• Stars
    star
    358
  • Rank 118,855 (Top 3 %)
  • Language
    Python
  • License
    The Unlicense
  • Created about 4 years ago
  • Updated 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

The CrowdStrike Falcon SDK for Python

CrowdStrike FalconPy

Twitter URL

FalconPy - The CrowdStrike Falcon SDK for Python

Package Status PyPI Release date Repo status Commit activity GitHub forks

The FalconPy SDK contains a collection of Python classes that abstract CrowdStrike Falcon OAuth2 API interaction, removing duplicative code and allowing developers to focus on just the logic of their solution requirements.

Overview πŸ”Ž

There are many CrowdStrike Falcon API service collections collectively containing hundreds of individual operations, all of which are accessible to your project via FalconPy.

The CrowdStrike Falcon SDK for Python completely abstracts token management, while also supporting interaction with all CrowdStrike regions, custom connection and response timeouts, routing requests through a list of proxies, disabling SSL verification, and custom header configuration.

If the CrowdStrike APIs were rings of great power, that the Dark Lord Sauron gifted to the kings of dwarves, elves and men, then CrowdStrike's FalconPy would be the One Ring.

"One SDK to rule them all, One SDK to find them, One SDK to bring them all and in the darkness bind them."

Downloads Development Installs

Supported versions of Python

The CrowdStrike Falcon SDK for Python was developed for Python 3, and does not support versions of Python below 3.6. Every commit to the FalconPy code base is unit tested for functionality using all versions of Python the library currently supports.

PyPI - Implementation PyPI - Wheel PyPI - Python Version

Supported Operating Systems

The FalconPy SDK is unit tested on the following operating systems.

macOS Ubuntu Windows

FalconPy will also run on any of the following operating systems.

Amazon Linux CentOS Fedora RedHat Arch

Debian Kali Pop! OS SUSE openSUSE

Details regarding supported operating systems and Python versions, and project security and testing procedures can be found here.

Components

The FalconPy SDK provides two distinct methods for interacting with CrowdStrike's API.

Service Classes The Uber Class

Service Classes
The Uber Class
Each Service Class represents a single CrowdStrike API service collection providing an interface to the operations available within that service collection. An all-in-one class that provides a singular interface for all operations in every CrowdStrike API service collection.

Service Classes

Representing a single CrowdStrike Falcon API service collection, each Service Class has a method defined for every operation available within that service collection.

Available Service Classes

For each CrowdStrike Falcon API service collection, a matching Service Class is available in the FalconPy library.

Service Collection Code Location Class Name
Alerts alerts.py Alerts
Device Control device_control_policies.py DeviceControlPolicies
Custom Indicators of Attack (IOAs) custom_ioa.py
ioa_exclusions.py
CustomIOA
IOAExclusions
Detections detects.py Detects
Falcon Discover cloud_connect_aws.py
d4c_registration.py
discover.py
CloudConnectAWS
D4CRegistration
Discover
Event Streams event_streams.py EventStreams
Falcon Container falcon_container.py FalconContainer
Falcon Horizon cspm_registration.py CSPMRegistration
FileVantage filevantage.py FileVantage
Firewall Management firewall_management.py FirewallManagement
Firewall Policy Management firewall_policies.py FirewallPolicies
Falcon Complete Dashboard falcon_complete_dashboard.py FalconCompleteDashboard
Falcon Data Replicator fdr.py FDR
Falcon Flight Control mssp.py FlightControl
Host Groups host_group.py HostGroup
Hosts hosts.py Hosts
Incident and Detection Monitoring incidents.py Incidents
Identity Protections identity_protection.py IdentityProtection
Installation Tokens installation_tokens.py InstallationTokens
Kubernetes Protection kubernetes_protection.py KubernetesProtection
Message Center message_center.py MessageCenter
ML Exclusions ml_exclusions.py MLExclusions
Mobile Enrollment mobile_enrollment.py Mobile Enrollment
OAuth2 Authentication oauth2.py OAuth2
Overwatch Dashboard overwatch_dashboard.py OverwatchDashboard
Prevention Policy prevention_policy.py PreventionPolicy
Quarantine quarantine.py Quarantine
Real Time Response (RTR) real_time_response.py
real_time_response_admin.py
RealTimeResponse
RealTimeResponseAdmin
Real Time Response (RTR) Policies response_policies.py ResponsePolicies
Report Executions report_executions.py ReportExecutions
Scheduled Reports scheduled_reports.py ScheduledReports
Sensor Download sensor_download.py SensorDownload
Sensor Visibility Exclusions sensor_visibility_exclusions.py SensorVisibilityExclusions
Sensor Update Policy Management sensor_update_policy.py SensorUpdatePolicy
Spotlight spotlight_evaluation_logic.py
spotlight_vulnerabilities.py
SpotlightEvaluationLogic
SpotlightVulnerabilities
Falcon Intelligence
Intel
IOC
IOCS
MalQuery
ODS (On Demand Scan)
Quick Scan
Recon
Sample Uploads
Sandbox

