Firewall Management
| Operation ID | Description |
|---|---|
| aggregate_events | Aggregate events for customer |
| aggregate_policy_rules | Aggregate rules within a policy for customer |
| aggregate_rule_groups | Aggregate rule groups for customer |
| aggregate_rules | Aggregate rules for customer |
| get_events | Get events entities by ID and optionally version |
| get_firewall_fields | Get the firewall field specifications by ID |
| get_platforms | Get platforms by ID, e.g., windows or mac or droid |
| get_policy_containers | Get policy container entities by policy ID |
| update_policy_container | Update an identified policy container |
| get_rule_groups | Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order. |
| create_rule_group | Create new rule group on a platform for a customer with a name and description, and return the ID |
| delete_rule_groups | Delete rule group entities by ID |
| update_rule_group | Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
| get_rules | Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string) |
| query_events | Find all event IDs matching the query with filter |
| query_firewall_fields | Get the firewall field specification IDs for the provided platform |
| query_platforms | Get the list of platform names |
| query_policy_rules | Find all firewall rule IDs matching the query with filter, and return them in precedence order |
| query_rule_groups | Find all rule group IDs matching the query with filter |
| query_rules | Find all rule IDs matching the query with filter |
Aggregate events for customer
aggregate_events
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string | Query criteria and settings |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.aggregate_events(body=BODY)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.command("aggregate_events", body=BODY)
print(response)
```
Aggregate rules within a policy for customer
aggregate_policy_rules
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string | Query criteria and settings |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.aggregate_policy_rules(body=BODY)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.command("aggregate_policy_rules", body=BODY)
print(response)
```
Aggregate rule groups for customer
aggregate_rule_groups
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string | Query criteria and settings |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.aggregate_rule_groups(body=BODY)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.command("aggregate_rule_groups", body=BODY)
print(response)
```
Aggregate rules for customer
aggregate_rules
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string | Query criteria and settings |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.aggregate_rules(body=BODY)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.command("aggregate_rules", body=BODY)
print(response)
```
Get events entities by ID and optionally version
get_events
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | ids | query | array (string) | The events to retrieve, identified by ID |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_events(ids=id_list)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_events", ids=id_list)
print(response)
```
Get the firewall field specifications by ID
get_firewall_fields
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | ids | query | array (string) | The IDs of the rule types to retrieve |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_firewall_fields(ids=id_list)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_firewall_fields", ids=id_list)
print(response)
```
Get platforms by ID, e.g., windows or mac or droid
get_platforms
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | ids | query | array (string) | The IDs of the platforms to retrieve |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_platforms(ids=id_list)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_platforms", ids=id_list)
print(response)
```
Get policy container entities by policy ID
get_policy_containers
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | ids | query | array (string) | The policy container(s) to retrieve, identified by policy ID |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_policy_containers(ids=id_list)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_policy_containers", ids=id_list)
print(response)
```
Update an identified policy container
update_policy_container
- Consumes: application/json
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string | |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.update_policy_container(body=BODY)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.command("update_policy_container", body=BODY)
print(response)
```
Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order.
get_rule_groups
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | ids | query | array (string) | The IDs of the rule groups to retrieve |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rule_groups(ids=id_list)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_rule_groups", ids=id_list)
print(response)
```
Create new rule group on a platform for a customer with a name and description, and return the ID
create_rule_group
- Consumes: application/json
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| | clone_id | query | string | A rule group ID from which to copy rules. If this is provided then the 'rules' property of the body is ignored. |
| | library | query | string | If this flag is set to true then the rules will be cloned from the clone_id from the CrowdStrike Firewall Rule Groups Library. |
| | comment | query | string | Audit log comment for this action |
| ✅ | body | body | string | |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.create_rule_group(clone_id="string",
                                    library="string",
                                    comment="string",
                                    body=BODY
                                    )
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
PARAMS = {
    "clone_id": "string",
    "library": "string",
    "comment": "string"
}
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.command("create_rule_group", parameters=PARAMS, body=BODY)
print(response)
```
Delete rule group entities by ID
delete_rule_groups
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | ids | query | array (string) | The IDs of the rule groups to be deleted |
| | comment | query | string | Audit log comment for this action |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_rule_groups(comment="string", ids=id_list)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
PARAMS = {
    "comment": "string"
}
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("delete_rule_groups", parameters=PARAMS, ids=id_list)
print(response)
```
Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
update_rule_group
- Consumes: application/json
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| | comment | query | string | Audit log comment for this action |
| ✅ | body | body | string | |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.update_rule_group(comment="string", body=BODY)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
PARAMS = {
    "comment": "string"
}
BODY = {
    "Body Payload": "See body description above"
}
response = falcon.command("update_rule_group", parameters=PARAMS, body=BODY)
print(response)
```
Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
get_rules
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | ids | query | array (string) | The rules to retrieve, identified by ID |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rules(ids=id_list)
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_rules", ids=id_list)
print(response)
```
Find all event IDs matching the query with filter
query_events
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| | sort | query | string | Possible order by fields: |
| | filter | query | string | FQL query specifying the filter parameters. Filter term criteria: enabled, platform, name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'. |
| | q | query | string | Match query criteria, which includes all the filter string fields, plus TODO |
| | offset | query | string | Starting index of overall result set from which to return ids. |
| | after | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. |
| | limit | query | integer | Number of ids to return. |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
response = falcon.query_events(sort="string",
                               filter="string",
                               q="string",
                               offset="string",
                               after="string",
                               limit=100  # integer
                               )
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
PARAMS = {
    "sort": "string",
    "filter": "string",
    "q": "string",
    "offset": "string",
    "after": "string",
    "limit": 100  # integer
}
response = falcon.command("query_events", parameters=PARAMS)
print(response)
```
Get the firewall field specification IDs for the provided platform
query_firewall_fields
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| | platform_id | query | string | Get fields configuration for this platform |
| | offset | query | string | Starting index of overall result set from which to return ids. |
| | limit | query | integer | Number of ids to return. |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
response = falcon.query_firewall_fields(platform_id="string",
                                        offset="string",
                                        limit=100  # integer
                                        )
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
PARAMS = {
    "platform_id": "string",
    "offset": "string",
    "limit": 100  # integer
}
response = falcon.command("query_firewall_fields", parameters=PARAMS)
print(response)
```
Get the list of platform names
query_platforms
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| | offset | query | string | Starting index of overall result set from which to return ids. |
| | limit | query | integer | Number of ids to return. |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
response = falcon.query_platforms(offset="string", limit=100)  # limit is an integer
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
PARAMS = {
    "offset": "string",
    "limit": 100  # integer
}
response = falcon.command("query_platforms", parameters=PARAMS)
print(response)
```
Find all firewall rule IDs matching the query with filter, and return them in precedence order
query_policy_rules
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| | id | query | string | The ID of the policy container within which to query |
| | sort | query | string | Possible order by fields: |
| | filter | query | string | FQL query specifying the filter parameters. Filter term criteria: enabled, platform, name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'. |
| | q | query | string | Match query criteria, which includes all the filter string fields, plus TODO |
| | offset | query | string | Starting index of overall result set from which to return ids. |
| | limit | query | integer | Number of ids to return. |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
response = falcon.query_policy_rules(id="string",
                                     sort="string",
                                     filter="string",
                                     q="string",
                                     offset="string",
                                     limit=100  # integer
                                     )
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
PARAMS = {
    "id": "string",
    "sort": "string",
    "filter": "string",
    "q": "string",
    "offset": "string",
    "limit": 100  # integer
}
response = falcon.command("query_policy_rules", parameters=PARAMS)
print(response)
```
Find all rule group IDs matching the query with filter
query_rule_groups
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| | sort | query | string | Possible order by fields: |
| | filter | query | string | FQL query specifying the filter parameters. Filter term criteria: enabled, platform, name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'. |
| | q | query | string | Match query criteria, which includes all the filter string fields, plus TODO |
| | offset | query | string | Starting index of overall result set from which to return ids. |
| | after | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. |
| | limit | query | integer | Number of ids to return. |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
response = falcon.query_rule_groups(sort="string",
                                    filter="string",
                                    q="string",
                                    offset="string",
                                    after="string",
                                    limit=100  # integer
                                    )
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
PARAMS = {
    "sort": "string",
    "filter": "string",
    "q": "string",
    "offset": "string",
    "after": "string",
    "limit": 100  # integer
}
response = falcon.command("query_rule_groups", parameters=PARAMS)
print(response)
```
Find all rule IDs matching the query with filter
query_rules
- Produces: application/json

| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| | sort | query | string | Possible order by fields: |
| | filter | query | string | FQL query specifying the filter parameters. Filter term criteria: enabled, platform, name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'. |
| | q | query | string | Match query criteria, which includes all the filter string fields, plus TODO |
| | offset | query | string | Starting index of overall result set from which to return ids. |
| | after | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. |
| | limit | query | integer | Number of ids to return. |

Service class example:

```python
from falconpy.firewall_management import FirewallManagement

falcon = FirewallManagement(client_id="API_CLIENT_ID_HERE",
                            client_secret="API_CLIENT_SECRET_HERE"
                            )
response = falcon.query_rules(sort="string",
                              filter="string",
                              q="string",
                              offset="string",
                              after="string",
                              limit=100  # integer
                              )
print(response)
```

Uber class example:

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
PARAMS = {
    "sort": "string",
    "filter": "string",
    "q": "string",
    "offset": "string",
    "after": "string",
    "limit": 100  # integer
}
response = falcon.command("query_rules", parameters=PARAMS)
print(response)
```
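The `after` token that query_events, query_rule_groups and query_rules all describe (no token on the first request, the previous response's token on every later one) is easiest to see as a loop. The following is an added example, not code from the FalconPy project: `iter_ids`, `collect_ids` and the constructed `FakeFirewallManagement` client are assumptions, as is the response shape it relies on (`status_code`, `body.resources`, `body.meta.pagination.after`), chosen to match the dict a FalconPy service class returns. It stops on a missing or repeated token and raises on a non-200 status rather than silently returning a partial ID list.

```python
from typing import Callable, Dict, Iterator, List, Optional


def iter_ids(query_op: Callable[..., Dict], limit: int = 100, **filters) -> Iterator[str]:
    """Yield every ID from a cursor-paginated query such as falcon.query_rules.

    The first request carries no `after` token; each later request passes the
    token from the previous response. Iteration stops on a missing token, an
    empty page or a repeated token (which would otherwise loop forever), and a
    non-200 status raises instead of silently truncating the result set.
    Response shape (status_code / body.resources / body.meta.pagination.after)
    is an assumption about the service-class return value.
    """
    after: Optional[str] = None
    while True:
        kwargs = dict(filters, limit=limit)
        if after:
            kwargs["after"] = after
        response = query_op(**kwargs)
        if response.get("status_code") != 200:
            errors = (response.get("body") or {}).get("errors", [])
            raise RuntimeError(f"query failed: HTTP {response.get('status_code')} {errors}")
        body = response.get("body") or {}
        resources: List[str] = body.get("resources") or []
        yield from resources
        next_after = ((body.get("meta") or {}).get("pagination") or {}).get("after")
        if not resources or not next_after or next_after == after:
            return
        after = next_after


def collect_ids(query_op: Callable[..., Dict], limit: int = 100, **filters) -> List[str]:
    """Materialise the paginated IDs, e.g. to feed get_rules() in batches."""
    return list(iter_ids(query_op, limit=limit, **filters))


class FakeFirewallManagement:
    """Constructed stand-in for FirewallManagement so the example runs offline."""

    def __init__(self, ids: List[str], fail_on_call: Optional[int] = None) -> None:
        self._ids = ids
        self._fail_on_call = fail_on_call
        self.calls: List[Dict] = []  # records what the client was asked for

    def query_rules(self, limit: int, after: Optional[str] = None, **_: str) -> Dict:
        self.calls.append({"limit": limit, "after": after})
        if self._fail_on_call == len(self.calls):
            return {"status_code": 403, "body": {"errors": [{"message": "access denied"}]}}
        start = int(after) if after else 0  # constructed token: the offset as a string
        page = self._ids[start:start + limit]
        pagination: Dict = {"limit": limit, "total": len(self._ids)}
        if start + limit < len(self._ids):
            pagination["after"] = str(start + limit)
        return {"status_code": 200, "body": {"resources": page, "meta": {"pagination": pagination}}}


if __name__ == "__main__":
    client = FakeFirewallManagement(["1", "2", "3", "4", "5"])
    rule_ids = collect_ids(client.query_rules, limit=2, filter="enabled:true")
    print(rule_ids, [c["after"] for c in client.calls])
```

Against a live client, pass `falcon.query_rules`, `falcon.query_rule_groups` or `falcon.query_events` as `query_op` with the same keyword filters the operation tables list.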