Authenticating to the API

jshcodes edited this page Aug 18, 2023 · 31 revisions

FalconPy is designed to make authentication and token management easy and supports multiple methods of providing your API credentials.

These examples only focus on authentication. Review Environment Configuration for details regarding other keywords that can be specified during object creation to customize functionality for your environment.

Passing credentials

WARNING

client_id, client_secret and member_cid are keyword arguments that contain your CrowdStrike API credentials and the customer ID of a child tenant. None of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does NOT recommend hard coding API credentials or customer identifiers within source code.

Direct Authentication

As of version 0.6.2, Direct Authentication is the standard method used for authenticating.

  • This method is supported in Service Classes and the Uber Class.
  • You do not need to call the authenticate() method before making your first request.
  • Your token and your authentication status will not be valid / True until the first request is made.
  • You cannot mix Direct Authentication and Credential Authentication. Values provided directly via keywords will be overridden by any creds dictionary provided (regardless of whether that value is used).

The Uber class only supports Credential Authentication and Direct Authentication.

Service Class Example (Hosts)

from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# You can use PEP8 or Operation ID syntax for this call
response = falcon.query_devices_by_filter()

Uber Class Example (Hosts)

from falconpy import APIHarness

falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("QueryDevicesByFilter")
print(response)

MSSP Examples (Hosts)

Starting in version 0.8.3, Direct Authentication supports the member_cid keyword for MSSP authentication.

Service Class

from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET,
               member_cid=CHILD_CID
               )

# You can use PEP8 or Operation ID syntax for this call
response = falcon.query_devices_by_filter()
print(response)

Uber Class

from falconpy import APIHarness

falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET,
                    member_cid=CHILD_CID
                    )

response = falcon.command("QueryDevicesByFilter")
print(response)


Credential Authentication

  • This method is supported in Service Classes and the Uber Class.
  • You do not need to call the authenticate() method before making your first request.
  • Your token and your authentication status will not be valid / True until the first request is made.
  • Credential Authentication has precedence and will override authentication values provided when you use Direct Authentication. This means that if you provide a creds dictionary, the client_id, client_secret and member_cid keyword values will be overridden by the contents of this dictionary.

The Uber class only supports Credential Authentication and Direct Authentication.

Service Class Example (Cloud Connect AWS)

from falconpy import CloudConnectAWS

falcon = CloudConnectAWS(creds={
     "client_id": CLIENT_ID,
     "client_secret": CLIENT_SECRET
})

# You can use PEP8 or Operation ID syntax for this call
response = falcon.QueryAWSAccounts()
print(response)

Uber Class Example (Cloud Connect AWS)

from falconpy import APIHarness

falcon = APIHarness(creds={
      "client_id": CLIENT_ID,
      "client_secret": CLIENT_SECRET
   }
)

response = falcon.command('QueryAWSAccounts')
print(response)

MSSP Examples (Cloud Connect AWS)

MSSP authentication scenarios are also supported using Credential Authentication (v0.2.1+).

Service Class

from falconpy import CloudConnectAWS

falcon = CloudConnectAWS(creds={
     "client_id": CLIENT_ID,
     "client_secret": CLIENT_SECRET,
     "member_cid": CHILD_CID
})

# You can use PEP8 or Operation ID syntax for this call
response = falcon.query_aws_accounts()
print(response)

Uber Class

from falconpy import APIHarness

falcon = APIHarness(creds={
      "client_id": CLIENT_ID,
      "client_secret": CLIENT_SECRET,
      "member_cid": CHILD_CID
   }
)

response = falcon.command('QueryAWSAccounts')
print(response)


Object Authentication

Object Authentication allows you to authenticate to the API, and then pass the returned authentication object to other Service Classes, allowing developers to easily authenticate to multiple API service collections with the same token.

  • Using Object Authentication to authenticate to the CrowdStrike API is only supported in Service Classes.
  • Beginning in v1.3.0, the Uber Class may be used for Object Authentication to authenticate a Service Class.

Example (Cloud Connect AWS and Detects)

from falconpy import OAuth2
from falconpy import CloudConnectAWS
from falconpy import Detects

# You may also use Credential Authentication to
# create the instance of the authentication object
auth = OAuth2(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

# The auth object is then passed when instantiating
# subsequent Service Class objects
falcon_aws = CloudConnectAWS(auth_object=auth)
falcon_detects = Detects(auth_object=auth)

# You can use PEP8 or Operation ID syntax for these calls
print(falcon_aws.query_aws_accounts())
print(falcon_detects.query_detects())

Example (Real Time Response and Real Time Response Admin)

You do not need to create an instance of the OAuth2 object if you are working with more than one Service Class. The authentication object that is created as part of your instantiation of the first class may be used to authenticate to subsequent classes.

from falconpy import RealTimeResponse, RealTimeResponseAdmin

# We authenticate to our first Service Class like normal
rtr = RealTimeResponse(client_id=CLIENT_ID,
                       client_secret=CLIENT_SECRET
                       )
# Now we can just reuse our existing auth_object
rtr_admin = RealTimeResponseAdmin(auth_object=rtr.auth_object)

# And make use of our second class
print(rtr_admin.list_scripts())

Easy Object Authentication

Starting in v1.2.2, you no longer need to specify the auth_object attribute of the Service Class instance you are using to share authentication.

from falconpy import Hosts, HostGroup

# We authenticate to our first Service Class using our preferred method (Direct / Credential)
hosts = Hosts(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

# Then we can pass this newly created object
host_group = HostGroup(auth_object=hosts)

# And make use of our second class
print(host_group.query_combined_host_groups())

Example (Uber Class variation)

With the extensibility updates included as part of v1.3.0, the Uber Class may now be used to authenticate Service Classes.

from falconpy import (
     APIHarness,
     Hosts
)

# The Uber Class does not have an auth_object attribute,
# so we cannot authenticate it using Object Authentication.
uber = APIHarness(client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET
                  )

# Since the Uber Class is a derivative of the FalconInterface
# object, it can be used to authenticate Service Classes via
# Object Authentication.
hosts = Hosts(auth_object=uber)

print(hosts.query_devices_by_filter_scroll())


Environment Authentication

This authentication mechanism is a variation of Direct Authentication that leverages environment variables to store the credentials used for authentication. Every other authentication mechanism supported within FalconPy takes precedence over Environment Authentication (this includes the Legacy Authentication mechanism described below).

Environment Authentication was released in FalconPy v1.3.0.

There are two environment variables that must be present for Environment Authentication to work:

| Variable Name | Purpose | Data type |
| --- | --- | --- |
| FALCON_CLIENT_ID | CrowdStrike Falcon API client ID | string |
| FALCON_CLIENT_SECRET | CrowdStrike Falcon API client secret | string |

Both variables must be defined in the environment before Environment Authentication will be attempted. If both environment variables are present, and only one of these values exists within the creds dictionary, then the missing value will be replaced with the value stored within the environment.

Examples (Hosts and the Uber Class)

Environment Authentication allows developers to authenticate to the CrowdStrike API using credentials they defined in their environment.

from falconpy import Hosts

# Both environment variables, FALCON_CLIENT_ID and FALCON_CLIENT_SECRET
# must be present in the running environment if we do not want to
# provide credentials when we create the instance of the class.
hosts = Hosts()

print(hosts.query_devices_by_filter_scroll())

This functionality is also available to the Uber Class, and can be used to provide only one value if necessary.

from falconpy import APIHarness

# If only one of the required authentication keywords is provided
# and both environment variables are present, the missing value
# is retrieved from the environment.
uber = APIHarness(client_id=CLIENT_ID)

print(uber.command("QueryDevicesByFilterScroll"))
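The precedence rules on this page (a creds dictionary overrides keywords, and the environment is consulted only when both variables are set) can be checked before any class is created. This is an added example, not FalconPy code: `plan_auth` and its `sources` report are hypothetical names, and the sample values are constructed.

```python
import os

ENV_ID, ENV_SECRET = "FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET"


def plan_auth(client_id=None, client_secret=None, member_cid=None,
              creds=None, environ=None):
    """Hypothetical preflight helper (not part of FalconPy).

    Returns (kwargs, sources): kwargs can be passed to a Service Class or the
    Uber Class; sources names where each value came from, never the value.
    """
    environ = os.environ if environ is None else environ
    direct = {key: value for key, value in (("client_id", client_id),
                                            ("client_secret", client_secret),
                                            ("member_cid", member_cid)) if value}
    if creds and direct:
        # The creds dictionary would silently override these keywords,
        # so refuse the mixed call instead of guessing which one was meant.
        raise ValueError("keywords mixed with creds: " + ", ".join(sorted(direct)))
    chosen = {key: value for key, value in (creds or direct).items() if value}
    sources = {key: "creds" if creds else "keyword" for key in chosen}
    # Environment Authentication is only attempted when BOTH variables exist.
    if environ.get(ENV_ID) and environ.get(ENV_SECRET):
        for key, var in (("client_id", ENV_ID), ("client_secret", ENV_SECRET)):
            if key not in chosen:
                chosen[key] = environ[var]
                sources[key] = "env:" + var
    missing = [key for key in ("client_id", "client_secret") if key not in chosen]
    if missing:
        raise ValueError("no value for: " + ", ".join(missing))
    return ({"creds": chosen} if creds else chosen), sources


if __name__ == "__main__":
    # Constructed sample environment; real runs would omit environ= entirely.
    sample_env = {ENV_ID: "sample-id", ENV_SECRET: "sample-secret"}
    kwargs, sources = plan_auth(client_id="keyword-id", environ=sample_env)
    print(sources)  # safe to log: contains no credential values
```

The returned `kwargs` can be unpacked into a constructor such as `Hosts(**kwargs)`, and `sources` can be logged to show which mechanism supplied each value.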


Legacy Authentication

Prior to version 0.4.0, FalconPy Service Classes authenticated using Legacy Authentication. This method authenticates by providing the token directly to the Service Class and requires the developer to handle authentication using the OAuth2 Service Class.

  • Legacy Authentication is only supported in Service Classes.
  • This method of authentication does not support automatic token refresh.
  • This method of authentication cannot automatically authenticate your first request.
  • Developers can use the same token to authenticate to multiple Service Classes with this method.

Example (Falcon Intelligence Sandbox)

from falconpy import OAuth2
from falconpy import FalconXSandbox

# You may also use Credential Authentication to
# create the instance of the authentication object
auth = OAuth2(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

try:
    token = auth.token()['body']['access_token']
except (KeyError, TypeError):
    # No access_token in the response means authentication failed
    token = False

if token:
    falcon = FalconXSandbox(access_token=token)

    # You can use PEP8 or Operation ID syntax for this call
    response = falcon.QueryReports()
    print(response)
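Because Legacy Authentication does not refresh tokens automatically, the caller has to validate the token response and track its lifetime. The sketch below is an added example, not FalconPy code: `LegacyToken` and `parse_token_response` are hypothetical names, and the `expires_in` and `errors` keys are assumptions about the response body beyond the `['body']['access_token']` path shown above.

```python
import time


def parse_token_response(response):
    """Return (token, lifetime_seconds) or raise without echoing the body."""
    body = response.get("body") if isinstance(response, dict) else None
    if not isinstance(body, dict) or not body.get("access_token"):
        errors = body.get("errors") if isinstance(body, dict) else None
        detail = "; ".join(str(e.get("message", "")) for e in errors or []
                           if isinstance(e, dict))
        raise RuntimeError("token request failed: " + (detail or "no access_token"))
    # expires_in is the standard OAuth2 lifetime field (assumed present).
    return body["access_token"], int(body.get("expires_in", 0))


class LegacyToken:
    """Hypothetical holder: Legacy Authentication has no automatic refresh,
    so the caller has to know when the token it handed out has gone stale."""

    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch = fetch    # e.g. auth.token from the example above
        self._skew = skew      # renew this many seconds before expiry
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        """Return (token, renewed); renewed=True means classes created
        with the previous token still hold it and should be rebuilt."""
        renewed = self._token is None or self._clock() >= self._expires_at
        if renewed:
            self._token, lifetime = parse_token_response(self._fetch())
            self._expires_at = self._clock() + max(lifetime - self._skew, 0)
        return self._token, renewed
```

A failed request raises instead of yielding `False`, and the error text carries only the API's messages, so the response body is never written to logs.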
