Prevention Policies based on the order of IDs specified in the request. "
- "The first ID specified will have the highest precedence and the last ID specified will have the lowest. "
- "You must specify all non-Default Policies for a platform when updating precedence",
+ "Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first "
+ "ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify "
+ "all non-Default Policies for a platform when updating precedence",
 "prevention_policies",
 [
 {
@@ -252,8 +252,8 @@
 "queryPreventionPolicyMembers",
 "GET",
 "/policy/queries/prevention-members/v1",
- "Search for members of a Prevention Policy in your environment by providing an FQL filter and paging details. "
- "Returns a set of Agent IDs which match the filter criteria",
+ "Search for members of a Prevention Policy in your environment by providing an FQL filter and paging "
+ "details. Returns a set of Agent IDs which match the filter criteria",
 "prevention_policies",
 [
 {
@@ -295,8 +295,8 @@
 "queryPreventionPolicies",
 "GET",
 "/policy/queries/prevention/v1",
- "Search for Prevention Policies in your environment by providing an FQL filter and paging details. "
- "Returns a set of Prevention Policy IDs which match the filter criteria",
+ "Search for Prevention Policies in your environment by providing an FQL filter and paging details. Returns "
+ "a set of Prevention Policy IDs which match the filter criteria",
 "prevention_policies",
 [
 {
diff --git a/src/falconpy/_endpoint/_quarantine.py b/src/falconpy/_endpoint/_quarantine.py
index eddf5ab28..26e91a764 100644
--- a/src/falconpy/_endpoint/_quarantine.py
+++ b/src/falconpy/_endpoint/_quarantine.py
@@ -116,15 +116,15 @@
 },
 {
 "type": "string",
- "description": "Possible order by fields: hostname, username, date_updated, date_created, paths.path, state, "
- "paths.state. Ex: 'date_created|asc'.",
+ "description": "Possible order by fields: hostname, username, date_updated, date_created, paths.path, "
+ "state, paths.state. Ex: 'date_created|asc'.",
 "name": "sort",
 "in": "query"
 },
 {
 "type": "string",
- "description": "FQL query specifying the filter parameters. Special value '*' means to not filter on anything. "
- "Filter term criteria: status, adversary_id, device.device_id, device.country, device.hostname, "
+ "description": "FQL query specifying the filter parameters. Special value '*' means to not filter on "
+ "anything. Filter term criteria: status, adversary_id, device.device_id, device.country, device.hostname, "
 "behaviors.behavior_id, behaviors.ioc_type, behaviors.ioc_value, behaviors.username, behaviors.tree_root_hash. "
 "Filter range criteria:, max_severity, max_confidence, first_behavior, last_behavior.",
 "name": "filter",
@@ -132,8 +132,8 @@
 },
 {
 "type": "string",
- "description": "Match phrase_prefix query criteria; included fields: _all (all filter string fields), sha256, state, "
- "paths.path, paths.state, hostname, username, date_updated, date_created.",
+ "description": "Match phrase_prefix query criteria; included fields: _all (all filter string fields), "
+ "sha256, state, paths.path, paths.state, hostname, username, date_updated, date_created.",
 "name": "q",
 "in": "query"
 }
diff --git a/src/falconpy/_endpoint/_quick_scan.py b/src/falconpy/_endpoint/_quick_scan.py
index 32ad8afb5..401e74834 100644
--- a/src/falconpy/_endpoint/_quick_scan.py
+++ b/src/falconpy/_endpoint/_quick_scan.py
@@ -55,8 +55,8 @@
 "GetScans",
 "GET",
 "/scanner/entities/scans/v1",
- "Check the status of a volume scan. Time required for analysis increases with "
- "the number of samples in a volume but usually it should take less than 1 minute",
+ "Check the status of a volume scan. Time required for analysis increases with the number of samples in a "
+ "volume but usually it should take less than 1 minute",
 "quick_scan",
 [
 {
@@ -76,13 +76,13 @@
 "ScanSamples",
 "POST",
 "/scanner/entities/scans/v1",
- "Submit a volume of files for ml scanning. Time required for analysis increases with the "
- "number of samples in a volume but usually it should take less than 1 minute",
+ "Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples "
+ "in a volume but usually it should take less than 1 minute",
 "quick_scan",
 [
 {
- "description": "Submit a batch of SHA256s for ml scanning. The samples must have been "
- "previously uploaded through `/samples/entities/samples/v3`",
+ "description": "Submit a batch of SHA256s for ml scanning. The samples must have been previously "
+ "uploaded through `/samples/entities/samples/v3`",
 "name": "body",
 "in": "body",
 "required": True
@@ -93,15 +93,15 @@
 "QuerySubmissionsMixin0",
 "GET",
 "/scanner/queries/scans/v1",
- "Find IDs for submitted scans by providing an FQL filter and paging details. "
- "Returns a set of volume IDs that match your criteria.",
+ "Find IDs for submitted scans by providing an FQL filter and paging details. Returns a set of volume IDs "
+ "that match your criteria.",
 "quick_scan",
 [
 {
 "type": "string",
- "description": "Optional filter and sort criteria in the form of an FQL query. "
- "For more information about FQL queries, see [our FQL documentation in Falcon]"
- "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
+ "description": "Optional filter and sort criteria in the form of an FQL query. For more information "
+ "about FQL queries, see [our FQL documentation in "
+ "Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
 "name": "filter",
 "in": "query"
 },
diff --git a/src/falconpy/_endpoint/_real_time_response.py b/src/falconpy/_endpoint/_real_time_response.py
index c6f361177..0a1c2d664 100644
--- a/src/falconpy/_endpoint/_real_time_response.py
+++ b/src/falconpy/_endpoint/_real_time_response.py
@@ -45,15 +45,13 @@
 "real_time_response",
 [
 {
- "description": "Supported aggregations: \n- `term`\n- `date_range`\n\n"
- "Supported aggregation members:\n\n**`date_ranges`** If peforming a date range "
- "query specify the **`from`** and **`to`** date ranges. These can be in common "
- "date formats like `2019-07-18` or `now`\n**`field`** Term you want to aggregate on. "
- "If doing a `date_range` query, this is the date field you want to apply the date ranges "
- "to\n**`filter`** Optional filter criteria in the form of an FQL query. For more "
- "information about FQL queries, see our [FQL documentation in Falcon]"
- "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).\n"
- "**`name`** Name of the aggregation\n**`size`** Size limit to apply to the queries.",
+ "description": "Supported aggregations: \n- `term`\n- `date_range`\n\nSupported aggregation "
+ "members:\n\n**`date_ranges`** If peforming a date range query specify the **`from`** and **`to`** date ranges. "
+ " These can be in common date formats like `2019-07-18` or `now`\n**`field`** Term you want to aggregate on. "
+ "If doing a `date_range` query, this is the date field you want to apply the date ranges to\n**`filter`** "
+ "Optional filter criteria in the form of an FQL query. For more information about FQL queries, see our [FQL "
+ "documentation in Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-"
+ "feature-guide).\n**`name`** Name of the aggregation\n**`size`** Size limit to apply to the queries.",
 "name": "body",
 "in": "body",
 "required": True
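Review bot: The reflowed continuation string `" These can be in common date formats ..."` starts with a space although the segment before it already ends with one, so the concatenated description reads `ranges.  These` with a double space; the same artifact recurs in the `host_timeout_duration` text (`"Default value is " " a bit less"`) at L196, L199, L202, L204 and L212, and in the `base_command`/`device_id` text at L200, L208, L210 and L215. The typo `peforming` is carried over unchanged. If these tables are generated from the API spec, the wrapper that re-breaks long strings should strip the leading space of each continuation segment; otherwise the fix is simply `" These can be"` → `"These can be"` and `peforming` → `performing`.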
@@ -70,42 +68,40 @@ { "type": "integer", "default": 30, - "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. " - "Maximum is 10 minutes.", + "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 " + "seconds. Maximum is 5 minutes.", "name": "timeout", "in": "query" }, { "type": "string", "default": "30s", - "description": "Timeout duration for for how long to wait for the request in duration syntax. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 10 minutes.", + "description": "Timeout duration for how long to wait for the request in duration syntax. Example, " + "`10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 5 minutes.", "name": "timeout_duration", "in": "query" }, { "type": "string", "default": "tiny bit less than overall request timeout", - "description": "Timeout duration for how long a host has time to complete processing. " - "Default value is a bit less than the overall timeout value. It cannot be greater than " - "the overall request timeout. Maximum is < 10 minutes. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. ", + "description": "Timeout duration for how long a host has time to complete processing. Default value is " + " a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is " + "< 5 minutes. Example, `10s`. Valid units: `ns, us, ms, s, m, h`. 
", "name": "host_timeout_duration", "in": "query" }, { - "description": "Use this endpoint to run these [real time response commands]" - "(https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):" - "\n- `cat`\n- `cd`\n- `clear`\n- `cp`\n- `encrypt`\n- `env`\n- `eventlog`\n- `filehash`\n- " - "`get`\n- `getsid`\n- `help`\n- `history`\n- `ipconfig`\n- `kill`\n- `ls`\n- `map`\n- `memdump`\n- " - "`mkdir`\n- `mount`\n- `mv`\n- `netstat`\n- `ps`\n- `reg query`\n- `reg set`\n- `reg delete`\n- " - "`reg load`\n- `reg unload`\n- `restart`\n- `rm`\n- `runscript`\n- `shutdown`\n- `unmap`\n- " - "`update history`\n- `update install`\n- `update list`\n- `update query`\n- `xmemdump`\n- " - "`zip`\n\n**`base_command`** Active-Responder command type we are going to execute, for example: " - "`get` or `cp`. Refer to the RTR documentation for the full list of commands.\n**`batch_id`** " - "Batch ID to execute the command on. Received from `/real-time-response/combined/init-sessions/v1`.\n" - "**`command_string`** Full command string for the command. For example `get some_file.txt`\n" - "**`optional_hosts`** List of a subset of hosts we want to run the command on. " + "description": "Use this endpoint to run these [real time response " + "commands](https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " + "`cat`\n- `cd`\n- `clear`\n- `cp`\n- `encrypt`\n- `env`\n- `eventlog`\n- `filehash`\n- `get`\n- `getsid`\n- " + "`help`\n- `history`\n- `ipconfig`\n- `kill`\n- `ls`\n- `map`\n- `memdump`\n- `mkdir`\n- `mount`\n- `mv`\n- " + "`netstat`\n- `ps`\n- `reg query`\n- `reg set`\n- `reg delete`\n- `reg load`\n- `reg unload`\n- `restart`\n- " + "`rm`\n- `runscript`\n- `shutdown`\n- `unmap`\n- `update history`\n- `update install`\n- `update list`\n- " + "`update query`\n- `xmemdump`\n- `zip`\n\n**`base_command`** Active-Responder command type we are going to " + "execute, for example: `get` or `cp`. 
Refer to the RTR documentation for the full list of " + "commands.\n**`batch_id`** Batch ID to execute the command on. Received from `/real-time-" + "response/combined/batch-init-session/v1`.\n**`command_string`** Full command string for the command. For " + "example `get some_file.txt`\n**`optional_hosts`** List of a subset of hosts we want to run the command on. " "If this list is supplied, only these hosts will receive the command.", "name": "body", "in": "body", 
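Review bot: The documented ceiling for `timeout`, `timeout_duration` and `host_timeout_duration` changes from 10 to 5 minutes, but only inside the description strings; `"default": 30` and the rest of each parameter entry are untouched, so any wrapper-method docstring or sample that repeats the old "Maximum is 10 minutes" wording would presumably now disagree with these tables — not visible from this hunk. The same 10→5 edit repeats at L199, L201, L202, L204, L206, L210 and L212, so a grep for `10 minutes` across the client modules is the cheap consistency check. The enclosing endpoint entry begins before this hunk.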
@@ -123,40 +119,38 @@ { "type": "integer", "default": 30, - "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. " - "Maximum is 10 minutes.", + "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 " + "seconds. Maximum is 5 minutes.", "name": "timeout", "in": "query" }, { "type": "string", "default": "30s", - "description": "Timeout duration for for how long to wait for the request in duration syntax. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 10 minutes.", + "description": "Timeout duration for how long to wait for the request in duration syntax. Example, " + "`10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 5 minutes.", "name": "timeout_duration", "in": "query" }, { "type": "string", "default": "tiny bit less than overall request timeout", - "description": "Timeout duration for how long a host has time to complete processing. " - "Default value is a bit less than the overall timeout value. It cannot be greater than " - "the overall request timeout. Maximum is < 10 minutes. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. ", + "description": "Timeout duration for how long a host has time to complete processing. Default value is " + " a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is " + "< 5 minutes. Example, `10s`. Valid units: `ns, us, ms, s, m, h`. 
", "name": "host_timeout_duration", "in": "query" }, { - "description": "Use this endpoint to run these [real time response commands]" - "(https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " + "description": "Use this endpoint to run these [real time response " + "commands](https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " "`cat`\n- `cd`\n- `clear`\n- `env`\n- `eventlog`\n- `filehash`\n- `getsid`\n- `help`\n- `history`\n- " - "`ipconfig`\n- `ls`\n- `mount`\n- `netstat`\n- `ps`\n- `reg query`\n\n**`base_command`** read-only " - "command type we are going to execute, for example: `ls` or `cd`. Refer to the RTR documentation for " - "the full list of commands.\n**`batch_id`** Batch ID to execute the command on. " - "Received from `/real-time-response/combined/init-sessions/v1`.\n**`command_string`** " - "Full command string for the command. For example `cd C:\\some_directory`\n**`optional_hosts`** " - "List of a subset of hosts we want to run the command on. If this list is supplied, only these " - "hosts will receive the command.", + "`ipconfig`\n- `ls`\n- `mount`\n- `netstat`\n- `ps`\n- `reg query`\n\n**`base_command`** read-only command type " + " we are going to execute, for example: `ls` or `cd`. Refer to the RTR documentation for the full list of " + "commands.\n**`batch_id`** Batch ID to execute the command on. Received from `/real-time-" + "response/combined/batch-init-session/v1`.\n**`command_string`** Full command string for the command. For " + "example `cd C:\\some_directory`\n**`optional_hosts`** List of a subset of hosts we want to run the command " + "on. If this list is supplied, only these hosts will receive the command.", "name": "body", "in": "body", "required": True 
@@ -167,23 +161,23 @@
 "BatchGetCmdStatus",
 "GET",
 "/real-time-response/combined/batch-get-command/v1",
- "Retrieves the status of the specified batch get command. "
- "Will return successful files when they are finished processing.",
+ "Retrieves the status of the specified batch get command. Will return successful files when they are "
+ "finished processing.",
 "real_time_response",
 [
 {
 "type": "integer",
 "default": 30,
- "description": "Timeout for how long to wait for the request in seconds, "
- "default timeout is 30 seconds. Maximum is 10 minutes.",
+ "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 "
+ "seconds. Maximum is 5 minutes.",
 "name": "timeout",
 "in": "query"
 },
 {
 "type": "string",
 "default": "30s",
- "description": "Timeout duration for for how long to wait for the request in duration syntax. "
- "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 10 minutes.",
+ "description": "Timeout duration for how long to wait for the request in duration syntax. Example, "
+ "`10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 5 minutes.",
 "name": "timeout_duration",
 "in": "query"
 },
@@ -200,42 +194,40 @@ "BatchGetCmd", "POST", "/real-time-response/combined/batch-get-command/v1", - "Batch executes `get` command across hosts to retrieve files. After this call is made " - "`GET /real-time-response/combined/batch-get-command/v1` is used to query for the results.", + "Batch executes `get` command across hosts to retrieve files. After this call is made `GET /real-time-" + "response/combined/batch-get-command/v1` is used to query for the results.", "real_time_response", [ { "type": "integer", "default": 30, - "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. " - "Maximum is 10 minutes.", + "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 " + "seconds. Maximum is 5 minutes.", "name": "timeout", "in": "query" }, { "type": "string", "default": "30s", - "description": "Timeout duration for for how long to wait for the request in duration syntax. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 10 minutes.", + "description": "Timeout duration for how long to wait for the request in duration syntax. Example, " + "`10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 5 minutes.", "name": "timeout_duration", "in": "query" }, { "type": "string", "default": "tiny bit less than overall request timeout", - "description": "Timeout duration for how long a host has time to complete processing. " - "Default value is a bit less than the overall timeout value. It cannot be greater than " - "the overall request timeout. Maximum is < 10 minutes. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. ", + "description": "Timeout duration for how long a host has time to complete processing. Default value is " + " a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is " + "< 5 minutes. Example, `10s`. Valid units: `ns, us, ms, s, m, h`. 
", "name": "host_timeout_duration", "in": "query" }, { - "description": "**`batch_id`** Batch ID to execute the command on. " - "Received from `/real-time-response/combined/init-sessions/v1`.\n**`file_path`** " - "Full path to the file that is to be retrieved from each host in the batch.\n**`optional_hosts`** " - "List of a subset of hosts we want to run the command on. " - "If this list is supplied, only these hosts will receive the command.", + "description": "**`batch_id`** Batch ID to execute the command on. Received from `/real-time-" + "response/combined/batch-init-session/v1`.\n**`file_path`** Full path to the file that is to be retrieved from " + "each host in the batch.\n**`optional_hosts`** List of a subset of hosts we want to run the command on. If " + "this list is supplied, only these hosts will receive the command.", "name": "body", "in": "body", "required": True 
@@ -246,39 +238,41 @@ "BatchInitSessions", "POST", "/real-time-response/combined/batch-init-session/v1", - "Batch initialize a RTR session on multiple hosts. " - "Before any RTR commands can be used, an active session is needed on the host.", + "Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session " + "is needed on the host.", "real_time_response", [ { "type": "integer", "default": 30, - "description": "Timeout for how long to wait for the request in seconds, " - "default timeout is 30 seconds. Maximum is 10 minutes.", + "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 " + "seconds. Maximum is 5 minutes.", "name": "timeout", "in": "query" }, { "type": "string", "default": "30s", - "description": "Timeout duration for for how long to wait for the request in duration syntax. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 10 minutes.", + "description": "Timeout duration for how long to wait for the request in duration syntax. Example, " + "`10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 5 minutes.", "name": "timeout_duration", "in": "query" }, { "type": "string", "default": "tiny bit less than overall request timeout", - "description": "Timeout duration for how long a host has time to complete processing. " - "Default value is a bit less than the overall timeout value. It cannot be greater than " - "the overall request timeout. Maximum is < 10 minutes. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. ", + "description": "Timeout duration for how long a host has time to complete processing. Default value is " + " a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is " + "< 5 minutes. Example, `10s`. Valid units: `ns, us, ms, s, m, h`. 
", "name": "host_timeout_duration", "in": "query" }, { - "description": "**`host_ids`** List of host agent ID's to initialize a RTR session on\n**`existing_batch_id`** " - "Optional batch ID. Use an existing batch ID if you want to initialize new hosts and add them to the existing batch", + "description": "**`host_ids`** List of host agent ID's to initialize a RTR session on. A maximum of " + "10000 hosts can be in a single batch session.\n**`existing_batch_id`** Optional batch ID. Use an existing " + "batch ID if you want to initialize new hosts and add them to the existing batch\n**`queue_offline`** If we " + "should queue this session if the host is offline. Any commands run against an offline-queued session will be " + "queued up and executed when the host comes online.", "name": "body", "in": "body", "required": True 
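Review bot: `queue_offline` is documented only inside the free-text `body` description added in this hunk; there is no separate parameter entry, so whichever part of the SDK maps keyword arguments onto the BatchInitSessions body presumably needs to accept the new key as well — confirm in the client module, which is outside this diff. Because an offline-queued session holds its commands and runs them when the host next connects rather than while an operator is watching, the wrapper's docstring should say so beside the key, e.g. `queue_offline -- Queue the session if the host is offline; queued commands execute when the host next connects.` The `10000` host-per-batch limit is likewise stated only in prose here.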
@@ -295,24 +289,23 @@ { "type": "integer", "default": 30, - "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. " - "Maximum is 10 minutes.", + "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 " + "seconds. Maximum is 5 minutes.", "name": "timeout", "in": "query" }, { "type": "string", "default": "30s", - "description": "Timeout duration for for how long to wait for the request in duration syntax. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 10 minutes.", + "description": "Timeout duration for how long to wait for the request in duration syntax. Example, " + "`10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 5 minutes.", "name": "timeout_duration", "in": "query" }, { - "description": "**`batch_id`** Batch ID to execute the command on. " - "Received from `/real-time-response/combined/init-sessions/v1`.\n**`hosts_to_remove`** " - "Hosts to remove from the batch session. Heartbeats will no longer happen on these hosts and " - "the sessions will expire.", + "description": "**`batch_id`** Batch ID to execute the command on. Received from `/real-time-" + "response/combined/batch-init-session/v1`.\n**`hosts_to_remove`** Hosts to remove from the batch session. " + "Heartbeats will no longer happen on these hosts and the sessions will expire.", "name": "body", "in": "body", "required": True 
@@ -351,17 +344,16 @@ "real_time_response", [ { - "description": "Use this endpoint to run these [real time response commands]" - "(https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " - "`cat`\n- `cd`\n- `clear`\n- `cp`\n- `encrypt`\n- `env`\n- `eventlog`\n- `filehash`\n- `get`\n- " - "`getsid`\n- `help`\n- `history`\n- `ipconfig`\n- `kill`\n- `ls`\n- `map`\n- `memdump`\n- `mkdir`\n- " - "`mount`\n- `mv`\n- `netstat`\n- `ps`\n- `reg query`\n- `reg set`\n- `reg delete`\n- `reg load`\n- " - "`reg unload`\n- `restart`\n- `rm`\n- `runscript`\n- `shutdown`\n- `unmap`\n- `update history`\n- " - "`update install`\n- `update list`\n- `update query`\n- `xmemdump`\n- `zip`\n\nRequired values. " - "The rest of the fields are unused.\n**`base_command`** Active-Responder command type we are going " - "to execute, for example: `get` or `cp`. Refer to the RTR documentation for the full list of " - "commands.\n**`command_string`** Full command string for the command. For example `get some_file.txt`\n" - "**`session_id`** RTR session ID to run the command on", + "description": "Use this endpoint to run these [real time response " + "commands](https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " + "`cat`\n- `cd`\n- `clear`\n- `cp`\n- `encrypt`\n- `env`\n- `eventlog`\n- `filehash`\n- `get`\n- `getsid`\n- " + "`help`\n- `history`\n- `ipconfig`\n- `kill`\n- `ls`\n- `map`\n- `memdump`\n- `mkdir`\n- `mount`\n- `mv`\n- " + "`netstat`\n- `ps`\n- `reg query`\n- `reg set`\n- `reg delete`\n- `reg load`\n- `reg unload`\n- `restart`\n- " + "`rm`\n- `runscript`\n- `shutdown`\n- `unmap`\n- `update history`\n- `update install`\n- `update list`\n- " + "`update query`\n- `xmemdump`\n- `zip`\n\nRequired values. The rest of the fields are " + "unused.\n**`base_command`** Active-Responder command type we are going to execute, for example: `get` or `cp`. 
" + " Refer to the RTR documentation for the full list of commands.\n**`command_string`** Full command string for " + "the command. For example `get some_file.txt`\n**`session_id`** RTR session ID to run the command on", "name": "body", "in": "body", "required": True @@ -400,14 +392,13 @@ "real_time_response", [ { - "description": "Use this endpoint to run these [real time response commands]" - "(https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " + "description": "Use this endpoint to run these [real time response " + "commands](https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " "`cat`\n- `cd`\n- `clear`\n- `env`\n- `eventlog`\n- `filehash`\n- `getsid`\n- `help`\n- `history`\n- " - "`ipconfig`\n- `ls`\n- `mount`\n- `netstat`\n- `ps`\n- `reg query`\n\nRequired values. " - "The rest of the fields are unused.\n**`base_command`** read-only command type we are going to execute, " - "for example: `ls` or `cd`. Refer to the RTR documentation for the full list of commands.\n**`command_string`** " - "Full command string for the command. For example `cd C:\\some_directory`\n**`session_id`** " - "RTR session ID to run the command on", + "`ipconfig`\n- `ls`\n- `mount`\n- `netstat`\n- `ps`\n- `reg query`\n\nRequired values. The rest of the fields " + "are unused.\n**`base_command`** read-only command type we are going to execute, for example: `ls` or `cd`. " + "Refer to the RTR documentation for the full list of commands.\n**`command_string`** Full command string for " + "the command. For example `cd C:\\some_directory`\n**`session_id`** RTR session ID to run the command on", "name": "body", "in": "body", "required": True 
@@ -529,8 +520,8 @@
 "real_time_response",
 [
 {
- "description": "**`ids`** List of RTR sessions to retrieve. "
- "RTR will only return the sessions that were created by the calling user",
+ "description": "**`ids`** List of RTR sessions to retrieve. RTR will only return the sessions that "
+ "were created by the calling user",
 "name": "body",
 "in": "body",
 "required": True
@@ -568,8 +559,8 @@
 "real_time_response",
 [
 {
- "description": "**`device_id`** The host agent ID to refresh the RTR session on. "
- "RTR will retrieve an existing session for the calling user on this host",
+ "description": "**`device_id`** The host agent ID to refresh the RTR session on. RTR will retrieve an "
+ "existing session for the calling user on this host",
 "name": "body",
 "in": "body",
 "required": True
@@ -584,8 +575,8 @@
 "real_time_response",
 [
 {
- "description": "**`ids`** List of RTR sessions to retrieve. "
- "RTR will only return the sessions that were created by the calling user",
+ "description": "**`ids`** List of RTR sessions to retrieve. RTR will only return the sessions that "
+ "were created by the calling user",
 "name": "body",
 "in": "body",
 "required": True
@@ -602,25 +593,24 @@ { "type": "integer", "default": 30, - "description": "Timeout for how long to wait for the request in seconds, default timeout " - "is 30 seconds. Maximum is 10 minutes.", + "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 " + "seconds. Maximum is 5 minutes.", "name": "timeout", "in": "query" }, { "type": "string", "default": "30s", - "description": "Timeout duration for how long to wait for the request in duration syntax. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 10 minutes.", + "description": "Timeout duration for how long to wait for the request in duration syntax. Example, " + "`10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 5 minutes.", "name": "timeout_duration", "in": "query" }, { - "description": "**`device_id`** The host agent ID to initialize the RTR session on. " - "RTR will retrieve an existing session for the calling user on this host\n" - "**`queue_offline`** If we should queue this session if the host is offline. " - "Any commands run against an offline-queued session will be queued up and executed " - "when the host comes online.", + "description": "**`device_id`** The host agent ID to initialize the RTR session on. RTR will retrieve " + " an existing session for the calling user on this host\n**`queue_offline`** If we should queue this session if " + " the host is offline. Any commands run against an offline-queued session will be queued up and executed when " + "the host comes online.", "name": "body", "in": "body", "required": True 
@@ -670,10 +660,10 @@
 },
 {
 "type": "string",
- "description": "Optional filter criteria in the form of an FQL query. "
- "For more information about FQL queries, see our [FQL documentation in Falcon]"
- "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide). "
- "“user_id” can accept a special value ‘@me’ which will restrict results to records with current user’s ID.",
+ "description": "Optional filter criteria in the form of an FQL query. For more information about FQL "
+ "queries, see our [FQL documentation in Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-"
+ "query-language-feature-guide). “user_id” can accept a special value ‘@me’ which will restrict results to "
+ "records with current user’s ID.",
 "name": "filter",
 "in": "query"
 }
diff --git a/src/falconpy/_endpoint/_real_time_response_admin.py b/src/falconpy/_endpoint/_real_time_response_admin.py
index bbb873ec2..34ec908f2 100644
--- a/src/falconpy/_endpoint/_real_time_response_admin.py
+++ b/src/falconpy/_endpoint/_real_time_response_admin.py
@@ -47,42 +47,41 @@ { "type": "integer", "default": 30, - "description": "Timeout for how long to wait for the request in seconds, " - "default timeout is 30 seconds. Maximum is 10 minutes.", + "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 " + "seconds. Maximum is 5 minutes.", "name": "timeout", "in": "query" }, { "type": "string", "default": "30s", - "description": "Timeout duration for for how long to wait for the request in duration syntax. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 10 minutes.", + "description": "Timeout duration for how long to wait for the request in duration syntax. Example, " + "`10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 5 minutes.", "name": "timeout_duration", "in": "query" }, { "type": "string", "default": "tiny bit less than overall request timeout", - "description": "Timeout duration for how long a host has time to complete processing. " - "Default value is a bit less than the overall timeout value. " - "It cannot be greater than the overall request timeout. Maximum is < 10 minutes. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. ", + "description": "Timeout duration for how long a host has time to complete processing. Default value is " + " a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is " + "< 5 minutes. Example, `10s`. Valid units: `ns, us, ms, s, m, h`. 
", "name": "host_timeout_duration", "in": "query" }, { - "description": "Use this endpoint to run these [real time response commands]" - "(https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " - "`cat`\n- `cd`\n- `clear`\n- `cp`\n- `encrypt`\n- `env`\n- `eventlog`\n- `filehash`\n- `get`\n- " - "`getsid`\n- `help`\n- `history`\n- `ipconfig`\n- `kill`\n- `ls`\n- `map`\n- `memdump`\n- `mkdir`\n- " - "`mount`\n- `mv`\n- `netstat`\n- `ps`\n- `put`\n- `reg query`\n- `reg set`\n- `reg delete`\n- " - "`reg load`\n- `reg unload`\n- `restart`\n- `rm`\n- `run`\n- `runscript`\n- `shutdown`\n- `unmap`\n- " - "`update history`\n- `update install`\n- `update list`\n- `update query`\n- `xmemdump`\n- `zip`\n\n" - "**`base_command`** Active-Responder command type we are going to execute, for example: `get` or `cp`. " - "Refer to the RTR documentation for the full list of commands.\n**`batch_id`** Batch ID to execute the command on. " - "Received from `/real-time-response/combined/init-sessions/v1`.\n**`command_string`** Full command string " - "for the command. For example `get some_file.txt`\n**`optional_hosts`** List of a subset of hosts we want " - "to run the command on. 
If this list is supplied, only these hosts will receive the command.", + "description": "Use this endpoint to run these [real time response " + "commands](https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " + "`cat`\n- `cd`\n- `clear`\n- `cp`\n- `encrypt`\n- `env`\n- `eventlog`\n- `filehash`\n- `get`\n- `getsid`\n- " + "`help`\n- `history`\n- `ipconfig`\n- `kill`\n- `ls`\n- `map`\n- `memdump`\n- `mkdir`\n- `mount`\n- `mv`\n- " + "`netstat`\n- `ps`\n- `put`\n- `reg query`\n- `reg set`\n- `reg delete`\n- `reg load`\n- `reg unload`\n- " + "`restart`\n- `rm`\n- `run`\n- `runscript`\n- `shutdown`\n- `unmap`\n- `update history`\n- `update install`\n- " + "`update list`\n- `update query`\n- `xmemdump`\n- `zip`\n\n**`base_command`** Active-Responder command type we " + "are going to execute, for example: `get` or `cp`. Refer to the RTR documentation for the full list of " + "commands.\n**`batch_id`** Batch ID to execute the command on. Received from `/real-time-" + "response/combined/batch-init-session/v1`.\n**`command_string`** Full command string for the command. For " + "example `get some_file.txt`\n**`optional_hosts`** List of a subset of hosts we want to run the command on. " + "If this list is supplied, only these hosts will receive the command.", "name": "body", "in": "body", "required": True 
@@ -121,17 +120,16 @@ "real_time_response_admin", [ { - "description": "Use this endpoint to run these [real time response commands]" - "(https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " + "description": "Use this endpoint to run these [real time response " + "commands](https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " "`cat`\n- `cd`\n- `clear`\n- `cp`\n- `encrypt`\n- `env`\n- `eventlog`\n- `filehash`\n- `get`\n- `getsid`\n- " "`help`\n- `history`\n- `ipconfig`\n- `kill`\n- `ls`\n- `map`\n- `memdump`\n- `mkdir`\n- `mount`\n- `mv`\n- " "`netstat`\n- `ps`\n- `put`\n- `reg query`\n- `reg set`\n- `reg delete`\n- `reg load`\n- `reg unload`\n- " "`restart`\n- `rm`\n- `run`\n- `runscript`\n- `shutdown`\n- `unmap`\n- `update history`\n- `update install`\n- " - "`update list`\n- `update query`\n- `xmemdump`\n- `zip`\n\nRequired values. " - "The rest of the fields are unused.\n**`base_command`** Active-Responder command type we are going to execute, " - "for example: `get` or `cp`. Refer to the RTR documentation for the full list of commands.\n**`command_string`** " - "Full command string for the command. For example `get some_file.txt`\n**`session_id`** RTR session ID to " - "run the command on", + "`update list`\n- `update query`\n- `xmemdump`\n- `zip`\n\nRequired values. The rest of the fields are " + "unused.\n**`base_command`** Active-Responder command type we are going to execute, for example: `get` or `cp`. " + " Refer to the RTR documentation for the full list of commands.\n**`command_string`** Full command string for " + "the command. For example `get some_file.txt`\n**`session_id`** RTR session ID to run the command on", "name": "body", "in": "body", "required": True @@ -180,6 +178,7 @@ "required": True }, { + "maxLength": 32766, "type": "string", "description": "File name (if different than actual file name)", "name": "name", 
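Review bot: `"maxLength": 32766` is added to the `name` form-data entry in the second hunk here and again in the `@@ -271` and `@@ -342` hunks at L216, but nothing in these hunks shows the endpoint tables feeding client-side validation, so the limit is presumably informational and an over-long `name` is still rejected only by the server — worth confirming against the request builder. If the SDK does validate from these tables, a unit test submitting `name` at 32766 and 32767 characters would pin the boundary; if it does not, a short comment beside the key such as `# informational only; length is enforced by the API` would stop readers expecting local enforcement.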
@@ -271,6 +270,7 @@
 "required": True
 },
 {
+ "maxLength": 32766,
 "type": "string",
 "description": "File name (if different than actual file name)",
 "name": "name",
@@ -287,8 +287,8 @@
 "type": "string",
 "default": "none",
 "description": "Permission for the custom-script. Valid permission values: \n - `private`, usable by "
- "only the user who uploaded it \n - `group`, usable by all RTR Admins \n - `public`, usable by all "
- "active-responders and RTR admins",
+ "only the user who uploaded it \n - `group`, usable by all RTR Admins \n - `public`, usable by all active-"
+ "responders and RTR admins",
 "name": "permission_type",
 "in": "formData",
 "required": True
@@ -305,11 +305,8 @@
 "type": "string"
 },
 "collectionFormat": "multi",
- "x-cs-exposures": [
- "public"
- ],
- "description": "Platforms for the file. Currently supports: windows, mac, linux, . "
- "If no platform is provided, it will default to 'windows'",
+ "description": "Platforms for the file. Currently supports: windows, mac, linux, . If no platform is "
+ "provided, it will default to 'windows'",
 "name": "platform",
 "in": "formData"
 }
@@ -342,6 +339,7 @@
 "in": "formData"
 },
 {
+ "maxLength": 32766,
 "type": "string",
 "description": "File name (if different than actual file name)",
 "name": "name",
@@ -358,8 +356,8 @@
 "type": "string",
 "default": "none",
 "description": "Permission for the custom-script. Valid permission values: \n - `private`, usable by "
- "only the user who uploaded it \n - `group`, usable by all RTR Admins \n - `public`, usable by all "
- "active-responders and RTR admins",
+ "only the user who uploaded it \n - `group`, usable by all RTR Admins \n - `public`, usable by all active-"
+ "responders and RTR admins",
 "name": "permission_type",
 "in": "formData"
 },
@@ -375,10 +373,7 @@
 "type": "string"
 },
 "collectionFormat": "multi",
- "x-cs-exposures": [
- "public"
- ],
- "description": "Platforms for the file. Currently supports: windows, mac, ",
+ "description": "Platforms for the file. Currently supports: windows, mac, linux, ",
 "name": "platform",
 "in": "formData"
 }
@@ -430,8 +425,8 @@
 {
 "type": "string",
 "description": "Optional filter criteria in the form of an FQL query. For more information about FQL "
- "queries, see our [FQL documentation in Falcon]"
- "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
+ "queries, see our [FQL documentation in Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-"
+ "query-language-feature-guide).",
 "name": "filter",
 "in": "query"
 },
@@ -464,9 +459,9 @@
 [
 {
 "type": "string",
- "description": "Optional filter criteria in the form of an FQL query. For more information about "
- "FQL queries, see our [FQL documentation in Falcon]"
- "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
+ "description": "Optional filter criteria in the form of an FQL query. For more information about FQL "
+ "queries, see our [FQL documentation in Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-"
+ "query-language-feature-guide).",
 "name": "filter",
 "in": "query"
 },
diff --git a/src/falconpy/_endpoint/_real_time_response_audit.py b/src/falconpy/_endpoint/_real_time_response_audit.py
index 5f073d6e0..d50c06675 100644
--- a/src/falconpy/_endpoint/_real_time_response_audit.py
+++ b/src/falconpy/_endpoint/_real_time_response_audit.py
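Review bot: The new `platform` description in the `@@ -375,10 +373,7 @@` hunk still ends with a dangling comma, "Currently supports: windows, mac, linux, ", and its sibling in `@@ -305,11 +305,8 @@` reads "windows, mac, linux, . If no platform is provided", which looks like an empty entry in the upstream spec's platform list rather than intended wording. If these tables are regenerated from the spec, the fix belongs upstream or in post-processing; otherwise `"description": "Platforms for the file. Currently supports: windows, mac, linux",` reads cleanly. Both hunks also drop the `x-cs-exposures` key from the parameter; if anything downstream reads that key this is a silent behaviour change that deserves a line in the commit message.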
@@ -46,9 +46,9 @@
 [
 {
 "type": "string",
- "description": "Optional filter criteria in the form of an FQL query. "
- "For more information about FQL queries, see our [FQL documentation in Falcon]"
- "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).",
+ "description": "Optional filter criteria in the form of an FQL query. For more information about FQL "
+ "queries, see our [FQL documentation in Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-"
+ "query-language-feature-guide).",
 "name": "filter",
 "in": "query"
 },
@@ -59,8 +59,8 @@
 "deleted_at"
 ],
 "type": "string",
- "description": "how to sort the session IDs. e.g. sort=created_at|desc "
- "will sort the results based on createdAt in descending order",
+ "description": "how to sort the session IDs. e.g. sort=created_at|desc will sort the results based on "
+ "createdAt in descending order",
 "name": "sort",
 "in": "query"
 },
@@ -81,8 +81,8 @@
 {
 "type": "boolean",
 "default": False,
- "description": "get sessions with command info included; by default sessions "
- "are returned without command info which include cloud_request_ids and logs fields",
+ "description": "get sessions with command info included; by default sessions are returned without "
+ "command info which include cloud_request_ids and logs fields",
 "name": "with_command_info",
 "in": "query"
 }
diff --git a/src/falconpy/_endpoint/_recon.py b/src/falconpy/_endpoint/_recon.py
index 5584f74ac..8aaa70f2a 100644
--- a/src/falconpy/_endpoint/_recon.py
+++ b/src/falconpy/_endpoint/_recon.py
@@ -41,9 +41,9 @@
 "AggregateNotificationsExposedDataRecordsV1",
 "POST",
 "/recon/aggregates/notifications-exposed-data-records/GET/v1",
- "Get notification exposed data record aggregates as specified via JSON in request body. "
- "The valid aggregation fields are: [notification_id created_date rule.id rule.name "
- "rule.topic source_category site author]",
+ "Get notification exposed data record aggregates as specified via JSON in request body. The valid "
+ "aggregation fields are: [cid notification_id created_date rule.id rule.name rule.topic source_category site "
+ "author file.name credential_status bot.operating_system.hardware_id bot.bot_id]",
 "recon",
 [
 {
@@ -165,9 +165,9 @@
 "GetExportJobsV1",
 "GET",
 "/recon/entities/exports/v1",
- "Get the status of export jobs based on their IDs. Export jobs can be launched by calling "
- "POST /entities/exports/v1. When a job is complete, use the job ID to download the file(s) "
- "associated with it using GET entities/export-files/v1.",
+ "Get the status of export jobs based on their IDs. Export jobs can be launched by calling POST "
+ "/entities/exports/v1. When a job is complete, use the job ID to download the file(s) associated with it using "
+ "GET entities/export-files/v1.",
 "recon",
 [
 {
@@ -221,9 +221,9 @@
 "GetNotificationsDetailedTranslatedV1",
 "GET",
 "/recon/entities/notifications-detailed-translated/v1",
- "Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match. "
- "This endpoint will return translated notification content. The only target language available is English. "
- "A single notification can be translated per request",
+ "Get detailed notifications based on their IDs. These include the raw intelligence content that generated "
+ "the match.This endpoint will return translated notification content. The only target language available is "
+ "English. A single notification can be translated per request",
 "recon",
 [
 {
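Review bot: In the `@@ -221,9 +221,9 @@` hunk the re-wrapped description loses the space after a sentence end: the first fragment ends with "generated " and the continuation begins with "the match.This endpoint", so the joined text reads "the match.This endpoint" where the old side had "the match. This endpoint". Changing the continuation to `"the match. This endpoint will return translated notification content. The only target language available is "` restores it; the line grows by one character, so re-wrap if that exceeds the project's line limit.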
@@ -263,9 +263,9 @@
 "GetNotificationsExposedDataRecordsV1",
 "GET",
 "/recon/entities/notifications-exposed-data-records/v1",
- "Get notifications exposed data records based on their IDs. IDs can be retrieved using the "
- "GET /queries/notifications-exposed-data-records/v1 endpoint. The associate notification can "
- "be fetched using the /entities/notifications/v* endpoints",
+ "Get notifications exposed data records based on their IDs. IDs can be retrieved using the GET "
+ "/queries/notifications-exposed-data-records/v1 endpoint. The associate notification can be fetched using the "
+ "/entities/notifications/v* endpoints",
 "recon",
 [
 {
@@ -285,8 +285,9 @@
 "GetNotificationsTranslatedV1",
 "GET",
 "/recon/entities/notifications-translated/v1",
- "Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. "
- "This endpoint will return translated notification content. The only target language available is English.",
+ "Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 "
+ "endpoint. This endpoint will return translated notification content. The only target language available is "
+ "English.",
 "recon",
 [
 {
@@ -360,7 +361,7 @@
 "GetRulesV1",
 "GET",
 "/recon/entities/rules/v1",
- "Get monitoring rules rules by provided IDs.",
+ "Get monitoring rules based on their IDs. IDs can be retrieved using the GET /queries/rules/v1 endpoint.",
 "recon",
 [
 {
@@ -434,8 +435,8 @@
 "QueryActionsV1",
 "GET",
 "/recon/queries/actions/v1",
- "Query actions based on provided criteria. Use the IDs from this response "
- "to get the action entities on GET /entities/actions/v1.",
+ "Query actions based on provided criteria. Use the IDs from this response to get the action entities on "
+ "GET /entities/actions/v1.",
 "recon",
 [
 {
@@ -460,8 +461,9 @@
 },
 {
 "type": "string",
- "description": "FQL query to filter actions by. Possible filter properties are: "
- "[id cid user_uuid rule_id type frequency recipients status created_timestamp updated_timestamp]",
+ "description": "FQL query to filter actions by. Possible filter properties are: [id cid user_uuid "
+ "rule_id type frequency content_format trigger_matchless recipients status created_timestamp "
+ "updated_timestamp]",
 "name": "filter",
 "in": "query"
 },
@@ -477,8 +479,8 @@
 "QueryNotificationsExposedDataRecordsV1",
 "GET",
 "/recon/queries/notifications-exposed-data-records/v1",
- "Query notifications exposed data records based on provided criteria. "
- "Use the IDs from this response to get the notification +entities on GET /entities/notifications-exposed-data-records/v1",
+ "Query notifications exposed data records based on provided criteria. Use the IDs from this response to "
+ "get the notification +entities on GET /entities/notifications-exposed-data-records/v1",
 "recon",
 [
 {
@@ -503,16 +505,15 @@
 },
 {
 "type": "string",
- "description": "FQL query to filter notifications by. "
- "Possible filter properties are: [id cid user_uuid created_date exposure_date rule.id "
- "rule.name rule.topic notification_id source_category site site_id author author_id "
- "user_id user_name impacted_url impacted_domain impacted_ip email email_domain hash_type "
- "display_name full_name user_ip phone_number company job_position file.name "
- "file.complete_data_set file.download_urls location.postal_code location.city "
- "location.state location.federal_district location.federal_admin_region location.country_code "
- "social.twitter_id social.facebook_id social.vk_id social.vk_token social.aim_id social.icq_id "
- "social.msn_id social.instagram_id social.skype_id financial.credit_card financial.bank_account "
- "financial.crypto_currency_addresses login_id _all]",
+ "description": "FQL query to filter notifications by. Possible filter properties are: [id cid "
+ "user_uuid created_date exposure_date rule.id rule.name rule.topic notification_id source_category site site_id "
+ " author author_id user_id user_name credentials_url credentials_domain credentials_ip email domain hash_type "
+ "display_name full_name user_ip phone_number company job_position file.name file.complete_data_set "
+ "file.download_urls location.postal_code location.city location.state location.federal_district "
+ "location.federal_admin_region location.country_code social.twitter_id social.facebook_id social.vk_id "
+ "social.vk_token social.aim_id social.icq_id social.msn_id social.instagram_id social.skype_id "
+ "financial.credit_card financial.bank_account financial.crypto_currency_addresses login_id credential_status "
+ "_all bot.operating_system.hardware_id bot.bot_id]",
 "name": "filter",
 "in": "query"
 },
@@ -529,8 +530,8 @@
 "GET",
 "/recon/queries/notifications/v1",
 "Query notifications based on provided criteria. Use the IDs from this response to get the notification "
- "+entities on GET /entities/notifications/v1, GET /entities/notifications-detailed/v1, "
- "+GET /entities/notifications-translated/v1 or GET /entities/notifications-detailed-translated/v1.",
+ "+entities on GET /entities/notifications/v1, GET /entities/notifications-detailed/v1, +GET "
+ "/entities/notifications-translated/v1 or GET /entities/notifications-detailed-translated/v1.",
 "recon",
 [
 {
@@ -555,16 +556,16 @@
 },
 {
 "type": "string",
- "description": "FQL query to filter notifications by. "
- "Possible filter properties are: `typosquatting.parent_domain.unicode_format`, `typosquatting.id`, "
- "`typosquatting.base_domain.whois.name_servers`, `rule_id`, `item_site`, `typosquatting.base_domain.is_registered`, "
- "`assigned_to_uuid`, `rule_priority`, `typosquatting.base_domain.punycode_format`, `typosquatting.base_domain.id`, "
- "`rule_name`, `typosquatting.unicode_format`, `rule_topic`, `item_type`, "
- "`typosquatting.base_domain.whois.registrant.email`, `cid`, `status`, "
- "`typosquatting.base_domain.whois.registrar.name`, `typosquatting.base_domain.whois.registrar.status`, "
- "`typosquatting.base_domain.whois.registrant.org`, `typosquatting.parent_domain.id`, "
- "`typosquatting.base_domain.unicode_format`, `updated_date`, `typosquatting.base_domain.whois.registrant.name`, "
- "`created_date`, `typosquatting.punycode_format`, `typosquatting.parent_domain.punycode_format`, `id`, `user_uuid`",
+ "description": "FQL query to filter notifications by. 
Possible filter properties are: [id cid "
+ "user_uuid status rule_id rule_name rule_topic rule_priority item_type item_site typosquatting.id "
+ "typosquatting.unicode_format typosquatting.punycode_format typosquatting.parent_domain.id "
+ "typosquatting.parent_domain.unicode_format typosquatting.parent_domain.punycode_format "
+ "typosquatting.base_domain.id typosquatting.base_domain.unicode_format "
+ "typosquatting.base_domain.punycode_format typosquatting.base_domain.is_registered "
+ "typosquatting.base_domain.whois.registrar.name typosquatting.base_domain.whois.registrar.status "
+ "typosquatting.base_domain.whois.registrant.email typosquatting.base_domain.whois.registrant.name "
+ "typosquatting.base_domain.whois.registrant.org typosquatting.base_domain.whois.name_servers created_date "
+ "updated_date assigned_to_uuid breach_summary.credential_statuses breach_summary.is_retroactively_deduped]",
 "name": "filter",
 "in": "query"
 },
@@ -580,13 +581,13 @@
 "QueryRulesV1",
 "GET",
 "/recon/queries/rules/v1",
- "Query monitoring rules based on provided criteria. "
- "Use the IDs from this response to fetch the rules on /entities/rules/v1.",
+ "Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on "
+ "/entities/rules/v1.",
 "recon",
 [
 {
 "type": "integer",
- "description": "Starting index of overall result set from which to return ids.",
+ "description": "Starting index of overall result set from which to return IDs.",
 "name": "offset",
 "in": "query"
 },
@@ -600,15 +601,16 @@
 },
 {
 "type": "string",
- "description": "Possible order by fields: created_timestamp, "
- "last_updated_timestamp. Ex: 'last_updated_timestamp|desc'.",
+ "description": "Possible order by fields: created_timestamp, last_updated_timestamp. Ex: "
+ "`last_updated_timestamp|desc`.",
 "name": "sort",
 "in": "query"
 },
 {
 "type": "string",
- "description": "FQL query to filter rules by. Possible filter properties are: "
- "[id cid user_uuid topic priority permissions filter status created_timestamp last_updated_timestamp]",
+ "description": "FQL query to filter rules by. Possible filter properties are: [id cid user_uuid topic "
+ "priority permissions status filter breach_monitoring_enabled substring_matching_enabled created_timestamp "
+ "last_updated_timestamp].",
 "name": "filter",
 "in": "query"
 },
diff --git a/src/falconpy/_endpoint/_report_executions.py b/src/falconpy/_endpoint/_report_executions.py
index 9c262bab5..d350d15e5 100644
--- a/src/falconpy/_endpoint/_report_executions.py
+++ b/src/falconpy/_endpoint/_report_executions.py
@@ -102,9 +102,9 @@
 },
 {
 "type": "string",
- "description": "FQL query specifying the filter parameters. Filter term criteria: type, scheduled_report_id, status."
- "Filter range criteria: created_on, last_updated_on, expiration_on; use any common date format,"
- "such as '2010-05-15T14:55:21.892315096Z'.",
+ "description": "FQL query specifying the filter parameters. Filter term criteria: type, "
+ "scheduled_report_id, status. Filter range criteria: created_on, last_updated_on, expiration_on; use any common "
+ "date format, such as '2010-05-15T14:55:21.892315096Z'.",
 "name": "filter",
 "in": "query"
 },
diff --git a/src/falconpy/_endpoint/_response_policies.py b/src/falconpy/_endpoint/_response_policies.py
index 86b028f9b..fa3be9d28 100644
--- a/src/falconpy/_endpoint/_response_policies.py
+++ b/src/falconpy/_endpoint/_response_policies.py
@@ -41,8 +41,8 @@
 "queryCombinedRTResponsePolicyMembers",
 "GET",
 "/policy/combined/response-members/v1",
- "Search for members of a Response policy in your environment by providing an FQL filter and paging details."
- "Returns a set of host details which match the filter criteria",
+ "Search for members of a Response policy in your environment by providing an FQL filter and paging "
+ "details. Returns a set of host details which match the filter criteria",
 "response_policies",
 [
 {
@@ -84,8 +84,8 @@
 "queryCombinedRTResponsePolicies",
 "GET",
 "/policy/combined/response/v1",
- "Search for Response Policies in your environment by providing an FQL filter and paging details."
- "Returns a set of Response Policies which match the filter criteria",
+ "Search for Response Policies in your environment by providing an FQL filter and paging details. Returns a "
+ "set of Response Policies which match the filter criteria",
 "response_policies",
 [
 {
@@ -168,9 +168,9 @@
 "setRTResponsePoliciesPrecedence",
 "POST",
 "/policy/entities/response-precedence/v1",
- "Sets the precedence of Response Policies based on the order of IDs specified in the request."
- "The first ID specified will have the highest precedence and the last ID specified will have the lowest."
- "You must specify all non-Default Policies for a platform when updating precedence",
+ "Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID "
+ " specified will have the highest precedence and the last ID specified will have the lowest. You must specify "
+ "all non-Default Policies for a platform when updating precedence",
 "response_policies",
 [
 {
@@ -252,8 +252,8 @@
 "queryRTResponsePolicyMembers",
 "GET",
 "/policy/queries/response-members/v1",
- "Search for members of a Response policy in your environment by providing an FQL filter and paging details."
- "Returns a set of Agent IDs which match the filter criteria",
+ "Search for members of a Response policy in your environment by providing an FQL filter and paging "
+ "details. Returns a set of Agent IDs which match the filter criteria",
 "response_policies",
 [
 {
@@ -295,8 +295,8 @@
 "queryRTResponsePolicies",
 "GET",
 "/policy/queries/response/v1",
- "Search for Response Policies in your environment by providing an FQL filter with sort and/or paging details."
- "This returns a set of Response Policy IDs that match the given criteria.",
+ "Search for Response Policies in your environment by providing an FQL filter with sort and/or paging "
+ "details. This returns a set of Response Policy IDs that match the given criteria.",
 "response_policies",
 [
 {
diff --git a/src/falconpy/_endpoint/_sample_uploads.py b/src/falconpy/_endpoint/_sample_uploads.py
index 74ef4408a..be0c3abe0 100644
--- a/src/falconpy/_endpoint/_sample_uploads.py
+++ b/src/falconpy/_endpoint/_sample_uploads.py
@@ -70,8 +70,8 @@
 "ArchiveGetV1",
 "GET",
 "/archives/entities/archives/v1",
- "Retrieves the archives upload operation statuses. Status `done` means that archive was processed successfully. "
- "Status `error` means that archive was not processed successfully.",
+ "Retrieves the archives upload operation statuses. Status `done` means that archive was processed "
+ "successfully. Status `error` means that archive was not processed successfully.",
 "sample_uploads",
 [
 {
@@ -94,15 +94,16 @@
 "ArchiveUploadV1",
 "POST",
 "/archives/entities/archives/v1",
- "Uploads an archive and extracts files list from it. Operation is asynchronous use the ListArchivesV1 "
- "operation to check the status. After uploading, use the ExtractionCreateV1 operation to copy the file "
- "to internal storage making it available for content analysis. "
- "This method is deprecated in favor of ArchiveUploadV2.",
+ "Uploads an archive and extracts files list from it. Operation is asynchronous use "
+ "`/archives/entities/archives/v1` to check the status. After uploading, use `/archives/entities/extractions/v1` "
+ " to copy the file to internal storage making it available for content analysis.\nThis method is deprecated in "
+ "favor of `/archives/entities/archives/v2`",
 "sample_uploads",
 [
 {
- "description": "Content of the uploaded archive in binary format. "
- "Max file size: 100 MB.\n\nAccepted file formats:\n\n- Portable executables: `.zip`, `.7z`.",
+ "description": "Content of the uploaded archive in binary format. For example, use `--data-binary "
+ "@$FILE_PATH` when using cURL. Max file size: 100 MB.\n\nAccepted file formats:\n\n- Portable executables: "
+ "`.zip`, `.7z`.",
 "name": "body",
 "in": "body",
 "required": True
@@ -123,9 +124,9 @@
 {
 "type": "boolean",
 "default": True,
- "description": "Defines visibility of this file, either via the API or the Falcon console. "
- "- `true`: File is only shown to users within your customer account "
- "- `false`: File can be seen by other CrowdStrike customers. Default: `true`.",
+ "description": "Defines visibility of this file, either via the API or the Falcon console.\n\n- "
+ "`true`: File is only shown to users within your customer account\n- `false`: File can be seen by other "
+ "CrowdStrike customers \n\nDefault: `true`.",
 "name": "is_confidential",
 "in": "query"
 },
@@ -157,14 +158,15 @@
 "ArchiveUploadV2",
 "POST",
 "/archives/entities/archives/v2",
- "Uploads an archive and extracts files list from it. Operation is asynchronous use `/archives/entities/archives/v1` "
- "to check the status. After uploading, use `/archives/entities/extractions/v1` to copy the file to internal storage "
- "making it available for content analysis.",
+ "Uploads an archive and extracts files list from it. Operation is asynchronous use "
+ "`/archives/entities/archives/v1` to check the status. After uploading, use `/archives/entities/extractions/v1` "
+ "to copy the file to internal storage making it available for content analysis.",
 "sample_uploads",
 [
 {
 "type": "file",
- "description": "Content of the uploaded archive. For example, use `--form file=@$FILE_PATH` when using cURL.",
+ "description": "Content of the uploaded archive. For example, use `--form file=@$FILE_PATH;type=` when "
+ "using cURL. Supported file types are `application/zip` and `application/x-7z-compressed`.",
 "name": "file",
 "in": "formData",
 "required": True
@@ -185,16 +187,17 @@
 {
 "type": "boolean",
 "default": True,
- "description": "Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon console. "
- "For example, use `--form is_confidential=` when using cURL.\n\n- `true`: File is only shown to users within "
- "your customer account\n- `false`: File can be seen by other CrowdStrike customers \n\nDefault: `true`.",
+ "description": "Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon "
+ "console. For example, use `--form is_confidential=` when using cURL.\n\n- `true`: File is only shown to users "
+ "within your customer account\n- `false`: File can be seen by other CrowdStrike customers \n\nDefault: "
+ "`true`.",
 "name": "is_confidential",
 "in": "formData"
 },
 {
 "type": "string",
- "description": "A descriptive comment to identify the file for other users. "
- "For example, use `--form comment=` when using cURL.",
+ "description": "A descriptive comment to identify the file for other users. For example, use `--form "
+ "comment=` when using cURL.",
 "name": "comment",
 "in": "formData"
 }
@@ -204,8 +207,8 @@
 "ExtractionListV1",
 "GET",
 "/archives/entities/extraction-files/v1",
- "Retrieves the files extractions in chunks. Status `done` means that all files were processed successfully. "
- "Status `error` means that at least one of the file could not be processed.",
+ "Retrieves the files extractions in chunks. Status `done` means that all files were processed "
+ "successfully. Status `error` means that at least one of the file could not be processed.",
 "sample_uploads",
 [
 {
@@ -234,8 +237,8 @@
 "ExtractionGetV1",
 "GET",
 "/archives/entities/extractions/v1",
- "Retrieves the files extraction operation statuses. Status `done` means that all files were processed successfully. "
- "Status `error` means that at least one of the file could not be processed.",
+ "Retrieves the files extraction operation statuses. Status `done` means that all files were processed "
+ "successfully. Status `error` means that at least one of the file could not be processed.",
 "sample_uploads",
 [
 {
@@ -335,9 +338,9 @@
 {
 "type": "boolean",
 "default": True,
- "description": "Defines visibility of this file in Falcon MalQuery, either via the API or the "
- "Falcon console.\n\n- `true`: File is only shown to users within your customer account\n- `false`: "
- "File can be seen by other CrowdStrike customers \n\nDefault: `true`.",
+ "description": "Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon "
+ "console.\n\n- `true`: File is only shown to users within your customer account\n- `false`: File can be seen by "
+ "other CrowdStrike customers \n\nDefault: `true`.",
 "name": "is_confidential",
 "in": "formData"
 }
diff --git a/src/falconpy/_endpoint/_scheduled_reports.py b/src/falconpy/_endpoint/_scheduled_reports.py
index 944e86602..b8ea706c4 100644
--- a/src/falconpy/_endpoint/_scheduled_reports.py
+++ b/src/falconpy/_endpoint/_scheduled_reports.py
@@ -86,10 +86,9 @@
 },
 {
 "type": "string",
- "description": "FQL query specifying the filter parameters. Filter term criteria: type,"
- "trigger_reference, recipients, user_uuid, cid, trigger_params.metadata."
- "Filter range criteria: created_on, modified_on; use any common date format,"
- "such as '2010-05-15T14:55:21.892315096Z'.",
+ "description": "FQL query specifying the filter parameters. Filter term criteria: type, "
+ "trigger_reference, recipients, user_uuid, cid, trigger_params.metadata. Filter range criteria: created_on, "
+ "modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'.",
 "name": "filter",
 "in": "query"
 },
diff --git a/src/falconpy/_endpoint/_sensor_download.py b/src/falconpy/_endpoint/_sensor_download.py
index 70cef5b6d..dabf265c6 100644
--- a/src/falconpy/_endpoint/_sensor_download.py
+++ b/src/falconpy/_endpoint/_sensor_download.py
@@ -46,30 +46,30 @@
 [
 {
 "type": "integer",
- "description": "The first item to return, where 0 is the latest item. "
- "Use with the limit parameter to manage pagination of results.",
+ "description": "The first item to return, where 0 is the latest item. Use with the limit parameter to "
+ "manage pagination of results.",
 "name": "offset",
 "in": "query"
 },
 {
 "type": "integer",
- "description": "The number of items to return in this response (default: 100, max: 500). "
- "Use with the offset parameter to manage pagination of results.",
+ "description": "The number of items to return in this response (default: 100, max: 500). Use with the "
+ "offset parameter to manage pagination of results.",
 "name": "limit",
 "in": "query"
 },
 {
 "type": "string",
- "description": "Sort items using their properties. "
- "Common sort options include:\n\n
  • version|asc
  • release_date|desc
", + "description": "Sort items using their properties. Common sort options " + "include:\n\n
  • version|asc
  • release_date|desc
", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter items using a query in Falcon Query Language (FQL). " - "An asterisk wildcard * includes all results.\n\n" - "Common filter options include:\n
  • platform:\"windows\"
  • version:>\"5.2\"
", + "description": "Filter items using a query in Falcon Query Language (FQL). An asterisk wildcard * " + "includes all results.\n\nCommon filter options " + "include:\n
  • platform:\"windows\"
  • version:>\"5.2\"
", "name": "filter", "in": "query" } @@ -128,30 +128,30 @@ [ { "type": "integer", - "description": "The first item to return, where 0 is the latest item. " - "Use with the limit parameter to manage pagination of results.", + "description": "The first item to return, where 0 is the latest item. Use with the limit parameter to " + "manage pagination of results.", "name": "offset", "in": "query" }, { "type": "integer", - "description": "The number of items to return in this response (default: 100, max: 500). " - "Use with the offset parameter to manage pagination of results.", + "description": "The number of items to return in this response (default: 100, max: 500). Use with the " + "offset parameter to manage pagination of results.", "name": "limit", "in": "query" }, { "type": "string", - "description": "Sort items using their properties. " - "Common sort options include:\n\n
  • version|asc
  • release_date|desc
", + "description": "Sort items using their properties. Common sort options " + "include:\n\n
  • version|asc
  • release_date|desc
", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter items using a query in Falcon Query Language (FQL). " - "An asterisk wildcard * includes all results.\n\n" - "Common filter options include:\n
  • platform:\"windows\"
  • version:>\"5.2\"
", + "description": "Filter items using a query in Falcon Query Language (FQL). An asterisk wildcard * " + "includes all results.\n\nCommon filter options " + "include:\n
  • platform:\"windows\"
  • version:>\"5.2\"
", "name": "filter", "in": "query" } diff --git a/src/falconpy/_endpoint/_sensor_update_policies.py b/src/falconpy/_endpoint/_sensor_update_policies.py index 1e7f3e5aa..d7e79542b 100644 --- a/src/falconpy/_endpoint/_sensor_update_policies.py +++ b/src/falconpy/_endpoint/_sensor_update_policies.py @@ -41,8 +41,8 @@ "revealUninstallToken", "POST", "/policy/combined/reveal-uninstall-token/v1", - "Reveals an uninstall token for a specific device. " - "To retrieve the bulk maintenance token pass the value 'MAINTENANCE' as the value for 'device_id'", + "Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value " + "'MAINTENANCE' as the value for 'device_id'", "sensor_update_policies", [ { @@ -122,8 +122,8 @@ "queryCombinedSensorUpdatePolicyMembers", "GET", "/policy/combined/sensor-update-members/v1", - "Search for members of a Sensor Update Policy in your environment by providing an FQL filter and paging details. " - "Returns a set of host details which match the filter criteria", + "Search for members of a Sensor Update Policy in your environment by providing an FQL filter and paging " + "details. Returns a set of host details which match the filter criteria", "sensor_update_policies", [ { @@ -220,8 +220,9 @@ "queryCombinedSensorUpdatePoliciesV2", "GET", "/policy/combined/sensor-update/v2", - "Search for Sensor Update Policies with additional support for uninstall protection in your environment " - "by providing an FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria", + "Search for Sensor Update Policies with additional support for uninstall protection in your environment by " + " providing an FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter " + "criteria", "sensor_update_policies", [ { 
@@ -304,9 +305,9 @@
 "setSensorUpdatePoliciesPrecedence",
 "POST",
 "/policy/entities/sensor-update-precedence/v1",
- "Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. "
- "The first ID specified will have the highest precedence and the last ID specified will have the lowest. "
- "You must specify all non-Default Policies for a platform when updating precedence",
+ "Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The "
+ "first ID specified will have the highest precedence and the last ID specified will have the lowest. You must "
+ "specify all non-Default Policies for a platform when updating precedence",
 "sensor_update_policies",
 [
 {
@@ -408,8 +409,8 @@
 "createSensorUpdatePoliciesV2",
 "POST",
 "/policy/entities/sensor-update/v2",
- "Create Sensor Update Policies by specifying details about the policy to "
- "create with additional support for uninstall protection",
+ "Create Sensor Update Policies by specifying details about the policy to create with additional support "
+ "for uninstall protection",
 "sensor_update_policies",
 [
 {
@@ -423,8 +424,8 @@
 "updateSensorUpdatePoliciesV2",
 "PATCH",
 "/policy/entities/sensor-update/v2",
- "Update Sensor Update Policies by specifying the ID of the policy and details "
- "to update with additional support for uninstall protection",
+ "Update Sensor Update Policies by specifying the ID of the policy and details to update with additional "
+ "support for uninstall protection",
 "sensor_update_policies",
 [
 {
@@ -475,8 +476,8 @@
 "querySensorUpdatePolicyMembers",
 "GET",
 "/policy/queries/sensor-update-members/v1",
- "Search for members of a Sensor Update Policy in your environment by providing an "
- "FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria",
+ "Search for members of a Sensor Update Policy in your environment by providing an FQL filter and paging "
+ "details. Returns a set of Agent IDs which match the filter criteria",
 "sensor_update_policies",
 [
 {
diff --git a/src/falconpy/_endpoint/_spotlight_evaluation_logic.py b/src/falconpy/_endpoint/_spotlight_evaluation_logic.py
index 242522ad3..a29f32075 100644
--- a/src/falconpy/_endpoint/_spotlight_evaluation_logic.py
+++ b/src/falconpy/_endpoint/_spotlight_evaluation_logic.py
@@ -41,15 +41,15 @@
 "combinedQueryEvaluationLogic",
 "GET",
 "/spotlight/combined/evaluation-logic/v1",
- "Search for evaluation logic in your environment by providing a FQL filter and paging details. "
- "Returns a set of evaluation logic entities which match the filter criteria.",
+ "Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a "
+ "set of evaluation logic entities which match the filter criteria.",
 "spotlight_evaluation_logic",
 [
 {
 "type": "string",
- "description": "A pagination token used with the `limit` parameter to manage pagination of results. "
- "On your first request, don't provide an `after` token. On subsequent requests, provide the `after` "
- "token from the previous response to continue from that place in the results.",
+ "description": "A pagination token used with the `limit` parameter to manage pagination of results. On "
+ " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from "
+ "the previous response to continue from that place in the results.",
 "name": "after",
 "in": "query"
 },
@@ -98,15 +98,15 @@
 "queryEvaluationLogic",
 "GET",
 "/spotlight/queries/evaluation-logic/v1",
- "Search for evaluation logic in your environment by providing a FQL filter and paging details. "
- "Returns a set of evaluation logic IDs which match the filter criteria.",
+ "Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a "
+ "set of evaluation logic IDs which match the filter criteria.",
 "spotlight_evaluation_logic",
 [
 {
 "type": "string",
- "description": "A pagination token used with the `limit` parameter to manage pagination of results. "
- "On your first request, don't provide an `after` token. On subsequent requests, provide the `after` "
- "token from the previous response to continue from that place in the results.",
+ "description": "A pagination token used with the `limit` parameter to manage pagination of results. On "
+ " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from "
+ "the previous response to continue from that place in the results.",
 "name": "after",
 "in": "query"
 },
diff --git a/src/falconpy/_endpoint/_spotlight_vulnerabilities.py b/src/falconpy/_endpoint/_spotlight_vulnerabilities.py
index 591030d10..d2c429398 100644
--- a/src/falconpy/_endpoint/_spotlight_vulnerabilities.py
+++ b/src/falconpy/_endpoint/_spotlight_vulnerabilities.py
@@ -41,15 +41,15 @@ "combinedQueryVulnerabilities", "GET", "/spotlight/combined/vulnerabilities/v1", - "Search for Vulnerabilities in your environment by providing an FQL filter and paging details. " - "Returns a set of Vulnerability entities which match the filter criteria", + "Search for Vulnerabilities in your environment by providing an FQL filter and paging details. Returns a " + "set of Vulnerability entities which match the filter criteria", "spotlight_vulnerabilities", [ { "type": "string", - "description": "A pagination token used with the `limit` parameter to manage pagination of results. " - "On your first request, don't provide an `after` token. On subsequent requests, provide the `after` " - "token from the previous response to continue from that place in the results.", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from " + "the previous response to continue from that place in the results.", "name": "after", "in": "query" }, @@ -57,24 +57,29 @@ "maximum": 5000, "minimum": 1, "type": "integer", - "description": "The number of items to return in this response (default: 100, max: 5000). " - "Use with the after parameter to manage pagination of results.", + "description": "The number of items to return in this response (default: 100, max: 5000). Use with the " + "after parameter to manage pagination of results.", "name": "limit", "in": "query" }, { "type": "string", "description": "Sort vulnerabilities by their properties. Common sort options " - "include:\n\n
  • created_timestamp|desc
  • closed_timestamp|asc
", + "include:\n\n
  • updated_timestamp|asc
  • closed_timestamp|asc
", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter items using a query in Falcon Query Language (FQL). " - "Wildcards * are unsupported. \n\nCommon filter options include:\n\n
    " - "
  • created_timestamp:>'2019-11-25T22:36:12Z'
  • closed_timestamp:>'2019-11-25T22:36:12Z'
  • " - "
  • aid:'8e7656b27d8c49a34a1af416424d6231'
", + "description": "Filter items using a query in Falcon Query Language (FQL). Wildcards * and empty " + "filter values are unsupported.\n\t\t\tAvailable filter fields that supports match (~): N/A\n\t\t\tAvailable " + "filter fields that supports exact match: aid, cid, last_seen_within, status, cve.id, cve.is_cisa_kev, " + "cve.remediation_level, cve.cps_rating, cve.exprt_rating, cve.exploit_status_to_include, cve.severity, " + "cve.types, host_info.asset_criticality, host_info.asset_roles, host_info.internet_exposure, host_info.tags, " + "host_info.groups, host_info.product_type_desc, host_info.platform_name, suppression_info.is_suppressed, " + "suppression_info.reason\n\t\t\tAvailable filter fields that supports wildcard (*): N/A\n\t\t\tAvailable filter " + " fields that supports range comparisons (>, <, >=, <=): created_timestamp, closed_timestamp, " + "updated_timestamp\n\t\t\t", "name": "filter", "in": "query", "required": True @@ -85,9 +90,8 @@ "type": "string" }, "collectionFormat": "multi", - "description": "Select various details blocks to be returned for each vulnerability entity. " - "Supported values:\n\n
  • host_info
  • remediation
  • cve
  • " - "
  • evaluation_logic
", + "description": "Select various details blocks to be returned for each vulnerability entity. Supported " + "values:\n\n
  • host_info
  • remediation
  • cve
  • evaluation_logic
", "name": "facet", "in": "query" } @@ -126,8 +130,8 @@ "type": "string" }, "collectionFormat": "multi", - "description": "One or more vulnerability IDs (max: 400). " - "Find vulnerability IDs with GET /spotlight/queries/vulnerabilities/v1", + "description": "One or more vulnerability IDs (max: 400). Find vulnerability IDs with GET " + "/spotlight/queries/vulnerabilities/v1", "name": "ids", "in": "query", "required": True @@ -138,15 +142,15 @@ "queryVulnerabilities", "GET", "/spotlight/queries/vulnerabilities/v1", - "Search for Vulnerabilities in your environment by providing an FQL filter and paging details. " - "Returns a set of Vulnerability IDs which match the filter criteria", + "Search for Vulnerabilities in your environment by providing an FQL filter and paging details. Returns a " + "set of Vulnerability IDs which match the filter criteria", "spotlight_vulnerabilities", [ { "type": "string", - "description": "A pagination token used with the `limit` parameter to manage pagination of results. " - "On your first request, don't provide an `after` token. On subsequent requests, provide the `after` " - "token from the previous response to continue from that place in the results.", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from " + "the previous response to continue from that place in the results.", "name": "after", "in": "query" }, 
@@ -154,23 +158,30 @@ "maximum": 400, "minimum": 1, "type": "integer", - "description": "The number of items to return in this response (default: 100, max: 400). " - "Use with the after parameter to manage pagination of results.", + "description": "The number of items to return in this response (default: 100, max: 400). Use with the " + "after parameter to manage pagination of results.", "name": "limit", "in": "query" }, { "type": "string", - "description": "Sort vulnerabilities by their properties. Common sort options include:\n\n" - "
  • created_timestamp|desc
  • closed_timestamp|asc
", + "description": "Sort vulnerabilities by their properties. Available sort options: " + "
  • updated_timestamp|asc/desc
  • closed_timestamp|asc
  • updated_timestamp|asc/desc
. " + "Can be used in a format |asc for ascending order or |desc for descending order.", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter items using a query in Falcon Query Language (FQL). Wildcards * are unsupported. " - "\n\nCommon filter options include:\n\n
  • created_timestamp:>'2019-11-25T22:36:12Z'
  • " - "
  • closed_timestamp:>'2019-11-25T22:36:12Z'
  • aid:'8e7656b27d8c49a34a1af416424d6231'
", + "description": "Filter items using a query in Falcon Query Language (FQL). Wildcards * and empty " + "filter values are unsupported.\n\t\t\tAvailable filter fields that supports match (~): N/A\n\t\t\tAvailable " + "filter fields that supports exact match: aid, cid, last_seen_within, status, cve.id, cve.is_cisa_kev, " + "cve.remediation_level, cve.cps_rating, cve.exprt_rating, cve.exploit_status_to_include, cve.severity, " + "cve.types, host_info.asset_criticality, host_info.asset_roles, host_info.internet_exposure, host_info.tags, " + "host_info.groups, host_info.product_type_desc, host_info.platform_name, suppression_info.is_suppressed, " + "suppression_info.reason\n\t\t\tAvailable filter fields that supports wildcard (*): N/A\n\t\t\tAvailable filter " + " fields that supports range comparisons (>, <, >=, <=): created_timestamp, closed_timestamp, " + "updated_timestamp\n\t\t\t", "name": "filter", "in": "query", "required": True diff --git a/src/falconpy/_endpoint/_tailored_intelligence.py b/src/falconpy/_endpoint/_tailored_intelligence.py index cb717928c..d0da5de12 100644 --- a/src/falconpy/_endpoint/_tailored_intelligence.py +++ b/src/falconpy/_endpoint/_tailored_intelligence.py @@ -141,8 +141,8 @@ }, { "type": "string", - "description": "Possible order by fields: name, value, rule_type, customer_id, " - "created_date, updated_date. Ex: 'updated_date|asc'.", + "description": "Possible order by fields: name, value, rule_type, customer_id, created_date, " + "updated_date. Ex: 'updated_date|asc'.", "name": "sort", "in": "query" }, diff --git a/src/falconpy/_endpoint/_user_management.py b/src/falconpy/_endpoint/_user_management.py index cde0a3191..755415b50 100644 --- a/src/falconpy/_endpoint/_user_management.py +++ b/src/falconpy/_endpoint/_user_management.py 
@@ -41,8 +41,7 @@
 "combinedUserRolesV1",
 "GET",
 "/user-management/combined/user-roles/v1",
- "Get User Grant(s). This endpoint lists both direct as well as flight control grants between "
- "a User and a Customer.",
+ "Get User Grant(s). This endpoint lists both direct as well as flight control grants between a User and a Customer.",
 "user_management",
 [
 {
@@ -54,16 +53,16 @@
 },
 {
 "type": "string",
- "description": "Customer ID to get grants for. Empty CID would result in Role IDs for "
- "user against current CID in view.",
+ "description": "Customer ID to get grants for. Empty CID would result in Role IDs for user against "
+ "current CID in view.",
 "name": "cid",
 "in": "query"
 },
 {
 "type": "boolean",
 "default": False,
- "description": "Specifies if to request direct Only role grants or all role grants "
- "between user and CID (specified in query params)",
+ "description": "Specifies if to request direct Only role grants or all role grants between user and "
+ "CID (specified in query params)",
 "name": "direct_only",
 "in": "query"
 },
@@ -116,8 +115,7 @@
 [
 {
 "type": "string",
- "description": "Customer ID to get available roles for. Empty CID would result in "
- "Role IDs for current CID in view.",
+ "description": "Customer ID to get available roles for. Empty CID would result in Role IDs for current CID in view.",
 "name": "cid",
 "in": "query"
 },
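Review bot: The `combinedUserRolesV1` description and the `cid` parameter description in the third hunk here are collapsed onto single lines of roughly 125 and 135 columns, while every other reflow in this commit wraps at about 120 columns; if the project enforces a line-length limit (which the wrapping everywhere else suggests), these two will be flagged, and the same single-line `cid` description recurs in the `queriesRolesV1` hunk further down. Splitting them like their neighbours, e.g. `"Customer ID to get available roles for. Empty CID would result in Role IDs for " "current CID in view."`, keeps the file uniform.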
@@ -138,13 +136,13 @@
 "userActionV1",
 "POST",
 "/user-management/entities/user-actions/v1",
- "Apply actions to one or more User. Available action names: reset_2fa, reset_password. "
- "User UUIDs can be provided in `ids` param as part of request payload.",
+ "Apply actions to one or more User. Available action names: reset_2fa, reset_password. User UUIDs can be "
+ "provided in `ids` param as part of request payload.",
 "user_management",
 [
 {
- "description": "User UUIDs and Action Name params are required. Allowed values for "
- "Action Name param includes 'reset_2fa' and 'reset_password'",
+ "description": "User UUIDs and Action Name params are required. Allowed values for Action Name param "
+ "includes 'reset_2fa' and 'reset_password'",
 "name": "body",
 "in": "body",
 "required": True
@@ -155,12 +153,13 @@
 "userRolesActionV1",
 "POST",
 "/user-management/entities/user-role-actions/v1",
- "Grant or Revoke one or more role(s) to a user against a CID.",
+ "Grant or Revoke one or more role(s) to a user against a CID. User UUID, CID and Role ID(s) can be "
+ "provided in request payload. Available Action(s) : grant, revoke",
 "user_management",
 [
 {
- "description": "All fields including CID, RoleID(s), User UUID and Action are required. "
- "Allowed values for Action param include 'grant' and 'revoke'.",
+ "description": "All fields including CID, RoleID(s), User UUID and Action are required. Allowed values "
+ "for Action param include 'grant' and 'revoke'.",
 "name": "body",
 "in": "body",
 "required": True
@@ -186,8 +185,7 @@
 "createUserV1",
 "POST",
 "/user-management/entities/users/v1",
- "Create a new user. After creating a user, assign one or more roles with "
- "POST '/user-management/entities/user-role-actions/v1'",
+ "Create a new user. After creating a user, assign one or more roles with userRolesActionV1",
 "user_management",
 [
 {
@@ -198,13 +196,13 @@ "in": "query" }, { - "description": "Attributes for this user. `uid` (required) is the user's email address, " - "which is their username in Falcon.\n\nOptional attributes:\n\n
  • `firstName`
  • " - "
  • `lastName`
  • `password`
\n\nAs a best practice, we recommend " - "omitting `password`. If single sign-on is enabled for your customer account, the " - "`password` attribute is ignored. If single sign-on is not enabled, we send a user " - "activation request to their email address when you create the user with no `password`. " - "The user should use the activation email to set their own password.", + "description": "Attributes for this user. `uid` (required) is the user's email address, which is their " + " username in Falcon.\n\nOptional " + "attributes:\n\n
  • `firstName`
  • `lastName`
  • `password`
\n\nAs a best practice, we " + "recommend omitting `password`. If single sign-on is enabled for your customer account, the `password` " + "attribute is ignored. If single sign-on is not enabled, we send a user activation request to their email " + "address when you create the user with no `password`. The user should use the activation email to set their own " + "password.", "name": "body", "in": "body", "required": True @@ -253,21 +251,20 @@ "queriesRolesV1", "GET", "/user-management/queries/roles/v1", - "Show role IDs for all roles available in your customer account. For more information on each " - "role, provide the role ID to `/user-management/entities/roles/v1`.", + "Show role IDs for all roles available in your customer account. For more information on each role, " + "provide the role ID to entitiesRolesV1.", "user_management", [ { "type": "string", - "description": "Customer ID to get available roles for. Empty CID would result in " - "Role IDs for current CID in view.", + "description": "Customer ID to get available roles for. Empty CID would result in Role IDs for current CID in view.", "name": "cid", "in": "query" }, { "type": "string", - "description": "User UUID to get available roles for. Empty User UUID would returns all " - "roles IDs available for customer.", + "description": "User UUID to get available roles for. Empty User UUID would returns all roles IDs " + "available for customer.", "name": "user_uuid", "in": "query" }, 
@@ -284,14 +281,14 @@
 "queryUserV1",
 "GET",
 "/user-management/queries/users/v1",
- "List user IDs for all users in your customer account. For more information on each user, "
- "provide the user ID to `/user-management/entities/users/GET/v1`.",
+ "List user IDs for all users in your customer account. For more information on each user, provide the user "
+ "ID to retrieveUsersGETV1.",
 "user_management",
 [
 {
 "type": "string",
- "description": "Filter using a query in Falcon Query Language (FQL). "
- "Supported filters: assigned_cids, cid, first_name, last_name, name, uid",
+ "description": "Filter using a query in Falcon Query Language (FQL). Supported filters: assigned_cids, "
+ "cid, first_name, last_name, name, uid",
 "name": "filter",
 "in": "query"
 },
@@ -350,8 +347,7 @@
 "type": "string"
 },
 "collectionFormat": "multi",
- "description": "ID of a role. Find a role ID from `/customer/queries/roles/v1` or "
- "`/users/queries/roles/v1`.",
+ "description": "ID of a role. Find a role ID from GetAvailableRoleIds or queriesRolesV1.",
 "name": "ids",
 "in": "query",
 "required": True
@@ -367,7 +363,7 @@
 [
 {
 "type": "string",
- "description": "ID of a user. Find a user's ID from `/users/entities/user/v1`.",
+ "description": "ID of a user. Find a user's ID from queryUserV1.",
 "name": "user_uuid",
 "in": "query",
 "required": True
@@ -389,7 +385,7 @@
 [
 {
 "type": "string",
- "description": "ID of a user. Find a user's ID from `/users/entities/user/v1`.",
+ "description": "ID of a user. Find a user's ID from queryUserV1.",
 "name": "user_uuid",
 "in": "query",
 "required": True
@@ -400,7 +396,7 @@
 "type": "string"
 },
 "collectionFormat": "multi",
- "description": "One or more role IDs to revoke. Find a role's ID from `/users/queries/roles/v1`.",
+ "description": "One or more role IDs to revoke. Find a role's ID from queriesRolesV1.",
 "name": "ids",
 "in": "query",
 "required": True
@@ -412,7 +408,7 @@ "GET", "/user-roles/queries/user-role-ids-by-cid/v1", "Deprecated : Please use queriesRolesV1. Show role IDs for all roles available in your customer account. " - "For more information on each role, provide the role ID to `/customer/entities/roles/v1`.", + "For more information on each role, provide the role ID to entitiesRolesV1.", "user_management", [] ], @@ -420,13 +416,13 @@ "GetUserRoleIds", "GET", "/user-roles/queries/user-role-ids-by-user-uuid/v1", - "Deprecated : Please use combinedUserRolesV1. Show role IDs of roles assigned to a user. " - "For more information on each role, provide the role ID to `/customer/entities/roles/v1`.", + "Deprecated : Please use combinedUserRolesV1. Show role IDs of roles assigned to a user. For more " + "information on each role, provide the role ID to entitiesRolesV1.", "user_management", [ { "type": "string", - "description": "ID of a user. Find a user's ID from `/users/entities/user/v1`.", + "description": "ID of a user. Find a user's ID from queryUserV1.", "name": "user_uuid", "in": "query", "required": True @@ -446,7 +442,7 @@ "type": "string" }, "collectionFormat": "multi", - "description": "ID of a user. Find a user's ID from `/users/entities/user/v1`.", + "description": "ID of a user. Find a user's ID from queryUserV1.", "name": "ids", "in": "query", "required": True @@ -457,17 +453,18 @@ "CreateUser", "POST", "/users/entities/users/v1", - "Deprecated : Please use createUserV1. Create a new user. After creating a user, assign one or more roles with " - "POST /user-roles/entities/user-roles/v1", + "Deprecated : Please use createUserV1. Create a new user. After creating a user, assign one or more roles " + "with GrantUserRoleIds", "user_management", [ { - "description": "Attributes for this user. `uid` (required) is the user's email address, which is their username " - "in Falcon.\n\nOptional attributes:\n\n
  • `firstName`
  • `lastName`
  • `password`
\n\n" - "As a best practice, we recommend omitting `password`. If single sign-on is enabled for your customer account, " - "the `password` attribute is ignored. If single sign-on is not enabled, we send a user activation request to their " - "email address when you create the user with no `password`. The user should use the activation email to set their " - "own password.", + "description": "Attributes for this user. `uid` (required) is the user's email address, which is their " + " username in Falcon.\n\nOptional " + "attributes:\n\n
  • `firstName`
  • `lastName`
  • `password`
\n\nAs a best practice, we " + "recommend omitting `password`. If single sign-on is enabled for your customer account, the `password` " + "attribute is ignored. If single sign-on is not enabled, we send a user activation request to their email " + "address when you create the user with no `password`. The user should use the activation email to set their own " + "password.", "name": "body", "in": "body", "required": True @@ -483,7 +480,7 @@ [ { "type": "string", - "description": "ID of a user. Find a user's ID from `/users/entities/user/v1`.", + "description": "ID of a user. Find a user's ID from queryUserV1.", "name": "user_uuid", "in": "query", "required": True @@ -505,7 +502,7 @@ [ { "type": "string", - "description": "ID of a user. Find a user's ID from `/users/entities/user/v1`.", + "description": "ID of a user. Find a user's ID from queryUserV1.", "name": "user_uuid", "in": "query", "required": True @@ -516,8 +513,8 @@ "RetrieveEmailsByCID", "GET", "/users/queries/emails-by-cid/v1", - "Deprecated : Please use retrieveUsersGETV1. List the usernames (usually an email address) " - "for all users in your customer account", + "Deprecated : Please use retrieveUsersGETV1. List the usernames (usually an email address) for all users " + "in your customer account", "user_management", [] ], @@ -525,8 +522,8 @@ "RetrieveUserUUIDsByCID", "GET", "/users/queries/user-uuids-by-cid/v1", - "Deprecated : Please use queryUserV1. List user IDs for all users in your customer account. " - "For more information on each user, provide the user ID to `/users/entities/user/v1`.", + "Deprecated : Please use queryUserV1. List user IDs for all users in your customer account. For more " + "information on each user, provide the user ID to queryUserV1.", "user_management", [] ], diff --git a/src/falconpy/_endpoint/_workflows.py b/src/falconpy/_endpoint/_workflows.py index aaa8c5d44..2125176d1 100644 --- a/src/falconpy/_endpoint/_workflows.py +++ b/src/falconpy/_endpoint/_workflows.py 
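Review bot: In the `RetrieveUserUUIDsByCID` hunk the sentence "For more information on each user, provide the user ID to" now points at `queryUserV1`, but that is the query operation that returns user IDs; the non-deprecated `queryUserV1` description rewritten earlier in this same commit sends readers to `retrieveUsersGETV1` for that purpose. The blanket replacement of `/users/entities/user/v1` with `queryUserV1` is correct for the "Find a user's ID from ..." sentences, but here it should presumably read `provide the user ID to retrieveUsersGETV1.` so the deprecated and current descriptions agree.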
@@ -68,8 +68,8 @@
 },
 {
 "type": "integer",
- "description": "Used to record the execution depth to help limit execution "
- "loops when a workflow triggers another. The maximum depth is 4.",
+ "description": "Used to record the execution depth to help limit execution loops when a workflow "
+ "triggers another. The maximum depth is 4.",
 "name": "depth",
 "in": "query"
 },
@@ -144,11 +144,10 @@
 "WorkflowSystemDefinitionsPromote",
 "POST",
 "/workflows/system-definitions/promote/v1",
- "Promotes a version of a system definition on a customer. "
- "The customer must already have been provisioned. This allows the callerto apply an "
- "updated template version to a specific cid and expects all parameters to be supplied. "
- "If the template supports multi-instancethe customer scope definition ID must be supplied "
- "to determine which customer workflow should be updated.",
+ "Promotes a version of a system definition for a customer. The customer must already have been "
+ "provisioned. This allows the caller to apply an updated template version to a specific cid and expects all "
+ "parameters to be supplied. If the template supports multi-instance the customer scope definition ID must be "
+ "supplied to determine which customer workflow should be updated.",
 "workflows",
 [
 {
diff --git a/src/falconpy/_endpoint/_zero_trust_assessment.py b/src/falconpy/_endpoint/_zero_trust_assessment.py
index 2f13d999b..89dcec21d 100644
--- a/src/falconpy/_endpoint/_zero_trust_assessment.py
+++ b/src/falconpy/_endpoint/_zero_trust_assessment.py
@@ -81,24 +81,24 @@ }, { "type": "integer", - "description": "The number of scores to return in this response (min: 1, max: 1000, default: 100). " - "Use with the `after` parameter to manage pagination of results.", + "description": "The number of scores to return in this response (min: 1, max: 1000, default: 100). Use " + "with the `after` parameter to manage pagination of results.", "name": "limit", "in": "query" }, { "type": "string", - "description": "A pagination token used with the `limit` parameter to manage pagination of results. " - "On your first request, don't provide an `after` token. On subsequent requests, provide the `after` " - "token from the previous response to continue from that place in the results.", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from " + "the previous response to continue from that place in the results.", "name": "after", "in": "query" }, { "type": "string", "default": "score", - "description": "Sort accounts by their properties. A single sort field is allowed. " - "Defaults to ascending. Supported sort option include:\n\n
  • score|desc
  • score|asc
", + "description": "Sort accounts by their properties. A single sort field is allowed. Defaults to " + "ascending. Supported sort option include:\n\n
  • score|desc
  • score|asc
", "name": "sort", "in": "query" } @@ -108,15 +108,15 @@ "getCombinedAssessmentsQuery", "GET", "/configuration-assessment/combined/assessments/v1", - "Search for assessments in your environment by providing an FQL filter and paging details. " - "Returns a set of HostFinding entities which match the filter criteria", + "Search for assessments in your environment by providing an FQL filter and paging details. Returns a set " + "of HostFinding entities which match the filter criteria", "public_assessments", [ { "type": "string", - "description": "A pagination token used with the `limit` parameter to manage pagination of results. " - "On your first request, don't provide an `after` token. On subsequent requests, provide the `after` " - "token from the previous response to continue from that place in the results.", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from " + "the previous response to continue from that place in the results.", "name": "after", "in": "query" }, @@ -124,23 +124,24 @@ "maximum": 5000, "minimum": 1, "type": "integer", - "description": "The number of items to return in this response (default: 100, max: 5000). " - "Use with the after parameter to manage pagination of results.", + "description": "The number of items to return in this response (default: 100, max: 5000). Use with the " + "after parameter to manage pagination of results.", "name": "limit", "in": "query" }, { "type": "string", - "description": "Sort assessment by their properties. Common sort options include:\n\n" - "
  • created_timestamp|desc
  • updated_timestamp|asc
", + "description": "Sort assessment by their properties. Common sort options " + "include:\n\n
  • created_timestamp|desc
  • updated_timestamp|asc
", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter items using a query in Falcon Query Language (FQL). Wildcards * are unsupported. " - "\n\nCommon filter options include:\n\n
  • created_timestamp:>'2019-11-25T22:36:12Z'
  • " - "
  • updated_timestamp:>'2019-11-25T22:36:12Z'
  • aid:'8e7656b27d8c49a34a1af416424d6231'
", + "description": "Filter items using a query in Falcon Query Language (FQL). Wildcards * are " + "unsupported. \n\nCommon filter options include:\n\n
  • created_timestamp:>'2019-11-" + "25T22:36:12Z'
  • updated_timestamp:>'2019-11-" + "25T22:36:12Z'
  • aid:'8e7656b27d8c49a34a1af416424d6231'
", "name": "filter", "in": "query", "required": True @@ -151,8 +152,8 @@ "type": "string" }, "collectionFormat": "multi", - "description": "Select various details blocks to be returned for each assessment entity. " - "Supported values:\n\n
  • host
  • finding.rule
", + "description": "Select various details blocks to be returned for each assessment entity. Supported " + "values:\n\n
  • host
  • finding.rule
", "name": "facet", "in": "query" } diff --git a/src/falconpy/_endpoint/deprecated/_custom_ioa.py b/src/falconpy/_endpoint/deprecated/_custom_ioa.py index 0824d567c..346c92e75 100644 --- a/src/falconpy/_endpoint/deprecated/_custom_ioa.py +++ b/src/falconpy/_endpoint/deprecated/_custom_ioa.py @@ -1,4 +1,4 @@ -"""Internal API endpoint constant library. +"""Internal API endpoint constant library (deprecated operations). _______ __ _______ __ __ __ | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. @@ -175,7 +175,7 @@ "get-rules-get", "POST", "/ioarules/entities/rules/GET/v1", - "Get rules by ID and optionally version in the following format: `ID[:version]`.", + "Get rules by ID and optionally with cid and/or version in the following format: `[cid:]ID[:version]`.", "custom_ioa", [ { @@ -190,8 +190,8 @@ "get-rulesMixin0", "GET", "/ioarules/entities/rules/v1", - "Get rules by ID and optionally version in the following format: `ID[:version]`. " - "The max number of IDs is constrained by URL size.", + "Get rules by ID and optionally with cid and/or version in the following format: `[cid:]ID[:version]`. The " + "max number of IDs is constrained by URL size.", "custom_ioa", [ { 
@@ -327,17 +327,16 @@
 "name"
 ],
 "type": "string",
- "description": "Possible order by fields: {created_by, created_on, modified_by, "
- "modified_on, enabled, name}",
+ "description": "Possible order by fields: {name, created_by, created_on, modified_by, modified_on, enabled}",
 "name": "sort",
 "in": "query"
 },
 {
 "type": "string",
- "description": "FQL query specifying the filter parameters. Filter term criteria: "
- "[enabled platform name description rules.action_label rules.name rules.description "
- "rules.pattern_severity rules.ruletype_name rules.enabled]. Filter range criteria: "
- "created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'.",
+ "description": "FQL query specifying the filter parameters. Filter term criteria: [enabled platform "
+ "name description rules.action_label rules.name rules.description rules.pattern_severity rules.ruletype_name "
+ "rules.enabled]. Filter range criteria: created_on, modified_on; use any common date format, such as "
+ "'2010-05-15T14:55:21.892315096Z'.",
 "name": "filter",
 "in": "query"
 },
@@ -378,17 +377,16 @@
 "name"
 ],
 "type": "string",
- "description": "Possible order by fields: {created_by, created_on, modified_by, "
- "modified_on, enabled, name}",
+ "description": "Possible order by fields: {name, created_by, created_on, modified_by, modified_on, enabled}",
 "name": "sort",
 "in": "query"
 },
 {
 "type": "string",
- "description": "FQL query specifying the filter parameters. Filter term criteria: "
- "[enabled platform name description rules.action_label rules.name rules.description "
- "rules.pattern_severity rules.ruletype_name rules.enabled]. Filter range criteria: "
- "created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'.",
+ "description": "FQL query specifying the filter parameters. Filter term criteria: [enabled platform "
+ "name description rules.action_label rules.name rules.description rules.pattern_severity rules.ruletype_name "
+ "rules.enabled]. Filter range criteria: created_on, modified_on; use any common date format, such as "
+ "'2010-05-15T14:55:21.892315096Z'.",
 "name": "filter",
 "in": "query"
 },
@@ -454,19 +452,19 @@ "rules.ruletype_name" ], "type": "string", - "description": "Possible order by fields: {rules.ruletype_name, rules.enabled, rules.created_by, " - "rules.current_version.name, rules.current_version.modified_by, rules.created_on, " - "rules.current_version.description, rules.current_version.pattern_severity, " - "rules.current_version.action_label, rules.current_version.modified_on}", + "description": "Possible order by fields: {rules.created_on, rules.current_version.action_label, " + "rules.current_version.modified_by, rules.current_version.modified_on, rules.ruletype_name, rules.enabled, " + "rules.current_version.description, rules.current_version.pattern_severity, rules.created_by, " + "rules.current_version.name}", "name": "sort", "in": "query" }, { "type": "string", - "description": "FQL query specifying the filter parameters. Filter term criteria: " - "[enabled platform name description rules.action_label rules.name rules.description " - "rules.pattern_severity rules.ruletype_name rules.enabled]. Filter range criteria: " - "created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'.", + "description": "FQL query specifying the filter parameters. Filter term criteria: [enabled platform " + "name description rules.action_label rules.name rules.description rules.pattern_severity rules.ruletype_name " + "rules.enabled]. Filter range criteria: created_on, modified_on; use any common date format, such as " + "'2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, diff --git a/src/falconpy/_endpoint/deprecated/_discover.py b/src/falconpy/_endpoint/deprecated/_discover.py index faeee5f56..b1b9a98ae 100644 --- a/src/falconpy/_endpoint/deprecated/_discover.py +++ b/src/falconpy/_endpoint/deprecated/_discover.py 
@@ -1,4 +1,4 @@ -"""Internal API endpoint constant library. +"""Internal API endpoint constant library (deprecated operations). _______ __ _______ __ __ __ | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. @@ -97,6 +97,26 @@ } ] ], + [ + "get-iot-hosts", + "GET", + "/discover/entities/iot-hosts/v1", + "Get details on IoT assets by providing one or more IDs.", + "discover", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "One or more asset IDs (max: 100). Find asset IDs with GET `/discover/queries/iot-hosts/v1`", + "name": "ids", + "in": "query", + "required": True + } + ] + ], [ "get-logins", "GET", @@ -121,16 +141,16 @@ "query-accounts", "GET", "/discover/queries/accounts/v1", - "Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. " - "Returns a set of account IDs which match the filter criteria.", + "Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging " + "details. Returns a set of account IDs which match the filter criteria.", "discover", [ { "minimum": 0, "type": "integer", - "description": "An offset used with the `limit` parameter to manage pagination of results. On your first request, " - "don’t provide an `offset`. On subsequent requests, provide the `offset` from the previous response to continue " - "from that place in the results.", + "description": "An offset used with the `limit` parameter to manage pagination of results. On your " + "first request, don’t provide an `offset`. On subsequent requests, add previous `offset` with the previous " + "`limit` to continue from that place in the results.", "name": "offset", "in": "query" }, @@ -145,16 +165,27 @@ }, { "type": "string", - "description": "Sort accounts by their properties. A single sort field is allowed. Common sort options include:" - "\n\n
  • username|asc
  • last_failed_login_timestamp|desc
", + "description": "Sort accounts by their properties. A single sort field is allowed. Common sort options " + "include:\n\n
  • username|asc
  • last_failed_login_timestamp|desc
", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter accounts using an FQL query. Common filter options include:\n\n
  • " - "account_type:'Local'
  • admin_privileges:'Yes'
  • first_seen_timestamp:<'now-7d'
  • " - "
  • last_successful_login_type:'Terminal server'
", + "description": "Filter accounts using an FQL query. Common filter options include:
  • account_type " + ":'Local'
  • admin_privileges:'Yes'
  • first_seen_timestamp:<'now-" + "7d'
  • last_successful_login_type:'Terminal server'
\n\t\t\tAvailable filter fields that support " + " exact match: id, cid, user_sid, account_name, username, account_type, admin_privileges, first_seen_timestamp, " + " last_successful_login_type, last_successful_login_timestamp, last_successful_login_hostname, " + "last_successful_login_remote_ip, last_successful_login_host_country, last_successful_login_host_city, " + "login_domain, last_failed_login_type, last_failed_login_timestamp, last_failed_login_hostname, " + "password_last_set_timestamp, local_admin_privileges\n\t\t\tAvailable filter fields that supports wildcard (*): " + " id, cid, user_sid, account_name, username, account_type, admin_privileges, last_successful_login_type, " + "last_successful_login_hostname, last_successful_login_remote_ip, last_successful_login_host_country, " + "last_successful_login_host_city, login_domain, last_failed_login_type, last_failed_login_hostname, " + "local_admin_privileges\n\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, <=): " + "first_seen_timestamp, last_successful_login_timestamp,last_failed_login_timestamp, " + "password_last_set_timestamp\n\t\t\tAll filter fields and operations supports negation (!).", "name": "filter", "in": "query" } 
@@ -164,14 +195,16 @@ "query-applications", "GET", "/discover/queries/applications/v1", - "Search for applications in your environment by providing an FQL filter and paging details. " - "returns a set of application IDs which match the filter criteria.", + "Search for applications in your environment by providing an FQL filter and paging details. returns a set " + "of application IDs which match the filter criteria.", "discover", [ { "minimum": 0, "type": "integer", - "description": "The index of the starting resource.", + "description": "An offset used with the `limit` parameter to manage pagination of results. On your " + "first request, don’t provide an `offset`. On subsequent requests, add previous `offset` with the previous " + "`limit` to continue from that place in the results.", "name": "offset", "in": "query" }, @@ -179,23 +212,35 @@ "maximum": 100, "minimum": 1, "type": "integer", - "description": "The number of account IDs to return in this response (min: 1, max: 100, default: 100). " - "Use with the `offset` parameter to manage pagination of results.", + "description": "The number of application ids to return in this response (Min: 1, Max: 100, Default: 100).", "name": "limit", "in": "query" }, { "type": "string", - "description": "Sort accounts by their properties. A single sort field is allowed. " - "Common sort options include:\n\n
  • username|asc
  • last_failed_login_timestamp|desc
", + "description": "Sort applications by their properties. A single sort field is allowed.", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter accounts using an FQL query. Common filter options include:\n\n" - "
  • account_type:'Local'
  • admin_privileges:'Yes'
  • first_seen_timestamp:<'now-7d'
  • " - "
  • last_successful_login_type:'Terminal server'
", + "description": "Search for applications in your environment by providing an FQL " + "filter.\n\t\t\t\tAvailable filter fields that support exact match: name, version, vendor, name_vendor, " + "name_vendor_version, first_seen_timestamp, installation_timestamp, architectures, installation_paths, " + "versioning_scheme, groups, is_normalized, last_used_user_sid, last_used_user_name, last_used_file_name, " + "last_used_file_hash, last_used_timestamp, last_updated_timestamp, is_suspicious, host.id, host.platform_name, " + "host.hostname, cid, host.os_version, host.machine_domain, host.ou, host.site_name, host.country, " + "host.current_mac_address, host.current_network_prefix, host.tags, host.groups, host.product_type_desc, " + "host.kernel_version, host.system_manufacturer, host.internet_exposure, host.agent_version, host.external_ip, " + "host.aid\n\t\t\t\tAvailable filter fields that supports wildcard (*): name, version, vendor, name_vendor, " + "name_vendor_version, architectures, installation_paths, groups, last_used_user_sid, last_used_user_name, " + "last_used_file_name, last_used_file_hash, host.platform_name, host.hostname, cid, host.os_version, " + "host.machine_domain, host.ou, host.site_name, host.country, host.current_mac_address, " + "host.current_network_prefix, host.tags, host.groups, host.product_type_desc, host.kernel_version, " + "host.system_manufacturer, host.internet_exposure, host.agent_version, host.external_ip, " + "host.aid\n\t\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, <=): " + "first_seen_timestamp, installation_timestamp, last_used_timestamp, last_updated_timestamp\n\t\t\t\tAll filter " + "fields and operations supports negation (!).", "name": "filter", "in": "query" } 
@@ -205,16 +250,16 @@ "query-hosts", "GET", "/discover/queries/hosts/v1", - "Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. " - "Returns a set of asset IDs which match the filter criteria.", + "Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging " + "details. Returns a set of asset IDs which match the filter criteria.", "discover", [ { "minimum": 0, "type": "integer", - "description": "An offset used with the `limit` parameter to manage pagination of results. " - "On your first request, don’t provide an `offset`. On subsequent requests, provide the `offset` " - "from the previous response to continue from that place in the results.", + "description": "An offset used with the `limit` parameter to manage pagination of results. On your " + "first request, don’t provide an `offset`. On subsequent requests, add previous `offset` with the previous " + "`limit` to continue from that place in the results.", "name": "offset", "in": "query" }, @@ -229,35 +274,81 @@ }, { "type": "string", - "description": "Sort assets by their properties. A single sort field is allowed. " - "Common sort options include:\n\n
  • hostname|asc
  • product_type_desc|desc
", + "description": "Sort assets by their properties. A single sort field is allowed. Common sort options " + "include:\n\n
  • hostname|asc
  • product_type_desc|desc
", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter assets using an FQL query. Common filter options include:\n\n" - "
  • entity_type:'managed'
  • product_type_desc:'Workstation'
  • " - "
  • platform_name:'Windows'
  • last_seen_timestamp:>'now-7d'
", + "description": "Filter assets using an FQL query. Common filter options include:
  • entity_type:'m " + "anaged'
  • product_type_desc:'Workstation'
  • platform_name:'Windows'
  • last_seen_timestamp:>' " + "now-7d'
\n\t\t\tAvailable filter fields that support exact match: id, aid, entity_type, country, " + "city, platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, " + "system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, " + "machine_domain, site_name, external_ip, hostname, local_ips_count, network_interfaces.local_ip, " + "network_interfaces.mac_address, network_interfaces.interface_alias, network_interfaces.interface_description, " + "network_interfaces.network_prefix, last_discoverer_aid, discoverer_count, discoverer_aids, discoverer_tags, " + "discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, " + "data_providers, data_providers_count, mac_addresses, local_ip_addresses, reduced_functionality_mode, " + "number_of_disk_drives, processor_package_count, physical_core_count, logical_core_count, total_disk_space, " + "disk_sizes.disk_name, disk_sizes.disk_space, cpu_processor_name, total_memory, encryption_status, " + "encrypted_drives, encrypted_drives_count, unencrypted_drives, unencrypted_drives_count, " + "os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.device_guard_status, " + "os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, " + "os_security.iommu_protection_status, os_security.secure_boot_enabled_status, " + "os_security.uefi_memory_protection_status, os_security.virtualization_based_security_status, " + "os_security.kernel_dma_protection_status, total_bios_files, bios_hashes_data.sha256_hash, " + "bios_hashes_data.measurement_type, bios_id, average_processor_usage, average_memory_usage, " + "average_memory_usage_pct, max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, " + "used_disk_space_pct, available_disk_space, available_disk_space_pct, mount_storage_info.mount_path, " + "mount_storage_info.used_space, 
mount_storage_info.available_space, form_factor, servicenow_id, owned_by, " + "managed_by, assigned_to, department, fqdn, used_for, object_guid, object_sid, ad_user_account_control, " + "account_enabled, creation_timestamp, email, os_service_pack, location, state, cpu_manufacturer, " + "discovering_by\n\t\t\tAvailable filter fields that supports wildcard (*): id, aid, entity_type, country, city, " + " platform_name, os_version, kernel_version, product_type_desc, tags, groups, agent_version, " + "system_product_name, system_manufacturer, system_serial_number, bios_manufacturer, bios_version, ou, " + "machine_domain, site_name, external_ip, hostname, network_interfaces.local_ip, network_interfaces.mac_address, " + " network_interfaces.interface_alias, network_interfaces.interface_description, " + "network_interfaces.network_prefix, last_discoverer_aid, discoverer_aids, discoverer_tags, " + "discoverer_platform_names, discoverer_product_type_descs, confidence, internet_exposure, os_is_eol, " + "data_providers, mac_addresses, local_ip_addresses, reduced_functionality_mode, disk_sizes.disk_name, " + "cpu_processor_name, encryption_status, encrypted_drives, unencrypted_drives, " + "os_security.secure_boot_requested_status, os_security.device_guard_status, os_security.device_guard_status, " + "os_security.device_guard_status, os_security.system_guard_status, os_security.credential_guard_status, " + "os_security.iommu_protection_status, os_security.secure_boot_enabled_status, " + "os_security.uefi_memory_protection_status, os_security.virtualization_based_security_status, " + "os_security.kernel_dma_protection_status, bios_hashes_data.sha256_hash, bios_hashes_data.measurement_type, " + "bios_id, mount_storage_info.mount_path, form_factor, servicenow_id, owned_by, managed_by, assigned_to, " + "department, fqdn, used_for, object_guid, object_sid, account_enabled, email, os_service_pack, location, state, " + " cpu_manufacturer, discovering_by\n\t\t\tAvailable filter fields 
that supports range comparisons (>, <, >=, " + "<=): first_seen_timestamp, last_seen_timestamp, local_ips_count, discoverer_count, confidence, " + "number_of_disk_drives, processor_package_count, physical_core_count, data_providers_count, logical_core_count, " + " total_disk_space, disk_sizes.disk_space, total_memory, encrypted_drives_count, unencrypted_drives_count, " + "total_bios_files, average_processor_usage, average_memory_usage, average_memory_usage_pct, " + "max_processor_usage, max_memory_usage, max_memory_usage_pct, used_disk_space, used_disk_space_pct, " + "available_disk_space, available_disk_space_pct, mount_storage_info.used_space, " + "mount_storage_info.available_space, ad_user_account_control, creation_timestamp\n\t\t\tAll filter fields and " + "operations supports negation (!).", "name": "filter", "in": "query" } ] ], [ - "query-logins", + "query-iot-hosts", "GET", - "/discover/queries/logins/v1", - "Search for logins in your environment by providing an FQL (Falcon Query Language) filter and paging details. " - "Returns a set of login IDs which match the filter criteria.", + "/discover/queries/iot-hosts/v1", + "Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging " + "details. Returns a set of asset IDs which match the filter criteria.", "discover", [ { "minimum": 0, "type": "integer", - "description": "An offset used with the `limit` parameter to manage pagination of results. " - "On your first request, don’t provide an `offset`. On subsequent requests, provide the `offset` " - "from the previous response to continue from that place in the results.", + "description": "An offset used with the `limit` parameter to manage pagination of results. On your " + "first request, don’t provide an `offset`. On subsequent requests, add previous `offset` with the previous " + "`limit` to continue from that place in the results.", "name": "offset", "in": "query" }, 
@@ -272,55 +363,41 @@ }, { "type": "string", - "description": "Sort assets by their properties. A single sort field is allowed. " - "Common sort options include:\n\n
  • hostname|asc
  • product_type_desc|desc
", + "description": "Sort assets by their properties. A single sort field is allowed. Common sort options " + "include:\n\n
  • hostname|asc
  • product_type_desc|desc
", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter assets using an FQL query. Common filter options include:\n\n" - "
  • entity_type:'managed'
  • product_type_desc:'Workstation'
  • platform_name:'Windows'" - "
  • last_seen_timestamp:>'now-7d'
", + "description": "Filter assets using an FQL query. Common filter options include:
  • entity_type:'m " + "anaged'
  • product_type_desc:'Workstation'
  • platform_name:'Windows'
  • last_seen_timestamp:>' " + "now-7d'
\n\t\t\tAvailable filter fields that support exact match: device_family, device_class, " + "device_type, device_mode, business_criticality, line_of_business, virtual_zone, subnet, purdue_level, vlan, " + "local_ip_addresses, mac_addresses, physical_connections_count, data_providers\n\t\t\tAvailable filter fields " + "that supports wildcard (*): device_family, device_class, device_type, device_mode, business_criticality, " + "line_of_business, virtual_zone, subnet, purdue_level, vlan, local_ip_addresses, mac_addresses, " + "data_providers\n\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, <=): " + "physical_connections_count\n\t\t\tAll filter fields and operations supports negation (!).", "name": "filter", "in": "query" } ] ], [ - "get-iot-hosts", - "GET", - "/discover/entities/iot-hosts/v1", - "Get details on IoT assets by providing one or more IDs.", - "discover_iot", - [ - { - "type": "array", - "items": { - "type": "string" - }, - "collectionFormat": "multi", - "description": "One or more asset IDs (max: 100). Find asset IDs with GET `/discover/queries/iot-hosts/v1`", - "name": "ids", - "in": "query", - "required": True - } - ] - ], - [ - "query-iot-hosts", + "query-logins", "GET", - "/discover/queries/iot-hosts/v1", - "Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. " - "Returns a set of asset IDs which match the filter criteria.", - "discover_iot", + "/discover/queries/logins/v1", + "Search for logins in your environment by providing an FQL (Falcon Query Language) filter and paging " + "details. Returns a set of login IDs which match the filter criteria.", + "discover", [ { "minimum": 0, "type": "integer", - "description": "An offset used with the `limit` parameter to manage pagination of results. On your first request, " - "don’t provide an `offset`. 
On subsequent requests, provide the `offset` from the previous response to continue " - "from that place in the results.", + "description": "An offset used with the `limit` parameter to manage pagination of results. On your " + "first request, don’t provide an `offset`. On subsequent requests, add previous `offset` with the previous " + "`limit` to continue from that place in the results.", "name": "offset", "in": "query" }, @@ -328,23 +405,31 @@ "maximum": 100, "minimum": 1, "type": "integer", - "description": "The number of asset IDs to return in this response (min: 1, max: 100, default: 100). " + "description": "The number of login IDs to return in this response (min: 1, max: 100, default: 100). " "Use with the `offset` parameter to manage pagination of results.", "name": "limit", "in": "query" }, { "type": "string", - "description": "Sort assets by their properties. A single sort field is allowed. Common sort options " - "include:\n\n
  • hostname|asc
  • product_type_desc|desc
", + "description": "Sort logins by their properties. A single sort field is allowed. Common sort options " + "include:\n\n
  • account_name|asc
  • login_timestamp|desc
", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter assets using an FQL query. Common filter options include:\n\n
    " - "
  • entity_type:'managed'
  • product_type_desc:'Workstation'
  • " - "
  • platform_name:'Windows'
  • last_seen_timestamp:>'now-7d'
", + "description": "Filter logins using an FQL query. Common filter options include:
  • account_type:' " + "Local'
  • login_type:'Interactive'
  • first_seen_timestamp:<'now-" + "7d'
  • admin_privileges:'No'
\n\t\t\tAvailable filter fields that support exact match: id, cid, " + "login_status, account_id, host_id, user_sid, aid, account_name, username, hostname, account_type, login_type, " + "login_timestamp, login_domain, admin_privileges, local_admin_privileges, local_ip, remote_ip, host_country, " + "host_city, is_suspicious, failure_description, login_event_count, aggregation_time_interval\n\t\t\tAvailable " + "filter fields that supports wildcard (*): id, cid, login_status, account_id, host_id, user_sid, aid, " + "account_name, username, hostname, account_type, login_type, login_domain, admin_privileges, " + "local_admin_privileges, local_ip, remote_ip, host_country, host_city, failure_description, " + "aggregation_time_interval\n\t\t\tAvailable filter fields that supports range comparisons (>, <, >=, <=): " + "login_timestamp, login_event_count\n\t\t\tAll filter fields and operations supports negation (!).", "name": "filter", "in": "query" } diff --git a/src/falconpy/_endpoint/deprecated/_fdr.py b/src/falconpy/_endpoint/deprecated/_fdr.py index b36a804c3..7ded7b886 100644 --- a/src/falconpy/_endpoint/deprecated/_fdr.py +++ b/src/falconpy/_endpoint/deprecated/_fdr.py @@ -1,4 +1,4 @@ -"""Internal API endpoint constant library. +"""Internal API endpoint constant library (deprecated operations). _______ __ _______ __ __ __ | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. @@ -42,7 +42,7 @@ "GET", "/fdr/combined/schema-members/v1", "Fetch combined schema", - "event_schema", + "fdr", [] ], [ @@ -50,7 +50,26 @@ "GET", "/fdr/entities/schema-events/v1", "Fetch event schema by ID", - "event_schema", + "fdr", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "Specify feed IDs to fetch", + "name": "ids", + "in": "query" + } + ] + ], + [ + "fdrschema.entities.field.get", + "GET", + "/fdr/entities/schema-fields/v1", + "Fetch field schema by ID", + "fdr", [ { "type": "array", 
@@ -69,7 +88,7 @@ "GET", "/fdr/queries/schema-events/v1", "Get list of event IDs given a particular query.", - "event_schema", + "fdr", [ { "type": "integer", @@ -97,31 +116,12 @@ } ] ], - [ - "fdrschema.entities.field.get", - "GET", - "/fdr/entities/schema-fields/v1", - "Fetch field schema by ID", - "field_schema", - [ - { - "type": "array", - "items": { - "type": "string" - }, - "collectionFormat": "multi", - "description": "Specify feed IDs to fetch", - "name": "ids", - "in": "query" - } - ] - ], [ "fdrschema.queries.field.get", "GET", "/fdr/queries/schema-fields/v1", "Get list of field IDs given a particular query.", - "field_schema", + "fdr", [ { "type": "integer", diff --git a/src/falconpy/_endpoint/deprecated/_firewall_management.py b/src/falconpy/_endpoint/deprecated/_firewall_management.py index 4a03f0c37..5e66c6442 100644 --- a/src/falconpy/_endpoint/deprecated/_firewall_management.py +++ b/src/falconpy/_endpoint/deprecated/_firewall_management.py @@ -1,4 +1,4 @@ -"""Internal API endpoint constant library. +"""Internal API endpoint constant library (deprecated operations). _______ __ _______ __ __ __ | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. @@ -181,8 +181,8 @@ "update-policy-container-v1", "PUT", "/fwmgr/entities/policies/v1", - "Update an identified policy container. WARNING: This endpoint is deprecated in " - "favor of v2, using this endpoint could disable your local logging setting.", + "Update an identified policy container. WARNING: This endpoint is deprecated in favor of v2, using this " + "endpoint could disable your local logging setting.", "firewall_management", [ { @@ -210,8 +210,7 @@ "get-rule-groups", "GET", "/fwmgr/entities/rule-groups/v1", - "Get rule group entities by ID. These groups do not contain their rule entites, " - "just the rule IDs in precedence order.", + "Get rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order.", "firewall_management", [ { 
@@ -236,15 +235,15 @@ [ { "type": "string", - "description": "A rule group ID from which to copy rules. " - "If this is provided then the 'rules' property of the body is ignored.", + "description": "A rule group ID from which to copy rules. If this is provided then the 'rules' " + "property of the body is ignored.", "name": "clone_id", "in": "query" }, { "type": "string", - "description": "If this flag is set to true then the rules will be cloned from the " - "clone_id from the CrowdStrike Firewal Rule Groups Library.", + "description": "If this flag is set to true then the rules will be cloned from the clone_id from the " + "CrowdStrike Firewal Rule Groups Library.", "name": "library", "in": "query" }, @@ -316,15 +315,15 @@ [ { "type": "string", - "description": "A rule group ID from which to copy rules. " - "If this is provided then the 'rules' property of the body is ignored.", + "description": "A rule group ID from which to copy rules. If this is provided then the 'rules' " + "property of the body is ignored.", "name": "clone_id", "in": "query" }, { "type": "string", - "description": "If this flag is set to true then the rules will be cloned from the " - "clone_id from the CrowdStrike Firewall Rule Groups Library.", + "description": "If this flag is set to true then the rules will be cloned from the clone_id from the " + "CrowdStrike Firewall Rule Groups Library.", "name": "library", "in": "query" }, @@ -345,8 +344,8 @@ "update-rule-group-validation", "PATCH", "/fwmgr/entities/rule-groups/validation/v1", - "Validates the request of updating name, description, or enabled status of a rule group, " - "or create, edit, delete, or reorder rules", + "Validates the request of updating name, description, or enabled status of a rule group, or create, edit, " + "delete, or reorder rules", "firewall_management", [ { 
@@ -412,8 +411,8 @@ { "type": "string", "description": "FQL query specifying the filter parameters. Filter term criteria: enabled, platform, " - "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, " - "such as '2010-05-15T14:55:21.892315096Z'.", + "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such " + "as '2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, @@ -431,9 +430,9 @@ }, { "type": "string", - "description": "A pagination token used with the `limit` parameter to manage pagination of results. " - "On your first request, don't provide an `after` token. On subsequent requests, provide the `after` " - "token from the previous response to continue from that place in the results.", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from " + "the previous response to continue from that place in the results.", "name": "after", "in": "query" }, @@ -515,8 +514,8 @@ { "type": "string", "description": "FQL query specifying the filter parameters. Filter term criteria: enabled, platform, " - "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date " - "format, such as '2010-05-15T14:55:21.892315096Z'.", + "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such " + "as '2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, 
@@ -556,8 +555,8 @@ { "type": "string", "description": "FQL query specifying the filter parameters. Filter term criteria: enabled, platform, " - "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date " - "format, such as '2010-05-15T14:55:21.892315096Z'.", + "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such " + "as '2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, @@ -575,9 +574,9 @@ }, { "type": "string", - "description": "A pagination token used with the `limit` parameter to manage pagination of results. " - "On your first request, don't provide an `after` token. On subsequent requests, provide the `after` " - "token from the previous response to continue from that place in the results.", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from " + "the previous response to continue from that place in the results.", "name": "after", "in": "query" }, @@ -605,8 +604,8 @@ { "type": "string", "description": "FQL query specifying the filter parameters. Filter term criteria: enabled, platform, " - "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date " - "format, such as '2010-05-15T14:55:21.892315096Z'.", + "name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such " + "as '2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, 
@@ -624,9 +623,9 @@ }, { "type": "string", - "description": "A pagination token used with the `limit` parameter to manage pagination of results. " - "On your first request, don't provide an `after` token. On subsequent requests, provide the `after` " - "token from the previous response to continue from that place in the results.", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from " + "the previous response to continue from that place in the results.", "name": "after", "in": "query" }, diff --git a/src/falconpy/_endpoint/deprecated/_hosts.py b/src/falconpy/_endpoint/deprecated/_hosts.py index 21eeceda6..428b2d53f 100644 --- a/src/falconpy/_endpoint/deprecated/_hosts.py +++ b/src/falconpy/_endpoint/deprecated/_hosts.py @@ -1,4 +1,4 @@ -"""Internal API endpoint constant library. +"""Internal API endpoint constant library (deprecated operations). _______ __ _______ __ __ __ | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. @@ -41,7 +41,7 @@ "entities.perform_action", "POST", "/devices/entities/group-actions/v1", - "Performs the specified action on the provided prevention policy IDs.", + "Performs the specified action on the provided group IDs.", "hosts", [ { @@ -67,6 +67,13 @@ "in": "query", "required": True }, + { + "type": "boolean", + "default": False, + "description": "Bool to disable hostname check on add-member", + "name": "disable_hostname_check", + "in": "query" + }, { "name": "body", "in": "body", 
@@ -78,10 +85,10 @@
 "GetOnlineState.V1",
 "GET",
 "/devices/entities/online-state/v1",
- "Get the online status for one or more hosts by specifying each host’s unique ID. "
- "Successful requests return an HTTP 200 response and the status for each host identified "
- "by a `state` of `online`, `offline`, or `unknown` for each host, identified by host `id`."
- "\n\nMake a `GET` request to `/devices/queries/devices/v1` to get a list of host IDs.",
+ "Get the online status for one or more hosts by specifying each host’s unique ID. Successful requests "
+ "return an HTTP 200 response and the status for each host identified by a `state` of `online`, `offline`, or "
+ "`unknown` for each host, identified by host `id`.\n\nUse QueryDevicesByFilterScroll to get a list of host "
+ "IDs.",
 "hosts",
 [
 {
diff --git a/src/falconpy/_endpoint/deprecated/_identity_protection.py b/src/falconpy/_endpoint/deprecated/_identity_protection.py
index 5ff52f5ef..de1f8cb4e 100644
--- a/src/falconpy/_endpoint/deprecated/_identity_protection.py
+++ b/src/falconpy/_endpoint/deprecated/_identity_protection.py
@@ -1,4 +1,4 @@
-"""Internal API endpoint constant library.
+"""Internal API endpoint constant library (deprecated operations).
 _______ __ _______ __ __ __
 | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
@@ -41,9 +41,8 @@
 "api.preempt.proxy.post.graphql",
 "POST",
 "/identity-protection/combined/graphql/v1",
- "Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, "
- "identity-based incidents and security assessment. Allows to perform actions on entities "
- "and identity-based incidents.",
+ "Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based "
+ "incidents and security assessment. Allows to perform actions on entities and identity-based incidents.",
 "identity_protection",
 [
 {
diff --git a/src/falconpy/_endpoint/deprecated/_installation_tokens.py b/src/falconpy/_endpoint/deprecated/_installation_tokens.py
index 7d7c4213b..e986819ab 100644
--- a/src/falconpy/_endpoint/deprecated/_installation_tokens.py
+++ b/src/falconpy/_endpoint/deprecated/_installation_tokens.py
@@ -1,4 +1,4 @@
-"""Internal API endpoint constant library.
+"""Internal API endpoint constant library (deprecated operations).
 _______ __ _______ __ __ __
 | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
@@ -64,6 +64,20 @@
 "installation_tokens",
 []
 ],
+ [
+ "customer-settings-update",
+ "PATCH",
+ "/installation-tokens/entities/customer-settings/v1",
+ "Update installation token settings.",
+ "installation_tokens",
+ [
+ {
+ "name": "body",
+ "in": "body",
+ "required": True
+ }
+ ]
+ ],
 [
 "tokens-read",
 "GET",
diff --git a/src/falconpy/_endpoint/deprecated/_ioc.py b/src/falconpy/_endpoint/deprecated/_ioc.py
index c7fd4107d..ed639418d 100644
--- a/src/falconpy/_endpoint/deprecated/_ioc.py
+++ b/src/falconpy/_endpoint/deprecated/_ioc.py
@@ -78,8 +78,9 @@
 },
 {
 "type": "integer",
- "description": "The offset to start retrieving records from. Offset and After params are mutually exclusive. "
- "If none provided then scrolling will be used by default.",
+ "description": "The offset to start retrieving records from. Offset and After params are mutually "
+ "exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the "
+ "'after' parameter instead of 'offset'.",
 "name": "offset",
 "in": "query"
 },
@@ -117,10 +118,10 @@ }, { "type": "string", - "description": "A pagination token used with the `limit` parameter to manage pagination of results. " - "On your first request, don't provide an 'after' token. On subsequent requests, provide the 'after' " - "token from the previous response to continue from that place in the results. " - "To access more than 10k indicators, use the 'after' parameter instead of 'offset'.", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an 'after' token. On subsequent requests, provide the 'after' token from " + "the previous response to continue from that place in the results. To access more than 10k indicators, use the " + "'after' parameter instead of 'offset'.", "name": "after", "in": "query" }, @@ -144,7 +145,7 @@ "items": { "type": "string" }, - "collectionFormat": "csv", + "collectionFormat": "multi", "description": "The ids of the Actions to retrieve", "name": "ids", "in": "query" @@ -163,7 +164,7 @@ "items": { "type": "string" }, - "collectionFormat": "csv", + "collectionFormat": "multi", "description": "The ids of the Indicators to retrieve", "name": "ids", "in": "query", @@ -234,8 +235,8 @@ [ { "type": "string", - "description": "The FQL expression to delete Indicators in bulk. If both 'filter' and 'ids' are provided, " - "then filter takes precedence and ignores ids.", + "description": "The FQL expression to delete Indicators in bulk. If both 'filter' and 'ids' are " + "provided, then filter takes precedence and ignores ids.", "name": "filter", "in": "query" }, 
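Review bot: `collectionFormat` for the `ids` parameter changes from `csv` to `multi` in three operations of this file (the Actions `ids`, the Indicators `ids`, and the bulk-delete `ids` in the next hunk), which is a wire-level change rather than a reflow if the request layer honours this field — one comma-joined `ids=` value becomes repeated `ids=` query members. That deserves a sentence in the commit description and a check that the non-deprecated `_ioc.py` table received the same change, so the deprecated and current tables do not disagree on how the same endpoint is serialised. Whether falconpy's request builder actually reads `collectionFormat` is not visible from this hunk.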
@@ -244,9 +245,9 @@ "items": { "type": "string" }, - "collectionFormat": "csv", - "description": "The ids of the Indicators to delete. If both 'filter' and 'ids' are provided, " - "then filter takes precedence and ignores ids", + "collectionFormat": "multi", + "description": "The ids of the Indicators to delete. If both 'filter' and 'ids' are provided, then " + "filter takes precedence and ignores ids", "name": "ids", "in": "query" }, @@ -300,8 +301,9 @@ }, { "type": "integer", - "description": "The offset to start retrieving records from. Offset and After params are mutually exclusive. " - "If none provided then scrolling will be used by default.", + "description": "The offset to start retrieving records from. Offset and After params are mutually " + "exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the " + "'after' parameter instead of 'offset'.", "name": "offset", "in": "query" }, @@ -339,10 +341,10 @@ }, { "type": "string", - "description": "A pagination token used with the `limit` parameter to manage pagination of results. " - "On your first request, don't provide an 'after' token. On subsequent requests, provide the 'after' " - "token from the previous response to continue from that place in the results. " - "To access more than 10k indicators, use the 'after' parameter instead of 'offset'.", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an 'after' token. On subsequent requests, provide the 'after' token from " + "the previous response to continue from that place in the results. To access more than 10k indicators, use the " + "'after' parameter instead of 'offset'.", "name": "after", "in": "query" } diff --git a/src/falconpy/_endpoint/deprecated/_iocs.py b/src/falconpy/_endpoint/deprecated/_iocs.py index f7d2384c4..9eead2e53 100644 --- a/src/falconpy/_endpoint/deprecated/_iocs.py 
+++ b/src/falconpy/_endpoint/deprecated/_iocs.py
@@ -1,4 +1,4 @@
-"""Internal API endpoint constant library.
+"""Internal API endpoint constant library (deprecated operations).
 _______ __ _______ __ __ __
 | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
diff --git a/src/falconpy/_endpoint/deprecated/_ods.py b/src/falconpy/_endpoint/deprecated/_ods.py
index 6354671fd..8c42ae90b 100644
--- a/src/falconpy/_endpoint/deprecated/_ods.py
+++ b/src/falconpy/_endpoint/deprecated/_ods.py
@@ -1,4 +1,4 @@
-"""Internal API endpoint constant library.
+"""Internal API endpoint constant library (deprecated operations).
 _______ __ _______ __ __ __
 | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
@@ -250,8 +250,8 @@
 [
 {
 "type": "string",
- "description": "A FQL compatible query string. Terms: [id cid scan_id host_id "
- "host_scan_id filepath filename hash pattern_id severity quarantined last_updated]",
+ "description": "A FQL compatible query string. Terms: [id scan_id host_id host_scan_id filepath "
+ "filename hash pattern_id severity quarantined last_updated]",
 "name": "filter",
 "in": "query",
 "allowEmptyValue": True
@@ -293,8 +293,7 @@
 ],
 "type": "string",
 "default": "last_updated|desc",
- "description": "The property to sort on, followed by a |, followed by the sort direction, "
- "either \"asc\" or \"desc\"",
+ "description": "The property to sort on, followed by a |, followed by the sort direction, either \"asc\" or \"desc\"",
 "name": "sort",
 "in": "query",
 "allowEmptyValue": True
@@ -310,10 +309,9 @@ [ { "type": "string", - "description": "A FQL compatible query string. Terms: [id cid profile_id host_id scan_id " - "host_scan_id filecount.scanned filecount.malicious filecount.quarantined " - "filecount.skipped affected_hosts_count status severity completed_on started_on " - "last_updated]", + "description": "A FQL compatible query string. Terms: [id profile_id host_id scan_id host_scan_id " + "filecount.scanned filecount.malicious filecount.quarantined filecount.skipped affected_hosts_count status " + "severity completed_on started_on last_updated scan_control_reason]", "name": "filter", "in": "query", "allowEmptyValue": True @@ -357,12 +355,13 @@ "completed_on|asc", "completed_on|desc", "last_updated|asc", - "last_updated|desc" + "last_updated|desc", + "scan_control_reason.keyword|asc", + "scan_control_reason.keyword|desc" ], "type": "string", "default": "last_updated|desc", - "description": "The property to sort on, followed by a |, followed by the sort direction, " - "either \"asc\" or \"desc\"", + "description": "The property to sort on, followed by a |, followed by the sort direction, either \"asc\" or \"desc\"", "name": "sort", "in": "query", "allowEmptyValue": True @@ -378,10 +377,10 @@ [ { "type": "string", - "description": "A FQL compatible query string. Terms: [id cid profile_id " - "description.keyword initiated_from filecount.scanned filecount.malicious " - "filecount.quarantined filecount.skipped affected_hosts_count status severity " - "scan_started_on scan_completed_on created_on created_by last_updated]", + "description": "A FQL compatible query string. Terms: [id profile_id description.keyword " + "initiated_from filecount.scanned filecount.malicious filecount.quarantined filecount.skipped " + "affected_hosts_count status severity scan_started_on scan_completed_on created_on created_by last_updated " + "targeted_host_count missing_host_count]", "name": "filter", "in": "query", "allowEmptyValue": True 
@@ -431,12 +430,15 @@ "created_by|asc", "created_by|desc", "last_updated|asc", - "last_updated|desc" + "last_updated|desc", + "targeted_host_count|asc", + "targeted_host_count|desc", + "missing_host_count|asc", + "missing_host_count|desc" ], "type": "string", "default": "created_on|desc", - "description": "The property to sort on, followed by a |, followed by the sort direction, " - "either \"asc\" or \"desc\"", + "description": "The property to sort on, followed by a |, followed by the sort direction, either \"asc\" or \"desc\"", "name": "sort", "in": "query", "allowEmptyValue": True @@ -452,9 +454,8 @@ [ { "type": "string", - "description": "A FQL compatible query string. Terms: [id cid description initiated_from " - "status schedule.start_timestamp schedule.Interval created_on created_by last_updated " - "deleted]", + "description": "A FQL compatible query string. Terms: [id description initiated_from status " + "schedule.start_timestamp schedule.Interval created_on created_by last_updated deleted]", "name": "filter", "in": "query", "allowEmptyValue": True @@ -494,8 +495,7 @@ ], "type": "string", "default": "schedule.start_timestamp|desc", - "description": "The property to sort on, followed by a |, followed by the sort direction, " - "either \"asc\" or \"desc\"", + "description": "The property to sort on, followed by a |, followed by the sort direction, either \"asc\" or \"desc\"", "name": "sort", "in": "query", "allowEmptyValue": True diff --git a/src/falconpy/_endpoint/deprecated/_real_time_response.py b/src/falconpy/_endpoint/deprecated/_real_time_response.py index af12f6bef..3880fef4d 100644 --- a/src/falconpy/_endpoint/deprecated/_real_time_response.py +++ b/src/falconpy/_endpoint/deprecated/_real_time_response.py @@ -1,4 +1,4 @@ -"""Internal API endpoint constant library. +"""Internal API endpoint constant library (deprecated operations). _______ __ _______ __ __ __ | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. 
@@ -46,13 +46,12 @@ [ { "description": "Supported aggregations: \n- `term`\n- `date_range`\n\nSupported aggregation " - "members:\n\n**`date_ranges`** If peforming a date range query specify the **`from`** and " - "**`to`** date ranges. These can be in common date formats like `2019-07-18` or `now`\n**`field`** " - "Term you want to aggregate on. If doing a `date_range` query, this is the date field you want to " - "apply the date ranges to\n**`filter`** Optional filter criteria in the form of an FQL query. " - "For more information about FQL queries, see our [FQL documentation in Falcon]" - "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide)." - "\n**`name`** Name of the aggregation\n**`size`** Size limit to apply to the queries.", + "members:\n\n**`date_ranges`** If peforming a date range query specify the **`from`** and **`to`** date ranges. " + " These can be in common date formats like `2019-07-18` or `now`\n**`field`** Term you want to aggregate on. " + "If doing a `date_range` query, this is the date field you want to apply the date ranges to\n**`filter`** " + "Optional filter criteria in the form of an FQL query. For more information about FQL queries, see our [FQL " + "documentation in Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-" + "feature-guide).\n**`name`** Name of the aggregation\n**`size`** Size limit to apply to the queries.", "name": "body", "in": "body", "required": True 
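Review bot: The rewritten aggregation body description keeps the pre-existing typo `peforming` (`If peforming a date range query`); since the line is being reflowed anyway, `If performing a date range query` fixes it at no extra cost. If this text is copied verbatim from the upstream API specification, the correction belongs in the generator input as well, otherwise it will be reintroduced on the next regeneration.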
@@ -91,17 +90,16 @@ "real_time_response", [ { - "description": "Use this endpoint to run these [real time response commands]" - "(https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):" - "\n- `cat`\n- `cd`\n- `clear`\n- `cp`\n- `encrypt`\n- `env`\n- `eventlog`\n- `filehash`\n- " - "`get`\n- `getsid`\n- `help`\n- `history`\n- `ipconfig`\n- `kill`\n- `ls`\n- `map`\n- `memdump`\n- " - "`mkdir`\n- `mount`\n- `mv`\n- `netstat`\n- `ps`\n- `reg query`\n- `reg set`\n- `reg delete`\n- " - "`reg load`\n- `reg unload`\n- `restart`\n- `rm`\n- `runscript`\n- `shutdown`\n- `unmap`\n- `update history`\n- " - "`update install`\n- `update list`\n- `update query`\n- `xmemdump`\n- `zip`\n\nRequired values. " - "The rest of the fields are unused.\n**`base_command`** Active-Responder command type we are going to execute, " - "for example: `get` or `cp`. Refer to the RTR documentation for the full list of commands.\n**`command_string`** " - "Full command string for the command. For example `get some_file.txt`\n**`session_id`** RTR session ID to " - "run the command on", + "description": "Use this endpoint to run these [real time response " + "commands](https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " + "`cat`\n- `cd`\n- `clear`\n- `cp`\n- `encrypt`\n- `env`\n- `eventlog`\n- `filehash`\n- `get`\n- `getsid`\n- " + "`help`\n- `history`\n- `ipconfig`\n- `kill`\n- `ls`\n- `map`\n- `memdump`\n- `mkdir`\n- `mount`\n- `mv`\n- " + "`netstat`\n- `ps`\n- `reg query`\n- `reg set`\n- `reg delete`\n- `reg load`\n- `reg unload`\n- `restart`\n- " + "`rm`\n- `runscript`\n- `shutdown`\n- `unmap`\n- `update history`\n- `update install`\n- `update list`\n- " + "`update query`\n- `xmemdump`\n- `zip`\n\nRequired values. The rest of the fields are " + "unused.\n**`base_command`** Active-Responder command type we are going to execute, for example: `get` or `cp`. 
" + " Refer to the RTR documentation for the full list of commands.\n**`command_string`** Full command string for " + "the command. For example `get some_file.txt`\n**`session_id`** RTR session ID to run the command on", "name": "body", "in": "body", "required": True @@ -140,14 +138,13 @@ "real_time_response", [ { - "description": "Use this endpoint to run these [real time response commands]" - "(https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " + "description": "Use this endpoint to run these [real time response " + "commands](https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " "`cat`\n- `cd`\n- `clear`\n- `env`\n- `eventlog`\n- `filehash`\n- `getsid`\n- `help`\n- `history`\n- " - "`ipconfig`\n- `ls`\n- `mount`\n- `netstat`\n- `ps`\n- `reg query`\n\nRequired values. " - "The rest of the fields are unused.\n**`base_command`** read-only command type we are going to execute, " - "for example: `ls` or `cd`. Refer to the RTR documentation for the full list of commands.\n" - "**`command_string`** Full command string for the command. For example `cd C:\\some_directory`\n" - "**`session_id`** RTR session ID to run the command on", + "`ipconfig`\n- `ls`\n- `mount`\n- `netstat`\n- `ps`\n- `reg query`\n\nRequired values. The rest of the fields " + "are unused.\n**`base_command`** read-only command type we are going to execute, for example: `ls` or `cd`. " + "Refer to the RTR documentation for the full list of commands.\n**`command_string`** Full command string for " + "the command. For example `cd C:\\some_directory`\n**`session_id`** RTR session ID to run the command on", "name": "body", "in": "body", "required": True 
@@ -269,8 +266,8 @@ "real_time_response", [ { - "description": "**`ids`** List of RTR sessions to retrieve. " - "RTR will only return the sessions that were created by the calling user", + "description": "**`ids`** List of RTR sessions to retrieve. RTR will only return the sessions that " + "were created by the calling user", "name": "body", "in": "body", "required": True @@ -308,8 +305,8 @@ "real_time_response", [ { - "description": "**`device_id`** The host agent ID to refresh the RTR session on. " - "RTR will retrieve an existing session for the calling user on this host", + "description": "**`device_id`** The host agent ID to refresh the RTR session on. RTR will retrieve an " + "existing session for the calling user on this host", "name": "body", "in": "body", "required": True @@ -324,8 +321,8 @@ "real_time_response", [ { - "description": "**`ids`** List of RTR sessions to retrieve. " - "RTR will only return the sessions that were created by the calling user", + "description": "**`ids`** List of RTR sessions to retrieve. RTR will only return the sessions that " + "were created by the calling user", "name": "body", "in": "body", "required": True 
@@ -342,24 +339,24 @@ { "type": "integer", "default": 30, - "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. " - "Maximum is 10 minutes.", + "description": "Timeout for how long to wait for the request in seconds, default timeout is 30 " + "seconds. Maximum is 5 minutes.", "name": "timeout", "in": "query" }, { "type": "string", "default": "30s", - "description": "Timeout duration for how long to wait for the request in duration syntax. " - "Example, `10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 10 minutes.", + "description": "Timeout duration for how long to wait for the request in duration syntax. Example, " + "`10s`. Valid units: `ns, us, ms, s, m, h`. Maximum is 5 minutes.", "name": "timeout_duration", "in": "query" }, { - "description": "**`device_id`** The host agent ID to initialize the RTR session on. " - "RTR will retrieve an existing session for the calling user on this host\n**`queue_offline`** " - "If we should queue this session if the host is offline. " - "Any commands run against an offline-queued session will be queued up and executed when the host comes online.", + "description": "**`device_id`** The host agent ID to initialize the RTR session on. RTR will retrieve " + " an existing session for the calling user on this host\n**`queue_offline`** If we should queue this session if " + " the host is offline. Any commands run against an offline-queued session will be queued up and executed when " + "the host comes online.", "name": "body", "in": "body", "required": True 
@@ -409,10 +406,10 @@ }, { "type": "string", - "description": "Optional filter criteria in the form of an FQL query. " - "For more information about FQL queries, see our [FQL documentation in Falcon]" - "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide). " - "“user_id” can accept a special value ‘@me’ which will restrict results to records with current user’s ID.", + "description": "Optional filter criteria in the form of an FQL query. For more information about FQL " + "queries, see our [FQL documentation in Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-" + "query-language-feature-guide). “user_id” can accept a special value ‘@me’ which will restrict results to " + "records with current user’s ID.", "name": "filter", "in": "query" } diff --git a/src/falconpy/_endpoint/deprecated/_real_time_response_admin.py b/src/falconpy/_endpoint/deprecated/_real_time_response_admin.py index b254ae4e0..aa4ae7467 100644 --- a/src/falconpy/_endpoint/deprecated/_real_time_response_admin.py +++ b/src/falconpy/_endpoint/deprecated/_real_time_response_admin.py @@ -1,4 +1,4 @@ -"""Internal API endpoint constant library. +"""Internal API endpoint constant library (deprecated operations). _______ __ _______ __ __ __ | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. 
@@ -69,17 +69,16 @@ "real_time_response_admin", [ { - "description": "Use this endpoint to run these [real time response commands]" - "(https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):" - "\n- `cat`\n- `cd`\n- `clear`\n- `cp`\n- `encrypt`\n- `env`\n- `eventlog`\n- `filehash`\n- `get`" - "\n- `getsid`\n- `help`\n- `history`\n- `ipconfig`\n- `kill`\n- `ls`\n- `map`\n- `memdump`\n- `mkdir`" - "\n- `mount`\n- `mv`\n- `netstat`\n- `ps`\n- `put`\n- `reg query`\n- `reg set`\n- `reg delete`\n- `reg load`" - "\n- `reg unload`\n- `restart`\n- `rm`\n- `run`\n- `runscript`\n- `shutdown`\n- `unmap`\n- `update history`" - "\n- `update install`\n- `update list`\n- `update query`\n- `xmemdump`\n- `zip`\n\nRequired values. " - "The rest of the fields are unused.\n**`base_command`** Active-Responder command type we are going to execute, " - "for example: `get` or `cp`. Refer to the RTR documentation for the full list of commands.\n**`command_string`" - "** Full command string for the command. For example `get some_file.txt`\n**`session_id`** RTR session ID to " - "run the command on", + "description": "Use this endpoint to run these [real time response " + "commands](https://falcon.crowdstrike.com/support/documentation/11/getting-started-guide#rtr_commands):\n- " + "`cat`\n- `cd`\n- `clear`\n- `cp`\n- `encrypt`\n- `env`\n- `eventlog`\n- `filehash`\n- `get`\n- `getsid`\n- " + "`help`\n- `history`\n- `ipconfig`\n- `kill`\n- `ls`\n- `map`\n- `memdump`\n- `mkdir`\n- `mount`\n- `mv`\n- " + "`netstat`\n- `ps`\n- `put`\n- `reg query`\n- `reg set`\n- `reg delete`\n- `reg load`\n- `reg unload`\n- " + "`restart`\n- `rm`\n- `run`\n- `runscript`\n- `shutdown`\n- `unmap`\n- `update history`\n- `update install`\n- " + "`update list`\n- `update query`\n- `xmemdump`\n- `zip`\n\nRequired values. The rest of the fields are " + "unused.\n**`base_command`** Active-Responder command type we are going to execute, for example: `get` or `cp`. 
" + " Refer to the RTR documentation for the full list of commands.\n**`command_string`** Full command string for " + "the command. For example `get some_file.txt`\n**`session_id`** RTR session ID to run the command on", "name": "body", "in": "body", "required": True @@ -128,6 +127,7 @@ "required": True }, { + "maxLength": 32766, "type": "string", "description": "File name (if different than actual file name)", "name": "name", @@ -219,6 +219,7 @@ "required": True }, { + "maxLength": 32766, "type": "string", "description": "File name (if different than actual file name)", "name": "name", @@ -234,9 +235,9 @@ { "type": "string", "default": "none", - "description": "Permission for the custom-script. Valid permission values: \n - `private`, usable by only the user " - "who uploaded it \n - `group`, usable by all RTR Admins \n - `public`, usable by all active-responders and RTR " - "admins", + "description": "Permission for the custom-script. Valid permission values: \n - `private`, usable by " + "only the user who uploaded it \n - `group`, usable by all RTR Admins \n - `public`, usable by all active-" + "responders and RTR admins", "name": "permission_type", "in": "formData", "required": True @@ -253,11 +254,8 @@ "type": "string" }, "collectionFormat": "multi", - "x-cs-exposures": [ - "public" - ], - "description": "Platforms for the file. Currently supports: windows, mac, linux, . " - "If no platform is provided, it will default to 'windows'", + "description": "Platforms for the file. Currently supports: windows, mac, linux, . If no platform is " + "provided, it will default to 'windows'", "name": "platform", "in": "formData" } @@ -290,6 +288,7 @@ "in": "formData" }, { + "maxLength": 32766, "type": "string", "description": "File name (if different than actual file name)", "name": "name", 
@@ -305,9 +304,9 @@ { "type": "string", "default": "none", - "description": "Permission for the custom-script. Valid permission values: \n - `private`, " - "usable by only the user who uploaded it \n - `group`, usable by all RTR Admins \n - `public`, " - "usable by all active-responders and RTR admins", + "description": "Permission for the custom-script. Valid permission values: \n - `private`, usable by " + "only the user who uploaded it \n - `group`, usable by all RTR Admins \n - `public`, usable by all active-" + "responders and RTR admins", "name": "permission_type", "in": "formData" }, @@ -323,10 +322,7 @@ "type": "string" }, "collectionFormat": "multi", - "x-cs-exposures": [ - "public" - ], - "description": "Platforms for the file. Currently supports: windows, mac, ", + "description": "Platforms for the file. Currently supports: windows, mac, linux, ", "name": "platform", "in": "formData" } @@ -377,9 +373,9 @@ [ { "type": "string", - "description": "Optional filter criteria in the form of an FQL query. For more information about FQL queries, " - "see our [FQL documentation in Falcon]" - "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", + "description": "Optional filter criteria in the form of an FQL query. For more information about FQL " + "queries, see our [FQL documentation in Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-" + "query-language-feature-guide).", "name": "filter", "in": "query" }, 
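Review bot: The new `platform` description ends with a dangling separator, `"Platforms for the file. Currently supports: windows, mac, linux, "`, and the sibling `platform` hunk earlier in this file reads `windows, mac, linux, . If no platform is provided ...`; both read as a truncated list. `Currently supports: windows, mac, linux.` (with the second one continuing `If no platform is provided, it will default to 'windows'`) is what the text means. If these strings mirror the upstream spec verbatim, the fix should also go to the spec so regeneration does not undo it.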
@@ -412,9 +408,9 @@ [ { "type": "string", - "description": "Optional filter criteria in the form of an FQL query. For more information about " - "FQL queries, see our [FQL documentation in Falcon]" - "(https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide).", + "description": "Optional filter criteria in the form of an FQL query. For more information about FQL " + "queries, see our [FQL documentation in Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-" + "query-language-feature-guide).", "name": "filter", "in": "query" }, diff --git a/src/falconpy/_endpoint/deprecated/_report_executions.py b/src/falconpy/_endpoint/deprecated/_report_executions.py index 22926fca0..fd55fbc09 100644 --- a/src/falconpy/_endpoint/deprecated/_report_executions.py +++ b/src/falconpy/_endpoint/deprecated/_report_executions.py @@ -1,4 +1,4 @@ -"""Internal API endpoint constant library. +"""Internal API endpoint constant library (deprecated operations). _______ __ _______ __ __ __ | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. @@ -102,9 +102,9 @@ }, { "type": "string", - "description": "FQL query specifying the filter parameters. Filter term criteria: type, scheduled_report_id, status." - "Filter range criteria: created_on, last_updated_on, expiration_on; use any common date format," - "such as '2010-05-15T14:55:21.892315096Z'.", + "description": "FQL query specifying the filter parameters. Filter term criteria: type, " + "scheduled_report_id, status. Filter range criteria: created_on, last_updated_on, expiration_on; use any common " + "date format, such as '2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, diff --git a/src/falconpy/_endpoint/deprecated/_scheduled_reports.py b/src/falconpy/_endpoint/deprecated/_scheduled_reports.py index 55fac6d03..6c828815f 100644 --- a/src/falconpy/_endpoint/deprecated/_scheduled_reports.py +++ b/src/falconpy/_endpoint/deprecated/_scheduled_reports.py 
@@ -1,4 +1,4 @@ -"""Internal API endpoint constant library. +"""Internal API endpoint constant library (deprecated operations). _______ __ _______ __ __ __ | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. @@ -86,10 +86,9 @@ }, { "type": "string", - "description": "FQL query specifying the filter parameters." - "Filter term criteria: type, trigger_reference, recipients, user_uuid, cid, trigger_params.metadata." - "Filter range criteria: created_on, modified_on; use any common date format," - "such as '2010-05-15T14:55:21.892315096Z'.", + "description": "FQL query specifying the filter parameters. Filter term criteria: type, " + "trigger_reference, recipients, user_uuid, cid, trigger_params.metadata. Filter range criteria: created_on, " + "modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'.", "name": "filter", "in": "query" }, From 5165c94351ad61684dc3df184c94f2e052722b97 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 21 Dec 2023 11:54:09 -0500 Subject: [PATCH 06/37] Add source_event_url argument to WorkflowExecute --- src/falconpy/_endpoint/_workflows.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/falconpy/_endpoint/_workflows.py b/src/falconpy/_endpoint/_workflows.py index 2125176d1..33f7b005b 100644 --- a/src/falconpy/_endpoint/_workflows.py +++ b/src/falconpy/_endpoint/_workflows.py @@ -73,6 +73,12 @@ "name": "depth", "in": "query" }, + { + "type": "string", + "description": "Used to record a URL to the source that led to triggering this workflow", + "name": "source_event_url", + "in": "query" + }, { "name": "body", "in": "body", From 8e5f9f8dbbfb37a9fec85e1b34c030fda6248e50 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 21 Dec 2023 11:54:48 -0500 Subject: [PATCH 07/37] Deprecate RetrieveUser for retrieveUser within User Management --- src/falconpy/_endpoint/_user_management.py | 20 ++++++++++++++++++++ src/falconpy/user_management.py | 3 ++- 2 files changed, 22 insertions(+), 1 deletion(-) 
diff --git a/src/falconpy/_endpoint/_user_management.py b/src/falconpy/_endpoint/_user_management.py
index 755415b50..593409ae5 100644
--- a/src/falconpy/_endpoint/_user_management.py
+++ b/src/falconpy/_endpoint/_user_management.py
@@ -449,6 +449,26 @@
 }
 ]
 ],
+ [
+ "retrieveUser",
+ "GET",
+ "/users/entities/users/v1",
+ "Deprecated : Please use retrieveUsersGETV1. Get info about a user",
+ "user_management",
+ [
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "collectionFormat": "multi",
+ "description": "ID of a user. Find a user's ID from queryUserV1.",
+ "name": "ids",
+ "in": "query",
+ "required": True
+ }
+ ]
+ ],
 [
 "CreateUser",
 "POST",
diff --git a/src/falconpy/user_management.py b/src/falconpy/user_management.py
index 551e6c191..9c505dafa 100644
--- a/src/falconpy/user_management.py
+++ b/src/falconpy/user_management.py
@@ -785,7 +785,7 @@ def retrieve_user(self: object, *args, parameters: dict = None, **kwargs) -> Dic
 return process_service_request(
 calling_object=self,
 endpoints=Endpoints,
- operation_id="RetrieveUser",
+ operation_id="retrieveUser",
 keywords=kwargs,
 params=handle_single_argument(args, parameters, "ids")
 )
@@ -1062,6 +1062,7 @@ def retrieve_user_uuid(self: object, *args, parameters: dict = None, **kwargs) -
 GetAvailableRoleIds = get_available_role_ids
 GetUserRoleIds = get_user_role_ids
 RetrieveUser = retrieve_user
+ retrieveUser = retrieve_user
 CreateUser = create_user
 DeleteUser = delete_user
 UpdateUser = update_user
From a6d25a51141998a9281cd23de172bf4566400a27 Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Thu, 21 Dec 2023 11:59:44 -0500
Subject: [PATCH 08/37] Add deprecated operations
---
 .../deprecated/_firewall_management.py | 221 ++++++++++++++++++
 1 file changed, 221 insertions(+)
diff --git a/src/falconpy/_endpoint/deprecated/_firewall_management.py b/src/falconpy/_endpoint/deprecated/_firewall_management.py
index 5e66c6442..9c2dd1d64 100644
--- a/src/falconpy/_endpoint/deprecated/_firewall_management.py
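Review bot: `retrieve_user` now targets the `retrieveUser` operation, whose table entry describes itself as `Deprecated : Please use retrieveUsersGETV1`, but the method's docstring (outside this hunk) is unchanged, so SDK callers get no indication they are on a deprecated path. A one-line addition to that docstring such as `DEPRECATED: the underlying operation (retrieveUser) is deprecated in favour of retrieveUsersGETV1.` would carry the table's warning to the public surface. If the previous `RetrieveUser` entry still exists in `_user_management.py`, nothing in the service class references it after this change and it could be dropped in the same commit; keeping both `RetrieveUser = retrieve_user` and the new `retrieveUser = retrieve_user` aliases is fine for compatibility.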
+++ b/src/falconpy/_endpoint/deprecated/_firewall_management.py 
@@ -137,6 +137,180 @@ } ] ], + [ + "get-network-locations-details", + "GET", + "/fwmgr/entities/network-locations-details/v1", + "Get network locations entities by ID", + "firewall_management", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "The events to retrieve, identified by ID", + "name": "ids", + "in": "query", + "required": True + } + ] + ], + [ + "update-network-locations-metadata", + "POST", + "/fwmgr/entities/network-locations-metadata/v1", + "Updates the network locations metadata such as polling_intervals for the cid", + "firewall_management", + [ + { + "type": "string", + "description": "Audit log comment for this action", + "name": "comment", + "in": "query" + }, + { + "name": "body", + "in": "body", + "required": True + } + ] + ], + [ + "update-network-locations-precedence", + "POST", + "/fwmgr/entities/network-locations-precedence/v1", + "Updates the network locations precedence according to the list of ids provided.", + "firewall_management", + [ + { + "type": "string", + "description": "Audit log comment for this action", + "name": "comment", + "in": "query" + }, + { + "name": "body", + "in": "body", + "required": True + } + ] + ], + [ + "get-network-locations", + "GET", + "/fwmgr/entities/network-locations/v1", + "Get a summary of network locations entities by ID", + "firewall_management", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "The events to retrieve, identified by ID", + "name": "ids", + "in": "query", + "required": True + } + ] + ], + [ + "upsert-network-locations", + "PUT", + "/fwmgr/entities/network-locations/v1", + "Updates the network locations provided, and return the ID.", + "firewall_management", + [ + { + "type": "string", + "description": "Audit log comment for this action", + "name": "comment", + "in": "query" + }, + { + "name": "body", + "in": "body", + "required": True + } + ] + ], + [ + 
"create-network-locations", + "POST", + "/fwmgr/entities/network-locations/v1", + "Create new network locations provided, and return the ID.", + "firewall_management", + [ + { + "type": "string", + "description": "A network location ID from which to copy location. If this is provided then the body " + "of the request is ignored.", + "name": "clone_id", + "in": "query" + }, + { + "type": "boolean", + "description": "A boolean to determine whether the cloned location needs to be added to the same " + "firewall rules that original location is added to.", + "name": "add_fw_rules", + "in": "query" + }, + { + "type": "string", + "description": "Audit log comment for this action", + "name": "comment", + "in": "query" + }, + { + "name": "body", + "in": "body", + "required": True + } + ] + ], + [ + "update-network-locations", + "PATCH", + "/fwmgr/entities/network-locations/v1", + "Updates the network locations provided, and return the ID.", + "firewall_management", + [ + { + "type": "string", + "description": "Audit log comment for this action", + "name": "comment", + "in": "query" + }, + { + "name": "body", + "in": "body", + "required": True + } + ] + ], + [ + "delete-network-locations", + "DELETE", + "/fwmgr/entities/network-locations/v1", + "Delete network location entities by ID.", + "firewall_management", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "The IDs of the network locations to be deleted", + "name": "ids", + "in": "query", + "required": True + } + ] + ], [ "get-platforms", "GET", 
@@ -471,6 +645,53 @@ } ] ], + [ + "query-network-locations", + "GET", + "/fwmgr/queries/network-locations/v1", + "Get a list of network location IDs", + "firewall_management", + [ + { + "type": "string", + "description": "Possible order by fields: ", + "name": "sort", + "in": "query" + }, + { + "type": "string", + "description": "FQL query specifying the filter parameters. Filter term criteria: name", + "name": "filter", + "in": "query" + }, + { + "type": "string", + "description": "Match query criteria, which includes all the filter string fields", + "name": "q", + "in": "query" + }, + { + "type": "string", + "description": "Starting index of overall result set from which to return ids.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from " + "the previous response to continue from that place in the results.", + "name": "after", + "in": "query" + }, + { + "type": "integer", + "description": "Number of ids to return.", + "name": "limit", + "in": "query" + } + ] + ], [ "query-platforms", "GET", From 65f481b09afb16a10f3824cfdbeba81c5eba4406 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 21 Dec 2023 12:04:22 -0500 Subject: [PATCH 09/37] Reduce constructor complexity and abstract definition logic --- src/falconpy/_result/_result.py | 112 ++++++++++++++++---------------- 1 file changed, 57 insertions(+), 55 deletions(-) diff --git a/src/falconpy/_result/_result.py b/src/falconpy/_result/_result.py index 7fc198b23..a3b8e2d4d 100644 --- a/src/falconpy/_result/_result.py +++ b/src/falconpy/_result/_result.py @@ -57,7 +57,6 @@ def __init__(self, ): """Construct an instance of the class.""" self._pos: int = 0 - # self._reversed: bool = False # Configure defaults self.status_code = status_code # Will default to 0 
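Review bot: The `ids` description in `get-network-locations-details` and `get-network-locations` (previous hunk, `@@ -137,6 +137,180`) reads "The events to retrieve, identified by ID", which looks copied from an events endpoint; `"The network locations to retrieve, identified by ID"` matches the route. In this hunk the `sort` description of `query-network-locations` is the empty stub "Possible order by fields: ", so the help text names no field at all. If these strings are generated from the upstream API specification, the correction belongs in the generator input rather than in this file.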
@@ -76,61 +75,64 @@ def __init__(self, if isinstance(_headers, CaseInsensitiveDict): _headers = dict(headers) self.headers = Headers(_headers) - if isinstance(body, list): - # Specific to report_executions_download_get returning raw - # JSON payloads as a list. There will be no Meta or Errors - # branch in this response. - self.resources = Resources(body) # pragma: no cover - elif isinstance(body, bytes): - # Binary response - self.resources = BinaryFile(body) - self.meta = Meta() - self.errors = Errors() - elif isinstance(body, str): - # Invalid or raw response - if not body.strip(): - body = {} - self.raw = RawBody(body) - self.meta = Meta() - self.resources = Resources() - self.errors = Errors() - elif body.get("access_token", None): - # Authentication response - self.raw = RawBody(body) - self.meta = Meta() - self.resources = Resources() - self.errors = Errors() + self._parse_body(body_rcv=body) + + def _parse_body(self, body_rcv: Dict[str, Union[str, dict, list, int, float, bytes]]): + if isinstance(body_rcv, list): + # Specific to report_executions_download_get returning raw + # JSON payloads as a list. There will be no Meta or Errors + # branch in this response. 
+ self.resources = Resources(body_rcv) # pragma: no cover + elif isinstance(body_rcv, bytes): + # Binary response + self.resources = BinaryFile(body_rcv) + self.meta = Meta() + self.errors = Errors() + elif isinstance(body_rcv, str): + # Invalid or raw response + if not body_rcv.strip(): + body_rcv = {} + self.raw = RawBody(body_rcv) + self.meta = Meta() + self.resources = Resources() + self.errors = Errors() + elif body_rcv.get("access_token", None): + # Authentication response + self.raw = RawBody(body_rcv) + self.meta = Meta() + self.resources = Resources() + self.errors = Errors() + else: + # Standard responses, GraphQL and RTR + self.meta = Meta(body_rcv.get("meta", {})) + self.errors = Errors(body_rcv.get("errors", [])) + # RTR Batch responses + if body_rcv.get("batch_id", {}): + # Batch session init returns as a dictionary + self.raw = RawBody(body_rcv) + self.batch_id = body_rcv.get("batch_id") + self.resources = ResponseComponent(body_rcv.get("resources")) + elif body_rcv.get("combined", {}): + # Batch session results return as a dictionary. + self.batch_get_cmd_req_id = body_rcv.get("batch_get_cmd_req_id", None) + self.raw = RawBody(body_rcv) + self.resources = ResponseComponent(body_rcv.get("combined")) + elif body_rcv.get("data", {}): # pragma: no cover + # GraphQL uses a custom response payload. Due to + # environment constraints, this is manually tested. 
+ self.raw = RawBody(body_rcv) + self.resources = ResponseComponent(body_rcv) + elif body_rcv.get("resources", None) is None: + # No resources, this must be a raw dictionary + # Probably came from the container API + self.raw = RawBody(body_rcv) + elif isinstance(body_rcv.get("resources", []), dict): + # Catch unusual response payloads not explicitly handled + self.raw = RawBody(body_rcv) + self.resources = ResponseComponent(body_rcv.get("resources")) else: - # Standard responses, GraphQL and RTR - self.meta = Meta(body.get("meta", {})) - self.errors = Errors(body.get("errors", [])) - # RTR Batch responses - if body.get("batch_id", {}): - # Batch session init returns as a dictionary - self.raw = RawBody(body) - self.batch_id = body.get("batch_id") - self.resources = ResponseComponent(body.get("resources")) - elif body.get("combined", {}): - # Batch session results return as a dictionary. - self.batch_get_cmd_req_id = body.get("batch_get_cmd_req_id", None) - self.raw = RawBody(body) - self.resources = ResponseComponent(body.get("combined")) - elif body.get("data", {}): # pragma: no cover - # GraphQL uses a custom response payload. Due to - # environment constraints, this is manually tested. - self.raw = RawBody(body) - self.resources = ResponseComponent(body) - elif body.get("resources", None) is None: - # No resources, this must be a raw dictionary - # Probably came from the container API - self.raw = RawBody(body) - elif isinstance(body.get("resources", []), dict): - # Catch unusual response payloads not explicitly handled - self.raw = RawBody(body) - self.resources = ResponseComponent(body.get("resources")) - else: - # Standard API responses - self.resources = Resources(body.get("resources", [])) + # Standard API responses + self.resources = Resources(body_rcv.get("resources", [])) # Iteration handlers def __iter__(self): From 7e8098166b9bbb2a334318c247053b1e1043618b Mon Sep 17 00:00:00 2001 
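Review bot: `_parse_body` has no docstring, although the constructor it was extracted from carries one (`"""Construct an instance of the class."""` in the previous hunk), and its annotation `Dict[str, Union[str, dict, list, int, float, bytes]]` does not cover the `list`, `bytes` and `str` bodies that its first three `isinstance` branches handle. Suggest `def _parse_body(self, body_rcv: Union[Dict[str, Union[str, dict, list, int, float]], list, bytes, str]):` with a docstring such as `"""Populate raw, meta, resources and errors from the received response body."""` followed by one sentence listing the body shapes it distinguishes (list, bytes, str, auth, RTR batch, GraphQL, raw dict, standard). The branch chain itself is carried over unchanged from the constructor, so no behaviour point is raised here; the `__init__` that calls it starts outside the hunk.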
From: Joshua Hiller Date: Thu, 21 Dec 2023 12:08:38 -0500 Subject: [PATCH 10/37] Fix module constant typo --- src/falconpy/_endpoint/__init__.py | 4 ++-- src/falconpy/_endpoint/_cloud_snapshots.py | 2 +- src/falconpy/cloud_snapshots.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/falconpy/_endpoint/__init__.py b/src/falconpy/_endpoint/__init__.py index be3400177..7dad5bc15 100644 --- a/src/falconpy/_endpoint/__init__.py +++ b/src/falconpy/_endpoint/__init__.py @@ -41,7 +41,7 @@ from ._alerts import _alerts_endpoints from ._cloud_connect_aws import _cloud_connect_aws_endpoints -from ._cloud_snapshots import _cloud_snapshot_endpoints +from ._cloud_snapshots import _cloud_snapshots_endpoints from ._cspm_registration import _cspm_registration_endpoints from ._custom_ioa import _custom_ioa_endpoints from ._custom_storage import _custom_storage_endpoints @@ -99,7 +99,7 @@ api_endpoints: List[Any] = [] api_endpoints.extend(_alerts_endpoints) api_endpoints.extend(_cloud_connect_aws_endpoints) -api_endpoints.extend(_cloud_snapshot_endpoints) +api_endpoints.extend(_cloud_snapshots_endpoints) api_endpoints.extend(_cspm_registration_endpoints) api_endpoints.extend(_custom_ioa_endpoints) api_endpoints.extend(_custom_storage_endpoints) diff --git a/src/falconpy/_endpoint/_cloud_snapshots.py b/src/falconpy/_endpoint/_cloud_snapshots.py index 82073131f..1666d4506 100644 --- a/src/falconpy/_endpoint/_cloud_snapshots.py +++ b/src/falconpy/_endpoint/_cloud_snapshots.py @@ -36,7 +36,7 @@ For more information, please refer to """ -_cloud_snapshot_endpoints = [ +_cloud_snapshots_endpoints = [ [ "RegisterCspmSnapshotAccount", "POST", diff --git a/src/falconpy/cloud_snapshots.py b/src/falconpy/cloud_snapshots.py index 9dd5ef896..4fb9f7c5a 100644 --- a/src/falconpy/cloud_snapshots.py +++ b/src/falconpy/cloud_snapshots.py 
@@ -39,7 +39,7 @@ from ._util import process_service_request, force_default from ._payload import snapshot_registration_payload, snapshot_inventory_payload from ._service_class import ServiceClass -from ._endpoint._cloud_snapshots import _cloud_snapshot_endpoints as Endpoints +from ._endpoint._cloud_snapshots import _cloud_snapshots_endpoints as Endpoints class CloudSnapshots(ServiceClass): From cf379cfc5c3b5b765cd0d2586423e85427434b3a Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 21 Dec 2023 12:21:32 -0500 Subject: [PATCH 11/37] Change datatype for ids from string to integer --- src/falconpy/_endpoint/_cspm_registration.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/falconpy/_endpoint/_cspm_registration.py b/src/falconpy/_endpoint/_cspm_registration.py index 52f580d94..b1699eb7a 100644 --- a/src/falconpy/_endpoint/_cspm_registration.py +++ b/src/falconpy/_endpoint/_cspm_registration.py @@ -1015,8 +1015,8 @@ "cspm_registration", [ { - "pattern": "\\d{*}", - "type": "string", + "pattern": "^\\d+$", + "type": "integer", "description": "Policy ID", "name": "ids", "in": "query", From d5feb2e8720074b6473d1760a1f2d9dfe2f91506 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 21 Dec 2023 12:25:06 -0500 Subject: [PATCH 12/37] Add next_token to GetConfigurationDetectionIDsV2 --- src/falconpy/_endpoint/_cspm_registration.py | 6 ++++++ src/falconpy/cspm_registration.py | 2 ++ 2 files changed, 8 insertions(+) diff --git a/src/falconpy/_endpoint/_cspm_registration.py b/src/falconpy/_endpoint/_cspm_registration.py index b1699eb7a..9a51ac2c8 100644 --- a/src/falconpy/_endpoint/_cspm_registration.py +++ b/src/falconpy/_endpoint/_cspm_registration.py 
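Review bot: The `ids` parameter in the `_cspm_registration.py` hunk now carries both `"type": "integer"` and `"pattern": "^\\d+$"`; in the OpenAPI vocabulary `pattern` constrains strings, so the two keywords describe different value spaces and one of them is dead. If the SDK validates keyword arguments against these descriptors, callers that pass policy IDs as strings (the convention used for `ids` elsewhere in this series, e.g. `ids="12345678"` in the tests) may now be rejected, which deserves a check and a changelog line; if the descriptors are informational only, dropping `pattern` keeps the entry consistent with the other integer parameters.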
@@ -872,6 +872,12 @@ "description": "Offset returned detections. Cannot be combined with next_token filter", "name": "offset", "in": "query" + }, + { + "type": "string", + "description": "String to get next page of results. Cannot be combined with any filter except limit.", + "name": "next_token", + "in": "query" } ] ], diff --git a/src/falconpy/cspm_registration.py b/src/falconpy/cspm_registration.py index 7d68e4c99..06ea1a1b0 100644 --- a/src/falconpy/cspm_registration.py +++ b/src/falconpy/cspm_registration.py @@ -731,6 +731,8 @@ def get_configuration_detection_ids_v2(self: object, is_managed use_current_scan_ids (*) (*) Use this to retrieve records for the latest scans limit -- Maximum number of detections to return. Integer. (Default: 500) + next_token -- Token to use to retrieve the next page of results. + Cannot be combined with any filter except limit. String. offset -- Starting offset for returned detections. Integer. sort -- FQL formatted sort. String. Default: timestamp|desc Allowed values From 9692f46ee78adbb762786caa1c54fac492d8a11e Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 21 Dec 2023 15:25:46 -0500 Subject: [PATCH 13/37] Add RTR_GetFalconScripts and RTR_ListFalconScripts operations --- .../_endpoint/_real_time_response_admin.py | 61 +++++++++++++++++++ .../deprecated/_real_time_response_admin.py | 61 +++++++++++++++++++ src/falconpy/real_time_response_admin.py | 58 ++++++++++++++++++ tests/test_real_time_response_admin.py | 2 + 4 files changed, 182 insertions(+) diff --git a/src/falconpy/_endpoint/_real_time_response_admin.py b/src/falconpy/_endpoint/_real_time_response_admin.py index 34ec908f2..db9b6558c 100644 --- a/src/falconpy/_endpoint/_real_time_response_admin.py +++ b/src/falconpy/_endpoint/_real_time_response_admin.py 
@@ -136,6 +136,26 @@ } ] ], + [ + "RTR_GetFalconScripts", + "GET", + "/real-time-response/entities/falcon-scripts/v1", + "Get Falcon scripts with metadata and content of script", + "real_time_response_admin", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "IDs of the Falcon scripts you want to retrieve", + "name": "ids", + "in": "query", + "required": True + } + ] + ], [ "RTR_GetPut_Files", "GET", @@ -415,6 +435,47 @@ } ] ], + [ + "RTR_ListFalconScripts", + "GET", + "/real-time-response/queries/falcon-scripts/v1", + "Get a list of Falcon script IDs available to the user to run", + "real_time_response_admin", + [ + { + "type": "string", + "description": "Optional filter criteria in the form of an FQL query. For more information about FQL " + "queries, see our [FQL documentation in Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-" + "query-language-feature-guide).", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "Starting index of overall result set from which to return ids.", + "name": "offset", + "in": "query" + }, + { + "maximum": 100, + "type": "integer", + "description": "Number of ids to return.", + "name": "limit", + "in": "query" + }, + { + "enum": [ + "created_timestamp", + "modified_timestamp", + "name" + ], + "type": "string", + "description": "Sort by spec. Ex: 'created_at|asc'.", + "name": "sort", + "in": "query" + } + ] + ], [ "RTR_ListPut_Files", "GET", diff --git a/src/falconpy/_endpoint/deprecated/_real_time_response_admin.py b/src/falconpy/_endpoint/deprecated/_real_time_response_admin.py index aa4ae7467..8102579c1 100644 --- a/src/falconpy/_endpoint/deprecated/_real_time_response_admin.py +++ b/src/falconpy/_endpoint/deprecated/_real_time_response_admin.py 
@@ -85,6 +85,26 @@ } ] ], + [ + "RTR-GetFalconScripts", + "GET", + "/real-time-response/entities/falcon-scripts/v1", + "Get Falcon scripts with metadata and content of script", + "real_time_response_admin", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "IDs of the Falcon scripts you want to retrieve", + "name": "ids", + "in": "query", + "required": True + } + ] + ], [ "RTR-GetPut-Files", "GET", @@ -364,6 +384,47 @@ } ] ], + [ + "RTR-ListFalconScripts", + "GET", + "/real-time-response/queries/falcon-scripts/v1", + "Get a list of Falcon script IDs available to the user to run", + "real_time_response_admin", + [ + { + "type": "string", + "description": "Optional filter criteria in the form of an FQL query. For more information about FQL " + "queries, see our [FQL documentation in Falcon](https://falcon.crowdstrike.com/support/documentation/45/falcon-" + "query-language-feature-guide).", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "Starting index of overall result set from which to return ids.", + "name": "offset", + "in": "query" + }, + { + "maximum": 100, + "type": "integer", + "description": "Number of ids to return.", + "name": "limit", + "in": "query" + }, + { + "enum": [ + "created_timestamp", + "modified_timestamp", + "name" + ], + "type": "string", + "description": "Sort by spec. Ex: 'created_at|asc'.", + "name": "sort", + "in": "query" + } + ] + ], [ "RTR-ListPut-Files", "GET", diff --git a/src/falconpy/real_time_response_admin.py b/src/falconpy/real_time_response_admin.py index e9b0c05ae..a69ab71ea 100644 --- a/src/falconpy/real_time_response_admin.py +++ b/src/falconpy/real_time_response_admin.py 
@@ -189,6 +189,32 @@ def execute_admin_command(self: object, body: dict = None, **kwargs) -> Dict[str body=body ) + @force_default(defaults=["parameters"], default_types=["dict"]) + def get_falcon_scripts(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Get Falcon scripts with metadata and content of script. + + Keyword arguments: + ids -- List of Falcon Script IDs to retrieve. String or list of strings. + parameters -- full parameters payload, not required if ids is provided as a keyword. + + Arguments: When not specified, the first argument to this method is assumed to be 'ids'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/real-time-response-admin/RTR_GetFalconScripts + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="RTR_GetFalconScripts", + keywords=kwargs, + params=handle_single_argument(args, parameters, "ids") + ) + @force_default(defaults=["parameters"], default_types=["dict"]) def get_put_files(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """Get put-files based on the ID's given. These are used for the RTR `put` command. 
@@ -484,6 +510,36 @@ def update_scripts(self: object, data: dict = None, files: list = None, **kwargs files=files ) + @force_default(defaults=["parameters"], default_types=["dict"]) + def list_falcon_scripts(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Get a list of Falcon script IDs available to the user to run. + + Keyword arguments: + filter -- The filter expression that should be used to limit the results. FQL syntax. + limit -- The maximum number of IDs to return in this response. [Integer, 1-5000] + Use with the offset parameter to manage pagination of results. + offset -- The offset to start retrieving IDs from. Integer. + Use with the limit parameter to manage pagination of results. + parameters - full parameters payload, not required if using other keywords. + sort -- The property to sort by. FQL syntax. Ex: `created_at|asc` + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/real-time-response-admin/RTR_ListFalconScripts + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="RTR_ListFalconScripts", + keywords=kwargs, + params=parameters + ) + @force_default(defaults=["parameters"], default_types=["dict"]) def list_put_files(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """Get a list of put-file ID's that are available to the user for the `put` command. @@ -552,6 +608,7 @@ def list_scripts(self: object, parameters: dict = None, **kwargs) -> Dict[str, U BatchAdminCmd = batch_admin_command RTR_CheckAdminCommandStatus = check_admin_command_status RTR_ExecuteAdminCommand = execute_admin_command + RTR_GetFalconScripts = get_falcon_scripts RTR_GetPut_Files = get_put_files RTR_GetPut_FilesV2 = get_put_files_v2 RTR_CreatePut_Files = create_put_files 
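Review bot: The `limit` line in the `list_falcon_scripts` docstring says `[Integer, 1-5000]`, but the `RTR_ListFalconScripts` descriptor added to `_real_time_response_admin.py` in this same commit sets `"maximum": 100` for that parameter. Suggest `limit -- The maximum number of IDs to return in this response. [Integer, 1-100]`. The `sort` example `created_at|asc` is copied from the descriptor text, whereas the descriptor's `enum` lists `created_timestamp`, `modified_timestamp` and `name`; if the enum is authoritative, `Ex: created_timestamp|asc` is the example that would actually work.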
@@ -561,6 +618,7 @@ def list_scripts(self: object, parameters: dict = None, **kwargs) -> Dict[str, U RTR_CreateScripts = create_scripts RTR_DeleteScripts = delete_scripts RTR_UpdateScripts = update_scripts + RTR_ListFalconScripts = list_falcon_scripts RTR_ListPut_Files = list_put_files RTR_ListScripts = list_scripts diff --git a/tests/test_real_time_response_admin.py b/tests/test_real_time_response_admin.py index 3f48200ff..9c1ff29bc 100644 --- a/tests/test_real_time_response_admin.py +++ b/tests/test_real_time_response_admin.py @@ -119,6 +119,7 @@ def rtra_test_all_code_paths(self): "batch_admin_cmd": falcon.BatchAdminCmd(body={})["status_code"], # 400 "check_admin_command_status": falcon.RTR_CheckAdminCommandStatus(parameters={})["status_code"], # 400 "execute_admin_command": falcon.RTR_ExecuteAdminCommand(body={})["status_code"], # 400 + "get_falcon_script": falcon.RTR_GetFalconScripts(ids="12345678")["status_code"], "create_put_files": falcon.RTR_CreatePut_Files(data=file_payload, files=files_detail)["status_code"], "get_again": falcon.RTR_GetPut_FilesV2(self.rtra_retrieve_file_id(file_name=upload_filename, ver=2))["status_code"], "delete_put_files": falcon.RTR_DeletePut_Files( @@ -136,6 +137,7 @@ def rtra_test_all_code_paths(self): content="#!/bin/bash" )["status_code"], "delete_scripts": falcon.RTR_DeleteScripts(ids=self.rtra_retrieve_script_id(script_filename))["status_code"], + "list_falcon_scripts": falcon.RTR_ListFalconScripts()["status_code"], "list_put_files": falcon.RTR_ListPut_Files()["status_code"], "list_scripts": falcon.RTR_ListScripts()["status_code"] } From 9173caacdc02fd70dd2a70206adb892f13e9f40c Mon Sep 17 00:00:00 2001 
From: Joshua Hiller Date: Thu, 21 Dec 2023 15:36:12 -0500 Subject: [PATCH 14/37] Add get_scans_by_scan_ids_v2 operation --- src/falconpy/_endpoint/_ods.py | 20 +++++++++++++++ src/falconpy/_endpoint/deprecated/_ods.py | 20 +++++++++++++++ src/falconpy/ods.py | 30 ++++++++++++++++++++++- tests/test_ods.py | 1 + 4 files changed, 70 insertions(+), 1 deletion(-) diff --git a/src/falconpy/_endpoint/_ods.py b/src/falconpy/_endpoint/_ods.py index 03d9c6de9..297d324ca 100644 --- a/src/falconpy/_endpoint/_ods.py +++ b/src/falconpy/_endpoint/_ods.py @@ -167,6 +167,26 @@ } ] ], + [ + "get_scans_by_scan_ids_v2", + "GET", + "/ods/entities/scans/v2", + "Get Scans by IDs.", + "ods", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "The scan IDs to retrieve the scan entities", + "name": "ids", + "in": "query", + "required": True + } + ] + ], [ "get_scheduled_scans_by_scan_ids", "GET", diff --git a/src/falconpy/_endpoint/deprecated/_ods.py b/src/falconpy/_endpoint/deprecated/_ods.py index 8c42ae90b..b34404c7e 100644 --- a/src/falconpy/_endpoint/deprecated/_ods.py +++ b/src/falconpy/_endpoint/deprecated/_ods.py @@ -181,6 +181,26 @@ } ] ], + [ + "get-scans-by-scan-ids-v2", + "GET", + "/ods/entities/scans/v2", + "Get Scans by IDs.", + "ods", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "The scan IDs to retrieve the scan entities", + "name": "ids", + "in": "query", + "required": True + } + ] + ], [ "get-scheduled-scans-by-scan-ids", "GET", diff --git a/src/falconpy/ods.py b/src/falconpy/ods.py index 1b54448fe..ea2b67f4d 100644 --- a/src/falconpy/ods.py +++ b/src/falconpy/ods.py 
@@ -439,7 +439,7 @@ def get_scan_hosts(self: object, *args, parameters: dict = None, **kwargs) -> di # ) @force_default(defaults=["parameters"], default_types=["dict"]) - def get_scans(self: object, *args, parameters: dict = None, **kwargs) -> dict: + def get_scans_v1(self: object, *args, parameters: dict = None, **kwargs) -> dict: """Get scans by IDs. Keyword arguments: @@ -464,6 +464,32 @@ def get_scans(self: object, *args, parameters: dict = None, **kwargs) -> dict: params=handle_single_argument(args, parameters, "ids") ) + @force_default(defaults=["parameters"], default_types=["dict"]) + def get_scans(self: object, *args, parameters: dict = None, **kwargs) -> dict: + """Get scans by IDs. + + Keyword arguments: + ids -- The scan IDs to retrieve. String or list of strings. + parameters - full parameters payload, not required if ids is provided as a keyword. + + Arguments: When not specified, the first argument to this method is assumed to be 'ids'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ods/get-scans-by-scan-ids-v2 + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="get_scans_by_scan_ids_v2", + keywords=kwargs, + params=handle_single_argument(args, parameters, "ids") + ) + @force_default(defaults=["body"], default_types=["dict"]) def create_scan(self: object, body: dict = None, **kwargs) -> dict: """Create ODS scan and start it. 
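Review bot: Renaming the existing method to `get_scans_v1` and reusing the name `get_scans` for the v2 operation silently changes the endpoint for every existing caller of `get_scans`, and, through the unchanged alias `get_scans_by_scan_ids = get_scans` in the next hunk, for callers of the v1-named alias as well. The new `get_scans` docstring is word-for-word the old one ("Get scans by IDs."), so nothing in the API surface records the switch; suggest `"""Get scans by IDs (v2 endpoint; get_scans_v1 retains the v1 behaviour)."""` and a matching sentence on `get_scans_v1`. Whether `get_scans_by_scan_ids` should keep resolving to the v2 method is a compatibility decision worth stating in the changelog.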
@@ -853,6 +879,8 @@ def query_scheduled_scans(self: object, parameters: dict = None, **kwargs) -> di get_malicious_files_by_ids = get_malicious_files get_scan_host_metadata_by_ids = get_scan_hosts get_scans_by_scan_ids = get_scans + get_scans_by_scan_ids_v1 = get_scans_v1 + get_scans_by_scan_ids_v2 = get_scans get_scheduled_scans_by_scan_ids = get_scheduled_scans query_scan_host_metadata = query_scan_hosts aggregate_query_scan_host_metadata = aggregate_scan_hosts diff --git a/tests/test_ods.py b/tests/test_ods.py index 0df7709ce..4181f9742 100644 --- a/tests/test_ods.py +++ b/tests/test_ods.py @@ -109,6 +109,7 @@ def test_all_code_paths(self): "get_scan_host_metadata_by_ids": falcon.get_scan_hosts(ids="12345689"), # "scans_report": falcon.scans_report(is_schedule=True, sort="id|asc", report_format="json"), "get_scans_by_scan_ids": falcon.get_scans(ids="123456789"), + "get_scans_by_scan_ids_v1": falcon.get_scans_v1(ids="123456789"), "create_scan": falcon.create_scan(host_groups=["GroupBob"]), "get_scheduled_scans_by_scan_ids": falcon.get_scheduled_scans(ids="12345678"), "schedule_scan": falcon.schedule_scan(host_groups=["GroupBob"], interval=400), # getting 500 not 404 From 3debbc444613a354bb848b57bdcf0068e4a00db2 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 21 Dec 2023 15:38:59 -0500 Subject: [PATCH 15/37] Fix date formatting --- samples/rtr/get_host_uptime.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/rtr/get_host_uptime.py b/samples/rtr/get_host_uptime.py index 4faff0482..de4ae75d7 100644 --- a/samples/rtr/get_host_uptime.py +++ b/samples/rtr/get_host_uptime.py 
@@ -144,7 +144,7 @@ def find_nth(haystack: str, needle: str, nth: int):
 def convert_windows_time(incoming: str):
 """Convert Windows time stamps to human readable format."""
 cur_time = datetime.now()
- incoming = datetime.strptime(incoming[:incoming.find("+")], "%Y%m%d%H%M%S.%f")
+ incoming = datetime.strptime(incoming[:incoming.find("+")][:incoming.find(".")], "%Y%m%d%H%M%S")
 delta: timedelta = cur_time - incoming
 hour_min = ':'.join(str(timedelta(seconds=delta.seconds)).split(':')[0:2])
 return f"up {delta.days} days, {hour_min}"
From 3213800f7a99e743ce9ba94b617fa16f8f2b4912 Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Thu, 21 Dec 2023 16:52:09 -0500
Subject: [PATCH 16/37] Add new operations
---
 src/falconpy/_endpoint/_ioc.py | 114 +++++++++++++++++++
 src/falconpy/_endpoint/deprecated/_ioc.py | 122 +++++++++++++++++++-
 src/falconpy/ioc.py | 129 ++++++++++++++++++++--
 tests/test_ioc.py | 4 +-
 4 files changed, 357 insertions(+), 12 deletions(-)
diff --git a/src/falconpy/_endpoint/_ioc.py b/src/falconpy/_endpoint/_ioc.py
index 3b08d4707..422860e9c 100644
--- a/src/falconpy/_endpoint/_ioc.py
+++ b/src/falconpy/_endpoint/_ioc.py
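Review bot: The replacement line still builds on `str.find`, which returns -1 when the separator is absent, so a value without a `.` becomes `incoming[:-1]` and `strptime` then fails on a truncated string instead of a clear message; the second slice also uses a position computed on the original string rather than the already-sliced one, which only works because `.` precedes `+` in the expected layout. `incoming = datetime.strptime(incoming.partition("+")[0].partition(".")[0], "%Y%m%d%H%M%S")` expresses the intent without either fragility. Separately, the discarded `+NNN` suffix looks like a UTC offset, and the result is compared with naive `datetime.now()`; that presumably assumes the host and the machine running the script share a zone, which deserves a comment if intended.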
@@ -37,6 +37,32 @@ """ _ioc_endpoints = [ + [ + "indicator_get_device_count_v1", + "GET", + "/iocs/aggregates/indicators/device-count/v1", + "Get the number of devices the indicator has run on", + "ioc", + [ + { + "type": "string", + "description": "\nThe type of the indicator. Valid types include:\n\nsha256: A hex-encoded sha256 hash " + " string. Length - min: 64, max: 64.\n\nmd5: A hex-encoded md5 hash string. Length - min 32, max: " + "32.\n\ndomain: A domain name. Length - min: 1, max: 200.\n\nipv4: An IPv4 address. Must be a valid IP " + "address.\n\nipv6: An IPv6 address. Must be a valid IP address.\n", + "name": "type", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "The string representation of the indicator", + "name": "value", + "in": "query", + "required": True + } + ] + ], [ "indicator_aggregate_v1", "POST", 
@@ -300,6 +326,94 @@ } ] ], + [ + "indicator_get_devices_ran_on_v1", + "GET", + "/iocs/queries/indicators/devices/v1", + "Get the IDs of devices the indicator has run on", + "ioc", + [ + { + "type": "string", + "description": "\nThe type of the indicator. Valid types include:\n\nsha256: A hex-encoded sha256 hash " + " string. Length - min: 64, max: 64.\n\nmd5: A hex-encoded md5 hash string. Length - min 32, max: " + "32.\n\ndomain: A domain name. Length - min: 1, max: 200.\n\nipv4: An IPv4 address. Must be a valid IP " + "address.\n\nipv6: An IPv6 address. Must be a valid IP address.\n", + "name": "type", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "The string representation of the indicator", + "name": "value", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "The maximum number of results to return. Use with the offset parameter to manage " + "pagination of results.", + "name": "limit", + "in": "query" + }, + { + "type": "string", + "description": "The first process to return, where 0 is the latest offset. Use with the limit " + "parameter to manage pagination of results.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "indicator_get_processes_ran_on_v1", + "GET", + "/iocs/queries/indicators/processes/v1", + "Get the number of processes the indicator has run on", + "ioc", + [ + { + "type": "string", + "description": "\nThe type of the indicator. Valid types include:\n\nsha256: A hex-encoded sha256 hash " + " string. Length - min: 64, max: 64.\n\nmd5: A hex-encoded md5 hash string. Length - min 32, max: " + "32.\n\ndomain: A domain name. Length - min: 1, max: 200.\n\nipv4: An IPv4 address. Must be a valid IP " + "address.\n\nipv6: An IPv6 address. 
Must be a valid IP address.\n", + "name": "type", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "The string representation of the indicator", + "name": "value", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "Specify a host's ID to return only processes from that host. Get a host's ID from GET " + "/devices/queries/devices/v1, the Falcon console, or the Streaming API.", + "name": "device_id", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "The maximum number of results to return. Use with the offset parameter to manage " + "pagination of results.", + "name": "limit", + "in": "query" + }, + { + "type": "string", + "description": "The first process to return, where 0 is the latest offset. Use with the limit " + "parameter to manage pagination of results.", + "name": "offset", + "in": "query" + } + ] + ], [ "indicator_search_v1", "GET", diff --git a/src/falconpy/_endpoint/deprecated/_ioc.py b/src/falconpy/_endpoint/deprecated/_ioc.py index ed639418d..70afe5df0 100644 --- a/src/falconpy/_endpoint/deprecated/_ioc.py +++ b/src/falconpy/_endpoint/deprecated/_ioc.py @@ -1,4 +1,4 @@ -"""Internal API endpoint constant library. +"""Internal API endpoint constant library (deprecated operations). _______ __ _______ __ __ __ | _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. 
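Review bot: The description for `indicator_get_processes_ran_on_v1`, `"Get the number of processes the indicator has run on"`, does not fit an operation under `/iocs/queries/...` that takes `limit` and `offset` for pagination; its sibling `indicator_get_devices_ran_on_v1` is described as `"Get the IDs of devices the indicator has run on"`, and the service-class method added later in this patch calls it a search. `"Get the IDs of processes the indicator has run on"` would read consistently; if the text is copied verbatim from the swagger, the mismatch is worth reporting upstream as well. `limit` and `offset` are typed `"string"` here, presumably mirroring the swagger — worth a glance since the deprecated table repeats the same typing.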
@@ -37,6 +37,32 @@ """ _ioc_endpoints = [ + [ + "indicator.get.device_count.v1", + "GET", + "/iocs/aggregates/indicators/device-count/v1", + "Get the number of devices the indicator has run on", + "ioc", + [ + { + "type": "string", + "description": "\nThe type of the indicator. Valid types include:\n\nsha256: A hex-encoded sha256 hash " + " string. Length - min: 64, max: 64.\n\nmd5: A hex-encoded md5 hash string. Length - min 32, max: " + "32.\n\ndomain: A domain name. Length - min: 1, max: 200.\n\nipv4: An IPv4 address. Must be a valid IP " + "address.\n\nipv6: An IPv6 address. Must be a valid IP address.\n", + "name": "type", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "The string representation of the indicator", + "name": "value", + "in": "query", + "required": True + } + ] + ], [ "indicator.aggregate.v1", "POST", 
@@ -286,6 +312,94 @@ } ] ], + [ + "indicator.get.devices_ran_on.v1", + "GET", + "/iocs/queries/indicators/devices/v1", + "Get the IDs of devices the indicator has run on", + "ioc", + [ + { + "type": "string", + "description": "\nThe type of the indicator. Valid types include:\n\nsha256: A hex-encoded sha256 hash " + " string. Length - min: 64, max: 64.\n\nmd5: A hex-encoded md5 hash string. Length - min 32, max: " + "32.\n\ndomain: A domain name. Length - min: 1, max: 200.\n\nipv4: An IPv4 address. Must be a valid IP " + "address.\n\nipv6: An IPv6 address. Must be a valid IP address.\n", + "name": "type", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "The string representation of the indicator", + "name": "value", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "The maximum number of results to return. Use with the offset parameter to manage " + "pagination of results.", + "name": "limit", + "in": "query" + }, + { + "type": "string", + "description": "The first process to return, where 0 is the latest offset. Use with the limit " + "parameter to manage pagination of results.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "indicator.get.processes_ran_on.v1", + "GET", + "/iocs/queries/indicators/processes/v1", + "Get the number of processes the indicator has run on", + "ioc", + [ + { + "type": "string", + "description": "\nThe type of the indicator. Valid types include:\n\nsha256: A hex-encoded sha256 hash " + " string. Length - min: 64, max: 64.\n\nmd5: A hex-encoded md5 hash string. Length - min 32, max: " + "32.\n\ndomain: A domain name. Length - min: 1, max: 200.\n\nipv4: An IPv4 address. Must be a valid IP " + "address.\n\nipv6: An IPv6 address. 
Must be a valid IP address.\n", + "name": "type", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "The string representation of the indicator", + "name": "value", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "Specify a host's ID to return only processes from that host. Get a host's ID from GET " + "/devices/queries/devices/v1, the Falcon console, or the Streaming API.", + "name": "device_id", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "The maximum number of results to return. Use with the offset parameter to manage " + "pagination of results.", + "name": "limit", + "in": "query" + }, + { + "type": "string", + "description": "The first process to return, where 0 is the latest offset. Use with the limit " + "parameter to manage pagination of results.", + "name": "offset", + "in": "query" + } + ] + ], [ "indicator.search.v1", "GET", @@ -347,6 +461,12 @@ "'after' parameter instead of 'offset'.", "name": "after", "in": "query" + }, + { + "type": "boolean", + "description": "The filter for returning either only indicators for the request customer or its MSSP parents", + "name": "from_parent", + "in": "query" } ] ], diff --git a/src/falconpy/ioc.py b/src/falconpy/ioc.py index 5b6e55334..8b25f879d 100644 --- a/src/falconpy/ioc.py +++ b/src/falconpy/ioc.py @@ -664,9 +664,8 @@ def severity_query(self: object, parameters: dict = None, **kwargs) -> Dict[str, params=parameters ) - # These methods are ported from the legacy IOCS Service Class, as they have not been deprecated @force_default(defaults=["parameters"], default_types=["dict"]) - def devices_count(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + def devices_count_legacy(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """Return the number of hosts in your customer account that have observed a given custom IOC. Keyword arguments: 
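Review bot: `from_parent` is added to `indicator.search.v1` only in the deprecated endpoint table; the diffstat (114 insertions for `_endpoint/_ioc.py` versus 122 for the deprecated copy, the difference being this six-line entry plus the docstring line) indicates the current `_ioc.py` table did not get the matching parameter, so `indicator_search_v1` now differs between the two modules. Whether the SDK drops or rejects a keyword that is missing from the table is not visible here, but the two tables are presumably meant to mirror each other, and the same `from_parent` entry should be added after the `after` parameter in `_ioc.py`.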
@@ -698,7 +697,39 @@ def devices_count(self: object, parameters: dict = None, **kwargs) -> Dict[str, ) @force_default(defaults=["parameters"], default_types=["dict"]) - def devices_ran_on(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + def devices_count(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Return the number of hosts in your customer account that have observed a given custom IOC. + + Keyword arguments: + type -- The type of indicator. String. Required. + Valid types include: + `sha256`: A hex-encoded sha256 hash string. Length - min: 64, max: 64. + `md5`: A hex-encoded md5 hash string. Length - min 32, max: 32. + `domain`: A domain name. Length - min: 1, max: 200. + `ipv4`: An IPv4 address. Must be a valid IP address. + `ipv6`: An IPv6 address. Must be a valid IP address. + parameters -- full parameters payload, not required if using other keywords. + value -- The string representation of the indicator. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ioc/indicator.get.device.count.v1 + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="indicator_get_device_count_v1", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def devices_ran_on_legacy(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """Find hosts that have observed a given custom IOC. For details about those hosts, use the hosts API interface. 
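Review bot: The new `devices_count` silently rebinds the snake_case name existing callers use from the legacy endpoint to `indicator_get_device_count_v1`, while the alias hunk further down keeps `DevicesCount = devices_count_legacy`, so a caller upgrading gets a different API operation (and possibly a different required scope) with no warning. The docstring is a verbatim copy of the legacy one; at minimum add a line such as `Earlier releases routed this method to the legacy IOCS operation; use devices_count_legacy for that behaviour.`, or emit the package's `DeprecatedOperation` warning from the legacy variant so the change is visible. The Swagger anchor `#/ioc/indicator.get.device.count.v1` also does not match the operation id `indicator.get.device_count.v1` recorded in the deprecated table, so the link presumably does not resolve.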
@@ -736,7 +767,45 @@ def devices_ran_on(self: object, parameters: dict = None, **kwargs) -> Dict[str, ) @force_default(defaults=["parameters"], default_types=["dict"]) - def processes_ran_on(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + def devices_ran_on(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Find hosts that have observed a given custom IOC. + + For details about those hosts, use the hosts API interface. + + Keyword arguments: + type -- The type of indicator. String. Required. + Valid types include: + `sha256`: A hex-encoded sha256 hash string. Length - min: 64, max: 64. + `md5`: A hex-encoded md5 hash string. Length - min 32, max: 32. + `domain`: A domain name. Length - min: 1, max: 200. + `ipv4`: An IPv4 address. Must be a valid IP address. + `ipv6`: An IPv6 address. Must be a valid IP address. + limit -- The first process to return, where 0 is the latest offset. + Use with the offset parameter to manage pagination of results. + offset -- The first process to return, where 0 is the latest offset. + Use with the limit parameter to manage pagination of results. + parameters -- full parameters payload, not required if using other keywords. + value -- The string representation of the indicator. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ioc/indicator.get.devices.ran.on.v1 + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="indicator_get_devices_ran_on_v1", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def processes_ran_on_legacy(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """Search for processes associated with a custom IOC. Keyword arguments: 
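Review bot: In the new `devices_ran_on` docstring, `limit -- The first process to return, where 0 is the latest offset.` is the `offset` description pasted twice; the endpoint table describes `limit` as `The maximum number of results to return. Use with the offset parameter to manage pagination of results.` and the docstring should say the same. The Swagger anchor `indicator.get.devices.ran.on.v1` also differs from the operation id `indicator.get.devices_ran_on.v1` in the deprecated table. The body of `devices_ran_on_legacy` continues past the end of the hunk.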
@@ -774,6 +843,45 @@ def processes_ran_on(self: object, parameters: dict = None, **kwargs) -> Dict[st params=parameters ) + @force_default(defaults=["parameters"], default_types=["dict"]) + def processes_ran_on(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Search for processes associated with a custom IOC. + + Keyword arguments: + type -- The type of indicator. String. Required. + Valid types include: + `sha256`: A hex-encoded sha256 hash string. Length - min: 64, max: 64. + `md5`: A hex-encoded md5 hash string. Length - min 32, max: 32. + `domain`: A domain name. Length - min: 1, max: 200. + `ipv4`: An IPv4 address. Must be a valid IP address. + `ipv6`: An IPv6 address. Must be a valid IP address. + limit -- The first process to return, where 0 is the latest offset. + Use with the offset parameter to manage pagination of results. + offset -- The first process to return, where 0 is the latest offset. + Use with the limit parameter to manage pagination of results. + device_id -- Specify a host's ID to return only processes from that host. + Get a host's ID from get_device_details, the Falcon console, + or the Streaming API. + parameters -- full parameters payload, not required if using other keywords. + value -- The string representation of the indicator. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ioc/indicator.get.processes.ran.on.v1 + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="indicator_get_processes_ran_on_v1", + keywords=kwargs, + params=parameters + ) + @force_default(defaults=["parameters"], default_types=["dict"]) def entities_processes(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """For the provided ProcessID retrieve the process details. 
@@ -816,10 +924,11 @@ def entities_processes(self: object, *args, parameters: dict = None, **kwargs) - ioc_type_query_v1 = ioc_type_query platform_query_v1 = platform_query severity_query_v1 = severity_query - # Legacy operation IDs, these are not acceptable PEP8 syntax - # and are defined here for backwards compatibility / ease of - # use purposes. These endpoints were ported from IOCS.py + # Legacy operation IDs are ported from IOCS.py # - jshcodes@CrowdStrike, see Discussion #319 - DevicesCount = devices_count - DevicesRanOn = devices_ran_on - ProcessesRanOn = processes_ran_on + DevicesCount = devices_count_legacy + indicator_get_device_count_v1 = devices_count + DevicesRanOn = devices_ran_on_legacy + indicator_get_devices_ran_on_v1 = devices_ran_on + ProcessesRanOn = processes_ran_on_legacy + indicator_get_processes_ran_on_v1 = processes_ran_on diff --git a/tests/test_ioc.py b/tests/test_ioc.py index 58825af02..c0a123adc 100644 --- a/tests/test_ioc.py +++ b/tests/test_ioc.py @@ -57,6 +57,9 @@ def ioc_run_all_tests(self): ), "indicator_update_too": falcon.indicator_update_v1(bulk_update={"filter": "banana"}, indicators=[{"type": "ipv4"}]), "indicator_search": falcon.indicator_search_v1(parameters={'limit': 1}), + "devices_count_legacy": falcon.devices_count_legacy(type='domain', value='hax0r.ru'), + "devices_ran_on_legacy": falcon.devices_ran_on_legacy(type='domain', value='hax0r.ru'), + "processes_ran_on_legacy": falcon.processes_ran_on_legacy(type='domain', value='hax0r.ru', device_id=bogey), "devices_count": falcon.devices_count(type='domain', value='hax0r.ru'), "devices_ran_on": falcon.devices_ran_on(type='domain', value='hax0r.ru'), "processes_ran_on": falcon.processes_ran_on(type='domain', value='hax0r.ru', device_id=bogey), 
@@ -68,7 +71,6 @@ def ioc_run_all_tests(self): "ioc_type_query": falcon.ioc_type_query(), "platform_query": falcon.platform_query(), "severity_query": falcon.severity_query() - } for key in tests: if tests[key]["status_code"] not in AllowedResponses: From b5f13c917c6d1d33652726f933bc84b71e45182b Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 21 Dec 2023 17:09:30 -0500 Subject: [PATCH 17/37] Add QueryDeviceLoginHistoryV2 operation --- src/falconpy/_endpoint/_hosts.py | 15 ++++++++++ src/falconpy/hosts.py | 48 ++++++++++++++++++++++++++++++-- tests/test_hosts.py | 15 +++++----- 3 files changed, 68 insertions(+), 10 deletions(-) diff --git a/src/falconpy/_endpoint/_hosts.py b/src/falconpy/_endpoint/_hosts.py index 3574156c7..a84db732b 100644 --- a/src/falconpy/_endpoint/_hosts.py +++ b/src/falconpy/_endpoint/_hosts.py @@ -51,6 +51,21 @@ } ] ], + [ + "QueryDeviceLoginHistoryV2", + "POST", + "/devices/combined/devices/login-history/v2", + "Retrieve details about recent interactive login sessions for a set of devices powered by the Host " + "Timeline. A max of 10 device ids can be specified", + "hosts", + [ + { + "name": "body", + "in": "body", + "required": True + } + ] + ], [ "QueryGetNetworkAddressHistoryV1", "POST", diff --git a/src/falconpy/hosts.py b/src/falconpy/hosts.py index 50a5251d5..03c2a769e 100644 --- a/src/falconpy/hosts.py +++ b/src/falconpy/hosts.py @@ -526,7 +526,7 @@ def query_devices_by_filter(self: object, parameters: dict = None, **kwargs) -> ) @force_default(defaults=["body"], default_types=["dict"]) - def query_device_login_history(self: object, *args, body: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + def query_device_login_history_v1(self: object, *args, body: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """Retrieve details about recent login sessions for a set of devices. Keyword arguments: 
@@ -536,7 +536,7 @@ def query_device_login_history(self: object, *args, body: dict = None, **kwargs) "string" ] } - ids -- AID(s) of the hosts to retrieve. String or list of strings. + ids -- AID(s) of the hosts to retrieve. String or list of strings. Supports a maximum of 500 IDs. Arguments: When not specified, the first argument to this method is assumed to be 'ids'. All others are ignored. 
@@ -563,6 +563,46 @@ def query_device_login_history(self: object, *args, body: dict = None, **kwargs) body_required=["ids"] if self.validate_payloads else None ) + @force_default(defaults=["body"], default_types=["dict"]) + def query_device_login_history_v2(self: object, *args, body: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve details about recent interactive login sessions for a set of devices powered by the Host Timeline. + + A max of 10 device ids can be specified + + Keyword arguments: + body -- full body payload, not required when ids keyword is provided. + { + "ids": [ + "string" + ] + } + ids -- AID(s) of the hosts to retrieve. String or list of strings. Supports a maximum of 10 IDs. + + Arguments: When not specified, the first argument to this method is assumed to be 'ids'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: POST + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/hosts/QueryDeviceLoginHistoryV2 + """ + if not body: + body = generic_payload_list(submitted_arguments=args, + submitted_keywords=kwargs, + payload_value="ids" + ) + + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="QueryDeviceLoginHistoryV2", + body=body, + body_validator={"ids": list} if self.validate_payloads else None, + body_required=["ids"] if self.validate_payloads else None + ) + @force_default(defaults=["body"], default_types=["dict"]) def query_network_address_history(self: object, *args, body: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """Retrieve history of IP and MAC addresses of devices. 
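Review bot: `query_device_login_history_v2` documents a 10-ID maximum, but like v1 it only checks that `ids` is a list when `validate_payloads` is set, so a caller migrating from v1 (which the previous hunk documents at 500 IDs) who passes a larger batch only learns about the limit from the server's error. `body_validator` cannot express a length bound as far as the visible code shows; an explicit guard on `len(body.get("ids", []))` under `self.validate_payloads`, surfacing the error the same way the SDK's validators do (not visible here), would fail fast on the client. Until then the docstring line `Supports a maximum of 10 IDs.` is the only signal, so consider adding `Larger lists are rejected by the API, not by this method.` to it.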
@@ -620,5 +660,7 @@ def query_network_address_history(self: object, *args, body: dict = None, **kwar QueryDevicesByFilter = query_devices_by_filter QueryDevices = query_devices_by_filter_scroll query_devices = query_devices_by_filter_scroll - QueryDeviceLoginHistory = query_device_login_history + QueryDeviceLoginHistory = query_device_login_history_v1 + query_device_login_history = query_device_login_history_v1 # To be changed to v2 when fully deprecated + QueryDeviceLoginHistoryV2 = query_device_login_history_v2 QueryGetNetworkAddressHistoryV1 = query_network_address_history diff --git a/tests/test_hosts.py b/tests/test_hosts.py index 0212bdfc2..ad1c107b2 100644 --- a/tests/test_hosts.py +++ b/tests/test_hosts.py @@ -16,7 +16,7 @@ auth = Authorization.TestAuthorization() config = auth.getConfigObject() falcon = Hosts(auth_object=config) -AllowedResponses = [200, 202, 400, 401, 404, 429] # Adding rate-limiting as an allowed response for now +AllowedResponses = [200, 202, 400, 401, 404, 429, 501] # Allow 501 from usgov1 class TestHosts: @@ -224,7 +224,7 @@ def test_get_device_login_history_two(self): if id_lookup["body"]["resources"]: id_list = id_lookup["body"]["resources"][0] assert bool( - falcon.query_device_login_history( + falcon.query_device_login_history_v2( ids=id_list )["status_code"] in AllowedResponses ) is True @@ -260,11 +260,12 @@ def test_get_device_network_history_two(self): if id_lookup["status_code"] != 429: if id_lookup["body"]["resources"]: id_list = id_lookup["body"]["resources"][0] - assert bool( - falcon.query_network_address_history( - ids=id_list - )["status_code"] in AllowedResponses - ) is True + result = bool(falcon.query_network_address_history( + ids=id_list + )["status_code"] in AllowedResponses) + if "api.laggar.gcw.crowdstrike.com" in falcon.base_url: + result = True + assert bool(result) is True @pytest.mark.skipif(sys.version_info.minor < 10 and platform.system() != "Darwin", reason="Frequency reduced due to test flakiness" 
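Review bot: The comment `# To be changed to v2 when fully deprecated` on `query_device_login_history = query_device_login_history_v1` announces a future silent behaviour change: flipping the alias to v2 would cut the accepted batch from 500 to 10 IDs and change the backing endpoint for every caller of the unsuffixed name. When that switch happens it should go through the package's `DeprecatedOperation` warning rather than a quiet alias change; for now make the comment say so, e.g. `# Kept on v1 for backwards compatibility; emit DeprecatedOperation before moving this alias to v2 (10-ID limit)`.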
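Review bot: In `test_get_device_network_history_two`, `result = True` whenever `"api.laggar.gcw.crowdstrike.com"` is in `falcon.base_url` makes the test pass on that region regardless of the status code, so a 500 or any other failure there is never reported; the widened `AllowedResponses` with 501 already covers the not-implemented case. Prefer `pytest.skip("QueryGetNetworkAddressHistoryV1 unavailable in GovCloud")` before the call, or append the specific status that region returns to `AllowedResponses`, so the assertion keeps meaning. The `# Allow 501 from usgov1` comment would then document both cases.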
From e02ab2bcb40547a902c0e18ee1750abe5a4005fc Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 21 Dec 2023 18:35:01 -0500 Subject: [PATCH 18/37] Align endpoint definition --- src/falconpy/_endpoint/_sample_uploads.py | 25 ++++++++--------------- 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/src/falconpy/_endpoint/_sample_uploads.py b/src/falconpy/_endpoint/_sample_uploads.py index be0c3abe0..eee3c085d 100644 --- a/src/falconpy/_endpoint/_sample_uploads.py +++ b/src/falconpy/_endpoint/_sample_uploads.py 
@@ -301,24 +301,17 @@ "Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint.", "sample_uploads", [ - { - "description": "Content of the uploaded sample in binary format. For example, use `--data-binary " - "@$FILE_PATH` when using cURL. Max file size: 100 MB.\n\nAccepted file formats:\n\n- Portable " - "executables: `.exe`, `.scr`, `.pif`, `.dll`, `.com`, `.cpl`, etc.\n- Office documents: `.doc`, " - "`.docx`, `.ppt`, `.pps`, `.pptx`, `.ppsx`, `.xls`, `.xlsx`, `.rtf`, `.pub`\n- PDF\n- APK\n- " - "Executable JAR\n- Windows script component: `.sct`\n- Windows shortcut: `.lnk`\n- Windows help: " - "`.chm`\n- HTML application: `.hta`\n- Windows script file: `.wsf`\n- Javascript: `.js`\n- Visual " - "Basic: `.vbs`, `.vbe`\n- Shockwave Flash: `.swf`\n- Perl: `.pl`\n- Powershell: `.ps1`, `.psd1`, " - "`.psm1`\n- Scalable vector graphics: `.svg`\n- Python: `.py`\n- Linux ELF executables\n- Email " - "files: MIME RFC 822 `.eml`, Outlook `.msg`.", - "name": "body", - "in": "body", - "required": True - }, { "type": "file", - "description": "The binary file.", - "name": "upfile", + "description": "Content of the uploaded sample in binary format. For example, use `--data-binary " + "@$FILE_PATH` when using cURL. 
Max file size: 256 MB.\n\nAccepted file formats:\n\n- Portable executables: " + "`.exe`, `.scr`, `.pif`, `.dll`, `.com`, `.cpl`, etc.\n- Office documents: `.doc`, `.docx`, `.ppt`, `.pps`, " + "`.pptx`, `.ppsx`, `.xls`, `.xlsx`, `.rtf`, `.pub`\n- PDF\n- APK\n- Executable JAR\n- Windows script component: " + " `.sct`\n- Windows shortcut: `.lnk`\n- Windows help: `.chm`\n- HTML application: `.hta`\n- Windows script " + "file: `.wsf`\n- Javascript: `.js`\n- Visual Basic: `.vbs`, `.vbe`\n- Shockwave Flash: `.swf`\n- Perl: " + "`.pl`\n- Powershell: `.ps1`, `.psd1`, `.psm1`\n- Scalable vector graphics: `.svg`\n- Python: `.py`\n- Linux " + "ELF executables\n- Email files: MIME RFC 822 `.eml`, Outlook `.msg`.", + "name": "sample", "in": "formData", "required": True }, From 38e51b22641839bc3aacbb9abff7801e53332d81 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 21 Dec 2023 19:12:29 -0500 Subject: [PATCH 19/37] Align endpoint module to most recent swagger --- src/falconpy/_endpoint/_falconx_sandbox.py | 25 ++++++++-------------- tests/test_falconx_sandbox.py | 9 +++++++- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/src/falconpy/_endpoint/_falconx_sandbox.py b/src/falconpy/_endpoint/_falconx_sandbox.py index e5994d3da..7649f3054 100644 --- a/src/falconpy/_endpoint/_falconx_sandbox.py +++ b/src/falconpy/_endpoint/_falconx_sandbox.py 
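Review bot: Renaming the formData parameter from `upfile` to `sample` (and dropping the separate `body` entry) changes the multipart field name recorded for this upload operation, but the diffstat shows only the endpoint table changed in this patch; if `sample_uploads.py` or the request builder still submits the file under `upfile`, the two are now out of step. That cannot be confirmed from the hunk alone, so an actual upload against a test account is the check to run before release. The `100 MB` to `256 MB` limit change in the description is presumably lifted from the current swagger and belongs in the changelog, since callers may size-check against it.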
@@ -372,24 +372,17 @@ "analyzing the file.", "falconx_sandbox", [ - { - "description": "Content of the uploaded sample in binary format. " - "For example, use `--data-binary @$FILE_PATH` when using cURL. Max file size: 100 MB.\n\n" - "Accepted file formats:\n\n- Portable executables: `.exe`, `.scr`, `.pif`, `.dll`, `.com`, `.cpl`, etc.\n" - "- Office documents: `.doc`, `.docx`, `.ppt`, `.pps`, `.pptx`, `.ppsx`, `.xls`, `.xlsx`, `.rtf`, `.pub`\n" - "- PDF\n- APK\n- Executable JAR\n- Windows script component: `.sct`\n- Windows shortcut: `.lnk`\n- " - "Windows help: `.chm`\n- HTML application: `.hta`\n- Windows script file: `.wsf`\n- Javascript: `.js`\n" - "- Visual Basic: `.vbs`, `.vbe`\n- Shockwave Flash: `.swf`\n- Perl: `.pl`\n- Powershell: `.ps1`, `.psd1`, `.psm1`\n" - "- Scalable vector graphics: `.svg`\n- Python: `.py`\n- Linux ELF executables\n" - "- Email files: MIME RFC 822 `.eml`, Outlook `.msg`.", - "name": "body", - "in": "body", - "required": True - }, { "type": "file", - "description": "The binary file.", - "name": "upfile", + "description": "Content of the uploaded sample in binary format. For example, use `--data-binary " + "@$FILE_PATH` when using cURL. Max file size: 256 MB.\n\nAccepted file formats:\n\n- Portable executables: " + "`.exe`, `.scr`, `.pif`, `.dll`, `.com`, `.cpl`, etc.\n- Office documents: `.doc`, `.docx`, `.ppt`, `.pps`, " + "`.pptx`, `.ppsx`, `.xls`, `.xlsx`, `.rtf`, `.pub`\n- PDF\n- APK\n- Executable JAR\n- Windows script component: " + " `.sct`\n- Windows shortcut: `.lnk`\n- Windows help: `.chm`\n- HTML application: `.hta`\n- Windows script " + "file: `.wsf`\n- Javascript: `.js`\n- Visual Basic: `.vbs`, `.vbe`\n- Shockwave Flash: `.swf`\n- Perl: " + "`.pl`\n- Powershell: `.ps1`, `.psd1`, `.psm1`\n- Scalable vector graphics: `.svg`\n- Python: `.py`\n- Linux " + "ELF executables\n- Email files: MIME RFC 822 `.eml`, Outlook `.msg`.", + "name": "sample", "in": "formData", "required": True }, 
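Review bot: This carries the same `upfile` to `sample` formData rename as `_sample_uploads.py`, and the only test touched in this patch (`tests/test_falconx_sandbox.py`, next hunk) now calls `UploadSampleV2(file_name=None, file_data=None)`, which exercises only the rejected-request path, so the rename is not covered by a real upload. Confirm the service class sends the file under `sample` before shipping. As in the sibling hunk, the `256 MB` limit is a documented change worth a changelog line.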
diff --git a/tests/test_falconx_sandbox.py b/tests/test_falconx_sandbox.py index bb96a61fb..91da59f6f 100644 --- a/tests/test_falconx_sandbox.py +++ b/tests/test_falconx_sandbox.py @@ -27,6 +27,13 @@ def falconx_generate_errors(self): Executes every statement in every method of the class, accepts all errors except 500 """ error_checks = True + # filename = "testfile.png" + # FILENAME = f"tests/(unknown)" + # fmt = '%Y-%m-%d %H:%M:%S' + # with open(FILENAME, 'rb') as testfile: + # PAYLOAD = testfile.read() + filename = None + PAYLOAD = None tests = { "get_artifacts": falcon.GetArtifacts(parameters={}), "get_summary_reports": falcon.GetSummaryReports(ids='12345678'), @@ -42,7 +49,7 @@ def falconx_generate_errors(self): "query_reports": falcon.QueryReports(), "query_submissions": falcon.QuerySubmissions(), "get_sample": falcon.GetSampleV2(ids='12345678'), - "upload_sample": falcon.UploadSampleV2(body={}, parameters={}, file_data=''), + "upload_sample": falcon.UploadSampleV2(file_name=filename, file_data=PAYLOAD), "delete_sample": falcon.DeleteSampleV2(ids='12345678'), "query_sample": falcon.QuerySampleV1(sha256s='12345678'), "get_memory_dump": falcon.get_memory_dump("12345678"), From 76d3de3c18c173ee4ec30662a274e788e6c620ac Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Fri, 22 Dec 2023 00:45:19 -0500 Subject: [PATCH 20/37] Add ConfigurationAssessmentEvaluationLogic service collection --- src/falconpy/__init__.py | 3 +- src/falconpy/_endpoint/__init__.py | 2 + ...nfiguration_assessment_evaluation_logic.py | 60 +++++++++++++ ...nfiguration_assessment_evaluation_logic.py | 89 +++++++++++++++++++ ...nfiguration_assessment_evaluation_logic.py | 27 ++++++ 5 files changed, 180 insertions(+), 1 deletion(-) create mode 100644 src/falconpy/_endpoint/_configuration_assessment_evaluation_logic.py create mode 100644 src/falconpy/configuration_assessment_evaluation_logic.py create mode 100644 tests/test_configuration_assessment_evaluation_logic.py 
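Review bot: The block of commented-out fixture code (`# filename = "testfile.png"` through `# PAYLOAD = testfile.read()`) followed by `filename = None` / `PAYLOAD = None` leaves `upload_sample` sending no payload, so it only exercises the error path while looking like an upload test. Either restore the fixture read behind a `pytest.skip` when the file is absent, or delete the dead lines and rename the key (e.g. `upload_sample_no_payload`) so the negative intent is explicit. The `# fmt = '%Y-%m-%d %H:%M:%S'` line is unused in either case. `falconx_generate_errors` starts before the hunk.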
diff --git a/src/falconpy/__init__.py b/src/falconpy/__init__.py index af0c177ce..daccd976a 100644 --- a/src/falconpy/__init__.py +++ b/src/falconpy/__init__.py @@ -90,6 +90,7 @@ from .alerts import Alerts from .api_complete import APIHarness, APIHarnessV2 from .cloud_snapshots import CloudSnapshots +from .configuration_assessment_evaluation_logic import ConfigurationAssessmentEvaluationLogic from .cloud_connect_aws import CloudConnectAWS from .cspm_registration import CSPMRegistration from .custom_ioa import CustomIOA @@ -182,7 +183,7 @@ "NoAuthenticationMechanism", "InvalidIndex", "version", "InvalidCredentialFormat", "UnnecessaryEncodingUsed", "APIHarnessV2", "CustomStorage", "FoundryLogScale", "RealTimeResponseAudit", "Workflows", "DeprecatedClass", "DeprecatedOperation", - "SDKDeprecationWarning" + "SDKDeprecationWarning", "ConfigurationAssessmentEvaluationLogic" ] """ This is free and unencumbered software released into the public domain. diff --git a/src/falconpy/_endpoint/__init__.py b/src/falconpy/_endpoint/__init__.py index 7dad5bc15..af646b500 100644 --- a/src/falconpy/_endpoint/__init__.py +++ b/src/falconpy/_endpoint/__init__.py @@ -42,6 +42,7 @@ from ._alerts import _alerts_endpoints from ._cloud_connect_aws import _cloud_connect_aws_endpoints from ._cloud_snapshots import _cloud_snapshots_endpoints +from ._configuration_assessment_evaluation_logic import _configuration_assessment_evaluation_logic_endpoints from ._cspm_registration import _cspm_registration_endpoints from ._custom_ioa import _custom_ioa_endpoints from ._custom_storage import _custom_storage_endpoints @@ -100,6 +101,7 @@ api_endpoints.extend(_alerts_endpoints) api_endpoints.extend(_cloud_connect_aws_endpoints) api_endpoints.extend(_cloud_snapshots_endpoints) +api_endpoints.extend(_configuration_assessment_evaluation_logic_endpoints) api_endpoints.extend(_cspm_registration_endpoints) api_endpoints.extend(_custom_ioa_endpoints) api_endpoints.extend(_custom_storage_endpoints) 
diff --git a/src/falconpy/_endpoint/_configuration_assessment_evaluation_logic.py b/src/falconpy/_endpoint/_configuration_assessment_evaluation_logic.py
new file mode 100644
index 000000000..25477918a
--- /dev/null
+++ b/src/falconpy/_endpoint/_configuration_assessment_evaluation_logic.py
@@ -0,0 +1,60 @@ +"""Internal API endpoint constant library. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. 
+ +For more information, please refer to +""" + +_configuration_assessment_evaluation_logic_endpoints = [ + [ + "getEvaluationLogicMixin0", + "GET", + "/configuration-assessment/entities/evaluation-logic/v1", + "Get details on evaluation logic items by providing one or more finding IDs.", + "configuration_assessment_evaluation_logic", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "One or more evaluation logic finding IDs.", + "name": "ids", + "in": "query", + "required": True + } + ] + ] +] diff --git a/src/falconpy/configuration_assessment_evaluation_logic.py b/src/falconpy/configuration_assessment_evaluation_logic.py new file mode 100644 index 000000000..b5aa10bbb --- /dev/null +++ b/src/falconpy/configuration_assessment_evaluation_logic.py 
@@ -0,0 +1,89 @@ +"""CrowdStrike Falcon Configuration Assessment Evaluation Logic API interface class. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. 
+ +For more information, please refer to +""" +from typing import Dict, Union +from ._util import force_default, process_service_request, handle_single_argument +from ._service_class import ServiceClass +from ._endpoint._configuration_assessment_evaluation_logic import ( + _configuration_assessment_evaluation_logic_endpoints as Endpoints + ) + + +class ConfigurationAssessmentEvaluationLogic(ServiceClass): + """The only requirement to instantiate an instance of this class is one of the following. + + - a valid client_id and client_secret provided as keywords. + - a credential dictionary with client_id and client_secret containing valid API credentials + { + "client_id": "CLIENT_ID_HERE", + "client_secret": "CLIENT_SECRET_HERE" + } + - a previously-authenticated instance of the authentication service class (oauth2.py) + - a valid token provided by the authentication service class (oauth2.py) + """ + + @force_default(defaults=["parameters"], default_types=["dict"]) + def get_evaluation_logic(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Get details on evaluation logic items by providing one or more finding IDs. + + Keyword arguments: + ids -- One or more evaluation logic finding IDs. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'ids'. + All others are ignored. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /configuration-assessment-evaluation-logic/getEvaluationLogicMixin0 + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="getEvaluationLogicMixin0", + keywords=kwargs, + params=handle_single_argument(args, parameters, "ids") + ) + + # This method name aligns to the operation ID in the API but + # does not conform to snake_case / PEP8 and is defined here for + # backwards compatibility / ease of use purposes + getEvaluationLogicMixin0 = get_evaluation_logic diff --git a/tests/test_configuration_assessment_evaluation_logic.py b/tests/test_configuration_assessment_evaluation_logic.py new file mode 100644 index 000000000..c62cb2a67 --- /dev/null +++ b/tests/test_configuration_assessment_evaluation_logic.py @@ -0,0 +1,27 @@ +""" +test_configuration_assessment_evaluation_logic.py - +This class tests the configuration assessment evaluation logic service class +""" +import os +import sys +from datetime import datetime, timedelta +# Authentication via the test_authorization.py +from tests import test_authorization as Authorization +# Import our sibling src folder into the path +sys.path.append(os.path.abspath('src')) +# Classes to test - manually imported from sibling folder +from falconpy import ConfigurationAssessmentEvaluationLogic + +auth = Authorization.TestAuthorization() +config = auth.getConfigObject() +falcon = ConfigurationAssessmentEvaluationLogic(auth_object=config) +AllowedResponses = [200, 201, 403, 404, 429] + + +class TestConfigurationAssessmentEvaluationLogic: + """Class to test the Configuration Assessment Evaluation Logic Service Class.""" + + def test_get_eval_logic(self): + """Pytest harness hook""" + result = falcon.get_evaluation_logic(ids="12345678") + assert bool(result["status_code"] in AllowedResponses) is True From 4443dbb63f1a5f90ce06f6c6d7deea75ddd3178f Mon Sep 17 00:00:00 2001 
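Review bot: The `ids` line in get_evaluation_logic's docstring omits the accepted type that the other keyword descriptions in this series carry (compare `app_id -- Application ID. String.` in the FoundryLogScale docstrings). The endpoint entry in the sibling constants file declares `ids` as an array of strings with `collectionFormat: multi`, so the line should read `ids -- One or more evaluation logic finding IDs. String or list of strings.`. Documentation only; no code change is needed.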
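Review bot: `from datetime import datetime, timedelta` at the top of the new test module is never used — neither name appears in the test body — and should be dropped before a linter flags it. The assertion `assert bool(result["status_code"] in AllowedResponses) is True` can be written directly as `assert result["status_code"] in AllowedResponses`, which also yields a clearer failure message. AllowedResponses accepts 403 and 404, so the test only checks that the call path completes rather than that the operation is authorised; presumably intentional for a smoke test, but a one-line comment saying so would help.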
From: Joshua Hiller Date: Fri, 22 Dec 2023 00:46:01 -0500 Subject: [PATCH 21/37] Update operation keyword arguments --- src/falconpy/_endpoint/_foundry_logscale.py | 75 ++++++++++++--------- src/falconpy/foundry_logscale.py | 39 +++++++---- 2 files changed, 69 insertions(+), 45 deletions(-) diff --git a/src/falconpy/_endpoint/_foundry_logscale.py b/src/falconpy/_endpoint/_foundry_logscale.py index 9baaea7c4..7b0f7d6e9 100644 --- a/src/falconpy/_endpoint/_foundry_logscale.py +++ b/src/falconpy/_endpoint/_foundry_logscale.py @@ -43,7 +43,15 @@ "/loggingapi/combined/repos/v1", "Lists available repositories and views", "foundry_logscale", - [] + [ + { + "type": "boolean", + "default": False, + "description": "Include whether test data is present in the application repository", + "name": "check_test_data", + "in": "query" + } + ] ], [ "IngestDataV1", @@ -90,6 +98,12 @@ "Execute a dynamic saved search", "foundry_logscale", [ + { + "type": "string", + "description": "Application ID.", + "name": "app_id", + "in": "query" + }, { "type": "boolean", "default": False, @@ -142,6 +156,12 @@ "in": "query", "required": True }, + { + "type": "string", + "description": "Application ID.", + "name": "app_id", + "in": "query" + }, { "minimum": 0, "type": "string", @@ -162,14 +182,6 @@ "description": "Starting pagination offset of records to return.", "name": "offset", "in": "query" - }, - { - "pattern": "v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+" - "(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?", - "type": "string", - "description": "Version of resource being created", - "name": "version", - "in": "query" } ] ], @@ -180,6 +192,12 @@ "Execute a saved search", "foundry_logscale", [ + { + "type": "string", + "description": "Application ID.", + "name": "app_id", + "in": "query" + }, { "type": "boolean", "default": False, 
@@ -201,26 +219,6 @@ "name": "metadata", "in": "query" }, - { - "enum": [ - "sync", - "async", - "async_offload" - ], - "type": "string", - "description": "Mode to execute the query under. " - "If provided, takes precedence over the mode provided in the body.", - "name": "mode", - "in": "query" - }, - { - "pattern": "v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+" - "(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?", - "type": "string", - "description": "Version of resource being created", - "name": "version", - "in": "query" - }, { "name": "body", "in": "body", @@ -234,7 +232,14 @@ "/loggingapi/entities/saved-searches/ingest/v1", "Populate a saved search", "foundry_logscale", - [] + [ + { + "type": "string", + "description": "Application ID.", + "name": "app_id", + "in": "query" + } + ] ], [ "GetSavedSearchesJobResultsDownloadV1", @@ -268,6 +273,14 @@ "/loggingapi/entities/views/v1", "List views", "foundry_logscale", - [] + [ + { + "type": "boolean", + "default": False, + "description": "Include whether test data is present in the application repository", + "name": "check_test_data", + "in": "query" + } + ] ] ] diff --git a/src/falconpy/foundry_logscale.py b/src/falconpy/foundry_logscale.py index 60c3d1c79..446510bff 100644 --- a/src/falconpy/foundry_logscale.py +++ b/src/falconpy/foundry_logscale.py 
@@ -55,13 +55,16 @@ class FoundryLogScale(ServiceClass): - a valid token provided by the authentication service class (oauth2.py) """ - def list_repos(self: object) -> Dict[str, Union[int, dict]]: + @force_default(defaults=["parameters"], default_types=["dict"]) + def list_repos(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """List available repositories and views. Keyword arguments: - This method does not accept keyword arguments. + check_test_data -- Include whether test data is present in the application repository. Boolean. + parameters - full parameters payload, not required if using other keywords. - This method does not accept arguments. + Arguments: When not specified, the first argument to this method is assumed to be 'check_test_data'. + All others are ignored. Returns: dict object containing API response. @@ -73,7 +76,9 @@ def list_repos(self: object) -> Dict[str, Union[int, dict]]: return process_service_request( calling_object=self, endpoints=Endpoints, - operation_id="ListReposV1" + operation_id="ListReposV1", + keywords=kwargs, + params=handle_single_argument(args, parameters, "check_test_data") ) @force_default(defaults=["parameters", "body"], default_types=["dict", "dict"]) @@ -127,6 +132,7 @@ def execute_dynamic(self: object, """Deploy a saved search. Keyword arguments: + app_id -- Application ID. String. body -- full body payload, not required if using other keywords. { "end": "string", @@ -171,6 +177,7 @@ def get_search_results(self: object, parameters: dict = None, **kwargs) -> Dict[ """Get the results of a saved search. Keyword arguments: + app_id -- Application ID. String. job_id -- Job ID for a previously executed asynchronous query. String. limit -- The maximum number of records to return in this response. Integer. Use with the offset parameter to manage pagination of results. 
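Review bot: The new `params=handle_single_argument(args, parameters, "check_test_data")` line in list_repos (and the matching line in list_views, hunk @@ -350 below) depends on `handle_single_argument` and `force_default` being imported in foundry_logscale.py, but the patch does not touch the module's import block. `force_default` is already used by the neighbouring method visible at @@ -73, whereas `handle_single_argument` does not appear anywhere else in this file's hunks, so confirm it is present in the `from ._util import ...` line — otherwise the new code path raises NameError at call time. list_repos spans hunks @@ -55 and @@ -73; its body continues outside the first.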
@@ -178,7 +185,6 @@ def get_search_results(self: object, parameters: dict = None, **kwargs) -> Dict[ offset -- The offset to start retrieving records from. String. Use with the limit parameter to manage pagination of results. parameters - full parameters payload, not required if using other keywords. - version -- Version of the resource. String. This method only supports keywords for providing arguments. @@ -206,6 +212,7 @@ def execute(self: object, """Deploy a saved search. Keyword arguments: + app_id -- Application ID. String. body -- full body payload, not required if using other keywords. { "end": "string", @@ -233,15 +240,15 @@ def execute(self: object, ], "with_sort": { "fields": [ - "string" + "string" ], "limit": 0, "order": [ - "string" + "string" ], "reverse": true, "type": [ - "string" + "string" ] } } @@ -250,12 +257,10 @@ def execute(self: object, id -- Saved search ID. String. include_test_data -- Include test data when executing searches. Boolean. metadata -- Include metadata in the response. Boolean. - mode -- Mode to execute the query under (async, async_offload or sync). String. name -- Saved search name. String. search_parameters -- Search specific parameters. Dictionary. NOT to be confused with the default parameters dictionary. start -- Starting position. String. - version -- Version of the search. String. with_in -- With in. Dictionary. with_limit -- With limit. Dictionary. with_renames -- With renames. Dictionary. 
@@ -333,12 +338,16 @@ def download_results(self: object, parameters: dict = None, **kwargs) -> Dict[st params=parameters ) - def list_views(self: object) -> Dict[str, Union[int, dict]]: + @force_default(defaults=["parameters"], default_types=["dict"]) + def list_views(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """List views. - Keyword arguments: This method does not accept keyword arguments. + Keyword arguments: + check_test_data -- Include whether test data is present in the application repository. Boolean. + parameters - full parameters payload, not required if using other keywords. - Arguments: This method does not accept arguments. + Arguments: When not specified, the first argument to this method is assumed to be 'check_test_data'. + All others are ignored. Returns: dict object containing API response. @@ -350,7 +359,9 @@ def list_views(self: object) -> Dict[str, Union[int, dict]]: return process_service_request( calling_object=self, endpoints=Endpoints, - operation_id="ListViewV1" + operation_id="ListViewV1", + keywords=kwargs, + params=handle_single_argument(args, parameters, "check_test_data") ) # These method names align to the operation IDs in the API but From d13ff99908bf69218a396ecec75e51b009ae4532 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Thu, 21 Dec 2023 19:11:33 -0500 Subject: [PATCH 22/37] Add new operations --- .../_endpoint/_falcon_complete_dashboard.py | 42 +++ src/falconpy/falcon_complete_dashboard.py | 262 ++++++++++++++++++ tests/test_falcon_complete_dashboard.py | 3 + 3 files changed, 307 insertions(+) diff --git a/src/falconpy/_endpoint/_falcon_complete_dashboard.py b/src/falconpy/_endpoint/_falcon_complete_dashboard.py index d29325edd..72713257e 100644 --- a/src/falconpy/_endpoint/_falcon_complete_dashboard.py +++ b/src/falconpy/_endpoint/_falcon_complete_dashboard.py 
@@ -135,6 +135,20 @@ } ] ], + [ + "AggregatePreventionPolicy", + "POST", + "/falcon-complete-dashboards/aggregates/prevention-policies/v1", + "Retrieve prevention policies aggregate values based on the matched filter", + "falcon_complete_dashboard", + [ + { + "name": "body", + "in": "body", + "required": True + } + ] + ], [ "AggregateRemediations", "POST", @@ -149,6 +163,34 @@ } ] ], + [ + "AggregateSensorUpdatePolicy", + "POST", + "/falcon-complete-dashboards/aggregates/sensor-update-policies/v1", + "Retrieve sensor update policies aggregate values", + "falcon_complete_dashboard", + [ + { + "name": "body", + "in": "body", + "required": True + } + ] + ], + [ + "AggregateTotalDeviceCounts", + "POST", + "/falcon-complete-dashboards/aggregates/total-device-counts/v1", + "Retrieve aggregate total host/devices based on the matched filter", + "falcon_complete_dashboard", + [ + { + "name": "body", + "in": "body", + "required": True + } + ] + ], [ "QueryAlertIdsByFilter", "GET", diff --git a/src/falconpy/falcon_complete_dashboard.py b/src/falconpy/falcon_complete_dashboard.py index d2f2939c8..5246bf812 100644 --- a/src/falconpy/falcon_complete_dashboard.py +++ b/src/falconpy/falcon_complete_dashboard.py @@ -35,6 +35,7 @@ For more information, please refer to """ +# pylint: disable=C0302 from typing import Dict, Union from ._util import process_service_request, force_default from ._payload import aggregate_payload 
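Review bot: `# pylint: disable=C0302` in falcon_complete_dashboard.py waives too-many-lines for the whole module with a bare numeric code that readers have to look up; pylint accepts the symbolic name, so `# pylint: disable=too-many-lines  # one method per API operation` states both what is waived and why. A file-wide disable is the right scope for this particular check since it counts module lines, so only the spelling needs to change.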
@@ -639,6 +640,92 @@ def aggregate_fc_incidents(self: object, body: list = None, **kwargs) -> Dict[st body=body ) + @force_default(defaults=["body"], default_types=["list"]) + def aggregate_prevention_policy(self: object, body: list = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve aggregate prevention policy values based on the matched filter. + + Keyword arguments: + body -- full body payload, not required when using other keywords. + List of dictionaries. + [ + { + "date_ranges": [ + { + "from": "string", + "to": "string" + } + ], + "exclude": "string", + "field": "string", + "filter": "string", + "from": 0, + "include": "string", + "interval": "string", + "max_doc_count": 0, + "min_doc_count": 0, + "missing": "string", + "name": "string", + "q": "string", + "ranges": [ + { + "From": 0, + "To": 0 + } + ], + "size": 0, + "sort": "string", + "sub_aggregates": [ + null + ], + "time_zone": "string", + "type": "string" + } + ] + date_ranges -- If peforming a date range query specify the from and to date ranges. + These can be in common date formats like 2019-07-18 or now. + List of dictionaries. + exclude -- Fields to exclude. String. + field -- Term you want to aggregate on. If doing a date_range query, + this is the date field you want to apply the date ranges to. String. + filter -- Optional filter criteria in the form of an FQL query. + For more information about FQL queries, see our FQL documentation in Falcon. + String. + from -- Integer. + include -- Fields to include. String. + interval -- String. + max_doc_count -- Maximum number of documents. Integer. + min_doc_count -- Minimum number of documents. Integer. + missing -- String. + name -- Scan name. String. + q -- FQL syntax. String. + ranges -- List of dictionaries. + size -- Integer. + sort -- FQL syntax. String. + sub_aggregates -- List of strings. + time_zone -- String. + type -- String. + + This method only supports keywords for providing arguments. 
+ + This method does not support body payload validation. + + Returns: dict object containing API response. + + HTTP Method: POST + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/Falcon%20Complete%20Dashboard/AggregatePreventionPolicy + """ + if not body: + body = [aggregate_payload(submitted_keywords=kwargs)] + + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="AggregatePreventionPolicy", + body=body + ) + @force_default(defaults=["body"], default_types=["list"]) def aggregate_remediations(self: object, body: list = None, **kwargs) -> Dict[str, Union[int, dict]]: """Retrieve aggregate remediation ticket values based on the matched filter. 
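Review bot: The `date_ranges` description in aggregate_prevention_policy's docstring reads `If peforming a date range query`; it should be `If performing a date range query`. The same misspelling is repeated in aggregate_sensor_update_policy and aggregate_total_device_counts in the @@ -725 hunk below. `name -- Scan name. String.` also looks carried over from another aggregate docstring — for a prevention-policy aggregate, `name -- Aggregate name. String.` (or the wording in the linked Swagger entry) would be less misleading; worth checking against the API reference before merging.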
@@ -725,6 +812,178 @@ def aggregate_remediations(self: object, body: list = None, **kwargs) -> Dict[st body=body ) + @force_default(defaults=["body"], default_types=["list"]) + def aggregate_sensor_update_policy(self: object, body: list = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve aggregate sensor update policy values based on the matched filter. + + Keyword arguments: + body -- full body payload, not required when using other keywords. + List of dictionaries. + [ + { + "date_ranges": [ + { + "from": "string", + "to": "string" + } + ], + "exclude": "string", + "field": "string", + "filter": "string", + "from": 0, + "include": "string", + "interval": "string", + "max_doc_count": 0, + "min_doc_count": 0, + "missing": "string", + "name": "string", + "q": "string", + "ranges": [ + { + "From": 0, + "To": 0 + } + ], + "size": 0, + "sort": "string", + "sub_aggregates": [ + null + ], + "time_zone": "string", + "type": "string" + } + ] + date_ranges -- If peforming a date range query specify the from and to date ranges. + These can be in common date formats like 2019-07-18 or now. + List of dictionaries. + exclude -- Fields to exclude. String. + field -- Term you want to aggregate on. If doing a date_range query, + this is the date field you want to apply the date ranges to. String. + filter -- Optional filter criteria in the form of an FQL query. + For more information about FQL queries, see our FQL documentation in Falcon. + String. + from -- Integer. + include -- Fields to include. String. + interval -- String. + max_doc_count -- Maximum number of documents. Integer. + min_doc_count -- Minimum number of documents. Integer. + missing -- String. + name -- Scan name. String. + q -- FQL syntax. String. + ranges -- List of dictionaries. + size -- Integer. + sort -- FQL syntax. String. + sub_aggregates -- List of strings. + time_zone -- String. + type -- String. + + This method only supports keywords for providing arguments. 
+ + This method does not support body payload validation. + + Returns: dict object containing API response. + + HTTP Method: POST + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/Falcon%20Complete%20Dashboard/AggregateSensorUpdatePolicy + """ + if not body: + body = [aggregate_payload(submitted_keywords=kwargs)] + + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="AggregateSensorUpdatePolicy", + body=body + ) + + @force_default(defaults=["body"], default_types=["list"]) + def aggregate_total_device_counts(self: object, body: list = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve aggregate device count values based on the matched filter. + + Keyword arguments: + body -- full body payload, not required when using other keywords. + List of dictionaries. + [ + { + "date_ranges": [ + { + "from": "string", + "to": "string" + } + ], + "exclude": "string", + "field": "string", + "filter": "string", + "from": 0, + "include": "string", + "interval": "string", + "max_doc_count": 0, + "min_doc_count": 0, + "missing": "string", + "name": "string", + "q": "string", + "ranges": [ + { + "From": 0, + "To": 0 + } + ], + "size": 0, + "sort": "string", + "sub_aggregates": [ + null + ], + "time_zone": "string", + "type": "string" + } + ] + date_ranges -- If peforming a date range query specify the from and to date ranges. + These can be in common date formats like 2019-07-18 or now. + List of dictionaries. + exclude -- Fields to exclude. String. + field -- Term you want to aggregate on. If doing a date_range query, + this is the date field you want to apply the date ranges to. String. + filter -- Optional filter criteria in the form of an FQL query. + For more information about FQL queries, see our FQL documentation in Falcon. + String. + from -- Integer. + include -- Fields to include. String. + interval -- String. + max_doc_count -- Maximum number of documents. Integer. 
+ min_doc_count -- Minimum number of documents. Integer. + missing -- String. + name -- Scan name. String. + q -- FQL syntax. String. + ranges -- List of dictionaries. + size -- Integer. + sort -- FQL syntax. String. + sub_aggregates -- List of strings. + time_zone -- String. + type -- String. + + This method only supports keywords for providing arguments. + + This method does not support body payload validation. + + Returns: dict object containing API response. + + HTTP Method: POST + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/Falcon%20Complete%20Dashboard/AggregateTotalDeviceCounts + """ + if not body: + body = [aggregate_payload(submitted_keywords=kwargs)] + + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="AggregateTotalDeviceCounts", + body=body + ) + @force_default(defaults=["parameters"], default_types=["dict"]) def query_alert_ids_by_filter(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled. @@ -983,7 +1242,10 @@ def query_remediations_filter(self: object, parameters: dict = None, **kwargs) - AggregateDeviceCountCollection = aggregate_device_count_collection AggregateEscalations = aggregate_escalations AggregateFCIncidents = aggregate_fc_incidents + AggregatePreventionPolicy = aggregate_prevention_policy AggregateRemediations = aggregate_remediations + AggregateSensorUpdatePolicy = aggregate_sensor_update_policy + AggregateTotalDeviceCounts = aggregate_total_device_counts QueryAlertIdsByFilter = query_alert_ids_by_filter QueryAllowListFilter = query_allow_list_filter QueryBlockListFilter = query_block_list_filter diff --git a/tests/test_falcon_complete_dashboard.py b/tests/test_falcon_complete_dashboard.py index 6ecba0fc5..1e0410b5f 100644 --- a/tests/test_falcon_complete_dashboard.py +++ b/tests/test_falcon_complete_dashboard.py 
@@ -85,6 +85,9 @@ def ServiceFCD_GenerateErrors(self): "AggregateEscalations": falcon.aggregate_escalations(), "AggregateFCIncidents": falcon.aggregate_fc_incidents(), "AggregateRemediations": falcon.aggregate_remediations(), + "AggregatePreventionPolicy": falcon.aggregate_prevention_policy(), + "AggregateSensorUpdatePolicy": falcon.aggregate_sensor_update_policy(), + "AggregateTotalDeviceCounts": falcon.aggregate_total_device_counts() } for key in tests: From 59de7261a080583af1005d36128e36035e37dd02 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Fri, 22 Dec 2023 01:44:34 -0500 Subject: [PATCH 23/37] Add Configuration Assessment service collection --- src/falconpy/__init__.py | 3 +- src/falconpy/_endpoint/__init__.py | 2 + .../_endpoint/_configuration_assessment.py | 115 ++++++++++++++++ src/falconpy/configuration_assessment.py | 129 ++++++++++++++++++ tests/test_configuration_assessment.py | 34 +++++ 5 files changed, 282 insertions(+), 1 deletion(-) create mode 100644 src/falconpy/_endpoint/_configuration_assessment.py create mode 100644 src/falconpy/configuration_assessment.py create mode 100644 tests/test_configuration_assessment.py diff --git a/src/falconpy/__init__.py b/src/falconpy/__init__.py index daccd976a..662e6c9f0 100644 --- a/src/falconpy/__init__.py +++ b/src/falconpy/__init__.py @@ -91,6 +91,7 @@ from .api_complete import APIHarness, APIHarnessV2 from .cloud_snapshots import CloudSnapshots from .configuration_assessment_evaluation_logic import ConfigurationAssessmentEvaluationLogic +from .configuration_assessment import ConfigurationAssessment from .cloud_connect_aws import CloudConnectAWS from .cspm_registration import CSPMRegistration from .custom_ioa import CustomIOA 
@@ -183,7 +184,7 @@ "NoAuthenticationMechanism", "InvalidIndex", "version", "InvalidCredentialFormat", "UnnecessaryEncodingUsed", "APIHarnessV2", "CustomStorage", "FoundryLogScale", "RealTimeResponseAudit", "Workflows", "DeprecatedClass", "DeprecatedOperation", - "SDKDeprecationWarning", "ConfigurationAssessmentEvaluationLogic" + "SDKDeprecationWarning", "ConfigurationAssessmentEvaluationLogic", "ConfigurationAssessment", ] """ This is free and unencumbered software released into the public domain. diff --git a/src/falconpy/_endpoint/__init__.py b/src/falconpy/_endpoint/__init__.py index af646b500..e969e7cf4 100644 --- a/src/falconpy/_endpoint/__init__.py +++ b/src/falconpy/_endpoint/__init__.py @@ -43,6 +43,7 @@ from ._cloud_connect_aws import _cloud_connect_aws_endpoints from ._cloud_snapshots import _cloud_snapshots_endpoints from ._configuration_assessment_evaluation_logic import _configuration_assessment_evaluation_logic_endpoints +from ._configuration_assessment import _configuration_assessment_endpoints from ._cspm_registration import _cspm_registration_endpoints from ._custom_ioa import _custom_ioa_endpoints from ._custom_storage import _custom_storage_endpoints @@ -102,6 +103,7 @@ api_endpoints.extend(_cloud_connect_aws_endpoints) api_endpoints.extend(_cloud_snapshots_endpoints) api_endpoints.extend(_configuration_assessment_evaluation_logic_endpoints) +api_endpoints.extend(_configuration_assessment_endpoints) api_endpoints.extend(_cspm_registration_endpoints) api_endpoints.extend(_custom_ioa_endpoints) api_endpoints.extend(_custom_storage_endpoints) diff --git a/src/falconpy/_endpoint/_configuration_assessment.py b/src/falconpy/_endpoint/_configuration_assessment.py new file mode 100644 index 000000000..8251f342f --- /dev/null +++ b/src/falconpy/_endpoint/_configuration_assessment.py 
@@ -0,0 +1,115 @@ +"""Internal API endpoint constant library. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to +""" + +_configuration_assessment_endpoints = [ + [ + "getCombinedAssessmentsQuery", + "GET", + "/configuration-assessment/combined/assessments/v1", + "Search for assessments in your environment by providing an FQL filter and paging details. 
Returns a set " + "of HostFinding entities which match the filter criteria", + "configuration_assessment", + [ + { + "type": "string", + "description": "A pagination token used with the `limit` parameter to manage pagination of results. On " + " your first request, don't provide an `after` token. On subsequent requests, provide the `after` token from " + "the previous response to continue from that place in the results.", + "name": "after", + "in": "query" + }, + { + "maximum": 5000, + "minimum": 1, + "type": "integer", + "description": "The number of items to return in this response (default: 100, max: 5000). Use with the " + "after parameter to manage pagination of results.", + "name": "limit", + "in": "query" + }, + { + "type": "string", + "description": "Sort assessment by their properties. Common sort options " + "include:\n\n
  • created_timestamp|desc
  • updated_timestamp|asc
", + "name": "sort", + "in": "query" + }, + { + "type": "string", + "description": "Filter items using a query in Falcon Query Language (FQL). Wildcards * are " + "unsupported. \n\nCommon filter options include:\n\n
  • created_timestamp:>'2019-11-" + "25T22:36:12Z'
  • updated_timestamp:>'2019-11-" + "25T22:36:12Z'
  • aid:'8e7656b27d8c49a34a1af416424d6231'
", + "name": "filter", + "in": "query", + "required": True + }, + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "Select various details blocks to be returned for each assessment entity. Supported " + "values:\n\n
  • host
  • finding.rule
  • finding.evaluation_logic
", + "name": "facet", + "in": "query" + } + ] + ], + [ + "getRuleDetails", + "GET", + "/configuration-assessment/entities/rule-details/v1", + "Get rules details for provided one or more rule IDs", + "configuration_assessment", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi", + "description": "One or more rules IDs (max: 400)", + "name": "ids", + "in": "query", + "required": True + } + ] + ] +] diff --git a/src/falconpy/configuration_assessment.py b/src/falconpy/configuration_assessment.py new file mode 100644 index 000000000..6eeeebec3 --- /dev/null +++ b/src/falconpy/configuration_assessment.py 
@@ -0,0 +1,129 @@ +"""CrowdStrike Falcon Configuration Assessment API interface class. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. 
+ +For more information, please refer to +""" +from typing import Dict, Union +from ._util import force_default, process_service_request, handle_single_argument +from ._service_class import ServiceClass +from ._endpoint._configuration_assessment import _configuration_assessment_endpoints as Endpoints + + +class ConfigurationAssessment(ServiceClass): + """The only requirement to instantiate an instance of this class is one of the following. + + - a valid client_id and client_secret provided as keywords. + - a credential dictionary with client_id and client_secret containing valid API credentials + { + "client_id": "CLIENT_ID_HERE", + "client_secret": "CLIENT_SECRET_HERE" + } + - a previously-authenticated instance of the authentication service class (oauth2.py) + - a valid token provided by the authentication service class (oauth2.py) + """ + + @force_default(defaults=["parameters"], default_types=["dict"]) + def query_combined_assessments(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Search for assessments in your environment by providing an FQL filter and paging details. + + Returns a set of HostFinding entities which match the filter criteria + + Keyword arguments: + after -- A pagination token used with the `limit` parameter to manage pagination of + results. On your first request, do not provide an `after` token. On subsequent + requests, provide the `after` token from the previous response to continue + from that place in the results. String. + limit -- The number of items to return in this response (default: 100, max: 5000). + Use with the after parameter to manage pagination of results. String. + sort -- Sort assessment by their properties. String. + Sort examples: created_timestamp|desc, updated_timestamp|asc + filter -- Filter items using a query in Falcon Query Language (FQL). String. + Wildcards * are unsupported. 
+ Filter examples: + created_timestamp:>'2019-11-25T22:36:12Z' + updated_timestamp:>'2019-11-25T22:36:12Z' + aid:'1a2345b67c8d90e12f3af456789b0123' + facet -- Select various details blocks to be returned for each assessment entity. String. + Supported values: host, finding.rule, finding.evaluation_logic + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/configuration-assessment/getCombinedAssessmentsQuery + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="getCombinedAssessmentsQuery", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def get_rule_details(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Get rules details for provided one or more rule IDs. + + Keyword arguments: + ids -- One or more rules IDs (max: 400). String or list of strings. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'ids'. + All others are ignored. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/configuration-assessment/getRuleDetails + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="getRuleDetails", + keywords=kwargs, + params=handle_single_argument(args, parameters, "ids") + ) + + # This method name aligns to the operation ID in the API but + # does not conform to snake_case / PEP8 and is defined here for + # backwards compatibility / ease of use purposes + getCombinedAssessmentsQuery = query_combined_assessments + getRuleDetails = get_rule_details diff --git a/tests/test_configuration_assessment.py b/tests/test_configuration_assessment.py new file mode 100644 index 000000000..8105e3fcd --- /dev/null +++ b/tests/test_configuration_assessment.py @@ -0,0 +1,34 @@ +# test_configuration_assessment.py +# This class tests the configuration assessment service class + +# import json +import os +import sys + +# Authentication via the test_authorization.py +from tests import test_authorization as Authorization + +# Import our sibling src folder into the path +sys.path.append(os.path.abspath('src')) +# Classes to test - manually imported from sibling folder +from falconpy import ConfigurationAssessment + +auth = Authorization.TestAuthorization() +config = auth.getConfigObject() +falcon = ConfigurationAssessment(auth_object=config) +AllowedResponses = [200, 201, 207, 400, 403, 404, 429, 500] # Temp allowing 403 / 500 + + +class TestConfigurationAssessment: + def test_all_code_paths(self): + error_checks = True + tests = { + "query_combined_assessments": falcon.query_combined_assessments(filter="aid:'12345678901234567890123456789012'"), + "get_rule_details": falcon.get_rule_details(ids="12345678") + } + for key in tests: + if tests[key]["status_code"] not in AllowedResponses: + error_checks = False + # print(key) + # print(tests[key]) + assert error_checks 
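Review bot: The keyword documentation in `query_combined_assessments` disagrees with the endpoint definition it is bound to: `limit` is documented as `String.` while `getCombinedAssessmentsQuery` declares an integer bounded 1–5000, and `facet` is documented as `String.` while the endpoint declares an array with `collectionFormat: multi`; the lines should read `limit -- ... Integer (1-5000).` and `facet -- ... String or list of strings.`. The endpoint also marks `filter` as `required: True`, so the docstring should say the keyword is mandatory instead of listing it like the optional ones. In `get_rule_details` the 400-ID cap is only mentioned in prose and nothing in the SDK path shown here enforces it, so a caller with a longer list burns a round-trip on an oversized request; adding a sentence such as `Lists longer than 400 IDs must be split across calls by the caller.` to the docstring would make that explicit.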
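Review bot: `AllowedResponses` in test_configuration_assessment.py admits 403 and 500, so a credential that lacks the configuration-assessment scope, or an outright server failure, passes this test exactly like a 200 and the suite cannot distinguish a broken integration from a working one; the `# Temp allowing 403 / 500` comment should carry an issue reference or a removal condition so it does not become permanent. When a call fails, `error_checks = False` discards which operation failed and the diagnostic prints are commented out, so a red run names nothing. Replacing the flag with `assert tests[key]["status_code"] in AllowedResponses, f"{key}: {tests[key]['status_code']}"` inside the loop keeps the same coverage and reports the failing operation and status.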
From 75ab45baeca17645d0c8f79aebe504675dbd46d7 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Fri, 22 Dec 2023 04:47:55 -0500 Subject: [PATCH 24/37] Add Container Alerts service collection --- src/falconpy/__init__.py | 2 + src/falconpy/_endpoint/__init__.py | 2 + src/falconpy/_endpoint/_container_alerts.py | 90 +++++++++++++++ src/falconpy/container_alerts.py | 117 ++++++++++++++++++++ tests/test_container_alerts.py | 34 ++++++ 5 files changed, 245 insertions(+) create mode 100644 src/falconpy/_endpoint/_container_alerts.py create mode 100644 src/falconpy/container_alerts.py create mode 100644 tests/test_container_alerts.py diff --git a/src/falconpy/__init__.py b/src/falconpy/__init__.py index 662e6c9f0..153b29bcf 100644 --- a/src/falconpy/__init__.py +++ b/src/falconpy/__init__.py @@ -92,6 +92,7 @@ from .cloud_snapshots import CloudSnapshots from .configuration_assessment_evaluation_logic import ConfigurationAssessmentEvaluationLogic from .configuration_assessment import ConfigurationAssessment +from .container_alerts import ContainerAlerts from .cloud_connect_aws import CloudConnectAWS from .cspm_registration import CSPMRegistration from .custom_ioa import CustomIOA @@ -185,6 +186,7 @@ "UnnecessaryEncodingUsed", "APIHarnessV2", "CustomStorage", "FoundryLogScale", "RealTimeResponseAudit", "Workflows", "DeprecatedClass", "DeprecatedOperation", "SDKDeprecationWarning", "ConfigurationAssessmentEvaluationLogic", "ConfigurationAssessment", + "ContainerAlerts" ] """ This is free and unencumbered software released into the public domain. diff --git a/src/falconpy/_endpoint/__init__.py b/src/falconpy/_endpoint/__init__.py index e969e7cf4..b88cec2de 100644 --- a/src/falconpy/_endpoint/__init__.py +++ b/src/falconpy/_endpoint/__init__.py 
@@ -44,6 +44,7 @@ from ._cloud_snapshots import _cloud_snapshots_endpoints from ._configuration_assessment_evaluation_logic import _configuration_assessment_evaluation_logic_endpoints from ._configuration_assessment import _configuration_assessment_endpoints +from ._container_alerts import _container_alerts_endpoints from ._cspm_registration import _cspm_registration_endpoints from ._custom_ioa import _custom_ioa_endpoints from ._custom_storage import _custom_storage_endpoints @@ -104,6 +105,7 @@ api_endpoints.extend(_cloud_snapshots_endpoints) api_endpoints.extend(_configuration_assessment_evaluation_logic_endpoints) api_endpoints.extend(_configuration_assessment_endpoints) +api_endpoints.extend(_container_alerts_endpoints) api_endpoints.extend(_cspm_registration_endpoints) api_endpoints.extend(_custom_ioa_endpoints) api_endpoints.extend(_custom_storage_endpoints) diff --git a/src/falconpy/_endpoint/_container_alerts.py b/src/falconpy/_endpoint/_container_alerts.py new file mode 100644 index 000000000..1a83b0f0c --- /dev/null +++ b/src/falconpy/_endpoint/_container_alerts.py 
@@ -0,0 +1,90 @@ +"""Internal API endpoint constant library. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to +""" + +_container_alerts_endpoints = [ + [ + "ReadContainerAlertsCount", + "GET", + "/container-security/aggregates/container-alerts/count/v1", + "Search Container Alerts by the provided search criteria", + "container_alerts", + [ + { + "type": "string", + "description": "Search Container Alerts using a query in Falcon Query Language (FQL). 
Supported " + "filters: cid,last_seen", + "name": "filter", + "in": "query" + } + ] + ], + [ + "SearchAndReadContainerAlerts", + "GET", + "/container-security/combined/container-alerts/v1", + "Search Container Alerts by the provided search criteria", + "container_alerts", + [ + { + "type": "string", + "description": "Search Container Alerts using a query in Falcon Query Language (FQL). Supported " + "filters: cid,container_id,last_seen,name,severity", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on.", + "name": "sort", + "in": "query" + } + ] + ] +] diff --git a/src/falconpy/container_alerts.py b/src/falconpy/container_alerts.py new file mode 100644 index 000000000..ff63ed655 --- /dev/null +++ b/src/falconpy/container_alerts.py 
@@ -0,0 +1,117 @@ +"""CrowdStrike Falcon Container Alerts API interface class. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to +""" +from typing import Dict, Union +from ._util import force_default, process_service_request, handle_single_argument +from ._service_class import ServiceClass +from ._endpoint._container_alerts import _container_alerts_endpoints as Endpoints + + +class ContainerAlerts(ServiceClass): + """The only requirement to instantiate an instance of this class is one of the following. 
+ + - a valid client_id and client_secret provided as keywords. + - a credential dictionary with client_id and client_secret containing valid API credentials + { + "client_id": "CLIENT_ID_HERE", + "client_secret": "CLIENT_SECRET_HERE" + } + - a previously-authenticated instance of the authentication service class (oauth2.py) + - a valid token provided by the authentication service class (oauth2.py) + """ + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_counts(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Search Container Alerts by the provided search criteria. + + Keyword arguments: + filter -- Search Container Alerts using a query in Falcon Query Language (FQL). String. + Supported filters: cid, last_seen + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-alerts/ReadContainerAlertsCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadContainerAlertsCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def search_and_read(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Search Container Alerts by the provided search criteria. + + Keyword arguments: + filter -- Search Container Alerts using a query in Falcon Query Language (FQL). String. + Supported filters: cid, container_id, last_seen, name, severity + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. 
+ parameters -- Full parameters payload dictionary. Not required if using other keywords. + sort -- The fields to sort the records on. String. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-alerts/SearchAndReadContainerAlerts + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="SearchAndReadContainerAlerts", + keywords=kwargs, + params=parameters + ) + + # This method name aligns to the operation ID in the API but + # does not conform to snake_case / PEP8 and is defined here for + # backwards compatibility / ease of use purposes + ReadContainerAlertsCount = read_counts + SearchAndReadContainerAlerts = search_and_read diff --git a/tests/test_container_alerts.py b/tests/test_container_alerts.py new file mode 100644 index 000000000..c4bb87995 --- /dev/null +++ b/tests/test_container_alerts.py 
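Review bot: The summary line of `read_counts` is copied from the swagger text ("Search Container Alerts by the provided search criteria.") and describes a search, but the bound operation is `ReadContainerAlertsCount` on the `/aggregates/.../count/v1` path, so a reader scanning the class cannot tell this method apart from `search_and_read`; `"""Return the number of Container Alerts matching the provided FQL filter."""` states what it actually does. `limit` and `offset` in `search_and_read` are documented with no range, and the endpoint definition gives none either, so if the API enforces a maximum page size it is worth stating in the docstring once confirmed.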
@@ -0,0 +1,34 @@ +# test_container_alerts.py +# This class tests the container alerts service class + +# import json +import os +import sys + +# Authentication via the test_authorization.py +from tests import test_authorization as Authorization + +# Import our sibling src folder into the path +sys.path.append(os.path.abspath('src')) +# Classes to test - manually imported from sibling folder +from falconpy import ContainerAlerts + +auth = Authorization.TestAuthorization() +config = auth.getConfigObject() +falcon = ContainerAlerts(auth_object=config) +AllowedResponses = [200, 201, 207, 400, 404, 429] + + +class TestContainerAlerts: + def test_all_code_paths(self): + error_checks = True + tests = { + "read_counts": falcon.read_counts(filter="cid:'12345678901234567890123456789012"), + "search_and_read": falcon.search_and_read(limit=1) + } + for key in tests: + if tests[key]["status_code"] not in AllowedResponses: + error_checks = False + # print(key) + # print(tests[key]) + assert error_checks From 8acf82f27c9e0d7d43471541f345396ad051de7f Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Fri, 22 Dec 2023 05:10:57 -0500 Subject: [PATCH 25/37] Add Container Detections service collection --- src/falconpy/__init__.py | 3 +- src/falconpy/_endpoint/__init__.py | 2 + .../_endpoint/_container_detections.py | 179 ++++++++++++ src/falconpy/container_detections.py | 266 ++++++++++++++++++ tests/test_container_detections.py | 38 +++ 5 files changed, 487 insertions(+), 1 deletion(-) create mode 100644 src/falconpy/_endpoint/_container_detections.py create mode 100644 src/falconpy/container_detections.py create mode 100644 tests/test_container_detections.py diff --git a/src/falconpy/__init__.py b/src/falconpy/__init__.py index 153b29bcf..36b123bb6 100644 --- a/src/falconpy/__init__.py +++ b/src/falconpy/__init__.py 
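Review bot: The FQL string passed to `read_counts` in `test_all_code_paths` — `cid:'12345678901234567890123456789012` — is missing its closing quote, so the request is malformed and can only exercise the API's 400 path, which `AllowedResponses` accepts; the success path of `ReadContainerAlertsCount` is never reached by this test. It should be `filter="cid:'12345678901234567890123456789012'"`. As in the sibling test modules added in this series, `error_checks = False` drops the name of the failing call and the prints are commented out; `assert tests[key]["status_code"] in AllowedResponses, key` inside the loop would report which operation failed.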
@@ -93,6 +93,7 @@ from .configuration_assessment_evaluation_logic import ConfigurationAssessmentEvaluationLogic from .configuration_assessment import ConfigurationAssessment from .container_alerts import ContainerAlerts +from .container_detections import ContainerDetections from .cloud_connect_aws import CloudConnectAWS from .cspm_registration import CSPMRegistration from .custom_ioa import CustomIOA @@ -186,7 +187,7 @@ "UnnecessaryEncodingUsed", "APIHarnessV2", "CustomStorage", "FoundryLogScale", "RealTimeResponseAudit", "Workflows", "DeprecatedClass", "DeprecatedOperation", "SDKDeprecationWarning", "ConfigurationAssessmentEvaluationLogic", "ConfigurationAssessment", - "ContainerAlerts" + "ContainerAlerts", "ContainerDetections" ] """ This is free and unencumbered software released into the public domain. diff --git a/src/falconpy/_endpoint/__init__.py b/src/falconpy/_endpoint/__init__.py index b88cec2de..21a73c54c 100644 --- a/src/falconpy/_endpoint/__init__.py +++ b/src/falconpy/_endpoint/__init__.py @@ -45,6 +45,7 @@ from ._configuration_assessment_evaluation_logic import _configuration_assessment_evaluation_logic_endpoints from ._configuration_assessment import _configuration_assessment_endpoints from ._container_alerts import _container_alerts_endpoints +from ._container_detections import _container_detections_endpoints from ._cspm_registration import _cspm_registration_endpoints from ._custom_ioa import _custom_ioa_endpoints from ._custom_storage import _custom_storage_endpoints @@ -106,6 +107,7 @@ api_endpoints.extend(_configuration_assessment_evaluation_logic_endpoints) api_endpoints.extend(_configuration_assessment_endpoints) api_endpoints.extend(_container_alerts_endpoints) +api_endpoints.extend(_container_detections_endpoints) api_endpoints.extend(_cspm_registration_endpoints) api_endpoints.extend(_custom_ioa_endpoints) api_endpoints.extend(_custom_storage_endpoints) 
diff --git a/src/falconpy/_endpoint/_container_detections.py b/src/falconpy/_endpoint/_container_detections.py new file mode 100644 index 000000000..254abaae6 --- /dev/null +++ b/src/falconpy/_endpoint/_container_detections.py 
@@ -0,0 +1,179 @@ +"""Internal API endpoint constant library. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to +""" + +_container_detections_endpoints = [ + [ + "ReadDetectionsCountBySeverity", + "GET", + "/container-security/aggregates/detections/count-by-severity/v1", + "Aggregate counts of detections by severity", + "container_detections", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). 
Supported filters: cid,co" + "ntainer_id,detection_type,id,image_digest,image_id,image_registry,image_repository,image_tag,name,severity", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadDetectionsCountByType", + "GET", + "/container-security/aggregates/detections/count-by-type/v1", + "Aggregate counts of detections by detection type", + "container_detections", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: cid,co" + "ntainer_id,detection_type,id,image_digest,image_id,image_registry,image_repository,image_tag,name,severity", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadDetectionsCount", + "GET", + "/container-security/aggregates/detections/count/v1", + "Aggregate count of detections", + "container_detections", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: cid,co" + "ntainer_id,detection_type,id,image_digest,image_id,image_registry,image_repository,image_tag,name,severity", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadCombinedDetections", + "GET", + "/container-security/combined/detections/v1", + "Retrieve image assessment detections identified by the provided filter criteria", + "container_detections", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: cid,co" + "ntainer_id,detection_type,id,image_digest,image_id,image_registry,image_repository,image_tag,name,severity", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on. 
Supported columns: [containers_impacted " + "detection_name detection_severity detection_type images_impacted last_detected]", + "name": "sort", + "in": "query" + } + ] + ], + [ + "ReadDetections", + "GET", + "/container-security/entities/detections/v1", + "Retrieve image assessment detection entities identified by the provided filter criteria", + "container_detections", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: " + "cid,detection_type,image_registry,image_repository,image_tag", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "SearchDetections", + "GET", + "/container-security/queries/detections/v1", + "Retrieve image assessment detection entities identified by the provided filter criteria", + "container_detections", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: cid,co" + "ntainer_id,detection_type,id,image_digest,image_id,image_registry,image_repository,image_tag,name,severity", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ] +] diff --git a/src/falconpy/container_detections.py b/src/falconpy/container_detections.py new file mode 100644 index 000000000..720e951bc --- /dev/null +++ b/src/falconpy/container_detections.py 
@@ -0,0 +1,266 @@ +"""CrowdStrike Falcon Container Detections API interface class. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. 
+ +For more information, please refer to +""" +from typing import Dict, Union +from ._util import force_default, process_service_request, handle_single_argument +from ._service_class import ServiceClass +from ._endpoint._container_detections import _container_detections_endpoints as Endpoints + + +class ContainerDetections(ServiceClass): + """The only requirement to instantiate an instance of this class is one of the following. + + - a valid client_id and client_secret provided as keywords. + - a credential dictionary with client_id and client_secret containing valid API credentials + { + "client_id": "CLIENT_ID_HERE", + "client_secret": "CLIENT_SECRET_HERE" + } + - a previously-authenticated instance of the authentication service class (oauth2.py) + - a valid token provided by the authentication service class (oauth2.py) + """ + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_detection_counts_by_severity(self: object, + *args, + parameters: dict = None, + **kwargs + ) -> Dict[str, Union[int, dict]]: + """Aggregate counts of detections by severity. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. + Supported filters: + cid image_registry + container_id image_repository + detection_type image_tag + id name + image_digest severity + image_id + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-detections/ReadDetectionsCountBySeverity + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadDetectionsCountBySeverity", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_detections_count_by_type(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Aggregate counts of detections by detection type. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. + Supported filters: + cid image_registry + container_id image_repository + detection_type image_tag + id name + image_digest severity + image_id + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-detections/ReadDetectionsCountByType + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadDetectionsCountByType", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_detections_count(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Aggregate count of detections. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. 
+ Supported filters: + cid image_registry + container_id image_repository + detection_type image_tag + id name + image_digest severity + image_id + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-detections/ReadDetectionsCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadDetectionsCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_combined_detections(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve image assessment detections identified by the provided filter criteria. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. + Supported filters: + cid image_registry + container_id image_repository + detection_type image_tag + id name + image_digest severity + image_id + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + sort -- The fields to sort the records on. String. + Supported columns: + containers_impacted detection_type + detection_name images_impacted + detection_severity last_detected + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-detections/ReadCombinedDetections + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadCombinedDetections", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_detections(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve image assessment detection entities identified by the provided filter criteria. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. + Supported filters: cid, detection_type, image_registry, image_repository, image_tag + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-detections/ReadDetections + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadDetections", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def search_detections(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve image assessment detection entities identified by the provided filter criteria. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. + Supported filters: + cid image_registry + container_id image_repository + detection_type image_tag + id name + image_digest severity + image_id + limit -- The upper-bound on the number of records to retrieve. Integer. 
+ offset -- The offset from where to begin. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-detections/SearchDetections + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="SearchDetections", + keywords=kwargs, + params=parameters + ) + + ReadDetectionsCountBySeverity = read_detection_counts_by_severity + ReadDetectionsCountByType = read_detections_count_by_type + ReadDetectionsCount = read_detections_count + ReadCombinedDetections = read_combined_detections + ReadDetections = read_detections + SearchDetections = search_detections diff --git a/tests/test_container_detections.py b/tests/test_container_detections.py new file mode 100644 index 000000000..4ac50e660 --- /dev/null +++ b/tests/test_container_detections.py 
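Review bot: The first method is named `read_detection_counts_by_severity` while the two sibling count methods follow a `read_detections_count…` pattern (`read_detections_count_by_type`, `read_detections_count`), and its operation ID is `ReadDetectionsCountBySeverity`, so `read_detections_count_by_severity` would match both the siblings and the PascalCase alias at the bottom of the class. Because the alias line `ReadDetectionsCountBySeverity = read_detection_counts_by_severity` and the new test module already use the current spelling, a rename should keep the old name bound as a second alias so existing callers keep working. The same method is also the only one whose signature is spread over five lines; writing it in the one-line form the other five use would make the class read uniformly.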
@@ -0,0 +1,38 @@
+# test_container_detections.py
+# This class tests the container detections service class
+
+# import json
+import os
+import sys
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+# Classes to test - manually imported from sibling folder
+from falconpy import ContainerDetections
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = ContainerDetections(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 404, 429]
+
+
+class TestContainerDetections:
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "ReadDetectionsCountBySeverity": falcon.read_detection_counts_by_severity("cid:'1234567890'"),
+ "ReadDetectionsCountByType": falcon.read_detections_count_by_type(filter="cid:'1234567890'"),
+ "ReadDetectionsCount": falcon.read_detections_count(filter="cid:'1234567890'"),
+ "ReadCombinedDetections": falcon.read_combined_detections(filter="cid:'1234567890'", limit=1),
+ "ReadDetections": falcon.read_detections(limit=1, filter="cid:'1234567890'"),
+ "SearchDetections": falcon.search_detections(filter="cid:'1234567890'", limit=1)
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
From 9a09231f44afe6bb88abf640b2fa42e982a9acf3 Mon Sep 17 00:00:00 2001
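Review bot: `AllowedResponses` admits 400 and 404, so a request the API rejects as malformed passes `test_all_code_paths` exactly like a 200, and when a status does fall outside the list the bare `assert error_checks` names no operation because the diagnostic `print` calls are commented out. Collecting the failures and asserting on the list keeps the single-assert shape while identifying the offender: `failed = [k for k, r in tests.items() if r["status_code"] not in AllowedResponses]` followed by `assert not failed, failed`. The new tests/test_unidentified_containers.py later in this series has the same pattern. Whether 400 belongs in the list at all depends on the convention of the sibling test modules, which are not visible here.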
From: Joshua Hiller Date: Fri, 22 Dec 2023 05:28:02 -0500 Subject: [PATCH 26/37] Add Unidentified Containers service collection --- src/falconpy/__init__.py | 3 +- src/falconpy/_endpoint/__init__.py | 2 + .../_endpoint/_unidentified_containers.py | 109 ++++++++++++ src/falconpy/unidentified_containers.py | 163 ++++++++++++++++++ tests/test_unidentified_containers.py | 35 ++++ 5 files changed, 311 insertions(+), 1 deletion(-) create mode 100644 src/falconpy/_endpoint/_unidentified_containers.py create mode 100644 src/falconpy/unidentified_containers.py create mode 100644 tests/test_unidentified_containers.py diff --git a/src/falconpy/__init__.py b/src/falconpy/__init__.py index 36b123bb6..23e2f43c4 100644 --- a/src/falconpy/__init__.py +++ b/src/falconpy/__init__.py @@ -146,6 +146,7 @@ from .spotlight_vulnerabilities import SpotlightVulnerabilities from .spotlight_evaluation_logic import SpotlightEvaluationLogic from .tailored_intelligence import TailoredIntelligence +from .unidentified_containers import UnidentifiedContainers from .user_management import UserManagement from .workflows import Workflows from .zero_trust_assessment import ZeroTrustAssessment @@ -187,7 +188,7 @@ "UnnecessaryEncodingUsed", "APIHarnessV2", "CustomStorage", "FoundryLogScale", "RealTimeResponseAudit", "Workflows", "DeprecatedClass", "DeprecatedOperation", "SDKDeprecationWarning", "ConfigurationAssessmentEvaluationLogic", "ConfigurationAssessment", - "ContainerAlerts", "ContainerDetections" + "ContainerAlerts", "ContainerDetections", "UnidentifiedContainers" ] """ This is free and unencumbered software released into the public domain. diff --git a/src/falconpy/_endpoint/__init__.py b/src/falconpy/_endpoint/__init__.py index 21a73c54c..a2c5d29f9 100644 --- a/src/falconpy/_endpoint/__init__.py +++ b/src/falconpy/_endpoint/__init__.py 
@@ -96,6 +96,7 @@ from ._spotlight_evaluation_logic import _spotlight_evaluation_logic_endpoints from ._spotlight_vulnerabilities import _spotlight_vulnerabilities_endpoints from ._tailored_intelligence import _tailored_intelligence_endpoints +from ._unidentified_containers import _unidentified_containers_endpoints from ._user_management import _user_management_endpoints from ._workflows import _workflows_endpoints from ._zero_trust_assessment import _zero_trust_assessment_endpoints @@ -158,6 +159,7 @@ api_endpoints.extend(_spotlight_evaluation_logic_endpoints) api_endpoints.extend(_spotlight_vulnerabilities_endpoints) api_endpoints.extend(_tailored_intelligence_endpoints) +api_endpoints.extend(_unidentified_containers_endpoints) api_endpoints.extend(_user_management_endpoints) api_endpoints.extend(_workflows_endpoints) api_endpoints.extend(_zero_trust_assessment_endpoints) diff --git a/src/falconpy/_endpoint/_unidentified_containers.py b/src/falconpy/_endpoint/_unidentified_containers.py new file mode 100644 index 000000000..55118fc91 --- /dev/null +++ b/src/falconpy/_endpoint/_unidentified_containers.py 
@@ -0,0 +1,109 @@ +"""Internal API endpoint constant library. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. 
+ +For more information, please refer to +""" + +_unidentified_containers_endpoints = [ + [ + "ReadUnidentifiedContainersByDateRangeCount", + "GET", + "/container-security/aggregates/unidentified-containers/count-by-date/v1", + "Returns the count of Unidentified Containers over the last 7 days", + "unidentified_containers", + [ + { + "type": "string", + "description": "Filter Unidentified Containers using a query in Falcon Query Language (FQL). Supported" + " filters: assessed_images_count,cid,cluster_name,containers_impacted_count,detections_count,image_assessment_" + "detections_count,last_seen,namespace,node_name,severity,unassessed_images_count,visible_to_k8s", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadUnidentifiedContainersCount", + "GET", + "/container-security/aggregates/unidentified-containers/count/v1", + "Returns the total count of Unidentified Containers over a time period", + "unidentified_containers", + [ + { + "type": "string", + "description": "Filter Unidentified Containers using a query in Falcon Query Language (FQL). Supported" + " filters: assessed_images_count,cid,cluster_name,containers_impacted_count,detections_count,image_assessment_" + "detections_count,last_seen,namespace,node_name,severity,unassessed_images_count,visible_to_k8s", + "name": "filter", + "in": "query" + } + ] + ], + [ + "SearchAndReadUnidentifiedContainers", + "GET", + "/container-security/combined/unidentified-containers/v1", + "Search Unidentified Containers by the provided search criteria", + "unidentified_containers", + [ + { + "type": "string", + "description": "Search Unidentified Containers using a query in Falcon Query Language (FQL). 
Supported" + " filters: assessed_images_count,cid,cluster_name,containers_impacted_count,detections_count,image_assessment_" + "detections_count,last_seen,namespace,node_name,severity,unassessed_images_count,visible_to_k8s", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on.", + "name": "sort", + "in": "query" + } + ] + ] +] diff --git a/src/falconpy/unidentified_containers.py b/src/falconpy/unidentified_containers.py new file mode 100644 index 000000000..159040321 --- /dev/null +++ b/src/falconpy/unidentified_containers.py 
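Review bot: The `sort` parameter of `SearchAndReadUnidentifiedContainers` is described only as `"The fields to sort the records on."`, whereas the `ReadCombinedDetections` entry earlier in this series enumerates the sortable columns in its description; if the upstream spec lists them for this operation, adding `Supported columns: […]` here would keep the endpoint table self-documenting, and the `sort -- …` line in the service-class docstring that repeats this wording could then carry the same list. The three `filter` descriptions repeat one filter list verbatim, which matches how the sibling endpoint modules are written, so nothing needs to change there.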
@@ -0,0 +1,163 @@ +"""CrowdStrike Falcon Unidentified Containers API interface class. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. 
+ +For more information, please refer to +""" +from typing import Dict, Union +from ._util import force_default, process_service_request, handle_single_argument +from ._service_class import ServiceClass +from ._endpoint._unidentified_containers import _unidentified_containers_endpoints as Endpoints + + +class UnidentifiedContainers(ServiceClass): + """The only requirement to instantiate an instance of this class is one of the following. + + - a valid client_id and client_secret provided as keywords. + - a credential dictionary with client_id and client_secret containing valid API credentials + { + "client_id": "CLIENT_ID_HERE", + "client_secret": "CLIENT_SECRET_HERE" + } + - a previously-authenticated instance of the authentication service class (oauth2.py) + - a valid token provided by the authentication service class (oauth2.py) + """ + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_count_by_date_range(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Return the count of Unidentified Containers over the last 7 days. + + Keyword arguments: + filter -- Filter Unidentified Containers using a query in Falcon Query Language (FQL). String. + Supported filters: + assessed_images_count last_seen + cid namespace + cluster_name node_name + containers_impacted_count severity + detections_count unassessed_images_count + image_assessment_detections_count visible_to_k8s + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /unidentified-containers/ReadUnidentifiedContainersByDateRangeCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadUnidentifiedContainersByDateRangeCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_count(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Return the total count of Unidentified Containers over a time period. + + Keyword arguments: + filter -- Filter Unidentified Containers using a query in Falcon Query Language (FQL). String. + Supported filters: + assessed_images_count last_seen + cid namespace + cluster_name node_name + containers_impacted_count severity + detections_count unassessed_images_count + image_assessment_detections_count visible_to_k8s + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /unidentified-containers/ReadUnidentifiedContainersCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadUnidentifiedContainersCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def search_and_read(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Search Unidentified Containers by the provided search criteria. + + Keyword arguments: + filter -- Search Unidentified Containers using a query in Falcon Query Language (FQL). 
String. + Supported filters: + assessed_images_count last_seen + cid namespace + cluster_name node_name + containers_impacted_count severity + detections_count unassessed_images_count + image_assessment_detections_count visible_to_k8s + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + sort -- The fields to sort the records on. String. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /unidentified-containers/SearchAndReadUnidentifiedContainers + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="SearchAndReadUnidentifiedContainers", + keywords=kwargs, + params=parameters + ) + + ReadUnidentifiedContainersByDateRangeCount = read_count_by_date_range + ReadUnidentifiedContainersCount = read_count + SearchAndReadUnidentifiedContainers = search_and_read diff --git a/tests/test_unidentified_containers.py b/tests/test_unidentified_containers.py new file mode 100644 index 000000000..5af8fd9c7 --- /dev/null +++ b/tests/test_unidentified_containers.py 
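Review bot: Each Swagger URL in the three docstrings is broken across two lines (`https://assets.falcon.crowdstrike.com/support/api/swagger.html#` on one line, `/unidentified-containers/…` on the next), so the link cannot be copied or rendered as a single anchor the way the one-line URLs in container_detections.py can; joining each into a single line, accepting the long line as that sibling module does, is the fix. Separately, the method names `read_count_by_date_range`, `read_count` and `search_and_read` carry no noun, unlike the `read_detections_count` style used in ContainerDetections, which is a style inconsistency between two classes added in the same series; if they are renamed, the three PascalCase aliases at the end of the class need only be re-pointed, and keeping the old names bound as aliases would preserve the interface for any early adopters.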
@@ -0,0 +1,35 @@ +# test_unidentified_containers.py +# This class tests the unidentified containers service class + +# import json +import os +import sys + +# Authentication via the test_authorization.py +from tests import test_authorization as Authorization + +# Import our sibling src folder into the path +sys.path.append(os.path.abspath('src')) +# Classes to test - manually imported from sibling folder +from falconpy import UnidentifiedContainers + +auth = Authorization.TestAuthorization() +config = auth.getConfigObject() +falcon = UnidentifiedContainers(auth_object=config) +AllowedResponses = [200, 201, 207, 400, 404, 429] + + +class TestUnidentifiedContainers: + def test_all_code_paths(self): + error_checks = True + tests = { + "ReadUnidentifiedContainersByDateRangeCount": falcon.read_count_by_date_range("cluster_name:'bob'"), + "ReadUnidentifiedContainersCount": falcon.read_count(filter="cluster_name:'charlie'"), + "SearchAndReadUnidentifiedContainers": falcon.search_and_read(filter="cid:'1234567890'", limit=1) + } + for key in tests: + if tests[key]["status_code"] not in AllowedResponses: + error_checks = False + # print(key) + # print(tests[key]) + assert error_checks From 7ca25efbe449e826d6745c35c994f63773e59728 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Fri, 22 Dec 2023 05:57:14 -0500 Subject: [PATCH 27/37] Add Container Images service collection --- src/falconpy/__init__.py | 3 +- src/falconpy/_endpoint/__init__.py | 2 + src/falconpy/_endpoint/_container_images.py | 334 +++++++++++++++++ src/falconpy/container_images.py | 396 ++++++++++++++++++++ tests/test_container_images.py | 42 +++ 5 files changed, 776 insertions(+), 1 deletion(-) create mode 100644 src/falconpy/_endpoint/_container_images.py create mode 100644 src/falconpy/container_images.py create mode 100644 tests/test_container_images.py diff --git a/src/falconpy/__init__.py b/src/falconpy/__init__.py index 23e2f43c4..20513c8cd 100644 --- a/src/falconpy/__init__.py 
+++ b/src/falconpy/__init__.py @@ -94,6 +94,7 @@ from .configuration_assessment import ConfigurationAssessment from .container_alerts import ContainerAlerts from .container_detections import ContainerDetections +from .container_images import ContainerImages from .cloud_connect_aws import CloudConnectAWS from .cspm_registration import CSPMRegistration from .custom_ioa import CustomIOA @@ -188,7 +189,7 @@ "UnnecessaryEncodingUsed", "APIHarnessV2", "CustomStorage", "FoundryLogScale", "RealTimeResponseAudit", "Workflows", "DeprecatedClass", "DeprecatedOperation", "SDKDeprecationWarning", "ConfigurationAssessmentEvaluationLogic", "ConfigurationAssessment", - "ContainerAlerts", "ContainerDetections", "UnidentifiedContainers" + "ContainerAlerts", "ContainerDetections", "ContainerImages", "UnidentifiedContainers" ] """ This is free and unencumbered software released into the public domain. diff --git a/src/falconpy/_endpoint/__init__.py b/src/falconpy/_endpoint/__init__.py index a2c5d29f9..a83be621d 100644 --- a/src/falconpy/_endpoint/__init__.py +++ b/src/falconpy/_endpoint/__init__.py @@ -46,6 +46,7 @@ from ._configuration_assessment import _configuration_assessment_endpoints from ._container_alerts import _container_alerts_endpoints from ._container_detections import _container_detections_endpoints +from ._container_images import _container_images_endpoints from ._cspm_registration import _cspm_registration_endpoints from ._custom_ioa import _custom_ioa_endpoints from ._custom_storage import _custom_storage_endpoints @@ -109,6 +110,7 @@ api_endpoints.extend(_configuration_assessment_endpoints) api_endpoints.extend(_container_alerts_endpoints) api_endpoints.extend(_container_detections_endpoints) +api_endpoints.extend(_container_images_endpoints) api_endpoints.extend(_cspm_registration_endpoints) api_endpoints.extend(_custom_ioa_endpoints) api_endpoints.extend(_custom_storage_endpoints) 
diff --git a/src/falconpy/_endpoint/_container_images.py b/src/falconpy/_endpoint/_container_images.py new file mode 100644 index 000000000..2b3440558 --- /dev/null +++ b/src/falconpy/_endpoint/_container_images.py 
@@ -0,0 +1,334 @@ +"""Internal API endpoint constant library. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to +""" + +_container_images_endpoints = [ + [ + "AggregateImageAssessmentHistory", + "GET", + "/container-security/aggregates/images/assessment-history/v1", + "Image assessment history", + "container_images", + [ + { + "type": "string", + "description": "Filter using a query in Falcon Query Language (FQL). 
Supported filters: cid,registry,repository", + "name": "filter", + "in": "query" + } + ] + ], + [ + "AggregateImageCountByBaseOS", + "GET", + "/container-security/aggregates/images/count-by-os-distribution/v1", + "Aggregate count of images grouped by Base OS distribution", + "container_images", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: " + "arch,base_os,cid,registry,repository,tag", + "name": "filter", + "in": "query" + } + ] + ], + [ + "AggregateImageCountByState", + "GET", + "/container-security/aggregates/images/count-by-state/v1", + "Aggregate count of images grouped by state", + "container_images", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: " + "cid,last_seen,registry,repository", + "name": "filter", + "in": "query" + } + ] + ], + [ + "AggregateImageCount", + "GET", + "/container-security/aggregates/images/count/v1", + "Aggregate count of images", + "container_images", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: arch,b" + "ase_os,cid,container_id,container_running_status,cps_rating,crowdstrike_user,cve_id,detection_count,detection_" + "name,detection_severity,first_seen,image_digest,image_id,layer_digest,package_name_version,registry,repository" + ",tag,vulnerability_count,vulnerability_severity", + "name": "filter", + "in": "query" + } + ] + ], + [ + "GetCombinedImages", + "GET", + "/container-security/combined/image-assessment/images/v1", + "Get image assessment results by providing an FQL filter and paging details", + "container_images", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). 
Supported filters: " + "container_id, container_running_status, cve_id, detection_name, detection_severity, first_seen, image_digest, " + "image_id, registry, repository, tag, vulnerability_severity", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve [1-100]", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on. Supported columns: [first_seen " + "highest_detection_severity highest_vulnerability_severity image_digest image_id registry repository tag]", + "name": "sort", + "in": "query" + } + ] + ], + [ + "CombinedImageByVulnerabilityCount", + "GET", + "/container-security/combined/images/by-vulnerability-count/v1", + "Retrieve top x images with the most vulnerabilities", + "container_images", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: " + "arch,base_os,cid,registry,repository,tag", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "This is not used in the backend but is added here for compatibility purposes as some " + "clients expects this i.e UI widgets.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "CombinedImageDetail", + "GET", + "/container-security/combined/images/detail/v1", + "Retrieve image entities identified by the provided filter criteria", + "container_images", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). 
Supported filters: " + "registry,repository,tag", + "name": "filter", + "in": "query" + }, + { + "type": "boolean", + "description": "(true/false) include image config, default is false", + "name": "with_config", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on.", + "name": "sort", + "in": "query" + } + ] + ], + [ + "ReadCombinedImagesExport", + "GET", + "/container-security/combined/images/export/v1", + "Retrieve images with an option to expand aggregated vulnerabilities/detections", + "container_images", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: arch,b" + "ase_os,cid,container_id,container_running_status,cps_rating,crowdstrike_user,cve_id,detection_count,detection_" + "name,detection_severity,first_seen,image_digest,image_id,layer_digest,package_name_version,registry,repository" + ",tag,vulnerability_count,vulnerability_severity", + "name": "filter", + "in": "query" + }, + { + "type": "boolean", + "description": "expand vulnerabilities", + "name": "expand_vulnerabilities", + "in": "query" + }, + { + "type": "boolean", + "description": "expand detections", + "name": "expand_detections", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on. 
Supported columns: [base_os cid containers " + "detections firstScanned first_seen highest_detection_severity highest_vulnerability_severity image_digest " + "image_id last_seen layers_with_vulnerabilities packages registry repository tag vulnerabilities]", + "name": "sort", + "in": "query" + } + ] + ], + [ + "CombinedImageIssuesSummary", + "GET", + "/container-security/combined/images/issues-summary/v1", + "Retrieve image issues summary such as Image detections, Runtime detections, Policies, vulnerabilities", + "container_images", + [ + { + "type": "string", + "description": "CID", + "name": "cid", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "registry name", + "name": "registry", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "repository name", + "name": "repository", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "tag name", + "name": "tag", + "in": "query", + "required": True + } + ] + ], + [ + "CombinedImageVulnerabilitySummary", + "GET", + "/container-security/combined/images/vulnerabilities-summary/v1", + "aggregates information about vulnerabilities for an image", + "container_images", + [ + { + "type": "string", + "description": "CID", + "name": "cid", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "registry name", + "name": "registry", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "repository name", + "name": "repository", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "tag name", + "name": "tag", + "in": "query", + "required": True + } + ] + ] +] diff --git a/src/falconpy/container_images.py b/src/falconpy/container_images.py new file mode 100644 index 000000000..9b68e71f5 --- /dev/null +++ b/src/falconpy/container_images.py 
@@ -0,0 +1,396 @@ +"""CrowdStrike Falcon Container Images API interface class. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to +""" +from typing import Dict, Union +from ._util import force_default, process_service_request, handle_single_argument +from ._service_class import ServiceClass +from ._endpoint._container_images import _container_images_endpoints as Endpoints + + +class ContainerImages(ServiceClass): + """The only requirement to instantiate an instance of this class is one of the following. 
+ + - a valid client_id and client_secret provided as keywords. + - a credential dictionary with client_id and client_secret containing valid API credentials + { + "client_id": "CLIENT_ID_HERE", + "client_secret": "CLIENT_SECRET_HERE" + } + - a previously-authenticated instance of the authentication service class (oauth2.py) + - a valid token provided by the authentication service class (oauth2.py) + """ + + @force_default(defaults=["parameters"], default_types=["dict"]) + def aggregate_assessment_history(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Image assessment history. + + Keyword arguments: + filter -- Filter using a query in Falcon Query Language (FQL). String. + Supported filters: cid, registry, repository + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-images/AggregateImageAssessmentHistory + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="AggregateImageAssessmentHistory", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def aggregate_count_by_base_os(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Aggregate count of images grouped by Base OS distribution. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. + Supported filters: arch, base_os, cid, registry, repository, tag + parameters -- Full parameters payload dictionary. Not required if using other keywords. 
+ + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-images/AggregateImageCountByBaseOS + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="AggregateImageCountByBaseOS", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def aggregate_count_by_state(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Aggregate count of images grouped by state. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. + Supported filters: cid, last_seen, registry, repository + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /container-images/AggregateImageCountByState + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="AggregateImageCountByState", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def aggregate_count(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Aggregate count of images. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. 
+ Supported filters: + arch first_seen + base_os image_digest + cid image_id + container_id layer_digest + container_running_status package_name_version + cps_rating registry + crowdstrike_user repository + cve_id tag + detection_count vulnerability_count + detection_name vulnerability_severity + detection_severity + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-images/AggregateImageCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="AggregateImageCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def get_combined_images(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Get image assessment results by providing an FQL filter and paging details. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. + Supported filters: + container_id image_digest + container_running_status image_id + cve_id registry + detection_name repository + detection_severity tag + first_seen vulnerability_severity + limit -- The upper-bound on the number of records to retrieve [1-100]. Integer. + offset -- The offset from where to begin. Integer. + sort -- The fields to sort the records on. String. + Supported columns: + first_seen image_id + highest_detection_severity registry + highest_vulnerability_severity repository + image_digest tag + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. 
+ + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-images/GetCombinedImages + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="GetCombinedImages", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def get_combined_images_by_vulnerability_count(self: object, + parameters: dict = None, + **kwargs + ) -> Dict[str, Union[int, dict]]: + """Retrieve top x images with the most vulnerabilities. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. + Supported filters: arch, base_os, cid, registry, repository, tag + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- This is not used in the backend but is added here for compatibility + purposes as some clients expects this i.e UI widgets. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-images/CombinedImageByVulnerabilityCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="CombinedImageByVulnerabilityCount", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def get_combined_detail(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve image entities identified by the provided filter criteria. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. + Supported filters: registry, repository, tag + with_config -- Include image config. Boolean. 
Defaults true false. + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + sort -- The fields to sort the records on. String. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-images/CombinedImageDetail + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="CombinedImageDetail", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_combined_export(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve images with an option to expand aggregated vulnerabilities/detections. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). + Supported filters: + arch first_seen + base_os image_digest + cid image_id + container_id layer_digest + container_running_status package_name_version + cps_rating registry + crowdstrike_user repository + cve_id tag + detection_count vulnerability_count + detection_name vulnerability_severity + detection_severity + expand_vulnerabilities -- Expand vulnerabilities. Boolean. + expand_detections -- Expand detections. Boolean. + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + sort -- The fields to sort the records on. String. + Supported columns: + base_os image_id + cid last_seen + containers layers_with_vulnerabilities + detections packages + firstScanned registry + first_seen repository + highest_detection_severity tag + highest_vulnerability_severity vulnerabilities + image_digest + parameters -- Full parameters payload dictionary. 
Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-images/ReadCombinedImagesExport + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadCombinedImagesExport", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def get_combined_issues_summary(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve image issues summary such as Image detections, Runtime detections, Policies, Vulnerabilities. + + Keyword arguments: + cid -- CID. String. + registry -- Registry name. String. + repository -- Repository name. String. + tag -- Tag name. String. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-images/CombinedImageIssuesSummary + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="CombinedImageIssuesSummary", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def get_combined_vulnerabilities_summary(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Aggregate information about vulnerabilities for an image. + + Keyword arguments: + cid -- CID. String. + registry -- Registry name. String. + repository -- Repository name. String. + tag -- Tag name. String. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. 
+ + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-images/CombinedImageVulnerabilitySummary + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="CombinedImageVulnerabilitySummary", + keywords=kwargs, + params=parameters + ) + + AggregateImageAssessmentHistory = aggregate_assessment_history + AggregateImageCountByBaseOS = aggregate_count_by_base_os + AggregateImageCountByState = aggregate_count_by_state + AggregateImageCount = aggregate_count + GetCombinedImages = get_combined_images + CombinedImageByVulnerabilityCount = get_combined_images_by_vulnerability_count + CombinedImageDetail = get_combined_detail + ReadCombinedImagesExport = read_combined_export + CombinedImageIssuesSummary = get_combined_issues_summary + CombinedImageVulnerabilitySummary = get_combined_vulnerabilities_summary diff --git a/tests/test_container_images.py b/tests/test_container_images.py new file mode 100644 index 000000000..70f3d264b --- /dev/null +++ b/tests/test_container_images.py 
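Review bot: The `with_config` line in `get_combined_detail`'s docstring reads `Defaults true false.`, which is garbled; the endpoint table added in the same commit describes the parameter as "default is false", so the line should read `with_config -- Include image config. Boolean. Defaults to false.`. The Swagger URL in `aggregate_count_by_state` is the only one split across two docstring lines (`swagger.html#` / `/container-images/AggregateImageCountByState`), so it cannot be copied as a link like its siblings; join it onto one line to match the other methods. In `get_combined_issues_summary` and `get_combined_vulnerabilities_summary` the endpoint table declares `cid`, `registry`, `repository` and `tag` as `"required": True`, but the docstrings do not say so; appending `Required.` to each of those four lines would tell callers up front instead of leaving them to a 400 response. `read_combined_export`'s `filter` line is also the only one in the class missing the `String.` type marker.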
@@ -0,0 +1,42 @@
+# test_container_images.py
+# This class tests the container images service class
+
+# import json
+import os
+import sys
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+# Classes to test - manually imported from sibling folder
+from falconpy import ContainerImages
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = ContainerImages(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 404, 429]
+
+
+class TestContainerImages:
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "AggregateImageAssessmentHistory": falcon.aggregate_assessment_history(filter="repository:'larry'"),
+ "AggregateImageCountByBaseOS": falcon.aggregate_count_by_base_os(filter="repository:'testing'"),
+ "AggregateImageCountByState": falcon.aggregate_count_by_state(filter="repository:'testing'"),
+ "AggregateImageCount": falcon.aggregate_count(filter="repository:'testing'"),
+ "GetCombinedImages": falcon.get_combined_images(filter="repository:'testing'"),
+ "CombinedImageByVulnerabilityCount": falcon.get_combined_images_by_vulnerability_count(filter="repository:'testing'"),
+ "CombinedImageDetail": falcon.get_combined_detail(filter="repository:'testing'"),
+ "ReadCombinedImagesExport": falcon.read_combined_export(filter="repository:'testing'"),
+ "CombinedImageIssuesSummary": falcon.get_combined_issues_summary(filter="repository:'testing'"),
+ "CombinedImageVulnerabilitySummary": falcon.get_combined_vulnerabilities_summary(filter="repository:'testing'")
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
From ee48c79c1ad1d975d1072e440c440153001aa86c Mon Sep 17 00:00:00 2001
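Review bot: `AllowedResponses` includes 400 and 404, so `test_all_code_paths` cannot tell a successful call from a request the API rejected, and the `CombinedImageIssuesSummary` and `CombinedImageVulnerabilitySummary` entries pass only `filter=` although the endpoint table in this commit marks `cid`, `registry`, `repository` and `tag` as required, so those two lines exercise the error path rather than the operation. Consider supplying the required keywords there (constructed placeholder values are fine) and, for the calls expected to succeed, checking the response body's `errors` field or using a narrower status set. The loop `for key in tests:` re-indexes the dict on the next line; `for key, result in tests.items():` with `if result["status_code"] not in AllowedResponses:` reads cleaner, and the two commented-out `print` lines should be dropped rather than committed.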
From: Joshua Hiller Date: Fri, 22 Dec 2023 11:22:58 -0500 Subject: [PATCH 28/37] Add Container Packages service collection --- src/falconpy/__init__.py | 4 +- src/falconpy/_endpoint/__init__.py | 2 + src/falconpy/_endpoint/_container_packages.py | 191 +++++++++++++++ src/falconpy/container_packages.py | 225 ++++++++++++++++++ tests/test_container_packages.py | 37 +++ 5 files changed, 458 insertions(+), 1 deletion(-) create mode 100644 src/falconpy/_endpoint/_container_packages.py create mode 100644 src/falconpy/container_packages.py create mode 100644 tests/test_container_packages.py diff --git a/src/falconpy/__init__.py b/src/falconpy/__init__.py index 20513c8cd..98701b3c4 100644 --- a/src/falconpy/__init__.py +++ b/src/falconpy/__init__.py @@ -95,6 +95,7 @@ from .container_alerts import ContainerAlerts from .container_detections import ContainerDetections from .container_images import ContainerImages +from .container_packages import ContainerPackages from .cloud_connect_aws import CloudConnectAWS from .cspm_registration import CSPMRegistration from .custom_ioa import CustomIOA @@ -189,7 +190,8 @@ "UnnecessaryEncodingUsed", "APIHarnessV2", "CustomStorage", "FoundryLogScale", "RealTimeResponseAudit", "Workflows", "DeprecatedClass", "DeprecatedOperation", "SDKDeprecationWarning", "ConfigurationAssessmentEvaluationLogic", "ConfigurationAssessment", - "ContainerAlerts", "ContainerDetections", "ContainerImages", "UnidentifiedContainers" + "ContainerAlerts", "ContainerDetections", "ContainerImages", "ContainerPackages", + "UnidentifiedContainers" ] """ This is free and unencumbered software released into the public domain. diff --git a/src/falconpy/_endpoint/__init__.py b/src/falconpy/_endpoint/__init__.py index a83be621d..743132d4d 100644 --- a/src/falconpy/_endpoint/__init__.py +++ b/src/falconpy/_endpoint/__init__.py 
@@ -47,6 +47,7 @@
 from ._container_alerts import _container_alerts_endpoints
 from ._container_detections import _container_detections_endpoints
 from ._container_images import _container_images_endpoints
+from ._container_packages import _container_packages_endpoints
 from ._cspm_registration import _cspm_registration_endpoints
 from ._custom_ioa import _custom_ioa_endpoints
 from ._custom_storage import _custom_storage_endpoints
@@ -111,6 +112,7 @@
 api_endpoints.extend(_container_alerts_endpoints)
 api_endpoints.extend(_container_detections_endpoints)
 api_endpoints.extend(_container_images_endpoints)
+api_endpoints.extend(_container_packages_endpoints)
 api_endpoints.extend(_cspm_registration_endpoints)
 api_endpoints.extend(_custom_ioa_endpoints)
 api_endpoints.extend(_custom_storage_endpoints)
diff --git a/src/falconpy/_endpoint/_container_packages.py b/src/falconpy/_endpoint/_container_packages.py
new file mode 100644
index 000000000..395c06a8b
--- /dev/null
+++ b/src/falconpy/_endpoint/_container_packages.py
@@ -0,0 +1,191 @@ +"""Internal API endpoint constant library. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to +""" + +_container_packages_endpoints = [ + [ + "ReadPackagesCountByZeroDay", + "GET", + "/container-security/aggregates/packages/count-by-zero-day/v1", + "Retrieve packages count affected by zero day vulnerabilities", + "container_packages", + [ + { + "type": "string", + "description": "Filter packages using a query in Falcon Query Language (FQL). 
Supported filters: cid", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadPackagesByFixableVulnCount", + "GET", + "/container-security/combined/packages/app-by-fixable-vulnerability-count/v1", + "Retrieve top x app packages with the most fixable vulnerabilities", + "container_packages", + [ + { + "type": "string", + "description": "Filter packages using a query in Falcon Query Language (FQL). Supported filters: cid,c" + "ontainer_id,cveid,fix_status,image_digest,license,package_name_version,severity,type,vulnerability_count", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "ReadPackagesByVulnCount", + "GET", + "/container-security/combined/packages/by-vulnerability-count/v1", + "Retrieve top x packages with the most vulnerabilities", + "container_packages", + [ + { + "type": "string", + "description": "Filter packages using a query in Falcon Query Language (FQL). Supported filters: cid,c" + "ontainer_id,cveid,fix_status,image_digest,license,package_name_version,severity,type,vulnerability_count", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "ReadPackagesCombinedExport", + "GET", + "/container-security/combined/packages/export/v1", + "Retrieve packages identified by the provided filter criteria for the purpose of export", + "container_packages", + [ + { + "type": "string", + "description": "Filter packages using a query in Falcon Query Language (FQL). 
Supported filters: cid," + "container_id,cveid,fix_status,image_digest,license,package_name_version,severity,type,vulnerability_count", + "name": "filter", + "in": "query" + }, + { + "type": "boolean", + "description": "(true/false) load zero day affected packages, default is false", + "name": "only_zero_day_affected", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on. Supported columns: [license package_name_version type]", + "name": "sort", + "in": "query" + } + ] + ], + [ + "ReadPackagesCombined", + "GET", + "/container-security/combined/packages/v1", + "Retrieve packages identified by the provided filter criteria", + "container_packages", + [ + { + "type": "string", + "description": "Filter packages using a query in Falcon Query Language (FQL). Supported filters: cid," + "container_id,cveid,fix_status,image_digest,license,package_name_version,severity,type,vulnerability_count", + "name": "filter", + "in": "query" + }, + { + "type": "boolean", + "description": "(true/false) load zero day affected packages, default is false", + "name": "only_zero_day_affected", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on. Supported columns: [license package_name_version type]", + "name": "sort", + "in": "query" + } + ] + ] +] diff --git a/src/falconpy/container_packages.py b/src/falconpy/container_packages.py new file mode 100644 index 000000000..23281a8b3 --- /dev/null 
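Review bot: The implicit string concatenation in the `filter` descriptions of ReadPackagesByFixableVulnCount and ReadPackagesByVulnCount splits a filter name across two literals (`cid,c"` followed by `"ontainer_id,...`), so a reader or a grep for `container_id` sees a truncated token. Breaking after the comma instead, as ReadPackagesCombinedExport and ReadPackagesCombined in the same table already do (`cid,"` / `"container_id,...`), keeps every filter name whole and produces the identical string. The same mid-token splits (`cvss_sc"`/`"ore`, `rem"`/`"ediation_available`) recur throughout the _container_vulnerabilities.py endpoint hunk of the next patch.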
+++ b/src/falconpy/container_packages.py 
@@ -0,0 +1,225 @@ +"""CrowdStrike Falcon Container Packages API interface class. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to +""" +from typing import Dict, Union +from ._util import force_default, process_service_request, handle_single_argument +from ._service_class import ServiceClass +from ._endpoint._container_packages import _container_packages_endpoints as Endpoints + + +class ContainerPackages(ServiceClass): + """The only requirement to instantiate an instance of this class is one of the following. 
+ + - a valid client_id and client_secret provided as keywords. + - a credential dictionary with client_id and client_secret containing valid API credentials + { + "client_id": "CLIENT_ID_HERE", + "client_secret": "CLIENT_SECRET_HERE" + } + - a previously-authenticated instance of the authentication service class (oauth2.py) + - a valid token provided by the authentication service class (oauth2.py) + """ + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_zero_day_counts(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve packages count affected by zero day vulnerabilities. + + Keyword arguments: + filter -- Filter packages using a query in Falcon Query Language (FQL). String. Supported filters: cid + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-packages/ReadPackagesCountByZeroDay + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadPackagesCountByZeroDay", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_fixable_vuln_count(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve top x app packages with the most fixable vulnerabilities. + + Keyword arguments: + filter -- Filter packages using a query in Falcon Query Language (FQL). String. + Supported filters: + cid license + container_id package_name_version + cveid severity + fix_status type + image_digest vulnerability_count + limit -- The upper-bound on the number of records to retrieve. Integer. 
+ offset -- The offset from where to begin. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-packages/ReadPackagesByFixableVulnCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadPackagesByFixableVulnCount", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_vuln_count(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve top x packages with the most vulnerabilities. + + Keyword arguments: + filter -- Filter packages using a query in Falcon Query Language (FQL). String. + Supported filters: + cid license + container_id package_name_version + cveid severity + fix_status type + image_digest vulnerability_count + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-packages/ReadPackagesByVulnCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadPackagesByVulnCount", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_combined_export(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve packages identified by the provided filter criteria for the purpose of export. 
+ + Keyword arguments: + filter -- Filter packages using a query in Falcon Query Language (FQL). String. + Supported filters: + cid license + container_id package_name_version + cveid severity + fix_status type + image_digest vulnerability_count + only_zero_day_affected -- Load zero day affected packages. Boolean. Defaults to False. + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + sort -- The fields to sort the records on. String. + Supported columns: license, package_name_version, type + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-packages/ReadPackagesCombinedExport + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadPackagesCombinedExport", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_combined(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve packages identified by the provided filter criteria. + + Keyword arguments: + filter -- Filter packages using a query in Falcon Query Language (FQL). String. + Supported filters: + cid license + container_id package_name_version + cveid severity + fix_status type + image_digest vulnerability_count + only_zero_day_affected -- Load zero day affected packages. Boolean. Default is False. + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + sort -- The fields to sort the records on. String. + Supported columns: license, package_name_version, type + parameters -- Full parameters payload dictionary. Not required if using other keywords. 
+ + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-packages/ReadPackagesCombined + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadPackagesCombined", + keywords=kwargs, + params=parameters + ) + + ReadPackagesCountByZeroDay = read_zero_day_counts + ReadPackagesByFixableVulnCount = read_fixable_vuln_count + ReadPackagesByVulnCount = read_vuln_count + ReadPackagesCombinedExport = read_combined_export + ReadPackagesCombined = read_combined diff --git a/tests/test_container_packages.py b/tests/test_container_packages.py new file mode 100644 index 000000000..fc8783511 --- /dev/null +++ b/tests/test_container_packages.py 
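Review bot: The `only_zero_day_affected` entry is documented as `Defaults to False.` in read_combined_export but `Default is False.` in read_combined, although both wrap the same query parameter with the same endpoint description; pick one wording for both. Since every method hands `kwargs` straight to process_service_request without inspecting the `filter` value, the docstrings could show the expected FQL quoting once, e.g. `filter -- ... String. Example: cid:'<cid>'`, matching how the accompanying test calls these methods. Presumably a malformed filter then surfaces only as an error response from the API, which is worth a sentence in the class docstring.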
@@ -0,0 +1,37 @@ +# test_container_packages.py +# This class tests the container packages service class + +# import json +import os +import sys + +# Authentication via the test_authorization.py +from tests import test_authorization as Authorization + +# Import our sibling src folder into the path +sys.path.append(os.path.abspath('src')) +# Classes to test - manually imported from sibling folder +from falconpy import ContainerPackages + +auth = Authorization.TestAuthorization() +config = auth.getConfigObject() +falcon = ContainerPackages(auth_object=config) +AllowedResponses = [200, 201, 207, 400, 404, 429] + + +class TestContainerPackages: + def test_all_code_paths(self): + error_checks = True + tests = { + "ReadPackagesCountByZeroDay": falcon.read_zero_day_counts(filter="cid:'12345678901234567890123456789012'"), + "ReadPackagesByFixableVulnCount": falcon.read_fixable_vuln_count(filter="cid:'12345678901234567890123456789012'"), + "ReadPackagesByVulnCount": falcon.read_vuln_count(filter="cid:'12345678901234567890123456789012'"), + "ReadPackagesCombinedExport": falcon.read_combined_export(filter="cid:'12345678901234567890123456789012'"), + "ReadPackagesCombined": falcon.read_combined(filter="cid:'12345678901234567890123456789012'") + } + for key in tests: + if tests[key]["status_code"] not in AllowedResponses: + error_checks = False + # print(key) + # print(tests[key]) + assert error_checks From 97d672d518eb8a461498eabae62d6437091e7f97 Mon Sep 17 00:00:00 2001 
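Review bot: `test_all_code_paths` folds every operation into one boolean, so a failure reports neither which operation nor which status code came back; asserting inside the loop with the key as the message, `for key, result in tests.items():` / `assert result["status_code"] in AllowedResponses, key`, gives that for free and replaces the commented-out prints. Note also that `AllowedResponses` includes 400 and 404, so the test still passes when the API rejects the request; that makes it a reachability smoke test rather than a contract test, which is fine if intended but should be stated in the class comment.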
From: Joshua Hiller Date: Fri, 22 Dec 2023 11:52:04 -0500 Subject: [PATCH 29/37] Add Container Vulnerabilities service collection --- src/falconpy/__init__.py | 3 +- src/falconpy/_endpoint/__init__.py | 2 + .../_endpoint/_container_vulnerabilities.py | 347 ++++++++++++++ src/falconpy/container_vulnerabilities.py | 434 ++++++++++++++++++ tests/test_container_vulnerabilities.py | 42 ++ 5 files changed, 827 insertions(+), 1 deletion(-) create mode 100644 src/falconpy/_endpoint/_container_vulnerabilities.py create mode 100644 src/falconpy/container_vulnerabilities.py create mode 100644 tests/test_container_vulnerabilities.py diff --git a/src/falconpy/__init__.py b/src/falconpy/__init__.py index 98701b3c4..21c3c2757 100644 --- a/src/falconpy/__init__.py +++ b/src/falconpy/__init__.py @@ -96,6 +96,7 @@ from .container_detections import ContainerDetections from .container_images import ContainerImages from .container_packages import ContainerPackages +from .container_vulnerabilities import ContainerVulnerabilities from .cloud_connect_aws import CloudConnectAWS from .cspm_registration import CSPMRegistration from .custom_ioa import CustomIOA @@ -191,7 +192,7 @@ "RealTimeResponseAudit", "Workflows", "DeprecatedClass", "DeprecatedOperation", "SDKDeprecationWarning", "ConfigurationAssessmentEvaluationLogic", "ConfigurationAssessment", "ContainerAlerts", "ContainerDetections", "ContainerImages", "ContainerPackages", - "UnidentifiedContainers" + "ContainerVulnerabilities", "UnidentifiedContainers" ] """ This is free and unencumbered software released into the public domain. diff --git a/src/falconpy/_endpoint/__init__.py b/src/falconpy/_endpoint/__init__.py index 743132d4d..d78ac4aab 100644 --- a/src/falconpy/_endpoint/__init__.py +++ b/src/falconpy/_endpoint/__init__.py 
@@ -48,6 +48,7 @@ from ._container_detections import _container_detections_endpoints from ._container_images import _container_images_endpoints from ._container_packages import _container_packages_endpoints +from ._container_vulnerabilities import _container_vulnerabilities_endpoints from ._cspm_registration import _cspm_registration_endpoints from ._custom_ioa import _custom_ioa_endpoints from ._custom_storage import _custom_storage_endpoints @@ -113,6 +114,7 @@ api_endpoints.extend(_container_detections_endpoints) api_endpoints.extend(_container_images_endpoints) api_endpoints.extend(_container_packages_endpoints) +api_endpoints.extend(_container_vulnerabilities_endpoints) api_endpoints.extend(_cspm_registration_endpoints) api_endpoints.extend(_custom_ioa_endpoints) api_endpoints.extend(_custom_storage_endpoints) diff --git a/src/falconpy/_endpoint/_container_vulnerabilities.py b/src/falconpy/_endpoint/_container_vulnerabilities.py new file mode 100644 index 000000000..85db91d2a --- /dev/null +++ b/src/falconpy/_endpoint/_container_vulnerabilities.py 
@@ -0,0 +1,347 @@ +"""Internal API endpoint constant library. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. 
+ +For more information, please refer to +""" + +_container_vulnerabilities_endpoints = [ + [ + "ReadVulnerabilityCountByActivelyExploited", + "GET", + "/container-security/aggregates/vulnerabilities/count-by-actively-exploited/v1", + "Aggregate count of vulnerabilities grouped by actively exploited", + "container_vulnerabilities", + [ + { + "type": "string", + "description": "Filter vulnerabilities using a query in Falcon Query Language (FQL). Supported " + "filters: base_os,cid,container_id,container_running_status,containers_impacted_range,cps_rating,cve_id,cvss_sc" + "ore,description,exploited_status,exploited_status_name,fix_status,image_digest,image_id,images_impacted_range," + "package_name_version,registry,repository,severity,tag", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "ReadVulnerabilityCountByCPSRating", + "GET", + "/container-security/aggregates/vulnerabilities/count-by-cps-rating/v1", + "Aggregate count of vulnerabilities grouped by csp_rating", + "container_vulnerabilities", + [ + { + "type": "string", + "description": "Filter vulnerabilities using a query in Falcon Query Language (FQL). 
Supported " + "filters: base_os,cid,container_id,container_running_status,containers_impacted_range,cps_rating,cve_id,cvss_sc" + "ore,description,exploited_status,exploited_status_name,fix_status,image_digest,image_id,images_impacted_range," + "package_name_version,registry,repository,severity,tag", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "ReadVulnerabilityCountByCVSSScore", + "GET", + "/container-security/aggregates/vulnerabilities/count-by-cvss-score/v1", + "Aggregate count of vulnerabilities grouped by cvss score", + "container_vulnerabilities", + [ + { + "type": "string", + "description": "Filter vulnerabilities using a query in Falcon Query Language (FQL). Supported " + "filters: base_os,cid,container_id,container_running_status,containers_impacted_range,cps_rating,cve_id,cvss_sc" + "ore,description,exploited_status,exploited_status_name,fix_status,image_digest,image_id,images_impacted_range," + "package_name_version,registry,repository,severity,tag", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "ReadVulnerabilityCountBySeverity", + "GET", + "/container-security/aggregates/vulnerabilities/count-by-severity/v1", + "Aggregate count of vulnerabilities grouped by severity", + "container_vulnerabilities", + [ + { + "type": "string", + "description": "Filter vulnerabilities using a query in Falcon Query Language (FQL). 
Supported " + "filters: base_os,cid,container_id,container_running_status,containers_impacted_range,cps_rating,cve_id,cvss_sc" + "ore,description,exploited_status,exploited_status_name,fix_status,image_digest,image_id,images_impacted_range," + "package_name_version,registry,repository,severity,tag", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "ReadVulnerabilityCount", + "GET", + "/container-security/aggregates/vulnerabilities/count/v1", + "Aggregate count of vulnerabilities", + "container_vulnerabilities", + [ + { + "type": "string", + "description": "Filter vulnerabilities using a query in Falcon Query Language (FQL). Supported " + "filters: base_os,cid,container_id,container_running_status,containers_impacted_range,cps_rating,cve_id,cvss_sc" + "ore,description,exploited_status,exploited_status_name,fix_status,image_digest,image_id,images_impacted_range," + "package_name_version,registry,repository,severity,tag", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "ReadVulnerabilitiesByImageCount", + "GET", + "/container-security/combined/vulnerabilities/by-image-count/v1", + "Retrieve top x vulnerabilities with the most impacted images", + "container_vulnerabilities", + [ + { + "type": "string", + "description": "Filter vulnerabilities using a query in Falcon Query Language (FQL). 
Supported " + "filters: cid,cve_id,registry,repository,tag", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "ReadVulnerabilitiesPublicationDate", + "GET", + "/container-security/combined/vulnerabilities/by-published-date/v1", + "Retrieve top x vulnerabilities with the most recent publication date", + "container_vulnerabilities", + [ + { + "type": "string", + "description": "Filter vulnerabilities using a query in Falcon Query Language (FQL). Supported " + "filters: cid,cve_id,registry,repository,tag", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "ReadCombinedVulnerabilitiesDetails", + "GET", + "/container-security/combined/vulnerabilities/details/v1", + "Retrieve vulnerability details related to an image", + "container_vulnerabilities", + [ + { + "type": "string", + "description": "Image UUID", + "name": "id", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "Filter the vulnerabilities using a query in Falcon Query Language (FQL). 
Supported " + "vulnerability filters: cid,cps_rating,cve_id,cvss_score,exploited_status,exploited_status_name,is_zero_day,rem" + "ediation_available,severity", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "ReadCombinedVulnerabilitiesInfo", + "GET", + "/container-security/combined/vulnerabilities/info/v1", + "Retrieve vulnerability and package related info for this customer", + "container_vulnerabilities", + [ + { + "type": "string", + "description": "Vulnerability CVE ID", + "name": "cve_id", + "in": "query", + "required": True + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + } + ] + ], + [ + "ReadCombinedVulnerabilities", + "GET", + "/container-security/combined/vulnerabilities/v1", + "Retrieve vulnerability and aggregate data filtered by the provided FQL", + "container_vulnerabilities", + [ + { + "type": "string", + "description": "Filter vulnerabilities using a query in Falcon Query Language (FQL). 
Supported " + "filters: base_os,cid,container_id,container_running_status,containers_impacted_range,cps_rating,cve_id,cvss_sc" + "ore,description,exploited_status,exploited_status_name,fix_status,image_digest,image_id,images_impacted_range," + "package_name_version,registry,repository,severity,tag", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on. Supported columns: [cps_current_rating cve_id " + "cvss_score description images_impacted packages_impacted severity]", + "name": "sort", + "in": "query" + } + ] + ] +] diff --git a/src/falconpy/container_vulnerabilities.py b/src/falconpy/container_vulnerabilities.py new file mode 100644 index 000000000..178fe1c53 --- /dev/null +++ b/src/falconpy/container_vulnerabilities.py 
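Review bot: The ReadVulnerabilityCountByCPSRating description reads `Aggregate count of vulnerabilities grouped by csp_rating`, while the operation name, the route `count-by-cps-rating` and the filter list all use `cps_rating`; `csp` looks like a transposition and should read `cps_rating`. If this table mirrors the upstream API specification, the text may have been copied verbatim, in which case a fix here would be lost on the next regeneration and should also go to the spec source.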
@@ -0,0 +1,434 @@ +"""CrowdStrike Falcon Container Vulnerabilities API interface class. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. 
+ +For more information, please refer to +""" +from typing import Dict, Union +from ._util import force_default, process_service_request +from ._service_class import ServiceClass +from ._endpoint._container_vulnerabilities import _container_vulnerabilities_endpoints as Endpoints + + +class ContainerVulnerabilities(ServiceClass): + """The only requirement to instantiate an instance of this class is one of the following. + + - a valid client_id and client_secret provided as keywords. + - a credential dictionary with client_id and client_secret containing valid API credentials + { + "client_id": "CLIENT_ID_HERE", + "client_secret": "CLIENT_SECRET_HERE" + } + - a previously-authenticated instance of the authentication service class (oauth2.py) + - a valid token provided by the authentication service class (oauth2.py) + """ + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_vulnerability_counts_by_active_exploited(self: object, + parameters: dict = None, + **kwargs + ) -> Dict[str, Union[int, dict]]: + """Aggregate count of vulnerabilities grouped by actively exploited. + + Keyword arguments: + filter -- Filter vulnerabilities using a query in Falcon Query Language (FQL). String. + Supported filters: + base_os exploited_status_name + cid fix_status + container_id image_digest + container_running_status image_id + containers_impacted_range images_impacted_range + cps_rating package_name_version + cve_id registry + cvss_score repository + description severity + exploited_status tag + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /container-vulnerabilities/ReadVulnerabilityCountByActivelyExploited + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadVulnerabilityCountByActivelyExploited", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_vulnerability_counts_by_cps_rating(self: object, + parameters: dict = None, + **kwargs + ) -> Dict[str, Union[int, dict]]: + """Aggregate count of vulnerabilities grouped by csp_rating. + + Keyword arguments: + filter -- Filter vulnerabilities using a query in Falcon Query Language (FQL). String. + Supported filters: + base_os exploited_status_name + cid fix_status + container_id image_digest + container_running_status image_id + containers_impacted_range images_impacted_range + cps_rating package_name_version + cve_id registry + cvss_score repository + description severity + exploited_status tag + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /container-vulnerabilities/ReadVulnerabilityCountByCPSRating + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadVulnerabilityCountByCPSRating", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_vulnerability_counts_by_cvss_score(self: object, + parameters: dict = None, + **kwargs + ) -> Dict[str, Union[int, dict]]: + """Aggregate count of vulnerabilities grouped by cvss score. 
+ + Keyword arguments: + filter -- Filter vulnerabilities using a query in Falcon Query Language (FQL). String. + Supported filters: + base_os exploited_status_name + cid fix_status + container_id image_digest + container_running_status image_id + containers_impacted_range images_impacted_range + cps_rating package_name_version + cve_id registry + cvss_score repository + description severity + exploited_status tag + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /container-vulnerabilities/ReadVulnerabilityCountByCVSSScore + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadVulnerabilityCountByCVSSScore", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_vulnerability_counts_by_severity(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Aggregate count of vulnerabilities grouped by severity. + + Keyword arguments: + filter -- Filter vulnerabilities using a query in Falcon Query Language (FQL). String. + Supported filters: + base_os exploited_status_name + cid fix_status + container_id image_digest + container_running_status image_id + containers_impacted_range images_impacted_range + cps_rating package_name_version + cve_id registry + cvss_score repository + description severity + exploited_status tag + limit -- The upper-bound on the number of records to retrieve. String. + offset -- The offset from where to begin. String. + parameters -- Full parameters payload dictionary. Not required if using other keywords. 
+ + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /container-vulnerabilities/ReadVulnerabilityCountBySeverity + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadVulnerabilityCountBySeverity", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_vulnerability_count(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Aggregate count of vulnerabilities. + + Keyword arguments: + filter -- Filter vulnerabilities using a query in Falcon Query Language (FQL). String. + Supported filters: + base_os exploited_status_name + cid fix_status + container_id image_digest + container_running_status image_id + containers_impacted_range images_impacted_range + cps_rating package_name_version + cve_id registry + cvss_score repository + description severity + exploited_status tag + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-vulnerabilities/ReadVulnerabilityCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadVulnerabilityCount", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_vulnerabilities_by_count(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve top x vulnerabilities with the most impacted images. + + Keyword arguments: + filter -- Filter vulnerabilities using a query in Falcon Query Language (FQL). String. + Supported filters: cid, cve_id, registry, repository,tag + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /container-vulnerabilities/ReadVulnerabilitiesByImageCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadVulnerabilitiesByImageCount", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_vulnerabilities_by_pub_date(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve top x vulnerabilities with the most recent publication date. + + Keyword arguments: + filter -- Filter vulnerabilities using a query in Falcon Query Language (FQL). String. + Supported filters: cid, cve_id, registry, repository,tag + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. 
+ parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /container-vulnerabilities/ReadVulnerabilitiesPublicationDate + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadVulnerabilitiesPublicationDate", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_combined_vulnerability_detail(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve vulnerability details related to an image. + + Keyword arguments: + id -- Image UUID. String. + filter -- Filter the vulnerabilities using a query in Falcon Query Language (FQL). String. + Supported vulnerability filters: + cid exploited_status_name + cps_rating is_zero_day + cve_id remediation_available + cvss_score severity + exploited_status + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /container-vulnerabilities/ReadCombinedVulnerabilitiesDetails + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadCombinedVulnerabilitiesDetails", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_combined_vulnerabilities_info(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve vulnerability and package related info for this customer. + + Keyword arguments: + cve_id -- Vulnerability CVE ID. String. + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /container-vulnerabilities/ReadCombinedVulnerabilitiesInfo + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadCombinedVulnerabilitiesInfo", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_combined_vulnerabilities(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve vulnerability and aggregate data filtered by the provided FQL. + + Keyword arguments: + filter -- Filter vulnerabilities using a query in Falcon Query Language (FQL). String. 
+ Supported filters: + base_os exploited_status_name + cid fix_status + container_id image_digest + container_running_status image_id + containers_impacted_range images_impacted_range + cps_rating package_name_version + cve_id registry + cvss_score repository + description severity + exploited_status tag + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + sort -- The fields to sort the records on. String. + Supported columns: + cps_current_rating images_impacted + cve_id packages_impacted + cvss_score severity + description + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/container-vulnerabilities/ReadCombinedVulnerabilities + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadCombinedVulnerabilities", + keywords=kwargs, + params=parameters + ) + + ReadCombinedVulnerabilities = read_combined_vulnerabilities + ReadCombinedVulnerabilitiesInfo = read_combined_vulnerabilities_info + ReadCombinedVulnerabilitiesDetails = read_combined_vulnerability_detail + ReadVulnerabilitiesPublicationDate = read_vulnerabilities_by_pub_date + ReadVulnerabilitiesByImageCount = read_vulnerabilities_by_count + ReadVulnerabilityCount = read_vulnerability_count + ReadVulnerabilityCountBySeverity = read_vulnerability_counts_by_severity + ReadVulnerabilityCountByCPSRating = read_vulnerability_counts_by_cps_rating + ReadVulnerabilityCountByCVSSScore = read_vulnerability_counts_by_cvss_score + ReadVulnerabilityCountByActivelyExploited = read_vulnerability_counts_by_active_exploited 
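Review bot: The `read_vulnerability_counts_by_severity` docstring types `limit` and `offset` as `String.` while every sibling method in this hunk and the endpoint definitions for these operations (`"type": "integer"`) give them as Integer; change the two lines to `limit -- The upper-bound on the number of records to retrieve. Integer.` and `offset -- The offset from where to begin. Integer.`. The `read_vulnerability_counts_by_cps_rating` summary says "grouped by csp_rating", transposing the field name used everywhere else in the file; it should read `"""Aggregate count of vulnerabilities grouped by cps_rating.`. The filter lists in `read_vulnerabilities_by_count` and `read_vulnerabilities_by_pub_date` also drop the space before the last entry (`repository,tag`).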
diff --git a/tests/test_container_vulnerabilities.py b/tests/test_container_vulnerabilities.py
new file mode 100644
index 000000000..c132e7cd7
--- /dev/null
+++ b/tests/test_container_vulnerabilities.py
@@ -0,0 +1,42 @@
+# test_container_vulnerabilities.py
+# This class tests the container vulnerabilities service class
+
+# import json
+import os
+import sys
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+# Classes to test - manually imported from sibling folder
+from falconpy import ContainerVulnerabilities
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = ContainerVulnerabilities(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 404, 429]
+
+
+class TestContainerVulnerabilities:
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "ReadCombinedVulnerabilities": falcon.read_combined_vulnerabilities(filter="cid:'12345678901234567890123456789012'"),
+ "ReadCombinedVulnerabilitiesInfo": falcon.read_combined_vulnerabilities_info(cve_id="1234567890"),
+ "ReadCombinedVulnerabilitiesDetails": falcon.read_combined_vulnerability_detail(filter="cid:'12345678901234567890123456789012'"),
+ "ReadVulnerabilitiesPublicationDate": falcon.read_vulnerabilities_by_pub_date(filter="cid:'12345678901234567890123456789012'"),
+ "ReadVulnerabilitiesByImageCount": falcon.read_vulnerabilities_by_count(filter="cid:'12345678901234567890123456789012'"),
+ "ReadVulnerabilityCount": falcon.read_vulnerability_count(filter="cid:'12345678901234567890123456789012'"),
+ "ReadVulnerabilityCountBySeverity": falcon.read_vulnerability_counts_by_severity(filter="cid:'12345678901234567890123456789012'"),
+ "ReadVulnerabilityCountByCPSRating": falcon.read_vulnerability_counts_by_cps_rating(filter="cid:'12345678901234567890123456789012'"),
+ "ReadVulnerabilityCountByCVSSScore": falcon.read_vulnerability_counts_by_cvss_score(filter="cid:'12345678901234567890123456789012'"),
+ "ReadVulnerabilityCountByActivelyExploited":
falcon.read_vulnerability_counts_by_active_exploited(filter="cid:'12345678901234567890123456789012'") + } + for key in tests: + if tests[key]["status_code"] not in AllowedResponses: + error_checks = False + # print(key) + # print(tests[key]) + assert error_checks From fc4fc5ec1b0031fb23004aa1ba0b4ae95111b901 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Fri, 22 Dec 2023 12:08:15 -0500 Subject: [PATCH 30/37] Add Drift Indicators service collection --- src/falconpy/__init__.py | 3 +- src/falconpy/_endpoint/__init__.py | 2 + src/falconpy/_endpoint/_drift_indicators.py | 169 ++++++++++++++ src/falconpy/drift_indicators.py | 230 ++++++++++++++++++++ tests/test_drift_indicators.py | 37 ++++ 5 files changed, 440 insertions(+), 1 deletion(-) create mode 100644 src/falconpy/_endpoint/_drift_indicators.py create mode 100644 src/falconpy/drift_indicators.py create mode 100644 tests/test_drift_indicators.py diff --git a/src/falconpy/__init__.py b/src/falconpy/__init__.py index 21c3c2757..bc70168e5 100644 --- a/src/falconpy/__init__.py +++ b/src/falconpy/__init__.py @@ -105,6 +105,7 @@ from .detects import Detects from .device_control_policies import DeviceControlPolicies from .discover import Discover +from .drift_indicators import DriftIndicators from .event_streams import EventStreams from .falcon_complete_dashboard import CompleteDashboard from .falcon_container import FalconContainer @@ -192,7 +193,7 @@ "RealTimeResponseAudit", "Workflows", "DeprecatedClass", "DeprecatedOperation", "SDKDeprecationWarning", "ConfigurationAssessmentEvaluationLogic", "ConfigurationAssessment", "ContainerAlerts", "ContainerDetections", "ContainerImages", "ContainerPackages", - "ContainerVulnerabilities", "UnidentifiedContainers" + "ContainerVulnerabilities", "DriftIndicators", "UnidentifiedContainers" ] """ This is free and unencumbered software released into the public domain. 
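Review bot: `test_all_code_paths` folds all ten calls into one `error_checks` flag, so when a single operation returns an unexpected status the assertion failure names none of them and the commented-out `print` calls are the only diagnostic left. Assert per operation inside the loop instead, `assert tests[key]["status_code"] in AllowedResponses, key`, and drop the flag and the two commented prints. The new tests/test_drift_indicators.py hunk later in this series uses the same pattern and would take the same change. Since `400` is in `AllowedResponses`, a wrapper that builds a request the API rejects still passes, so the per-key message is what tells a reader which call to look at when something does fall outside the list.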
diff --git a/src/falconpy/_endpoint/__init__.py b/src/falconpy/_endpoint/__init__.py
index d78ac4aab..9488020cd 100644
--- a/src/falconpy/_endpoint/__init__.py
+++ b/src/falconpy/_endpoint/__init__.py
@@ -56,6 +56,7 @@
 from ._detects import _detects_endpoints
 from ._device_control_policies import _device_control_policies_endpoints
 from ._discover import _discover_endpoints
+from ._drift_indicators import _drift_indicators_endpoints
 from ._event_streams import _event_streams_endpoints
 from ._falcon_complete_dashboard import _falcon_complete_dashboard_endpoints
 from ._falcon_container import _falcon_container_endpoints
@@ -122,6 +123,7 @@
 api_endpoints.extend(_detects_endpoints)
 api_endpoints.extend(_device_control_policies_endpoints)
 api_endpoints.extend(_discover_endpoints)
+api_endpoints.extend(_drift_indicators_endpoints)
 api_endpoints.extend(_event_streams_endpoints)
 api_endpoints.extend(_falcon_complete_dashboard_endpoints)
 api_endpoints.extend(_falcon_container_endpoints)
diff --git a/src/falconpy/_endpoint/_drift_indicators.py b/src/falconpy/_endpoint/_drift_indicators.py
new file mode 100644
index 000000000..1663901b1
--- /dev/null
+++ b/src/falconpy/_endpoint/_drift_indicators.py
@@ -0,0 +1,169 @@ +"""Internal API endpoint constant library. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to +""" + +_drift_indicators_endpoints = [ + [ + "GetDriftIndicatorsValuesByDate", + "GET", + "/container-security/aggregates/drift-indicators/count-by-date/v1", + "Returns the count of Drift Indicators by the date. by default it's for 7 days.", + "drift_indicators", + [ + { + "type": "string", + "description": "Filter drift indicators using a query in Falcon Query Language (FQL). 
Supported " + "filters: cid,cloud_name,command_line,container_id,file_name,file_sha256,host_id,indicator_process_id,namespace" + ",occurred_at,parent_process_id,pod_name,prevented,scheduler_name,severity,worker_node_name", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + } + ] + ], + [ + "ReadDriftIndicatorsCount", + "GET", + "/container-security/aggregates/drift-indicators/count/v1", + "Returns the total count of Drift indicators over a time period", + "drift_indicators", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: cid,cl" + "oud_name,command_line,container_id,file_name,file_sha256,host_id,indicator_process_id,namespace,occurred_at,pa" + "rent_process_id,pod_name,prevented,scheduler_name,severity,worker_node_name", + "name": "filter", + "in": "query" + } + ] + ], + [ + "SearchAndReadDriftIndicatorEntities", + "GET", + "/container-security/combined/drift-indicators/v1", + "Retrieve Drift Indicators by the provided search criteria", + "drift_indicators", + [ + { + "type": "string", + "description": "Filter Drift Indicators using a query in Falcon Query Language (FQL). 
Supported " + "filters: cid, cloud_name, command_line, container_id, file_name, file_sha256, host_id, indicator_process_id, " + "namespace, occurred_at, parent_process_id, pod_name, prevented, scheduler_name, severity, worker_node_name", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on.", + "name": "sort", + "in": "query" + } + ] + ], + [ + "ReadDriftIndicatorEntities", + "GET", + "/container-security/entities/drift-indicators/v1", + "Retrieve Drift Indicator entities identified by the provided IDs", + "drift_indicators", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "csv", + "description": "Search Drift Indicators by ids - The maximum amount is 100 IDs", + "name": "ids", + "in": "query" + } + ] + ], + [ + "SearchDriftIndicators", + "GET", + "/container-security/queries/drift-indicators/v1", + "Retrieve all drift indicators that match the given query", + "drift_indicators", + [ + { + "type": "string", + "description": "Filter Drift Indicators using a query in Falcon Query Language (FQL). 
Supported " + "filters: cid, cloud_name, command_line, container_id, file_name, file_sha256, host_id, indicator_process_id, " + "namespace, occurred_at, parent_process_id, pod_name, prevented, scheduler_name, severity, worker_node_name", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on.", + "name": "sort", + "in": "query" + } + ] + ] +] diff --git a/src/falconpy/drift_indicators.py b/src/falconpy/drift_indicators.py new file mode 100644 index 000000000..d321aa9c7 --- /dev/null +++ b/src/falconpy/drift_indicators.py 
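Review bot: The `filter` description for `ReadDriftIndicatorsCount` opens with "Filter images using a query in Falcon Query Language (FQL)", a leftover from the images endpoint definitions, while the other four entries in this file say "Filter drift indicators"; change the opening fragment to `"Filter drift indicators using a query in Falcon Query Language (FQL). Supported filters: cid,cl"` so the concatenated string stays intact. The same wording is copied into the `read_drift_indicator_counts` docstring in src/falconpy/drift_indicators.py later in this patch, and both that file's `get_drift_indicators_by_date` summary and the `GetDriftIndicatorsValuesByDate` description here read "by the date. by default it's for 7 days.", which would be clearer as `Returns the count of Drift Indicators by date. By default it covers 7 days.`. The five filter lists also alternate between `cid,cloud_name` and `cid, cloud_name` spacing; one form for the whole file is easier to compare against the docstrings.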
@@ -0,0 +1,230 @@ +"""CrowdStrike Falcon Drift Indicators API interface class. + + _______ __ _______ __ __ __ +| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----. +|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__| +|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____| +|: 1 | |: 1 | +|::.. . | CROWDSTRIKE FALCON |::.. . | FalconPy +`-------' `-------' + +OAuth2 API - Customer SDK + +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to +""" +from typing import Dict, Union +from ._util import force_default, process_service_request, handle_single_argument +from ._service_class import ServiceClass +from ._endpoint._drift_indicators import _drift_indicators_endpoints as Endpoints + + +class DriftIndicators(ServiceClass): + """The only requirement to instantiate an instance of this class is one of the following. 
+ + - a valid client_id and client_secret provided as keywords. + - a credential dictionary with client_id and client_secret containing valid API credentials + { + "client_id": "CLIENT_ID_HERE", + "client_secret": "CLIENT_SECRET_HERE" + } + - a previously-authenticated instance of the authentication service class (oauth2.py) + - a valid token provided by the authentication service class (oauth2.py) + """ + + @force_default(defaults=["parameters"], default_types=["dict"]) + def get_drift_indicators_by_date(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Return the count of Drift Indicators by the date. by default it's for 7 days. + + Keyword arguments: + filter -- Filter drift indicators using a query in Falcon Query Language (FQL). String. + Supported filters: + cid namespace + cloud_name occurred_at + command_line parent_process_id + container_id pod_name + file_name prevented + file_sha256 scheduler_name + host_id severity + indicator_process_id worker_node_name + limit -- The upper-bound on the number of records to retrieve. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/drift-indicators/GetDriftIndicatorsValuesByDate + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="GetDriftIndicatorsValuesByDate", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_drift_indicator_counts(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Return the total count of Drift indicators over a time period. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. 
+ Supported filters: + cid namespace + cloud_name occurred_at + command_line parent_process_id + container_id pod_name + file_name prevented + file_sha256 scheduler_name + host_id severity + indicator_process_id worker_node_name + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/drift-indicators/ReadDriftIndicatorsCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadDriftIndicatorsCount", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def search_and_read_drift_indicators(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve Drift Indicators by the provided search criteria. + + Keyword arguments: + filter -- Filter Drift Indicators using a query in Falcon Query Language (FQL). String. + Supported filters: + cid namespace + cloud_name occurred_at + command_line parent_process_id + container_id pod_name + file_name prevented + file_sha256 scheduler_name + host_id severity + indicator_process_id worker_node_name + limit -- The upper-bound on the number of records to retrieve. Integer. + offset -- The offset from where to begin. Integer. + sort -- The fields to sort the records on. String. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/drift-indicators/SearchAndReadDriftIndicatorEntities + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="SearchAndReadDriftIndicatorEntities", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_drift_indicators(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve Drift Indicator entities identified by the provided IDs. + + Keyword arguments: + ids -- Search Drift Indicators by IDs. String or list of strings. [Max: 100] + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'ids'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/drift-indicators/ReadDriftIndicatorEntities + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadDriftIndicatorEntities", + keywords=kwargs, + params=handle_single_argument(args, parameters, "ids") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def search_drift_indicators(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve all drift indicators that match the given query. + + Keyword arguments: + filter -- Filter Drift Indicators using a query in Falcon Query Language (FQL). String. + Supported filters: + cid namespace + cloud_name occurred_at + command_line parent_process_id + container_id pod_name + file_name prevented + file_sha256 scheduler_name + host_id severity + indicator_process_id worker_node_name + limit -- The upper-bound on the number of records to retrieve. Integer. 
+ offset -- The offset from where to begin. Integer. + sort -- The fields to sort the records on. String. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/drift-indicators/SearchDriftIndicators + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="SearchDriftIndicators", + keywords=kwargs, + params=parameters + ) + + GetDriftIndicatorsValuesByDate = get_drift_indicators_by_date + ReadDriftIndicatorsCount = read_drift_indicator_counts + SearchAndReadDriftIndicatorEntities = search_and_read_drift_indicators + ReadDriftIndicatorEntities = read_drift_indicators + SearchDriftIndicators = search_drift_indicators diff --git a/tests/test_drift_indicators.py b/tests/test_drift_indicators.py new file mode 100644 index 000000000..b294e5d3b --- /dev/null +++ b/tests/test_drift_indicators.py 
@@ -0,0 +1,37 @@
+# test_drift_indicators.py
+# This class tests the drift indicators service class
+
+# import json
+import os
+import sys
+
+# Authentication via the test_authorization.py
+from tests import test_authorization as Authorization
+
+# Import our sibling src folder into the path
+sys.path.append(os.path.abspath('src'))
+# Classes to test - manually imported from sibling folder
+from falconpy import DriftIndicators
+
+auth = Authorization.TestAuthorization()
+config = auth.getConfigObject()
+falcon = DriftIndicators(auth_object=config)
+AllowedResponses = [200, 201, 207, 400, 404, 429]
+
+
+class TestDriftIndicators:
+ def test_all_code_paths(self):
+ error_checks = True
+ tests = {
+ "GetDriftIndicatorsValuesByDate": falcon.get_drift_indicators_by_date(filter="cid:'12345678901234567890123456789012'"),
+ "ReadDriftIndicatorsCount": falcon.read_drift_indicator_counts(filter="cid:'12345678901234567890123456789012'"),
+ "SearchAndReadDriftIndicatorEntities": falcon.search_and_read_drift_indicators(filter="cid:'12345678901234567890123456789012'"),
+ "ReadDriftIndicatorEntities": falcon.read_drift_indicators(ids="1234567890"),
+ "SearchDriftIndicators": falcon.search_drift_indicators(filter="cid:'12345678901234567890123456789012'"),
+ }
+ for key in tests:
+ if tests[key]["status_code"] not in AllowedResponses:
+ error_checks = False
+ # print(key)
+ # print(tests[key])
+ assert error_checks
From 46c8e0883930615aec3567ddc5dc99b6e076b328 Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Fri, 22 Dec 2023 12:30:13 -0500
Subject: [PATCH 31/37] Add new operations to Alerts service collection
---
 src/falconpy/_endpoint/_alerts.py | 186 +++++++++++++++-----
 src/falconpy/alerts.py | 272 ++++++++++++++++++++++++++++--
 tests/test_alerts.py | 52 +++++-
 3 files changed, 440 insertions(+), 70 deletions(-)
diff --git a/src/falconpy/_endpoint/_alerts.py b/src/falconpy/_endpoint/_alerts.py
index 592480b93..26f34656d 100644
--- a/src/falconpy/_endpoint/_alerts.py
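Review bot: When this test fails, the closing `assert error_checks` in `test_all_code_paths` reports nothing but a bare False, and the two `print` lines that would have named the offending operation are commented out. Collecting the failing keys keeps the same pass condition while making a failure actionable: `failed = [key for key, result in tests.items() if result["status_code"] not in AllowedResponses]` followed by `assert not failed, f"Unexpected status codes from: {failed}"`. Note also that 403 is absent from `AllowedResponses`, so credentials lacking the required read scope fail the test outright rather than being tolerated — presumably intentional, but a short comment on the list would record that decision.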
+++ b/src/falconpy/_endpoint/_alerts.py @@ -41,11 +41,26 @@ "PostAggregatesAlertsV1", "POST", "/alerts/aggregates/alerts/v1", - "retrieves aggregates for Alerts across all CIDs", + "retrieves aggregate values for Alerts across all CIDs", "alerts", [ { - "description": "request body takes a list of aggregation query requests", + "description": "request body takes a list of aggregate-alert query requests", + "name": "body", + "in": "body", + "required": True + } + ] + ], + [ + "PostAggregatesAlertsV2", + "POST", + "/alerts/aggregates/alerts/v2", + "retrieves aggregate values for Alerts across all CIDs", + "alerts", + [ + { + "description": "request body takes a list of aggregate-alert query requests", "name": "body", "in": "body", "required": True 
@@ -70,26 +85,36 @@ "PatchEntitiesAlertsV1", "PATCH", "/alerts/entities/alerts/v1", - "Perform actions on detections identified by detection ID(s) in request.\n" - "Each action has a name and a description which describes what the action does.\n\n" - "remove_tag - remove a tag from 1 or more detection(s)\n" - "assign_to_user_id - assign 1 or more detection(s) to a user identified by user id " - "(eg: user1@example.com)\nunassign - unassign an previously assigned user from 1 or " - "more detection(s). The value passed to this action is ignored.\nnew_behavior_processed " - "- adds a newly processed behavior to 1 or more detection(s)\nupdate_status - update " - "status for 1 or more detection(s)\nassign_to_uuid - assign 1 or more detection(s) to " - "a user identified by UUID\nadd_tag - add a tag to 1 or more detection(s)\n" - "remove_tags_by_prefix - remove tags with given prefix from 1 or more detection(s)\n" - "append_comment - appends new comment to existing comments\n" - "assign_to_name - assign 1 or more detection(s) to a user identified by user name\n" - "show_in_ui - shows 1 or more detection(s) on UI if set to true, hides otherwise. " - "an empty/nil value is also valid\nskip_side_effects - internal only command to skip " + "Perform actions on detections identified by detection ID(s) in request.\nEach action has a name and a " + "description which describes what the action does.\n\nremove_tag - remove a tag from 1 or more " + "detection(s)\nassign_to_user_id - assign 1 or more detection(s) to a user identified by user id (eg: " + "user1@example.com)\nunassign - unassign an previously assigned user from 1 or more detection(s). 
The value " + "passed to this action is ignored.\nnew_behavior_processed - adds a newly processed behavior to 1 or more " + "detection(s)\nupdate_status - update status for 1 or more detection(s)\nassign_to_uuid - assign 1 or more " + "detection(s) to a user identified by UUID\nadd_tag - add a tag to 1 or more " + "detection(s)\nremove_tags_by_prefix - remove tags with given prefix from 1 or more " + "detection(s)\nappend_comment - appends new comment to existing comments\nassign_to_name - assign 1 or more " + "detection(s) to a user identified by user name\nshow_in_ui - shows 1 or more detection(s) on UI if set to " + "true, hides otherwise. an empty/nil value is also valid\nskip_side_effects - internal only command to skip " "side effects during Beta phase\n", "alerts", [ { - "description": "request body takes a list of action parameter request that is applied " - "against all \"ids\" provided", + "description": "request body takes a list of action parameter request that is applied against all \"ids\" provided", + "name": "body", + "in": "body", + "required": True + } + ] + ], + [ + "PostEntitiesAlertsV2", + "POST", + "/alerts/entities/alerts/v2", + "retrieves all Alerts given their composite ids", + "alerts", + [ + { "name": "body", "in": "body", "required": True 
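Review bot: The new `PostEntitiesAlertsV2` entry's body parameter has no `"description"` key, whereas every sibling body parameter in this table (`PostAggregatesAlertsV2`, `PatchEntitiesAlertsV1`) carries one, so anything that renders documentation from this table will show a blank for it. Adding `"description": "request body takes a list of composite ids of the Alerts to retrieve",` ahead of `"name": "body"` keeps the table uniform; the wording is inferred from the operation summary `retrieves all Alerts given their composite ids`, so confirm it against the current swagger text.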
@@ -100,26 +125,30 @@ "PatchEntitiesAlertsV2", "PATCH", "/alerts/entities/alerts/v2", - "Perform actions on detections identified by detection ID(s) in request.\n" - "Each action has a name and a description which describes what the action does.\n\n" - "remove_tag - remove a tag from 1 or more detection(s)\n" - "assign_to_user_id - assign 1 or more detection(s) to a user identified by user id " - "(eg: user1@example.com)\nunassign - unassign an previously assigned user from 1 or " - "more detection(s). The value passed to this action is ignored.\nnew_behavior_processed " - "- adds a newly processed behavior to 1 or more detection(s)\nupdate_status - update " - "status for 1 or more detection(s)\nassign_to_uuid - assign 1 or more detection(s) to " - "a user identified by UUID\nadd_tag - add a tag to 1 or more detection(s)\n" - "remove_tags_by_prefix - remove tags with given prefix from 1 or more detection(s)\n" - "append_comment - appends new comment to existing comments\n" - "assign_to_name - assign 1 or more detection(s) to a user identified by user name\n" - "show_in_ui - shows 1 or more detection(s) on UI if set to true, hides otherwise. 
" - "an empty/nil value is also valid\nskip_side_effects - internal only command to skip " - "side effects during Beta phase\n", + "Perform actions on detections identified by detection ID(s) in request.\nEach action has a name and a " + "description which describes what the action does.\nIf a request adds and removes tag in a single request, the " + "order of processing would be to remove tags before adding new ones in.\n\n", + "alerts", + [ + { + "description": "request body takes a list of action parameter request that is applied against all \"ids\" provided", + "name": "body", + "in": "body", + "required": True + } + ] + ], + [ + "PatchEntitiesAlertsV3", + "PATCH", + "/alerts/entities/alerts/v3", + "Perform actions on detections identified by detection ID(s) in request.\nEach action has a name and a " + "description which describes what the action does.\nIf a request adds and removes tag in a single request, the " + "order of processing would be to remove tags before adding new ones in.\n\n", "alerts", [ { - "description": "request body takes a list of action parameter request that is applied " - "against all \"ids\" provided", + "description": "request body takes a list of action parameter request that is applied against all \"ids\" provided", "name": "body", "in": "body", "required": True 
@@ -135,8 +164,65 @@ [ { "type": "integer", - "description": "The first detection to return, where `0` is the latest detection. " - "Use with the `offset` parameter to manage pagination of results.", + "description": "The first detection to return, where `0` is the latest detection. Use with the " + "`offset` parameter to manage pagination of results.", + "name": "offset", + "in": "query" + }, + { + "maximum": 10000, + "minimum": 0, + "type": "integer", + "description": "The maximum number of detections to return in this response (default: 100; max: " + "10000). Use with the `offset` parameter to manage pagination of results.", + "name": "limit", + "in": "query" + }, + { + "type": "string", + "description": "Sort parameter takes the form . Direction can be either `asc` " + "(ascending) or `desc` (descending) order. For example: `status|asc` or `status|desc`.\n\nThe sorting fields " + "can be any keyword field that is part of #domain.Alert except for the text based fields. Most commonly used " + "fields are status, cid, aggregate_id, timestamp, created_timestamp, updated_timestamp, assigned_to_name, " + "assigned_to_uid, assigned_to_uuid, show_in_ui, tactic_id, tactic, technique, technique_id, pattern_id, " + "product, comment, tags\nIf the fields are missing from the Alerts, the service will fallback to its default " + "ordering ", + "name": "sort", + "in": "query" + }, + { + "type": "string", + "description": "Filter Alerts using a query in Falcon Query Language (FQL).Filter fields can be any " + "keyword field that is part of #domain.Alert \nAn asterisk wildcard `*` includes all results. 
\nEmpty value " + "means to not filter on anything.\nMost commonly used filter fields that supports exact match: cid, id, " + "aggregate_id, product, type, pattern_id, platform ...\nMost commonly used filter fields that supports wildcard " + " (*): assigned_to_name, assigned_to_uuid, tactic_id, technique ...\nMost commonly filter fields that supports " + "range comparisons (>, <, >=, <=): severity, created_timestamp, timestamp, updated_timestamp...\nAll filter " + "fields and operations support negation (!).\n\n\nThe full list of valid filter options is extensive. Review it " + " in our [documentation inside the Falcon console](https://falcon.crowdstrike.com/documentation/45/falcon-" + "query-language-fql).", + "name": "filter", + "in": "query" + }, + { + "type": "string", + "description": "Search all detection metadata for the provided string", + "name": "q", + "in": "query" + } + ] + ], + [ + "GetQueriesAlertsV2", + "GET", + "/alerts/queries/alerts/v2", + "retrieves all Alerts ids that match a given query", + "alerts", + [ + { + "type": "integer", + "description": "The first detection to return, where `0` is the latest detection. Use with the " + "`offset` parameter to manage pagination of results.", "name": "offset", "in": "query" }, 
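Review bot: The `sort` description added in this hunk reads `Sort parameter takes the form . Direction can be either ...`, so the token between `form` and the period was lost — presumably an angle-bracketed `<field|direction>` placeholder stripped when the swagger text was imported, given the `status|asc` example that follows. Restoring it as `Sort parameter takes the form field|direction. Direction can be ...` (without angle brackets, so the generated docs stay readable) repairs this entry, and the same truncated sentence recurs in the next hunk's modified `sort` description. The `filter` description in the same parameter list also runs `(FQL).Filter fields` together and needs a space after the period.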
@@ -144,24 +230,34 @@ "maximum": 10000, "minimum": 0, "type": "integer", - "description": "The maximum number of detections to return in this response (default: 100; " - "max: 10000). Use with the `offset` parameter to manage pagination of results.", + "description": "The maximum number of detections to return in this response (default: 100; max: " + "10000). Use with the `offset` parameter to manage pagination of results.", "name": "limit", "in": "query" }, { "type": "string", - "description": "Sort detections in either `asc` (ascending) or `desc` (descending) order. " - "For example: `status|asc` or `status|desc`.", + "description": "Sort parameter takes the form . Direction can be either `asc` " + "(ascending) or `desc` (descending) order. For example: `status|asc` or `status|desc`.\n\nThe sorting fields " + "can be any keyword field that is part of #domain.Alert except for the text based fields. Most commonly used " + "fields are status, cid, aggregate_id, timestamp, created_timestamp, updated_timestamp, assigned_to_name, " + "assigned_to_uid, assigned_to_uuid, show_in_ui, tactic_id, tactic, technique, technique_id, pattern_id, " + "product, comment, tags\nIf the fields are missing from the Alerts, the service will fallback to its default " + "ordering ", "name": "sort", "in": "query" }, { "type": "string", - "description": "Filter detections using a query in Falcon Query Language (FQL). " - "An asterisk wildcard `*` includes all results. \n\nThe full list of valid filter options " - "is extensive. Review it in our [documentation inside the Falcon console]" - "(https://falcon.crowdstrike.com/documentation/45/falcon-query-language-fql).", + "description": "Filter Alerts using a query in Falcon Query Language (FQL).Filter fields can be any " + "keyword field that is part of #domain.Alert \nAn asterisk wildcard `*` includes all results. 
\nEmpty value " + "means to not filter on anything.\nMost commonly used filter fields that supports exact match: cid, id, " + "aggregate_id, product, type, pattern_id, platform ...\nMost commonly used filter fields that supports wildcard " + " (*): assigned_to_name, assigned_to_uuid, tactic_id, technique ...\nMost commonly filter fields that supports " + "range comparisons (>, <, >=, <=): severity, created_timestamp, timestamp, updated_timestamp...\nAll filter " + "fields and operations support negation (!).\n\n\nThe full list of valid filter options is extensive. Review it " + " in our [documentation inside the Falcon console](https://falcon.crowdstrike.com/documentation/45/falcon-" + "query-language-fql).", "name": "filter", "in": "query" }, diff --git a/src/falconpy/alerts.py b/src/falconpy/alerts.py index 192307c8c..46ad936d7 100644 --- a/src/falconpy/alerts.py +++ b/src/falconpy/alerts.py @@ -58,7 +58,7 @@ class Alerts(ServiceClass): """ @force_default(defaults=["body"], default_types=["list"]) - def get_aggregate_alerts(self, body: list = None, **kwargs) -> Dict[str, Union[int, dict]]: + def get_aggregate_alerts_v1(self, body: list = None, **kwargs) -> Dict[str, Union[int, dict]]: """Retrieve aggregates for Alerts across all CIDs. Keyword arguments: 
@@ -141,6 +141,90 @@ def get_aggregate_alerts(self, body: list = None, **kwargs) -> Dict[str, Union[i body=body ) + @force_default(defaults=["body"], default_types=["list"]) + def get_aggregate_alerts_v2(self, body: list = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve aggregates for Alerts across all CIDs. + + Keyword arguments: + body -- full body payload, not required when using other keywords. + [ + { + "date_ranges": [ + { + "from": "string", + "to": "string" + } + ], + "exclude": "string", + "field": "string", + "filter": "string", + "from": 0, + "include": "string", + "interval": "string", + "max_doc_count": 0, + "min_doc_count": 0, + "missing": "string", + "name": "string", + "q": "string", + "ranges": [ + { + "From": 0, + "To": 0 + } + ], + "size": 0, + "sort": "string", + "sub_aggregates": [ + null + ], + "time_zone": "string", + "type": "string" + } + ] + date_ranges -- If peforming a date range query specify the from and to date ranges. + These can be in common date formats like 2019-07-18 or now. + List of dictionaries. + exclude -- Fields to exclude. String. + field -- Term you want to aggregate on. If doing a date_range query, + this is the date field you want to apply the date ranges to. String. + filter -- Optional filter criteria in the form of an FQL query. + For more information about FQL queries, see our FQL documentation in Falcon. + String. + from -- Integer. + include -- Fields to include. String. + interval -- String. + max_doc_count -- Maximum number of documents. Integer. + min_doc_count -- Minimum number of documents. Integer. + missing -- String. + name -- Scan name. String. + q -- FQL syntax. String. + ranges -- List of dictionaries. + size -- Integer. + sort -- FQL syntax. String. + sub_aggregates -- List of strings. + time_zone -- String. + type -- String. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. 
+ + HTTP Method: POST + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/Alerts/PostAggregatesAlertsV2 + """ + if not body: + # Similar to 664: Alerts aggregates expects a list + body = [aggregate_payload(submitted_keywords=kwargs)] + + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="PostAggregatesAlertsV2", + body=body + ) + # PatchEntitiesAlertsV1 has been **DECOMISSIONED** # @force_default(defaults=["body"], default_types=["dict"]) @@ -217,11 +301,11 @@ def get_aggregate_alerts(self, body: list = None, **kwargs) -> Dict[str, Union[i # ) @force_default(defaults=["body"], default_types=["dict"]) - def update_alerts(self, - *args, - body: Optional[Dict[str, List[Union[str, Dict[str, str]]]]] = None, - **kwargs - ) -> Dict[str, Union[int, dict]]: + def update_alerts_v2(self, + *args, + body: Optional[Dict[str, List[Union[str, Dict[str, str]]]]] = None, + **kwargs + ) -> Dict[str, Union[int, dict]]: """Perform actions on alerts identified by detection ID(s) in request. Keyword arguments: @@ -284,9 +368,6 @@ def update_alerts(self, _action_params: Optional[List[Union[str, Dict[str, str]]]] = kwargs.get("action_parameters", None) if _action_params: body["action_parameters"] = _action_params - # Getting this from mypy: - # src/falconpy/alerts.py:269: error: - # Unsupported target for indexed assignment ("Optional[Dict[str, List[Union[str, Dict[str, str]]]]]") return process_service_request( calling_object=self, endpoints=Endpoints, 
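Review bot: The comment `# Similar to 664: Alerts aggregates expects a list` in `get_aggregate_alerts_v2` carries an unexplained number — presumably a tracker issue copied from the V1 method — and the docstring is word-for-word the V1 docstring, so a reader cannot tell why this method exists or which version to prefer. Replace the comment with `# The aggregates endpoint takes a list of queries, so wrap the single generated payload (see issue #664).` and add one docstring line after the summary stating that this method targets `/alerts/aggregates/alerts/v2` and supersedes `get_aggregate_alerts_v1`. Otherwise the body mirrors V1, including building `body` only when the caller supplied none.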
@@ -295,7 +376,82 @@ def update_alerts(self, ) @force_default(defaults=["body"], default_types=["dict"]) - def get_alerts(self, *args, body: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + def update_alerts_v3(self, + *args, + body: Optional[Dict[str, List[Union[str, Dict[str, str]]]]] = None, + **kwargs + ) -> Dict[str, Union[int, dict]]: + """Perform actions on alerts identified by detection ID(s) in request. + + Keyword arguments: + action_parameters -- List of dictionaries containing action specific parameter settings. + add_tag -- add a tag to 1 or more alert(s). String. Overridden by action_parameters. + append_comment -- appends new comment to existing comments. String. + Overridden by action_parameters. + assign_to_name -- assign 1 or more alert(s) to a user identified by user name. String. + Overridden by action_parameters. + assign_to_user_id -- assign 1 or more alert(s) to a user identified by user id + (eg: user1@example.com). String. Overridden by action_parameters. + assign_to_uuid -- assign 1 or more alert(s) to a user identified by UUID. String. + Overridden by action_parameters. + body -- full body payload, not required when using other keywords. + { + "composite_ids": [ + "string" + ], + "action_parameters": [ + { + "name": "string", + "value": "string" + } + ] + } + composite_ids -- ID(s) of the alert to update. String or list of strings. + new_behavior_processed -- adds a newly processed behavior to 1 or more alert(s). String. + Overridden by action_parameters. + remove_tag -- remove a tag from 1 or more alert(s). String. + Overridden by action_parameters. + remove_tags_by_prefix -- remove tags with given prefix from 1 or more alert(s). String. + Overridden by action_parameters. + show_in_ui -- shows 1 or more alert(s) on UI if set to true, hides otherwise. + An empty/nil value is also valid. Overridden by action_parameters. + unassign -- unassign an previously assigned user from 1 or more alert(s). 
+ The value passed to this action is ignored. Overridden by action_parameters. + update_status -- update status for 1 or more alert(s). String. + Overridden by action_parameters. + + Arguments: When not specified, the first argument to this method is assumed to be 'ids'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: PATCH + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/Alerts/PatchEntitiesAlertsV3 + """ + if not body: + body = update_alerts_payload( + current_payload=generic_payload_list(submitted_arguments=args, + submitted_keywords=kwargs, + payload_value="composite_ids" + ), + passed_keywords=kwargs + ) + + # Passing action_parameters overrides other keywords + _action_params: Optional[List[Union[str, Dict[str, str]]]] = kwargs.get("action_parameters", None) + if _action_params: + body["action_parameters"] = _action_params + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="PatchEntitiesAlertsV3", + body=body + ) + + @force_default(defaults=["body"], default_types=["dict"]) + def get_alerts_v1(self, *args, body: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """Retrieve all Alerts given their IDs. Keyword arguments: 
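Review bot: The `update_alerts_v3` docstring says `Arguments: When not specified, the first argument to this method is assumed to be 'ids'.`, but the body is built with `payload_value="composite_ids"`, so the sentence should read `... is assumed to be 'composite_ids'.` to agree with both the payload and the `composite_ids` keyword documented above it. Related: callers migrating from `update_alerts_v2` will likely keep passing `ids=`; unless `generic_payload_list` (not visible here) maps `ids` onto `composite_ids`, such calls produce a body with no identifiers and the mistake surfaces only as an API 400 — worth a one-line docstring note or an explicit check before the request. The renamed `get_alerts_v1` at the end of this hunk continues beyond it.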
@@ -332,8 +488,46 @@ def get_alerts(self, *args, body: dict = None, **kwargs) -> Dict[str, Union[int, body_required=["ids"] if self.validate_payloads else None ) + @force_default(defaults=["body"], default_types=["dict"]) + def get_alerts_v2(self, *args, body: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve all Alerts given their IDs. + + Keyword arguments: + body -- full body payload, not required when ids keyword is provided. + { + "composite_ids": [ + "string" + ] + } + composite_ids -- ID(s) of the detections to retrieve. String or list of strings. + + Arguments: When not specified, the first argument to this method is assumed to be 'composite_ids'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: POST + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/Alerts/PostEntitiesAlertsV2 + """ + if not body: + body = generic_payload_list(submitted_arguments=args, + submitted_keywords=kwargs, + payload_value="composite_ids" + ) + + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="PostEntitiesAlertsV2", + body=body, + body_validator={"composite_ids": list} if self.validate_payloads else None, + body_required=["composite_ids"] if self.validate_payloads else None + ) + @force_default(defaults=["parameters"], default_types=["dict"]) - def query_alerts(self, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + def query_alerts_v1(self, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: """Search for detection IDs that match a given query. Keyword arguments: 
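Review bot: In `get_alerts_v2` the docstring line `body -- full body payload, not required when ids keyword is provided.` names the wrong keyword: the payload is built from `composite_ids` and `body_required` is `["composite_ids"]`, so a caller who passes only `ids` will presumably end up with a body the validator rejects. Change it to `body -- full body payload, not required when composite_ids keyword is provided.`; the `Arguments:` sentence in the same docstring already says `composite_ids`. The renamed `query_alerts_v1` at the end of this hunk continues outside it.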
@@ -368,14 +562,58 @@ def query_alerts(self, parameters: dict = None, **kwargs) -> Dict[str, Union[int params=parameters ) + @force_default(defaults=["parameters"], default_types=["dict"]) + def query_alerts_v2(self, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Search for detection IDs that match a given query. + + Keyword arguments: + filter -- The filter expression that should be used to limit the results. FQL syntax. + + For more detail regarding filtering options, please review: + https://falcon.crowdstrike.com/documentation/86/detections-monitoring-apis#find-detections + + limit -- The maximum number of detections to return in this response. + [Integer, default: 10000; max: 10000] + Use with the offset parameter to manage pagination of results. + offset -- The first detection to return, where 0 is the latest detection. + Use with the limit parameter to manage pagination of results. + parameters - full parameters payload, not required if using other keywords. + q -- Search all detection metadata for the provided string. + sort -- The property to sort by. FQL syntax (e.g. status|asc). + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. 
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/Alerts/GetQueriesAlertsV2
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="GetQueriesAlertsV2",
+ keywords=kwargs,
+ params=parameters
+ )
+
 # These method names align to the operation IDs in the API but
 # do not conform to snake_case / PEP8 and are defined here for
 # backwards compatibility / ease of use purposes
- PostAggregatesAlertsV1 = get_aggregate_alerts
- PatchEntitiesAlertsV2 = update_alerts
- PostEntitiesAlertsV1 = get_alerts
- GetQueriesAlertsV1 = query_alerts
+ PostAggregatesAlertsV1 = get_aggregate_alerts_v1
+ PostAggregatesAlertsV2 = get_aggregate_alerts_v2
+ get_aggregate_alerts = get_aggregate_alerts_v1
+ PatchEntitiesAlertsV2 = update_alerts_v2
+ update_alerts = update_alerts_v2
+ PatchEntitiesAlertsV3 = update_alerts_v3
+ PostEntitiesAlertsV1 = get_alerts_v1
+ PostEntitiesAlertsV2 = get_alerts_v2
+ get_alerts = get_alerts_v1
+ GetQueriesAlertsV1 = query_alerts_v1
+ GetQueriesAlertsV2 = query_alerts_v2
+ query_alerts = query_alerts_v1
 # PatchEntitiesAlertsV1 has been decommissioned. Redirect requests
 # to the newly defined PatchEntitiesAlertsV2 operation.
- update_alerts_v2 = update_alerts
- PatchEntitiesAlertsV1 = update_alerts
+ update_alerts = update_alerts_v2
+ PatchEntitiesAlertsV1 = update_alerts_v2
diff --git a/tests/test_alerts.py b/tests/test_alerts.py
index 563c27ab4..fc7ccd26f 100644
--- a/tests/test_alerts.py
+++ b/tests/test_alerts.py
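Review bot: The `query_alerts_v2` docstring documents `limit` as `[Integer, default: 10000; max: 10000]`, while the `GetQueriesAlertsV2` entry added to `_alerts.py` in this same patch describes it as `default: 100; max: 10000`; one of the two is wrong, and since the endpoint table is transcribed from the swagger, the docstring should presumably become `[Integer, default: 100; max: 10000]`. Separately, `update_alerts = update_alerts_v2` is assigned twice in the alias block — once in the main list and again under the `PatchEntitiesAlertsV1 has been decommissioned` comment — so one copy should go. That comment could also be updated to point readers at `PatchEntitiesAlertsV3`, which this patch introduces as the newest variant.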
@@ -48,14 +48,50 @@ def alerts_run_all_tests(self): time_zone="string", type="string" ), - "update_alerts": falcon.update_alerts(ids="12345678", - show_in_ui=False, - action_parameters=[{ - "show_in_ui": False - }] - ), - "get_alerts": falcon.get_alerts(ids="12345678"), - "query_alerts": falcon.query_alerts() + "aggregate_alerts_v2": falcon.get_aggregate_alerts_v2( + date_ranges=[ + { + "from": "string", + "to": "string" + } + ], + field="string", + filter="string", + interval="string", + min_doc_count=0, + missing="string", + name="string", + q="string", + ranges=[ + { + "From": 0, + "To": 0 + } + ], + size=0, + sort="string", + sub_aggregates=[ + "string" + ], + time_zone="string", + type="string" + ), + "update_alerts_v1": falcon.update_alerts_v2(ids="12345678", + show_in_ui=False, + action_parameters=[{ + "show_in_ui": False + }] + ), + "update_alerts_v2": falcon.update_alerts_v3(ids="12345678", + show_in_ui=False, + action_parameters=[{ + "show_in_ui": False + }] + ), + "get_alerts_v1": falcon.get_alerts_v1(ids="12345678"), + "get_alerts_v2": falcon.get_alerts_v2(ids="12345678"), + "query_alerts_v1": falcon.query_alerts_v1(), + "query_alerts_v2": falcon.query_alerts_v2() } for key in tests: From ae49b3b6a302cd66b5d4d8c1e59290fb2bdc378d Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Fri, 22 Dec 2023 14:33:24 -0500 Subject: [PATCH 32/37] Add new kubernetes operations --- .../_endpoint/_kubernetes_protection.py | 923 ++++++++++ src/falconpy/kubernetes_protection.py | 1523 +++++++++++++++++ tests/test_kubernetes_protection.py | 43 +- 3 files changed, 2488 insertions(+), 1 deletion(-) diff --git a/src/falconpy/_endpoint/_kubernetes_protection.py b/src/falconpy/_endpoint/_kubernetes_protection.py index 08c483a99..0ec5e2134 100644 --- a/src/falconpy/_endpoint/_kubernetes_protection.py +++ b/src/falconpy/_endpoint/_kubernetes_protection.py 
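Review bot: The test dictionary labels in `alerts_run_all_tests` are off by one version: `"update_alerts_v1"` calls `falcon.update_alerts_v2(...)` and `"update_alerts_v2"` calls `falcon.update_alerts_v3(...)`, which will mislead whoever reads a failure keyed by those names; rename them `"update_alerts_v2"` and `"update_alerts_v3"`. Also, both `update_alerts_v3` and `get_alerts_v2` are exercised with `ids="12345678"` although their payloads are keyed on `composite_ids`; unless the payload helper maps `ids` across, these calls send no identifiers and pass only because 400 is an accepted status, so use `composite_ids="12345678"` to exercise the intended path. The enclosing method continues outside the hunk.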
@@ -35,8 +35,931 @@ For more information, please refer to """ +# pylint: disable=C0302 _kubernetes_protection_endpoints = [ + [ + "ReadClustersByDateRangeCount", + "GET", + "/container-security/aggregates/clusters/count-by-date/v1", + "Retrieve clusters by date range counts", + "kubernetes_protection", + [] + ], + [ + "ReadClustersByKubernetesVersionCount", + "GET", + "/container-security/aggregates/clusters/count-by-kubernetes-version/v1", + "Bucket clusters by kubernetes version", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve count of Kubernetes clusters that match a query in Falcon Query Language " + "(FQL). Supported filters: access,agent_status,cid,cloud_account_id,cloud_name,cloud_region,cluster_id,cluster " + "_name,cluster_status,container_count,kubernetes_version,last_seen, management_status, node_count, pod_count, " + "tags", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadClustersByStatusCount", + "GET", + "/container-security/aggregates/clusters/count-by-status/v1", + "Bucket clusters by status", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve count of Kubernetes clusters that match a query in Falcon Query Language " + "(FQL). Supported filters: access,agent_status,cid,cloud_account_id,cloud_name,cloud_region,cluster_id,cluster " + "_name,cluster_status,container_count,kubernetes_version,last_seen, management_status, node_count, pod_count, " + "tags", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadClusterCount", + "GET", + "/container-security/aggregates/clusters/count/v1", + "Retrieve cluster counts", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve count of Kubernetes clusters that match a query in Falcon Query Language " + "(FQL). 
Supported filters: access,agent_status,cid,cloud_account_id,cloud_name,cloud_region,cluster_id,cluster " + "_name,cluster_status,container_count,kubernetes_version,last_seen, management_status, node_count, pod_count, " + "tags", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadContainersByDateRangeCount", + "GET", + "/container-security/aggregates/containers/count-by-date/v1", + "Retrieve containers by date range counts", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Get container counts using a query in Falcon Query Language (FQL). Supported filters: " + " agent_id,agent_type,allow_privilege_escalation,cid,cloud_account_id,cloud_name,cloud_region,cluster_id,clust " + "er_name,container_id,container_name,cve_id,detection_name,first_seen,image_detection_count,image_digest,image_" + "has_been_assessed,image_id,image_registry,image_repository,image_tag,image_vulnerability_count,insecure_mount_" + "source,insecure_mount_type,insecure_propagation_mode,interactive_mode,ipv4,ipv6,labels,last_seen,namespace,nod " + "e_name,node_uid,package_name_version,pod_id,pod_name,port,privileged,root_write_access,run_as_root_group,run_a " + "s_root_user,running_status", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadContainerCountByRegistry", + "GET", + "/container-security/aggregates/containers/count-by-registry/v1", + "Retrieve top container image registries", + "kubernetes_protection", + [ + { + "type": "boolean", + "description": "(true/false) whether to return registries under assessment or not under assessment. 
If " + "not provided all registries are considered", + "name": "under_assessment", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + } + ] + ], + [ + "FindContainersCountAffectedByZeroDayVulnerabilities", + "GET", + "/container-security/aggregates/containers/count-by-zero-day/v1", + "Retrieve containers count affected by zero day vulnerabilities", + "kubernetes_protection", + [] + ], + [ + "ReadVulnerableContainerImageCount", + "GET", + "/container-security/aggregates/containers/count-vulnerable-images/v1", + "Retrieve count of vulnerable images running on containers", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve count of Kubernetes containers that match a query in Falcon Query Language " + "(FQL). Supported filters: agent_id,agent_type,allow_privilege_escalation,cid,cloud_account_id,cloud_name,clou " + "d_region,cluster_id,cluster_name,container_id,container_name,cve_id,detection_name,first_seen,image_detection_" + "count,image_digest,image_has_been_assessed,image_id,image_registry,image_repository,image_tag,image_vulnerabil " + "ity_count,insecure_mount_source,insecure_mount_type,insecure_propagation_mode,interactive_mode,ipv4,ipv6,label " + "s,last_seen,namespace,node_name,node_uid,package_name_version,pod_id,pod_name,port,privileged,root_write_acces " + "s,run_as_root_group,run_as_root_user,running_status", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadContainerCount", + "GET", + "/container-security/aggregates/containers/count/v1", + "Retrieve container counts", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve count of Kubernetes containers that match a query in Falcon Query Language " + "(FQL). 
Supported filters: agent_id,agent_type,allow_privilege_escalation,cid,cloud_account_id,cloud_name,clou " + "d_region,cluster_id,cluster_name,container_id,container_name,cve_id,detection_name,first_seen,image_detection_" + "count,image_digest,image_has_been_assessed,image_id,image_registry,image_repository,image_tag,image_vulnerabil " + "ity_count,insecure_mount_source,insecure_mount_type,insecure_propagation_mode,interactive_mode,ipv4,ipv6,label " + "s,last_seen,namespace,node_name,node_uid,package_name_version,pod_id,pod_name,port,privileged,root_write_acces " + "s,run_as_root_group,run_as_root_user,running_status", + "name": "filter", + "in": "query" + } + ] + ], + [ + "FindContainersByContainerRunTimeVersion", + "GET", + "/container-security/aggregates/containers/find-by-runtimeversion/v1", + "Retrieve containers by container_runtime_version", + "kubernetes_protection", + [ + { + "type": "integer", + "description": "The upper-bound on the number of container records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "It is used to get the offset", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "Field to sort results by", + "name": "sort", + "in": "query" + }, + { + "type": "string", + "description": "Retrieve count of Kubernetes containers that match a query in Falcon Query Language " + "(FQL). 
Supported filters: agent_id,agent_type,allow_privilege_escalation,cid,cloud_account_id,cloud_name,clou " + "d_region,cluster_id,cluster_name,container_id,container_name,cve_id,detection_name,first_seen,image_detection_" + "count,image_digest,image_has_been_assessed,image_id,image_registry,image_repository,image_tag,image_vulnerabil " + "ity_count,insecure_mount_source,insecure_mount_type,insecure_propagation_mode,interactive_mode,ipv4,ipv6,label " + "s,last_seen,namespace,node_name,node_uid,package_name_version,pod_id,pod_name,port,privileged,root_write_acces " + "s,run_as_root_group,run_as_root_user,running_status", + "name": "filter", + "in": "query" + } + ] + ], + [ + "GroupContainersByManaged", + "GET", + "/container-security/aggregates/containers/group-by-managed/v1", + "Group the containers by Managed", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve count of Kubernetes containers that match a query in Falcon Query Language " + "(FQL). Supported filters: agent_id,allow_privilege_escalation,cid,cloud_account_id,cloud_name,cloud_region,cl " + "uster_id,cluster_name,container_id,container_name,cve_id,detection_name,first_seen,image_detection_count,image " + "_digest,image_has_been_assessed,image_id,image_registry,image_repository,image_tag,image_vulnerability_count,i " + "nsecure_mount_source,insecure_mount_type,insecure_propagation_mode,interactive_mode,ipv4,ipv6,labels,last_seen " + ",namespace,node_name,node_uid,pod_id,pod_name,port,privileged,root_write_access,run_as_root_group,run_as_root_" + "user,running_status", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadContainerImageDetectionsCountByDate", + "GET", + "/container-security/aggregates/containers/image-detections-count-by-date/v1", + "Retrieve count of image assessment detections on running containers over a period of time", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve count of Kubernetes containers that match a query 
in Falcon Query Language " + "(FQL). Supported filters: agent_id,agent_type,allow_privilege_escalation,cid,cloud_account_id,cloud_name,clou " + "d_region,cluster_id,cluster_name,container_id,container_name,cve_id,detection_name,first_seen,image_detection_" + "count,image_digest,image_has_been_assessed,image_id,image_registry,image_repository,image_tag,image_vulnerabil " + "ity_count,insecure_mount_source,insecure_mount_type,insecure_propagation_mode,interactive_mode,ipv4,ipv6,label " + "s,last_seen,namespace,node_name,node_uid,package_name_version,pod_id,pod_name,port,privileged,root_write_acces " + "s,run_as_root_group,run_as_root_user,running_status", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadContainerImagesByState", + "GET", + "/container-security/aggregates/containers/images-by-state/v1", + "Retrieve count of image states running on containers", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Filter using a query in Falcon Query Language (FQL). Supported filters: cid", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadContainersSensorCoverage", + "GET", + "/container-security/aggregates/containers/sensor-coverage/v1", + "Bucket containers by agent type and calculate sensor coverage", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve count of Kubernetes containers that match a query in Falcon Query Language " + "(FQL). 
Supported filters: agent_id,agent_type,allow_privilege_escalation,cid,cloud_account_id,cloud_name,clou " + "d_region,cluster_id,cluster_name,container_id,container_name,cve_id,detection_name,first_seen,image_detection_" + "count,image_digest,image_has_been_assessed,image_id,image_registry,image_repository,image_tag,image_vulnerabil " + "ity_count,insecure_mount_source,insecure_mount_type,insecure_propagation_mode,interactive_mode,ipv4,ipv6,label " + "s,last_seen,namespace,node_name,node_uid,package_name_version,pod_id,pod_name,port,privileged,root_write_acces " + "s,run_as_root_group,run_as_root_user,running_status", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadContainerVulnerabilitiesBySeverityCount", + "GET", + "/container-security/aggregates/containers/vulnerability-count-by-severity/v1", + "Retrieve container vulnerabilities by severity counts", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Get vulnerabilities count by severity for container using a query in Falcon Query " + "Language (FQL). 
Supported filters: agent_id,agent_type,allow_privilege_escalation,cid,cloud_account_id,cloud_" + "name,cloud_region,cluster_id,cluster_name,container_id,container_name,cve_id,detection_name,first_seen,image_d " + "etection_count,image_digest,image_has_been_assessed,image_id,image_registry,image_repository,image_tag,image_v " + "ulnerability_count,insecure_mount_source,insecure_mount_type,insecure_propagation_mode,interactive_mode,ipv4,i " + "pv6,labels,last_seen,namespace,node_name,node_uid,package_name_version,pod_id,pod_name,port,privileged,root_wr " + "ite_access,run_as_root_group,run_as_root_user,running_status", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadDeploymentsByDateRangeCount", + "GET", + "/container-security/aggregates/deployments/count-by-date/v1", + "Retrieve deployments by date range counts", + "kubernetes_protection", + [] + ], + [ + "ReadDeploymentCount", + "GET", + "/container-security/aggregates/deployments/count/v1", + "Retrieve deployment counts", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve count of Kubernetes deployments that match a query in Falcon Query Language " + "(FQL). 
Supported filters: annotations_list,cid,cloud_account_id,cloud_name,cloud_region,cluster_id,cluster_na " + "me,deployment_id,deployment_name,first_seen,last_seen,namespace,pod_count", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadClusterEnrichment", + "GET", + "/container-security/aggregates/enrichment/clusters/entities/v1", + "Retrieve cluster enrichment data", + "kubernetes_protection", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "csv", + "description": "One or more cluster ids for which to retrieve enrichment info", + "name": "cluster_id", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "Supported filters: last_seen", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadContainerEnrichment", + "GET", + "/container-security/aggregates/enrichment/containers/entities/v1", + "Retrieve container enrichment data", + "kubernetes_protection", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "csv", + "description": "One or more container ids for which to retrieve enrichment info", + "name": "container_id", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "Supported filters: last_seen", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadDeploymentEnrichment", + "GET", + "/container-security/aggregates/enrichment/deployments/entities/v1", + "Retrieve deployment enrichment data", + "kubernetes_protection", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "csv", + "description": "One or more deployment ids for which to retrieve enrichment info", + "name": "deployment_id", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "Supported filters: last_seen", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadNodeEnrichment", + "GET", + "/container-security/aggregates/enrichment/nodes/entities/v1", + "Retrieve node enrichment data", 
+ "kubernetes_protection", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "csv", + "description": "One or more node names for which to retrieve enrichment info", + "name": "node_name", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "Supported filters: last_seen", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadPodEnrichment", + "GET", + "/container-security/aggregates/enrichment/pods/entities/v1", + "Retrieve pod enrichment data", + "kubernetes_protection", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "csv", + "description": "One or more pod ids for which to retrieve enrichment info", + "name": "pod_id", + "in": "query", + "required": True + }, + { + "type": "string", + "description": "Supported filters: last_seen", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadDistinctContainerImageCount", + "GET", + "/container-security/aggregates/images/count-by-distinct/v1", + "Retrieve count of distinct images running on containers", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Search Kubernetes containers using a query in Falcon Query Language (FQL). 
Supported " + "filters: agent_id,agent_type,allow_privilege_escalation,cid,cloud_account_id,cloud_name,cloud_region,cluster_" + "id,cluster_name,container_id,container_name,cve_id,detection_name,first_seen,image_detection_count,image_diges " + "t,image_has_been_assessed,image_id,image_registry,image_repository,image_tag,image_vulnerability_count,insecur " + "e_mount_source,insecure_mount_type,insecure_propagation_mode,interactive_mode,ipv4,ipv6,labels,last_seen,names " + "pace,node_name,node_uid,package_name_version,pod_id,pod_name,port,privileged,root_write_access,run_as_root_gro " + "up,run_as_root_user,running_status", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadContainerImagesByMostUsed", + "GET", + "/container-security/aggregates/images/most-used/v1", + "Bucket container by image-digest", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve count of Kubernetes containers that match a query in Falcon Query Language " + "(FQL). Supported filters: agent_id,agent_type,allow_privilege_escalation,cid,cloud_account_id,cloud_name,clou " + "d_region,cluster_id,cluster_name,container_id,container_name,cve_id,detection_name,first_seen,image_detection_" + "count,image_digest,image_has_been_assessed,image_id,image_registry,image_repository,image_tag,image_vulnerabil " + "ity_count,insecure_mount_source,insecure_mount_type,insecure_propagation_mode,interactive_mode,ipv4,ipv6,label " + "s,last_seen,namespace,node_name,node_uid,package_name_version,pod_id,pod_name,port,privileged,root_write_acces " + "s,run_as_root_group,run_as_root_user,running_status", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadKubernetesIomByDateRange", + "GET", + "/container-security/aggregates/kubernetes-ioms/count-by-date/v1", + "Returns the count of Kubernetes IOMs by the date. by default it's for 7 days.", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). 
Supported filters: " + "cid,created_timestamp,detect_timestamp,severity", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadKubernetesIomCount", + "GET", + "/container-security/aggregates/kubernetes-ioms/count/v1", + "Returns the total count of Kubernetes IOMs over the past seven days", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Filter images using a query in Falcon Query Language (FQL). Supported filters: " + "cid,created_timestamp,detect_timestamp,severity", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadNodesByCloudCount", + "GET", + "/container-security/aggregates/nodes/count-by-cloud/v1", + "Bucket nodes by cloud providers", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Search Kubernetes nodes using a query in Falcon Query Language (FQL). Supported " + "filters: aid,annotations_list,cid,cloud_account_id,cloud_name,cloud_region,cluster_id,cluster_name,container_" + "count,container_runtime_version,first_seen,image_digest,ipv4,last_seen,node_name,pod_count", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadNodesByContainerEngineVersionCount", + "GET", + "/container-security/aggregates/nodes/count-by-container-engine-version/v1", + "Bucket nodes by their container engine version", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Search Kubernetes nodes using a query in Falcon Query Language (FQL). Supported " + "filters: aid,annotations_list,cid,cloud_account_id,cloud_name,cloud_region,cluster_id,cluster_name,container_" + "count,container_runtime_version,first_seen,image_digest,ipv4,last_seen,node_name,pod_count", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadNodesByDateRangeCount", + "GET", + "/container-security/aggregates/nodes/count-by-date/v1", + "Retrieve nodes by date range counts", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Search Kubernetes nodes using a query in Falcon Query Language (FQL). 
Supported " + "filters: aid,annotations_list,cid,cloud_account_id,cloud_name,cloud_region,cluster_id,cluster_name,container_" + "count,container_runtime_version,first_seen,image_digest,ipv4,last_seen,node_name,pod_count", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadNodeCount", + "GET", + "/container-security/aggregates/nodes/count/v1", + "Retrieve node counts", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve count of Kubernetes nodes that match a query in Falcon Query Language (FQL). " + "Supported filters: aid,annotations_list,cid,cloud_account_id,cloud_name,cloud_region,cluster_id,cluster_name, " + "container_count,container_runtime_version,first_seen,image_digest,ipv4,last_seen,node_name,pod_count", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadPodsByDateRangeCount", + "GET", + "/container-security/aggregates/pods/count-by-date/v1", + "Retrieve pods by date range counts", + "kubernetes_protection", + [] + ], + [ + "ReadPodCount", + "GET", + "/container-security/aggregates/pods/count/v1", + "Retrieve pod counts", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve count of Kubernetes pods that match a query in Falcon Query Language (FQL). " + "Supported filters: agent_id,agent_type,allow_privilege_escalation,annotations_list,cid,cloud_account_id,cloud " + "_name,cloud_region,cluster_id,cluster_name,container_count,ipv4,ipv6,labels,last_seen,namespace,node_name,node " + "_uid,owner_id,owner_type,pod_id,pod_name,port,privileged,root_write_access, run_as_root_group, " + "run_as_root_user", + "name": "filter", + "in": "query" + } + ] + ], + [ + "ReadClusterCombined", + "GET", + "/container-security/combined/clusters/v1", + "Retrieve kubernetes clusters identified by the provided filter criteria", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Search Kubernetes clusters using a query in Falcon Query Language (FQL). 
Supported " + "filters: access,agent_status,cid,cloud_account_id,cloud_name,cloud_region,cluster_id,cluster_name,cluster_sta " + "tus,container_count,kubernetes_version,last_seen, management_status, node_count, pod_count, tags", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "Field to sort results by", + "name": "sort", + "in": "query" + } + ] + ], + [ + "ReadRunningContainerImages", + "GET", + "/container-security/combined/container-images/v1", + "Retrieve images on running containers", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Retrieve list of images on running containers using a query in Falcon Query Language " + "(FQL). Supported filters: cid,hosts,image_digest,image_has_been_assessed,image_id,image_name,image_registry,i " + "mage_repository,image_tag,last_seen,running_status", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "Field to sort results by", + "name": "sort", + "in": "query" + } + ] + ], + [ + "ReadContainerCombined", + "GET", + "/container-security/combined/containers/v1", + "Retrieve containers identified by the provided filter criteria", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Search Kubernetes containers using a query in Falcon Query Language (FQL). 
Supported " + "filters: agent_id,agent_type,allow_privilege_escalation,cid,cloud_account_id,cloud_name,cloud_region,cluster_" + "id,cluster_name,container_id,container_name,cve_id,detection_name,first_seen,image_detection_count,image_diges " + "t,image_has_been_assessed,image_id,image_registry,image_repository,image_tag,image_vulnerability_count,insecur " + "e_mount_source,insecure_mount_type,insecure_propagation_mode,interactive_mode,ipv4,ipv6,labels,last_seen,names " + "pace,node_name,node_uid,package_name_version,pod_id,pod_name,port,privileged,root_write_access,run_as_root_gro " + "up,run_as_root_user,running_status", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "Field to sort results by", + "name": "sort", + "in": "query" + } + ] + ], + [ + "ReadDeploymentCombined", + "GET", + "/container-security/combined/deployments/v1", + "Retrieve kubernetes deployments identified by the provided filter criteria", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Search Kubernetes deployments using a query in Falcon Query Language (FQL). 
Supported " + "filters: annotations_list,cid,cloud_account_id,cloud_name,cloud_region,cluster_id,cluster_name,deployment_id, " + "deployment_name,first_seen,last_seen,namespace,pod_count", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "Field to sort results by", + "name": "sort", + "in": "query" + } + ] + ], + [ + "SearchAndReadKubernetesIomEntities", + "GET", + "/container-security/combined/kubernetes-ioms/v1", + "Search Kubernetes IOM by the provided search criteria", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Search Kubernetes IOMs using a query in Falcon Query Language (FQL). Supported " + "filters: cid,cis_id,cluster_id,cluster_name,containers_impacted_count,containers_impacted_ids,detection_type, " + "name,namespace,resource_id,resource_name,resource_type,severity", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on.", + "name": "sort", + "in": "query" + } + ] + ], + [ + "ReadNodeCombined", + "GET", + "/container-security/combined/nodes/v1", + "Retrieve kubernetes nodes identified by the provided filter criteria", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Search Kubernetes nodes using a query in Falcon Query Language (FQL). 
Supported " + "filters: aid,annotations_list,cid,cloud_account_id,cloud_name,cloud_region,cluster_id,cluster_name,container_" + "count,container_runtime_version,first_seen,image_digest,ipv4,last_seen,node_name,pod_count", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "Field to sort results by", + "name": "sort", + "in": "query" + } + ] + ], + [ + "ReadPodCombined", + "GET", + "/container-security/combined/pods/v1", + "Retrieve kubernetes pods identified by the provided filter criteria", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Search Kubernetes pods using a query in Falcon Query Language (FQL). Supported " + "filters: agent_id,agent_type,allow_privilege_escalation,annotations_list,cid,cloud_account_id,cloud_name,clou " + "d_region,cluster_id,cluster_name,container_count,ipv4,ipv6,labels,last_seen,namespace,node_name,node_uid,owner " + "_id,owner_type,pod_id,pod_name,port,privileged,root_write_access, run_as_root_group, run_as_root_user", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "Field to sort results by", + "name": "sort", + "in": "query" + } + ] + ], + [ + "ReadKubernetesIomEntities", + "GET", + "/container-security/entities/kubernetes-ioms/v1", + "Retrieve Kubernetes IOM entities identified by the provided IDs", + "kubernetes_protection", + [ + { + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "csv", + "description": 
"Search Kubernetes IOMs by ids - The maximum amount is 100 IDs", + "name": "ids", + "in": "query" + } + ] + ], + [ + "SearchKubernetesIoms", + "GET", + "/container-security/queries/kubernetes-ioms/v1", + "Search Kubernetes IOMs by the provided search criteria. this endpoint returns a list of Kubernetes IOM " + "UUIDs matching the query", + "kubernetes_protection", + [ + { + "type": "string", + "description": "Search Kubernetes IOMs using a query in Falcon Query Language (FQL). Supported " + "filters: cid,cis_id,cluster_id,cluster_name,containers_impacted_count,containers_impacted_ids,detection_type, " + "name,namespace,resource_id,resource_name,resource_type,severity", + "name": "filter", + "in": "query" + }, + { + "type": "integer", + "description": "The upper-bound on the number of records to retrieve.", + "name": "limit", + "in": "query" + }, + { + "type": "integer", + "description": "The offset from where to begin.", + "name": "offset", + "in": "query" + }, + { + "type": "string", + "description": "The fields to sort the records on.", + "name": "sort", + "in": "query" + } + ] + ], [ "GetAWSAccountsMixin0", "GET", diff --git a/src/falconpy/kubernetes_protection.py b/src/falconpy/kubernetes_protection.py index b988db280..d8df822ee 100644 --- a/src/falconpy/kubernetes_protection.py +++ b/src/falconpy/kubernetes_protection.py @@ -35,6 +35,7 @@ For more information, please refer to """ +# pylint: disable=C0302, R0904 from typing import Dict, Union from ._util import process_service_request, force_default, handle_single_argument from ._service_class import ServiceClass 
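Review bot: Several `filter` descriptions are built from adjacent string literals split mid-identifier with a trailing space before the break, so the concatenated text that reaches generated docs and help output reads `cluster _name`, `clust er_name`, `image_vulnerabil ity_count` and `label s` (e.g. in `ReadClustersByKubernetesVersionCount`, `ReadContainersByDateRangeCount` and `ReadVulnerableContainerImageCount`), which misstates the supported FQL field names. Break the literals only at commas instead, e.g. `"...cloud_region,cluster_id," "cluster_name,cluster_status,container_count,..."`. Separately, the `ids` parameter of `ReadKubernetesIomEntities` carries no `"required": True` while the id parameters of the enrichment endpoints in the same hunk do; if the API rejects a missing `ids` this looks like an omission worth confirming against the spec. The `ReadKubernetesIomByDateRange` and `ReadKubernetesIomCount` descriptions also say "Filter images" although the endpoints aggregate IOMs.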
@@ -54,6 +55,1487 @@ class KubernetesProtection(ServiceClass): - a valid token provided by the authentication service class (OAuth2.token()) """ + def read_clusters_by_date_range(self: object) -> Dict[str, Union[int, dict]]: + """Retrieve clusters by date range counts. + + Keyword arguments: + This method does not accept keyword arguments. + + This method does not accept arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadClustersByDateRangeCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadClustersByDateRangeCount" + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_clusters_by_version(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Bucket clusters by kubernetes version. + + Keyword arguments: + filter -- Retrieve count of Kubernetes clusters that match a query in Falcon Query Language (FQL). String. + Supported filters: + access cluster_status + agent_status container_count + cid kubernetes_version + cloud_account_id last_seen + cloud_name management_status + cloud_region node_count + cluster_id pod_count + cluster_name tags + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /kubernetes-protection/ReadClustersByKubernetesVersionCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadClustersByKubernetesVersionCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_clusters_by_status(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Bucket clusters by status. + + Keyword arguments: + filter -- Retrieve count of Kubernetes clusters that match a query in Falcon Query Language (FQL). String. + Supported filters: + access cluster_status + agent_status container_count + cid kubernetes_version + cloud_account_id last_seen + cloud_name management_status + cloud_region node_count + cluster_id pod_count + cluster_name tags + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadClustersByStatusCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadClustersByStatusCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_cluster_count(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve cluster counts. + + Keyword arguments: + filter -- Retrieve count of Kubernetes clusters that match a query in Falcon Query Language (FQL). String. 
+ Supported filters: + access cluster_status + agent_status container_count + cid kubernetes_version + cloud_account_id last_seen + cloud_name management_status + cloud_region node_count + cluster_id pod_count + cluster_name tags + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadClusterCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadClusterCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_containers_by_date_range(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve containers by date range counts. + + Keyword arguments: + filter -- Get container counts using a query in Falcon Query Language (FQL). String. + Supported filters: + agent_id image_vulnerability_count + agent_type insecure_mount_source + allow_privilege_escalation insecure_mount_type + cid insecure_propagation_mode + cloud_account_id interactive_mode + cloud_name ipv4 + cloud_region ipv6 + cluster_id labels + cluster_name last_seen + container_id namespace + container_name node_name + cve_id node_uid + detection_name package_name_version + first_seen pod_id + image_detection_count pod_name + image_digest port + image_has_been_assessed privileged + image_id root_write_access + image_registry run_as_root_group + image_repository run_as_root_user + image_tag running_status + parameters -- Full parameters payload dictionary. Not required if using other keywords. 
+ + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadContainersByDateRangeCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadContainersByDateRangeCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_containers_by_registry(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve top container image registries. + + Keyword arguments: + under_assessment -- Flag indicating whether to return registries under assessment or not under assessment. + If not provided all registries are considered. Boolean. Defaults to False. + limit -- The upper-bound on the number of records to retrieve. Integer. + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadContainerCountByRegistry + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadContainerCountByRegistry", + keywords=kwargs, + params=parameters + ) + + def read_zero_day_affected_counts(self: object) -> Dict[str, Union[int, dict]]: + """Retrieve containers count affected by zero day vulnerabilities. + + Keyword arguments: + This method does not accept keyword arguments. + + This method does not accept arguments. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /kubernetes-protection/FindContainersCountAffectedByZeroDayVulnerabilities + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="FindContainersCountAffectedByZeroDayVulnerabilities" + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_vulnerable_container_count(self: object, + *args, + parameters: dict = None, + **kwargs + ) -> Dict[str, Union[int, dict]]: + """Retrieve count of vulnerable images running on containers. + + Keyword arguments: + filter -- Retrieve count of Kubernetes containers that match a query in Falcon Query Language (FQL). String. + Supported filters: + agent_id image_vulnerability_count + agent_type insecure_mount_source + allow_privilege_escalation insecure_mount_type + cid insecure_propagation_mode + cloud_account_id interactive_mode + cloud_name ipv4 + cloud_region ipv6 + cluster_id labels + cluster_name last_seen + container_id namespace + container_name node_name + cve_id node_uid + detection_name package_name_version + first_seen pod_id + image_detection_count pod_name + image_digest port + image_has_been_assessed privileged + image_id root_write_access + image_registry run_as_root_group + image_repository run_as_root_user + image_tag running_status + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /kubernetes-protection/ReadVulnerableContainerImageCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadVulnerableContainerImageCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_container_counts(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve container counts. + + Keyword arguments: + filter -- Retrieve count of Kubernetes containers that match a query in Falcon Query Language (FQL). String. + Supported filters: + agent_id image_vulnerability_count + agent_type insecure_mount_source + allow_privilege_escalation insecure_mount_type + cid insecure_propagation_mode + cloud_account_id interactive_mode + cloud_name ipv4 + cloud_region ipv6 + cluster_id labels + cluster_name last_seen + container_id namespace + container_name node_name + cve_id node_uid + detection_name package_name_version + first_seen pod_id + image_detection_count pod_name + image_digest port + image_has_been_assessed privileged + image_id root_write_access + image_registry run_as_root_group + image_repository run_as_root_user + image_tag running_status + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadContainerCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadContainerCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def find_containers_by_runtime_version(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve containers by container_runtime_version. + + Keyword arguments: + limit -- The upper-bound on the number of container records to retrieve. + offset -- It is used to get the offset + sort -- Field to sort results by + filter -- Retrieve count of Kubernetes containers that match a query in Falcon Query Language (FQL). String. + Supported filters: + agent_id image_vulnerability_count + agent_type insecure_mount_source + allow_privilege_escalation insecure_mount_type + cid insecure_propagation_mode + cloud_account_id interactive_mode + cloud_name ipv4 + cloud_region ipv6 + cluster_id labels + cluster_name last_seen + container_id namespace + container_name node_name + cve_id node_uid + detection_name package_name_version + first_seen pod_id + image_detection_count pod_name + image_digest port + image_has_been_assessed privileged + image_id root_write_access + image_registry run_as_root_group + image_repository run_as_root_user + image_tag running_status + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/FindContainersByContainerRunTimeVersion + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="FindContainersByContainerRunTimeVersion", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def group_managed_containers(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Group the containers by Managed. + + Keyword arguments: + filter -- Retrieve count of Kubernetes containers that match a query in Falcon Query Language (FQL). String. + Supported filters: + agent_id image_vulnerability_count + agent_type insecure_mount_source + allow_privilege_escalation insecure_mount_type + cid insecure_propagation_mode + cloud_account_id interactive_mode + cloud_name ipv4 + cloud_region ipv6 + cluster_id labels + cluster_name last_seen + container_id namespace + container_name node_name + cve_id node_uid + detection_name package_name_version + first_seen pod_id + image_detection_count pod_name + image_digest port + image_has_been_assessed privileged + image_id root_write_access + image_registry run_as_root_group + image_repository run_as_root_user + image_tag running_status + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/GroupContainersByManaged + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="GroupContainersByManaged", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_detections_count_by_date(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve count of image assessment detections on running containers over a period of time. + + Keyword arguments: + filter -- Retrieve count of Kubernetes containers that match a query in Falcon Query Language (FQL). String. + Supported filters: + agent_id image_vulnerability_count + agent_type insecure_mount_source + allow_privilege_escalation insecure_mount_type + cid insecure_propagation_mode + cloud_account_id interactive_mode + cloud_name ipv4 + cloud_region ipv6 + cluster_id labels + cluster_name last_seen + container_id namespace + container_name node_name + cve_id node_uid + detection_name package_name_version + first_seen pod_id + image_detection_count pod_name + image_digest port + image_has_been_assessed privileged + image_id root_write_access + image_registry run_as_root_group + image_repository run_as_root_user + image_tag running_status + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /kubernetes-protection/ReadContainerImageDetectionsCountByDate + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadContainerImageDetectionsCountByDate", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_images_by_state(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve count of image states running on containers. + + Keyword arguments: + filter -- Filter using a query in Falcon Query Language (FQL). String. + Supported filters: cid + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadContainerImagesByState + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadContainerImagesByState", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_sensor_coverage(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Bucket containers by agent type and calculate sensor coverage. + + Keyword arguments: + filter -- Retrieve count of Kubernetes containers that match a query in Falcon Query Language (FQL). String. 
+ Supported filters: + agent_id image_vulnerability_count + agent_type insecure_mount_source + allow_privilege_escalation insecure_mount_type + cid insecure_propagation_mode + cloud_account_id interactive_mode + cloud_name ipv4 + cloud_region ipv6 + cluster_id labels + cluster_name last_seen + container_id namespace + container_name node_name + cve_id node_uid + detection_name package_name_version + first_seen pod_id + image_detection_count pod_name + image_digest port + image_has_been_assessed privileged + image_id root_write_access + image_registry run_as_root_group + image_repository run_as_root_user + image_tag running_status + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadContainersSensorCoverage + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadContainersSensorCoverage", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_vulnerability_counts_by_severity(self: object, + *args, + parameters: dict = None, + **kwargs + ) -> Dict[str, Union[int, dict]]: + """Retrieve container vulnerabilities by severity counts. + + Keyword arguments: + filter -- Get vulnerabilities count by severity for container using a query in Falcon Query Language (FQL). String. 
+ Supported filters: + agent_id image_vulnerability_count + agent_type insecure_mount_source + allow_privilege_escalation insecure_mount_type + cid insecure_propagation_mode + cloud_account_id interactive_mode + cloud_name ipv4 + cloud_region ipv6 + cluster_id labels + cluster_name last_seen + container_id namespace + container_name node_name + cve_id node_uid + detection_name package_name_version + first_seen pod_id + image_detection_count pod_name + image_digest port + image_has_been_assessed privileged + image_id root_write_access + image_registry run_as_root_group + image_repository run_as_root_user + image_tag running_status + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html# + /kubernetes-protection/ReadContainerVulnerabilitiesBySeverityCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadContainerVulnerabilitiesBySeverityCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + def read_deployment_counts_by_date_range(self: object) -> Dict[str, Union[int, dict]]: + """Retrieve deployments by date range counts. + + Keyword arguments: + This method does not accept keyword arguments. + + This method does not accept arguments. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadDeploymentsByDateRangeCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadDeploymentsByDateRangeCount" + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_deployment_count(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve deployment counts. + + Keyword arguments: + filter -- Retrieve count of Kubernetes deployments that match a query in Falcon Query Language (FQL). String. + Supported filters: + annotations_list deployment_id + cid deployment_name + cloud_account_id first_seen + cloud_name last_seen + cloud_region namespace + cluster_id pod_count + cluster_name + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadDeploymentCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadDeploymentCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_cluster_enrichment(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve cluster enrichment data. + + Keyword arguments: + cluster_id -- One or more cluster ids for which to retrieve enrichment info + filter -- Supported filters: last_seen + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. 
+ + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadClusterEnrichment + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadClusterEnrichment", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_container_enrichment(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve container enrichment data. + + Keyword arguments: + container_id -- One or more container ids for which to retrieve enrichment info + filter -- Supported filters: last_seen + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadContainerEnrichment + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadContainerEnrichment", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_deployment_enrichment(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve deployment enrichment data. + + Keyword arguments: + deployment_id -- One or more deployment ids for which to retrieve enrichment info + filter -- Supported filters: last_seen + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadDeploymentEnrichment + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadDeploymentEnrichment", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_node_enrichment(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve node enrichment data. + + Keyword arguments: + node_name -- One or more node names for which to retrieve enrichment info + filter -- Supported filters: last_seen + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadNodeEnrichment + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadNodeEnrichment", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_pod_enrichment(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve pod enrichment data. + + Keyword arguments: + pod_id -- One or more pod ids for which to retrieve enrichment info + filter -- Supported filters: last_seen + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + This method only supports keywords for providing arguments. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadPodEnrichment + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadPodEnrichment", + keywords=kwargs, + params=parameters + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_distinct_image_count(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Retrieve count of distinct images running on containers. + + Keyword arguments: + filter -- Search Kubernetes containers using a query in Falcon Query Language (FQL). String. + Supported filters: + agent_id image_vulnerability_count + agent_type insecure_mount_source + allow_privilege_escalation insecure_mount_type + cid insecure_propagation_mode + cloud_account_id interactive_mode + cloud_name ipv4 + cloud_region ipv6 + cluster_id labels + cluster_name last_seen + container_id namespace + container_name node_name + cve_id node_uid + detection_name package_name_version + first_seen pod_id + image_detection_count pod_name + image_digest port + image_has_been_assessed privileged + image_id root_write_access + image_registry run_as_root_group + image_repository run_as_root_user + image_tag running_status + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadDistinctContainerImageCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadDistinctContainerImageCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_images_by_most_used(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Bucket container by image-digest. + + Keyword arguments: + filter -- Retrieve count of Kubernetes containers that match a query in Falcon Query Language (FQL). String. + Supported filters: + agent_id image_vulnerability_count + agent_type insecure_mount_source + allow_privilege_escalation insecure_mount_type + cid insecure_propagation_mode + cloud_account_id interactive_mode + cloud_name ipv4 + cloud_region ipv6 + cluster_id labels + cluster_name last_seen + container_id namespace + container_name node_name + cve_id node_uid + detection_name package_name_version + first_seen pod_id + image_detection_count pod_name + image_digest port + image_has_been_assessed privileged + image_id root_write_access + image_registry run_as_root_group + image_repository run_as_root_user + image_tag running_status + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. 
+ + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadContainerImagesByMostUsed + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadContainerImagesByMostUsed", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_iom_count_by_date_range(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Return the count of Kubernetes IOMs by the date. by default it's for 7 days. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. + Supported filters: cid, created_timestamp, detect_timestamp, severity + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadKubernetesIomByDateRange + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadKubernetesIomByDateRange", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_iom_count(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Return the total count of Kubernetes IOMs over the past seven days. + + Keyword arguments: + filter -- Filter images using a query in Falcon Query Language (FQL). String. + Supported filters: cid, created_timestamp, detect_timestamp, severity + parameters -- Full parameters payload dictionary. Not required if using other keywords. 
+ + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadKubernetesIomCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadKubernetesIomCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_node_counts_by_cloud(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]: + """Bucket nodes by cloud providers. + + Keyword arguments: + filter -- Search Kubernetes nodes using a query in Falcon Query Language (FQL). String. + Supported filters: + aid container_count + annotations_list container_runtime_version + cid first_seen + cloud_account_id image_digest + cloud_name ipv4 + cloud_region last_seen + cluster_id node_name + cluster_name pod_count + parameters -- Full parameters payload dictionary. Not required if using other keywords. + + Arguments: When not specified, the first argument to this method is assumed to be 'filter'. + All others are ignored. + + Returns: dict object containing API response. + + HTTP Method: GET + + Swagger URL + https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadNodesByCloudCount + """ + return process_service_request( + calling_object=self, + endpoints=Endpoints, + operation_id="ReadNodesByCloudCount", + keywords=kwargs, + params=handle_single_argument(args, parameters, "filter") + ) + + @force_default(defaults=["parameters"], default_types=["dict"]) + def read_nodes_by_container_engine_version(self: object, + *args, + parameters: dict = None, + **kwargs + ) -> Dict[str, Union[int, dict]]: + """Bucket nodes by their container engine version. 
+
+ Keyword arguments:
+ filter -- Search Kubernetes nodes using a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ aid container_count
+ annotations_list container_runtime_version
+ cid first_seen
+ cloud_account_id image_digest
+ cloud_name ipv4
+ cloud_region last_seen
+ cluster_id node_name
+ cluster_name pod_count
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'filter'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /kubernetes-protection/ReadNodesByContainerEngineVersionCount
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReadNodesByContainerEngineVersionCount",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "filter")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def read_node_counts_by_date_range(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
+ """Retrieve nodes by date range counts.
+
+ Keyword arguments:
+ filter -- Search Kubernetes nodes using a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ aid container_count
+ annotations_list container_runtime_version
+ cid first_seen
+ cloud_account_id image_digest
+ cloud_name ipv4
+ cloud_region last_seen
+ cluster_id node_name
+ cluster_name pod_count
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'filter'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadNodesByDateRangeCount
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReadNodesByDateRangeCount",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "filter")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def read_node_counts(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
+ """Retrieve node counts.
+
+ Keyword arguments:
+ filter -- Retrieve count of Kubernetes nodes that match a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ aid container_count
+ annotations_list container_runtime_version
+ cid first_seen
+ cloud_account_id image_digest
+ cloud_name ipv4
+ cloud_region last_seen
+ cluster_id node_name
+ cluster_name pod_count
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'filter'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadNodeCount
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReadNodeCount",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "filter")
+ )
+
+ def read_pod_counts_by_date_range(self: object) -> Dict[str, Union[int, dict]]:
+ """Retrieve pods by date range counts.
+
+ Keyword arguments:
+ This method does not accept keyword arguments.
+
+ This method does not accept arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadPodsByDateRangeCount
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReadPodsByDateRangeCount"
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def read_pod_counts(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
+ """Retrieve pod counts.
+
+ Keyword arguments:
+ filter -- Retrieve count of Kubernetes pods that match a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ agent_id last_seen
+ agent_type namespace
+ allow_privilege_escalation node_name
+ annotations_list node_uid
+ cid owner_id
+ cloud_account_id owner_type
+ cloud_name pod_id
+ cloud_region pod_name
+ cluster_id port
+ cluster_name privileged
+ container_count root_write_access
+ ipv4 run_as_root_group
+ ipv6 run_as_root_user
+ labels
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'filter'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadPodCount
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReadPodCount",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "filter")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def read_clusters_combined(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
+ """Retrieve kubernetes clusters identified by the provided filter criteria.
+
+ Keyword arguments:
+ filter -- Search Kubernetes clusters using a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ access cluster_status
+ agent_status container_count
+ cid kubernetes_version
+ cloud_account_id last_seen
+ cloud_name management_status
+ cloud_region node_count
+ cluster_id pod_count
+ cluster_name tags
+ limit -- The upper-bound on the number of records to retrieve. Integer.
+ offset -- The offset from where to begin. Integer.
+ sort -- Field to sort results by. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadClusterCombined
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReadClusterCombined",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def read_running_images(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
+ """Retrieve images on running containers.
+
+ Keyword arguments:
+ filter -- Retrieve list of images on running containers using a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ cid image_registry
+ hosts image_repository
+ image_digest image_tag
+ image_has_been_assessed last_seen
+ image_id running_status
+ image_name
+ limit -- The upper-bound on the number of records to retrieve. Integer.
+ offset -- The offset from where to begin. Integer.
+ sort -- Field to sort results by. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadRunningContainerImages
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReadRunningContainerImages",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def read_containers_combined(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
+ """Retrieve containers identified by the provided filter criteria.
+
+ Keyword arguments:
+ filter -- Search Kubernetes containers using a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ agent_id image_vulnerability_count
+ agent_type insecure_mount_source
+ allow_privilege_escalation insecure_mount_type
+ cid insecure_propagation_mode
+ cloud_account_id interactive_mode
+ cloud_name ipv4
+ cloud_region ipv6
+ cluster_id labels
+ cluster_name last_seen
+ container_id namespace
+ container_name node_name
+ cve_id node_uid
+ detection_name package_name_version
+ first_seen pod_id
+ image_detection_count pod_name
+ image_digest port
+ image_has_been_assessed privileged
+ image_id root_write_access
+ image_registry run_as_root_group
+ image_repository run_as_root_user
+ image_tag running_status
+ limit -- The upper-bound on the number of records to retrieve. Integer.
+ offset -- The offset from where to begin. Integer.
+ sort -- Field to sort results by. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadContainerCombined
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReadContainerCombined",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def read_deployments_combined(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
+ """Retrieve kubernetes deployments identified by the provided filter criteria.
+
+ Keyword arguments:
+ filter -- Search Kubernetes deployments using a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ annotations_list deployment_id
+ cid deployment_name
+ cloud_account_id first_seen
+ cloud_name last_seen
+ cloud_region namespace
+ cluster_id pod_count
+ cluster_name
+ limit -- The upper-bound on the number of records to retrieve. Integer.
+ offset -- The offset from where to begin. Integer.
+ sort -- Field to sort results by. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadDeploymentCombined
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReadDeploymentCombined",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def search_and_read_ioms(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
+ """Search Kubernetes IOM by the provided search criteria.
+
+ Keyword arguments:
+ filter -- Search Kubernetes IOMs using a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ cid name
+ cis_id namespace
+ cluster_id resource_id
+ cluster_name resource_name
+ containers_impacted_count resource_type
+ containers_impacted_ids severity
+ detection_type
+ limit -- The upper-bound on the number of records to retrieve. Integer.
+ offset -- The offset from where to begin. Integer.
+ sort -- The fields to sort the records on. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#
+ /kubernetes-protection/SearchAndReadKubernetesIomEntities
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="SearchAndReadKubernetesIomEntities",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def read_nodes_combined(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
+ """Retrieve kubernetes nodes identified by the provided filter criteria.
+
+ Keyword arguments:
+ filter -- Search Kubernetes nodes using a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ aid container_count
+ annotations_list container_runtime_version
+ cid first_seen
+ cloud_account_id image_digest
+ cloud_name ipv4
+ cloud_region last_seen
+ cluster_id node_name
+ cluster_name pod_count
+ limit -- The upper-bound on the number of records to retrieve. Integer.
+ offset -- The offset from where to begin. Integer.
+ sort -- Field to sort results by. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadNodeCombined
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReadNodeCombined",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def read_pods_combined(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
+ """Retrieve kubernetes pods identified by the provided filter criteria.
+
+ Keyword arguments:
+ filter -- Search Kubernetes pods using a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ agent_id last_seen
+ agent_type namespace
+ allow_privilege_escalation node_name
+ annotations_list node_uid
+ cid owner_id
+ cloud_account_id owner_type
+ cloud_name pod_id
+ cloud_region pod_name
+ cluster_id port
+ cluster_name privileged
+ container_count root_write_access
+ ipv4 run_as_root_group
+ ipv6 run_as_root_user
+ labels
+ limit -- The upper-bound on the number of records to retrieve. Integer.
+ offset -- The offset from where to begin. Integer.
+ sort -- Field to sort results by. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadPodCombined
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReadPodCombined",
+ keywords=kwargs,
+ params=parameters
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def read_iom_entities(self: object, *args, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
+ """Retrieve Kubernetes IOM entities identified by the provided IDs.
+
+ Keyword arguments:
+ ids -- Kubernetes IOMs ID or list of IDs. String or list of strings. [Max: 100]
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ Arguments: When not specified, the first argument to this method is assumed to be 'ids'.
+ All others are ignored.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadKubernetesIomEntities
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="ReadKubernetesIomEntities",
+ keywords=kwargs,
+ params=handle_single_argument(args, parameters, "ids")
+ )
+
+ @force_default(defaults=["parameters"], default_types=["dict"])
+ def search_ioms(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
+ """Search Kubernetes IOMs by the provided search criteria.
+
+ This endpoint returns a list of Kubernetes IOM UUIDs matching the query.
+
+ Keyword arguments:
+ filter -- Search Kubernetes IOMs using a query in Falcon Query Language (FQL). String.
+ Supported filters:
+ cid name
+ cis_id namespace
+ cluster_id resource_id
+ cluster_name resource_name
+ containers_impacted_count resource_type
+ containers_impacted_ids severity
+ detection_type
+ limit -- The upper-bound on the number of records to retrieve. Integer.
+ offset -- The offset from where to begin. Integer.
+ sort -- The fields to sort the records on. String.
+ parameters -- Full parameters payload dictionary. Not required if using other keywords.
+
+ This method only supports keywords for providing arguments.
+
+ Returns: dict object containing API response.
+
+ HTTP Method: GET
+
+ Swagger URL
+ https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/SearchKubernetesIoms
+ """
+ return process_service_request(
+ calling_object=self,
+ endpoints=Endpoints,
+ operation_id="SearchKubernetesIoms",
+ keywords=kwargs,
+ params=parameters
+ )
+
 @force_default(defaults=["parameters"], default_types=["dict"])
 def get_aws_accounts(self: object, parameters: dict = None, **kwargs) -> Dict[str, Union[int, dict]]:
 """Provide a list of AWS accounts.
@@ -582,6 +2064,47 @@ def update_azure_service_principal(self: object, *args, parameters: dict = None,
 # These method names align to the operation IDs in the API but
 # do not conform to snake_case / PEP8 and are defined here for
 # backwards compatibility / ease of use purposes
+ ReadClustersByDateRangeCount = read_clusters_by_date_range
+ ReadClustersByKubernetesVersionCount = read_clusters_by_version
+ ReadClustersByStatusCount = read_clusters_by_status
+ ReadClusterCount = read_cluster_count
+ ReadContainersByDateRangeCount = read_containers_by_date_range
+ ReadContainerCountByRegistry = read_containers_by_registry
+ FindContainersCountAffectedByZeroDayVulnerabilities = read_zero_day_affected_counts
+ ReadVulnerableContainerImageCount = read_vulnerable_container_count
+ ReadContainerCount = read_container_counts
+ FindContainersByContainerRunTimeVersion = find_containers_by_runtime_version
+ GroupContainersByManaged = group_managed_containers
+ ReadContainerImageDetectionsCountByDate = read_detections_count_by_date
+ ReadContainerImagesByState = read_images_by_state
+ ReadContainersSensorCoverage = read_sensor_coverage
+ ReadContainerVulnerabilitiesBySeverityCount = read_vulnerability_counts_by_severity
+ ReadDeploymentsByDateRangeCount = read_deployment_counts_by_date_range
+ ReadDeploymentCount = read_deployment_count
+ ReadClusterEnrichment = read_cluster_enrichment
+ ReadContainerEnrichment = read_container_enrichment
+ ReadDeploymentEnrichment = read_deployment_enrichment
+ ReadNodeEnrichment = read_node_enrichment
+ ReadPodEnrichment = read_pod_enrichment
+ ReadDistinctContainerImageCount = read_distinct_image_count
+ ReadContainerImagesByMostUsed = read_images_by_most_used
+ ReadKubernetesIomByDateRange = read_iom_count_by_date_range
+ ReadKubernetesIomCount = read_iom_count
+ ReadNodesByCloudCount = read_node_counts_by_cloud
+ ReadNodesByContainerEngineVersionCount = read_nodes_by_container_engine_version
+ ReadNodesByDateRangeCount = read_node_counts_by_date_range
+ ReadNodeCount = read_node_counts
+ ReadPodsByDateRangeCount = read_pod_counts_by_date_range
+ ReadPodCount = read_pod_counts
+ ReadClusterCombined = read_clusters_combined
+ ReadRunningContainerImages = read_running_images
+ ReadContainerCombined = read_containers_combined
+ ReadDeploymentCombined = read_deployments_combined
+ SearchAndReadKubernetesIomEntities = search_and_read_ioms
+ ReadNodeCombined = read_nodes_combined
+ ReadPodCombined = read_pods_combined
+ ReadKubernetesIomEntities = read_iom_entities
+ SearchKubernetesIoms = search_ioms
 GetAWSAccountsMixin0 = get_aws_accounts
 CreateAWSAccount = create_aws_account
 DeleteAWSAccountsMixin0 = delete_aws_accounts
diff --git a/tests/test_kubernetes_protection.py b/tests/test_kubernetes_protection.py
index 35afd8da0..a76649c43 100644
--- a/tests/test_kubernetes_protection.py
+++ b/tests/test_kubernetes_protection.py
@@ -41,7 +41,48 @@ def serviceKubeProtect_RunAllTests(self):
 "GetAzureTenantConfig": falcon.get_azure_tenant_config(ids="whatevers"),
 "GetStaticScripts": falcon.get_static_scripts(),
 "GetAzureTenantIDs": falcon.get_azure_tenant_ids(ids="12345678"),
- "GetAzureInstallScript": falcon.get_azure_install_script(ids="123456789")
+ "GetAzureInstallScript": falcon.get_azure_install_script(ids="123456789"),
+ "ReadClustersByDateRangeCount": falcon.read_clusters_by_date_range(),
+ "ReadClustersByKubernetesVersionCount": falcon.read_clusters_by_version(filter="whatever"),
+ "ReadClustersByStatusCount": falcon.read_clusters_by_status(filter="whatever"),
+ "ReadClusterCount": falcon.read_cluster_count(filter="whatever"),
+ "ReadContainersByDateRangeCount": falcon.read_containers_by_date_range(filter="whatever"),
+ "ReadContainerCountByRegistry": falcon.read_containers_by_registry(filter="whatever"),
+ "FindContainersCountAffectedByZeroDayVulnerabilities": falcon.read_zero_day_affected_counts(),
+ "ReadVulnerableContainerImageCount": falcon.read_vulnerable_container_count(filter="whatever"),
+ "ReadContainerCount": falcon.read_container_counts(filter="whatever"),
+ "FindContainersByContainerRunTimeVersion": falcon.find_containers_by_runtime_version(filter="whatever"),
+ "GroupContainersByManaged": falcon.group_managed_containers(filter="whatever"),
+ "ReadContainerImageDetectionsCountByDate": falcon.read_detections_count_by_date(filter="whatever"),
+ "ReadContainerImagesByState": falcon.read_images_by_state(filter="whatever"),
+ "ReadContainersSensorCoverage": falcon.read_sensor_coverage(filter="whatever"),
+ "ReadContainerVulnerabilitiesBySeverityCount": falcon.read_vulnerability_counts_by_severity(filter="whatever"),
+ "ReadDeploymentsByDateRangeCount": falcon.read_deployment_counts_by_date_range(),
+ "ReadDeploymentCount": falcon.read_deployment_count(filter="whatever"),
+ "ReadClusterEnrichment": falcon.read_cluster_enrichment(filter="whatever"),
+ "ReadContainerEnrichment": falcon.read_container_enrichment(filter="whatever"),
+ "ReadDeploymentEnrichment": falcon.read_deployment_enrichment(filter="whatever"),
+ "ReadNodeEnrichment": falcon.read_node_enrichment(filter="whatever"),
+ "ReadPodEnrichment": falcon.read_pod_enrichment(filter="whatever"),
+ "ReadDistinctContainerImageCount": falcon.read_distinct_image_count(filter="whatever"),
+ "ReadContainerImagesByMostUsed": falcon.read_images_by_most_used(filter="whatever"),
+ "ReadKubernetesIomByDateRange": falcon.read_iom_count_by_date_range(filter="whatever"),
+ "ReadKubernetesIomCount": falcon.read_iom_count(filter="whatever"),
+ "ReadNodesByCloudCount": falcon.read_node_counts_by_cloud(filter="whatever"),
+ "ReadNodesByContainerEngineVersionCount": falcon.read_nodes_by_container_engine_version(filter="whatever"),
+ "ReadNodesByDateRangeCount": falcon.read_node_counts_by_date_range(filter="whatever"),
+ "ReadNodeCount": falcon.read_node_counts(filter="whatever"),
+ "ReadPodsByDateRangeCount": falcon.read_pod_counts_by_date_range(),
+ "ReadPodCount": falcon.read_pod_counts(filter="whatever"),
+ "ReadClusterCombined": falcon.read_clusters_combined(filter="whatever"),
+ "ReadRunningContainerImages": falcon.read_running_images(filter="whatever"),
+ "ReadContainerCombined": falcon.read_containers_combined(filter="whatever"),
+ "ReadDeploymentCombined": falcon.read_deployments_combined(filter="whatever"),
+ "SearchAndReadKubernetesIomEntities": falcon.search_and_read_ioms(filter="whatever"),
+ "ReadNodeCombined": falcon.read_nodes_combined(filter="whatever"),
+ "ReadPodCombined": falcon.read_pods_combined(filter="whatever"),
+ "ReadKubernetesIomEntities": falcon.read_iom_entities(filter="whatever"),
+ "SearchKubernetesIoms": falcon.search_ioms(filter="whatever")
 } for key in tests:
From 3ad6351e68109fdca2e9c8e65fb7977889d3b815 Mon Sep 17 00:00:00 2001
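Review bot: The `"ReadKubernetesIomEntities"` entry calls `read_iom_entities(filter="whatever")`, but that method as defined in the preceding `kubernetes_protection.py` hunk documents only `ids` and `parameters` and resolves its positional argument via `handle_single_argument(args, parameters, "ids")`, so this test sends a `filter` query parameter the operation does not take and never exercises the `ids` path; change it to `"ReadKubernetesIomEntities": falcon.read_iom_entities(ids="whatever"),`. The 41 PascalCase aliases added in the same series are not referenced here at all, so a mis-assigned alias would go unnoticed; one identity check per alias, e.g. `assert falcon.ReadKubernetesIomEntities == falcon.read_iom_entities`, would cover that table cheaply. `serviceKubeProtect_RunAllTests` starts and ends outside this hunk, so what the loop below asserts about each response is not visible here.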
From: Joshua Hiller
Date: Fri, 22 Dec 2023 15:16:00 -0500
Subject: [PATCH 33/37] Update module inventory list
---
 src/falconpy/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/falconpy/__init__.py b/src/falconpy/__init__.py
index bc70168e5..c4dee67c2 100644
--- a/src/falconpy/__init__.py
+++ b/src/falconpy/__init__.py
@@ -192,7 +192,7 @@ "UnnecessaryEncodingUsed", "APIHarnessV2", "CustomStorage", "FoundryLogScale", "RealTimeResponseAudit", "Workflows", "DeprecatedClass", "DeprecatedOperation", "SDKDeprecationWarning", "ConfigurationAssessmentEvaluationLogic", "ConfigurationAssessment",
- "ContainerAlerts", "ContainerDetections", "ContainerImages", "ContainerPackages",
+ "ContainerAlerts", "ContainerDetections", "ContainerImages", "ContainerPackages",
 "ContainerVulnerabilities", "DriftIndicators", "UnidentifiedContainers"
 ]
 """
From f79230c368f0e770cbc799c42658e230b96b5dfe Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Fri, 22 Dec 2023 15:16:12 -0500
Subject: [PATCH 34/37] Bump version -> 1.3.5
---
 src/falconpy/_version.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/falconpy/_version.py b/src/falconpy/_version.py
index aa90211c5..a9646db47 100644
--- a/src/falconpy/_version.py
+++ b/src/falconpy/_version.py
@@ -35,7 +35,7 @@ For more information, please refer to """
-_VERSION = '1.3.4'
+_VERSION = '1.3.5'
 _MAINTAINER = 'Joshua Hiller'
 _AUTHOR = 'CrowdStrike'
 _AUTHOR_EMAIL = 'falconpy@crowdstrike.com'
From 07fc7d5249282703967f22763427c8069088f137 Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Thu, 21 Dec 2023 15:40:30 -0500
Subject: [PATCH 35/37] Update CHANGELOG.md
---
 CHANGELOG.md | 255 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 255 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7dde1119f..5901ff683 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,258 @@ +# Version 1.3.5 +## Added features and functionality ++ Added: 4 new operations added to the __*Alerts*__ service collection. + - *PostAggregateAlertsV2* + - *PostEntitiesAlertsV2* + - *PatchEntitiesAlertsV3* + - *GetQueriesAlertsV2* + - `_endpoint/_alerts.py` + - `alerts.py` + > Unit testing expanded to complete code coverage. + - `tests/test_alerts.py` ++ Added: `source_event_url` argument added to the _WorkflowExecute_ operation definition within the endpoint module. + - `_endpoint/_workflows.py` ++ Added: New Configuration Assessment service collection providing 2 new operations. + - *getCombinedAssessmentsQuery* + - *getRuleDetails* + - `_endpoint/__init__.py` + - `_endpoint/_configuration_assessment.py` + - `__init__.py` + - `configuration_assessment.py` + > Unit testing expanded to complete code coverage. + - `tests/test_configuration_assessment.py` ++ Added: New Configuration Assessment Evaluation Logic service collection providing 1 new operation. + - *getEvaluationLogicMixin0* + - `_endpoint/__init__.py` + - `_endpoint/_configuration_assessment_evaluation_logic.py` + - `__init__.py` + - `configuration_assessment_evaluation_logic.py` + > Unit testing expanded to complete code coverage. + - `tests/test_configuration_assessment_evaluation_logic.py` ++ Added: New Container Alerts service collection providing 2 new operations. + - *ReadContainerAlertsCount* + - *SearchAndReadContainerAlerts* + - `_endpoint/__init__.py` + - `_endpoint/_container_alerts.py` + - `__init__.py` + - `container_alerts.py` + > Unit testing expanded to complete code coverage. + - `tests/test_container_alerts.py` ++ Added: New Container Detections service collection providing 6 new operations. 
+ - *ReadDetectionsCountBySeverity* + - *ReadDetectionsCountByType* + - *ReadDetectionsCount* + - *ReadCombinedDetections* + - *ReadDetections* + - *SearchDetections* + - `_endpoint/__init__.py` + - `_endpoint/_container_detections.py` + - `__init__.py` + - `container_detections.py` + > Unit testing expanded to complete code coverage. + - `tests/test_container_detections.py` ++ Added: New Container Images service collection providing 10 new operations. + - *AggregateImageAssessmentHistory* + - *AggregateImageCountByBaseOS* + - *AggregateImageCountByState* + - *AggregateImageCount* + - *GetCombinedImages* + - *CombinedImageByVulnerabilityCount* + - *CombinedImageDetail* + - *ReadCombinedImagesExport* + - *CombinedImageIssuesSummary* + - *CombinedImageVulnerabilitySummary* + - `_endpoint/__init__.py` + - `_endpoint/_container_images.py` + - `__init__.py` + - `container_images.py` + > Unit testing expanded to complete code coverage. + - `tests/test_container_images.py` ++ Added: New Container Packages service collection providing 5 new operations. + - *ReadPackagesCountByZeroDay* + - *ReadPackagesByFixableVulnCount* + - *ReadPackagesByVulnCount* + - *ReadPackagesCombinedExport* + - *ReadPackagesCombined* + - `_endpoint/__init__.py` + - `_endpoint/_container_packages.py` + - `__init__.py` + - `container_packages.py` + > Unit testing expanded to complete code coverage. + - `tests/test_container_packages.py` ++ Added: New Container Vulnerabilities service collection providing 10 new operations. 
+ - *ReadCombinedVulnerabilities* + - *ReadCombinedVulnerabilitiesInfo* + - *ReadCombinedVulnerabilitiesDetails* + - *ReadVulnerabilitiesPublicationDate* + - *ReadVulnerabilitiesByImageCount* + - *ReadVulnerabilityCount* + - *ReadVulnerabilityCountBySeverity* + - *ReadVulnerabilityCountByCPSRating* + - *ReadVulnerabilityCountByCVSSScore* + - *ReadVulnerabilityCountByActivelyExploited* + - `_endpoint/__init__.py` + - `_endpoint/_container_vulnerabilities.py` + - `__init__.py` + - `container_vulnerabilities.py` + > Unit testing expanded to complete code coverage. + - `tests/test_container_vulnerabilities.py` ++ Added: `next_token` argument added to the _GetConfigurationDetectionIDsV2_ operation within the __*CSPM Registration*__ service collection. + - `_endpoint/_cspm_registration.py` + - `cspm_registration.py` ++ Added: New Drift Indicators service collection providing 5 new operations. + - *GetDriftIndicatorsValuesByDate* + - *ReadDriftIndicatorsCount* + - *SearchAndReadDriftIndicatorEntities* + - *ReadDriftIndicatorEntities* + - *SearchDriftIndicators* + - `_endpoint/__init__.py` + - `_endpoint/_drift_indicators.py` + - `__init__.py` + - `drift_indicators.py` + > Unit testing expanded to complete code coverage. + - `tests/test_drift_indicators.py` ++ Added: 3 new operations added to the __*Falcon Complete Dashboard*__ service collection. + - *AggregatePreventionPolicy* + - *AggregateSensorUpdatePolicy* + - *AggregateTotalDeviceCounts* + - `_endpoint/_falcon_complete_dashboard.py` + - `falcon_complete_dashboard.py` + > Unit testing expanded to complete code coverage. + - `tests/test_falcon_complete_dashboard.py` ++ Added: New arguments added to 5 operations within the __*Foundry LogScale*__ service collection. 2 arguments are removed from 1 operation. + - `check_test_data` is added to _ListReposV1_. + - `app_id` is added to _CreateSavedSearchesDynamicExecuteV1_. + - `app_id` is added to _GetSavedSearchesExecuteV1_. 
+ - `app_id` is added to _CreateSavedSearchesExecuteV1_. + - `check_test_data` is added to _ListViewV1_. + - The duplicative query string parameter arguments `mode` and `version` have been removed from _CreateSavedSearchesExecuteV1_. + - `_endpoint/_foundry_logscale.py` + - `foundry_logscale.py` + > Unit testing expanded to complete code coverage. + - `tests/test_foundry_logscale.py` ++ Added: 1 new operation added to the __*Hosts*__ service collection. + - *QueryDeviceLoginHistoryV2* + - `_endpoint/_hosts.py` + - `hosts.py` + > Unit testing expanded to complete code coverage. + - `tests/test_hosts.py` ++ Added: 3 new operations added to the __*IOC*__ service collection. These operations replace legacy operations from the deprecated __*IOCS*__ service collection. + - *indicator_get_device_count_v1* replaces _DevicesCount_. + - *indicator_get_devices_ran_on_v1* replaces _DevicesRanOn_. + - *indicator_get_processes_ran_on_v1* replaces _ProcessRanOn_. + - `_endpoint/_ioc.py` + - `_endpoint/deprecated/_ioc.py` + - `ioc.py` + > Unit testing expanded to complete code coverage. + - `tests/test_ioc.py` ++ Added: 41 new operations added to the __*Kubernetes Protection*__ service collection. 
+ - *ReadClustersByDateRangeCount* + - *ReadClustersByKubernetesVersionCount* + - *ReadClustersByStatusCount* + - *ReadClusterCount* + - *ReadContainersByDateRangeCount* + - *ReadContainerCountByRegistry* + - *FindContainersCountAffectedByZeroDayVulnerabilities* + - *ReadVulnerableContainerImageCount* + - *ReadContainerCount* + - *FindContainersByContainerRunTimeVersion* + - *GroupContainersByManaged* + - *ReadContainerImageDetectionsCountByDate* + - *ReadContainerImagesByState* + - *ReadContainersSensorCoverage* + - *ReadContainerVulnerabilitiesBySeverityCount* + - *ReadDeploymentsByDateRangeCount* + - *ReadDeploymentCount* + - *ReadClusterEnrichment* + - *ReadContainerEnrichment* + - *ReadDeploymentEnrichment* + - *ReadNodeEnrichment* + - *ReadPodEnrichment* + - *ReadDistinctContainerImageCount* + - *ReadContainerImagesByMostUsed* + - *ReadKubernetesIomByDateRange* + - *ReadKubernetesIomCount* + - *ReadNodesByCloudCount* + - *ReadNodesByContainerEngineVersionCount* + - *ReadNodesByDateRangeCount* + - *ReadNodeCount* + - *ReadPodsByDateRangeCount* + - *ReadPodCount* + - *ReadClusterCombined* + - *ReadRunningContainerImages* + - *ReadContainerCombined* + - *ReadDeploymentCombined* + - *SearchAndReadKubernetesIomEntities* + - *ReadNodeCombined* + - *ReadPodCombined* + - *ReadKubernetesIomEntities* + - *SearchKubernetesIoms* + - `_endpoint/_kubernetes_protection.py` + - `kubernetes_protection.py` + > Unit testing expanded to complete code coverage. + - `tests/test_kubernetes_protection.py` ++ Added: 1 new operation added to the __*ODS*__ service collection. + - *get_scans_by_scan_ids_v2* + > *get_scans_by_scan_ids_v1* has been deprecated. The PEP8 method `get_scans` has been redirected to the new operation. Developers wanting to leverage the legacy operation should call `get_scans_v1` or `get_scans_by_scan_ids_v1`. + - `_endpoint/_ods.py` + - `_endpoint/deprecated/_ods.py` + - `ods.py` + > Unit testing expanded to complete code coverage. 
+ - `tests/test_ods.py` ++ Added: 2 new operations added to the __*Real Time Response Admin*__ service collection. + - *RTR_GetFalconScripts* + - *RTR_ListFalconScripts* + - `_endpoint/_real_time_response_admin.py` + - `_endpoint/deprecated/_real_time_response_admin.py` + - `real_time_response_admin.py` + > Unit testing expanded to complete code coverage. + - `tests/test_real_time_response_admin.py` ++ Added: New Unidentified Containers service collection providing 3 new operations. + - *ReadUnidentifiedContainersByDateRangeCount* + - *ReadUnidentifiedContainersCount* + - *SearchAndReadUnidentifiedContainers* + - `_endpoint/__init__.py` + - `_endpoint/_unidentified_containers.py` + - `__init__.py` + - `unidentified_containers.py` + > Unit testing expanded to complete code coverage. + - `tests/test_unidentified_containers.py` + +## Issues resolved ++ Fixed: `batch_id` and `batch_get_cmd_req_id` not available on pythonic Result object. + - `_result/_result.py` ++ Fixed: Pythonic responses not properly populating Result object resources attribute when a dictionary is returned for the resources branch. + - `_result/_result.py` ++ Fixed: `trace_id` property is not available on Result objects that do not contain a Meta attribute. + - `_result/_headers.py` + - `_result/_result.py` ++ Fixed: Changes the datatype for the `ids` argument within the _GetCSPMPolicy_ operation from __`string`__ to __`integer`__. + - `_endpoint/_cspm_registration.py` + +## Other ++ Fixed: A typo that incorrectly listed the default value for the `limit` keyword was resolved in the QueryDetects operation docstring. Closes #1089. + - `detects.py` ++ Refactored: Reduced complexity within the Result object constructor method by abstracting construction logic to a new method. + - `_result/_result.py` ++ Regenerated: Updated endpoint module to align to new library automation, resulting in cosmetic changes to description fields. 
+ - `_endpoint/*` ++ Renamed: _RetrieveUser_ operation has been renamed to _retrieveUser_ within the __*User Management*__ service collection. + - `_endpoint/_user_management.py` ++ Deprecated: Adds additional deprecated operation IDs to the __*Firewall Management*__ service collection. + - `_endpoint/_firewall_management.py` ++ Fixed: Resolves a constant naming typo within the endpoint module for the __*Cloud Snapshots*__ service collection. + - `_endpoint/__init__.py` + - `_endpoint/_cloud_snapshots.py` + - `cloud_snapshots.py` ++ Fixed: Endpoint definition mismatch in _UploadSampleV3_ operation within the __*Sample Uploads*__ service collection. + - `_endpoint/_sample_uploads.py` ++ Fixed: Endpoint definition mismatch in _UploadSampleV2_ operation within the __*Falcon Intelligence Sandbox*__ service collection. + - `_endpoint/_falconx_sandbox.py` + > Unit testing expanded to complete code coverage. + - `tests/test_falconx_sandbox.py` + +--- + # Version 1.3.4 ## Added features and functionality + Added: Use a Service Class or the Uber Class as a context manager. From df4a2bbe8bd6407db3856ca4b598521806f19d98 Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Fri, 22 Dec 2023 16:05:38 -0500 Subject: [PATCH 36/37] Allow coverage miss on fallback trace-id property lookup --- src/falconpy/_result/_headers.py | 2 +- src/falconpy/_result/_result.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/falconpy/_result/_headers.py b/src/falconpy/_result/_headers.py index c9b24ef25..f9bb4f532 100644 --- a/src/falconpy/_result/_headers.py +++ b/src/falconpy/_result/_headers.py @@ -78,6 +78,6 @@ def ratelimit_remaining(self) -> Optional[int]: return self.get_property("X-Ratelimit-Remaining", None) @property - def trace_id(self) -> Optional[str]: + def trace_id(self) -> Optional[str]: # pragma: no cover """Return the contents of the X-Cs-Traceid key.""" return self.get_property("X-Cs-Traceid", None) 
diff --git a/src/falconpy/_result/_result.py b/src/falconpy/_result/_result.py index a3b8e2d4d..2fe56813f 100644 --- a/src/falconpy/_result/_result.py +++ b/src/falconpy/_result/_result.py @@ -312,7 +312,7 @@ def trace_id(self) -> Optional[str]: _returned: Optional[str] = None if self.meta: _returned = self.meta.trace_id - elif self.headers: + elif self.headers: # pragma: no cover _returned = self.headers.trace_id return _returned From 557ef489fd7ed70bc00d2a6c0dcb068013cc9d1c Mon Sep 17 00:00:00 2001 From: Joshua Hiller Date: Fri, 22 Dec 2023 16:07:51 -0500 Subject: [PATCH 37/37] Update wordlist.txt --- .github/wordlist.txt | 99 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 98 insertions(+), 1 deletion(-) diff --git a/.github/wordlist.txt b/.github/wordlist.txt index d468009b8..c094daf42 100644 --- a/.github/wordlist.txt +++ b/.github/wordlist.txt 
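Review bot: Tagging the `elif self.headers:` fallback with `# pragma: no cover` excludes from coverage precisely the path this release's changelog says was fixed ("`trace_id` property is not available on Result objects that do not contain a Meta attribute"), so the fix ships without a test asserting it. The trace ID is the value handed to support or an incident responder to correlate a failed call with the server side, and the meta-less case is typically an error response, so a direct test is worth more than an exclusion: build a Result whose meta is absent but whose headers carry `X-Cs-Traceid`, then `assert result.trace_id == "<expected id>"`, and drop the pragma from both this line and the matching property in `_headers.py`. Separately, `if self.meta:` selects on the truthiness of the Meta object, so a present-but-empty Meta presumably falls through to the header; if that is intended, say so in the property's docstring, e.g. `"""Return the trace ID from Meta, falling back to the X-Cs-Traceid response header."""`. The enclosing `trace_id` property's `def` line lies outside the hunk.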
@@ -1177,4 +1177,101 @@ querydetects
 querydevicesbyfilterscroll
 queryincidents
 queryintelactorentities
-apis
\ No newline at end of file
+apis
+retrieveUser
+SearchAndReadUnidentifiedContainers
+PostAggregateAlertsV
+PostEntitiesAlertsV
+PatchEntitiesAlertsV
+GetQueriesAlertsV
+getCombinedAssessmentsQuery
+getRuleDetails
+getEvaluationLogicMixin
+GetFalconScripts
+ListFalconScripts
+ReadUnidentifiedContainersByDateRangeCount
+ReadUnidentifiedContainersCount
+ReadContainerAlertsCount
+SearchAndReadContainerAlerts
+ReadDetectionsCountBySeverity
+ReadDetectionsCountByType
+ReadDetectionsCount
+ReadCombinedDetections
+ReadDetections
+SearchDetections
+AggregateImageAssessmentHistory
+AggregateImageCountByBaseOS
+AggregateImageCountByState
+AggregateImageCount
+CombinedImageByVulnerabilityCount
+CombinedImageDetail
+ReadCombinedImagesExport
+CombinedImageIssuesSummary
+ReadPodCount
+ReadClusterCombined
+ReadRunningContainerImages
+ReadContainerCombined
+ReadDeploymentCombined
+SearchAndReadKubernetesIomEntities
+ReadNodeCombined
+ReadPodCombined
+ReadKubernetesIomEntities
+SearchKubernetesIoms
+CombinedImageVulnerabilitySummary
+ReadPackagesCountByZeroDay
+ReadPackagesByFixableVulnCount
+ReadPackagesByVulnCount
+ReadPackagesCombinedExport
+ReadPackagesCombined
+ReadCombinedVulnerabilities
+ReadCombinedVulnerabilitiesInfo
+ReadCombinedVulnerabilitiesDetails
+ReadVulnerabilitiesPublicationDate
+ReadVulnerabilitiesByImageCount
+ReadVulnerabilityCount
+ReadVulnerabilityCountBySeverity
+ReadVulnerabilityCountByCPSRating
+ReadVulnerabilityCountByCVSSScore
+ReadVulnerabilityCountByActivelyExploited
+ReadDistinctContainerImageCount
+ReadContainerImagesByMostUsed
+ReadKubernetesIomByDateRange
+ReadKubernetesIomCount
+ReadNodesByCloudCount
+ReadNodesByContainerEngineVersionCount
+ReadNodesByDateRangeCount
+ReadNodeCount
+ReadPodsByDateRangeCount
+GetConfigurationDetectionIDsV
+GetDriftIndicatorsValuesByDate
+ReadDriftIndicatorsCount
+SearchAndReadDriftIndicatorEntities
+ReadDriftIndicatorEntities
+SearchDriftIndicators
+AggregatePreventionPolicy
+AggregateSensorUpdatePolicy
+AggregateTotalDeviceCounts
+ReadContainerCount
+FindContainersByContainerRunTimeVersion
+GroupContainersByManaged
+ReadContainerImageDetectionsCountByDate
+ReadContainerImagesByState
+ReadContainersSensorCoverage
+ReadContainerVulnerabilitiesBySeverityCount
+ReadDeploymentsByDateRangeCount
+ReadDeploymentCount
+ReadClusterEnrichment
+ReadContainerEnrichment
+ReadDeploymentEnrichment
+ReadNodeEnrichment
+ReadPodEnrichment
+QueryDeviceLoginHistoryV
+ProcessRanOn
+ReadClustersByDateRangeCount
+ReadClustersByKubernetesVersionCount
+ReadClustersByStatusCount
+ReadClusterCount
+ReadContainersByDateRangeCount
+ReadContainerCountByRegistry
+FindContainersCountAffectedByZeroDayVulnerabilities
+ReadVulnerableContainerImageCount