Extensibility
FalconPy has been designed to be fully extensible, allowing developers to customize or enhance functionality as required.
To accomplish this, the library implements several types of classes.
Type | Purpose |
---|---|
Data Class | Generic class abstraction layer that represents a discrete type or block of data. |
Interface Class | Generic class abstraction layer used to provide base functionality to all derivative classes that leverage it. |
Derivative Class | Class that extends the functionality provided by an interface class to provide a solution for directly interacting with CrowdStrike APIs. |
A derivative class and an interface class combined, the Uber Class provides an all-in-one interface to the CrowdStrike Falcon API.
`APIHarness` directly extends `UberInterface` (an Uber-specific interface class that extends the `FalconInterface` class) by using it as a base class. This results in the Uber Class inheriting all functionality provided by the `FalconInterface` class. The Uber Class does not maintain an `auth_object` attribute, as the Uber Class is an authentication object. This means the Uber Class can be used for Object Authentication just like any Service Class.
Name | Purpose |
---|---|
`authenticate` | Legacy method handler for triggering an authentication request and state update. This method is deprecated; developers should move to using the updated `login` method to access updated functionality. |
`command` | The generic method handler for processing any API operation available within the CrowdStrike API. More details about the `command` method can be found in the Uber Class usage documentation. |
`deauthenticate` | Legacy method handler for revoking the current API bearer token and performing a state update. This method is deprecated; developers should move to using the updated `logout` method to access updated functionality. |
`headers` | Legacy method handler for returning the current authentication headers. This method is deprecated; developers should move to using the new `auth_headers` property to access this dictionary. |
`login` | Leverages a private method to perform a request for a bearer token and updates the authentication object's current state. |
`logout` | Leverages a private method to revoke the current API bearer token and updates the object's current state. |
`valid_cred_format` | Legacy method handler that returns a boolean indicating if the current credential dictionary is formatted properly. This method is deprecated; developers should move to using the new `cred_format_valid` property to access this flag. |
Name | Purpose | Mutable? |
---|---|---|
`authenticated` | A boolean flag indicating if the current object is successfully authenticated to the CrowdStrike API. | |
`auth_headers` | The authentication headers that are sent along with all requests to the CrowdStrike API. If the `FalconInterface` object is not currently authenticated, an authentication request will be performed when this property is referenced. | |
`base_url` | The base URL for the target CrowdStrike API. This can be the shortname, or the full address. | |
`bearer_token` | A data class that represents the current CrowdStrike bearer token. | |
`config` | The `InterfaceConfiguration` object used for this authentication object. | |
`creds` | A dictionary containing the `client_id` and `client_secret` used to authenticate to the CrowdStrike API. | |
`cred_format_valid` | A boolean flag indicating if the current format of the `creds` dictionary is valid. | |
`debug` | Boolean flag indicating if the current object has debug mode enabled. | |
`debug_record_count` | The maximum number of records per API call performed to be logged in debug logs. | |
`log` | The logger object used for this object. | |
`log_facility` | The attached debug logging facility for this object. | |
`proxy` | Proxy dictionary that is leveraged to perform API requests from this object. | |
`pythonic` | A boolean flag indicating if results returned from the API should be provided as a JSON dictionary or a pythonic object. | |
`renew_window` | The amount of time in seconds before the token expires and the token is automatically refreshed. | |
`refreshable` | A boolean flag indicating if the current bearer token can be automatically refreshed. | |
`sanitize_log` | A boolean flag indicating if `client_id`, `client_secret`, `member_cid` and bearer token values should be sanitized from debug logs. | |
`ssl_verify` | The SSL verification setting (boolean or certificate location). | |
`timeout` | The connect or connect / read timeout for requests made to the CrowdStrike API. | |
`token_status` | The current API bearer token status. | |
`token_expired` | A boolean flag indicating if the current bearer token is expired. | |
`token_expiration` | The remaining time, in seconds, the current bearer token is considered valid. | |
`token_fail_reason` | API authentication failure reason. | |
`token_time` | The timestamp when the current bearer token was generated. | |
`token_value` | The bearer token value as a string. | |
`user_agent` | The User-Agent string that is sent as part of the headers for all API requests performed. | |
A generic data class comprised of several data sub-classes containing all of the details for the API request to be performed.
A generic object that represents the interface to the CrowdStrike Falcon API.
This class contains the default object constructor, as well as the properties and methods used by derivative classes to maintain state and authenticate to the CrowdStrike API.
The `FalconInterface` class is frequently referred to as the "authentication object" or the "auth object". For all but one of the Service Classes that leverage it, this object is available as the `auth_object` attribute.

The OAuth2 Service Class directly extends the `FalconInterface` class by using it as a base class.

The `UberInterface` class directly extends the `FalconInterface` class by using it as a base class. This class is used by the Uber Class (`APIHarness`) as its base class, inheriting all functionality provided by the `FalconInterface` class.
Name | Purpose |
---|---|
`login` | Leverages a private method to perform a request for a bearer token and updates the authentication object's current state. |
`logout` | Leverages a private method to revoke the current API bearer token and updates the object's current state. |
Name | Purpose | Mutable? |
---|---|---|
`authenticated` | A boolean flag indicating if the current object is successfully authenticated to the CrowdStrike API. | |
`auth_headers` | The authentication headers that are sent along with all requests to the CrowdStrike API. If the `FalconInterface` object is not currently authenticated, an authentication request will be performed when this property is referenced. | |
`base_url` | The base URL for the target CrowdStrike API. This can be the shortname, or the full address. | |
`bearer_token` | A data class that represents the current CrowdStrike bearer token. | |
`config` | The `InterfaceConfiguration` object used for this authentication object. | |
`creds` | A dictionary containing the `client_id` and `client_secret` used to authenticate to the CrowdStrike API. | |
`cred_format_valid` | A boolean flag indicating if the current format of the `creds` dictionary is valid. | |
`debug` | Boolean flag indicating if the current object has debug mode enabled. | |
`debug_record_count` | The maximum number of records per API call performed to be logged in debug logs. | |
`log` | The logger object used for this object. | |
`log_facility` | The attached debug logging facility for this object. | |
`proxy` | Proxy dictionary that is leveraged to perform API requests from this object. | |
`pythonic` | A boolean flag indicating if results returned from the API should be provided as a JSON dictionary or a pythonic object. | |
`renew_window` | The amount of time in seconds before the token expires and the token is automatically refreshed. | |
`refreshable` | A boolean flag indicating if the current bearer token can be automatically refreshed. | |
`sanitize_log` | A boolean flag indicating if `client_id`, `client_secret`, `member_cid` and bearer token values should be sanitized from debug logs. | |
`ssl_verify` | The SSL verification setting (boolean or certificate location). | |
`timeout` | The connect or connect / read timeout for requests made to the CrowdStrike API. | |
`token_status` | The current API bearer token status. | |
`token_expired` | A boolean flag indicating if the current bearer token is expired. | |
`token_expiration` | The remaining time, in seconds, the current bearer token is considered valid. | |
`token_fail_reason` | API authentication failure reason. | |
`token_time` | The timestamp when the current bearer token was generated. | |
`token_value` | The bearer token value as a string. | |
`user_agent` | The User-Agent string that is sent as part of the headers for all API requests performed. | |
A generic interface class that provides logging functionality for all classes within the library.
A generic interface class that represents the result received from the CrowdStrike API.
A generic interface class that is used as the base class for errors generated at runtime.
A generic interface class that is used as the base class for warnings generated at runtime.
A generic interface class that abstracts functionality leveraged by all derivative Service Classes.
This class extends the `BaseServiceClass` object, which is not intended for extensible usage outside of this scenario.
All FalconPy Service Classes, excluding OAuth2, extend the `ServiceClass` object to inherit common functionality.
Name | Purpose |
---|---|
`auth_object` | The attached `FalconInterface` object used for authentication and maintaining state. |
Name | Purpose |
---|---|
`authenticated` | Method handler for returning the current authentication state. Retrieved from the attached `auth_object` attribute. |
`login` | Performs a request for a bearer token and updates the authentication object's current state. |
`logout` | Revokes the current API bearer token and updates the object's current state. |
`token_expired` | Method handler for returning the current token expiration status. Retrieved from the attached `auth_object` attribute. |
Name | Purpose | Mutable? |
---|---|---|
`base_url` | The base URL address for the target CrowdStrike API. This can be the shortname, or the full address. This property is returned from the `auth_object` attribute. | |
`ssl_verify` | The SSL verification setting (boolean or certificate location). This property is returned from the `auth_object` attribute. | |
`log` | The logger object for this object. This property can be enabled or disabled per Service Class regardless of the setting specified in the attached `auth_object`. When not specifically enabled or disabled, this property is returned from the `auth_object` attribute. | |
`headers` | The headers that are sent for all API requests performed. This includes authentication headers that are requested from the attached `auth_object` and any custom headers provided when the object is created via the `ext_headers` keyword. | |
`token_status` | The current API bearer token status. This property is returned from the `auth_object` attribute. | |
`token_fail_reason` | API authentication failure reason. This property is returned from the `auth_object` attribute. | |
`refreshable` | Boolean flag indicating if the current bearer token can be automatically refreshed. This property is returned from the `auth_object` attribute. | |
`debug` | Boolean flag indicating if the current object has debug mode enabled. This property can be enabled or disabled per Service Class regardless of the setting specified in the attached `auth_object`. When not specifically enabled or disabled, this property is returned from the `auth_object` attribute. | |
`proxy` | Proxy dictionary that is leveraged to perform API requests from this object. This property can be set to a unique value per Service Class regardless of the setting specified in the attached `auth_object`. When not specifically set, this property is returned from the `auth_object` attribute. | |
`renew_window` | The amount of time in seconds before the token expires and the token is automatically refreshed. This property is returned from the `auth_object` attribute. Changing this value will impact all classes that leverage this same authentication object. | |
`token_renew_window` | This property recreates the functionality of a legacy attribute and is deprecated. Developers should make use of the `renew_window` property to make changes to the token renewal window. | |
`user_agent` | The User-Agent string that is sent as part of the headers for all API requests performed. This property can be set to a unique value per Service Class regardless of the setting specified in the attached `auth_object`. When not specifically set, this property is returned from the `auth_object` attribute. | |
`debug_record_count` | The maximum number of records per API call performed to be logged in debug logs. This property can be set to a unique value per Service Class regardless of the setting specified in the attached `auth_object`. When not specifically set, this property is returned from the `auth_object` attribute. | |
`sanitize_log` | Boolean flag indicating if `client_id`, `client_secret`, `member_cid` and bearer token values should be sanitized from debug logs. This property can be enabled or disabled per Service Class regardless of the setting specified in the attached `auth_object`. When not specifically enabled or disabled, this property is returned from the `auth_object` attribute. | |
`pythonic` | Boolean flag indicating if results returned from the API should be provided as a JSON dictionary or a pythonic object. This property can be enabled or disabled per Service Class regardless of the setting specified in the attached `auth_object`. When not specifically enabled or disabled, this property is returned from the `auth_object` attribute. | |
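
The override-or-inherit behaviour described in the table above, modelled with stand-in classes as an added example. This is not FalconPy code: `StubAuth`, `StubService`, `unsanitized` and `debug_line` are hypothetical names, and every credential and default value is constructed. It shows why a review of `sanitize_log` has to check each service object and not only the shared auth object, and why a `renew_window` change is visible to every object attached to the same auth object.

```python
_UNSET = object()  # sentinel meaning "not specifically set on this service object"


class StubAuth:
    """Stand-in for the shared authentication object (hypothetical, not FalconPy)."""

    def __init__(self, client_id, client_secret, sanitize_log=True, renew_window=120):
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.token_value = "constructed-bearer-token"  # constructed sample value
        self.sanitize_log = sanitize_log
        self.renew_window = renew_window


class StubService:
    """Stand-in service object: use its own setting if given, else the auth object's."""

    def __init__(self, name, auth_object, sanitize_log=_UNSET):
        self.name = name
        self.auth_object = auth_object
        self._sanitize_log = sanitize_log

    @property
    def sanitize_log(self):
        if self._sanitize_log is _UNSET:
            return self.auth_object.sanitize_log  # inherited, tracks later changes
        return self._sanitize_log  # per-service override wins either way

    @property
    def renew_window(self):
        return self.auth_object.renew_window  # always read from the shared object

    @renew_window.setter
    def renew_window(self, seconds):
        self.auth_object.renew_window = seconds  # affects every attached service

    def debug_line(self, message):
        """Return the text this object would write to its debug log."""
        if self.sanitize_log:
            for secret in (*self.auth_object.creds.values(), self.auth_object.token_value):
                message = message.replace(secret, "REDACTED")
        return message


def unsanitized(services):
    """Names of service objects whose effective setting leaves secrets in debug logs."""
    return [svc.name for svc in services if not svc.sanitize_log]
```
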