intel.py
ioc.py
iocs.py Deprecated
malquery.py
ods.py
quick_scan.py
recon.py
sample_uploads.py
falconx_sandbox.py

Intel
IOC
Iocs
MalQuery
ODS
QuickScan
Recon
SampleUploads
FalconXSandbox
User and Roles user_management.py UserManagement
Falcon Zero Trust Assessment zero_trust_assessment.py ZeroTrustAssessment

Service Class benefits

  • Closely follows Python and OpenAPI best practice for code style and syntax. PEP-8 compliant.
  • Completely abstracts token management, automatically refreshing your token when it expires.
  • Provides simple programmatic patterns for interacting with CrowdStrike Falcon APIs.
  • Supports cloud region autodiscovery for the CrowdStrike US-1, US-2 and EU-1 regions.
  • Supports dynamic configuration based upon the needs of your environment.
  • Supports CrowdStrike Falcon API parameter abstraction functionality.
  • Supports CrowdStrike Falcon API body payload abstraction functionality.

The Uber Class

Operating as a single harness for interacting with the entire CrowdStrike Falcon API, the Uber Class can access every available operation within every API service collection.

Code Location
api_complete.py The Uber Class provides an interface to all CrowdStrike APIs with a single handler. This solution supports communicating with API endpoints that do not have an available Service Class or are recently released.

Uber Class benefits

  • Access every CrowdStrike Falcon API service collection with only one import and only one class.
  • Completely abstracts token management, automatically refreshing your token when it expires.
  • Interact with newly released API operations not yet available in the library via the override keyword.
  • Provides simple programmatic patterns for interacting with CrowdStrike Falcon APIs.
  • Supports cloud region autodiscovery for the CrowdStrike US-1, US-2 and EU-1 regions.
  • Supports CrowdStrike Falcon API parameter abstraction functionality.
  • Supports all environment configuration options supported by FalconPy Service Classes.

Comparing FalconPy class types

While the usage syntax varies slightly, the Uber Class provides the same performance and output as FalconPy Service Classes, and can perform all of the same operations. The Uber Class does not support body payload abstraction but does provide unique override functionality that is not available when you are using Service Classes.

CrowdStrike Divider

Quick Start πŸ’«

Stable releases of FalconPy are available on the Python Package Index. In a terminal, execute the following command:

python3 -m pip install crowdstrike-falconpy

Once installed, you can immediately begin using CrowdStrike functionality in your Python projects.

"""CrowdStrike FalconPy Quick Start."""
import os
from falconpy import Hosts

# Use the API Clients and Keys page within your Falcon console to generate credentials.
# You will need to assign the Hosts: READ scope to your client to run this example.

# CrowdStrike does not recommend you hardcode credentials within source code.
# Instead, provide these values as variables that are retrieved from the environment,
# read from an encrypted file or secrets store, provided at runtime, etc.
# This example retrieves credentials from the environment as the variables
# "FALCON_CLIENT_ID" and "FALCON_CLIENT_SECRET".

hosts = Hosts(client_id=os.getenv("FALCON_CLIENT_ID"),
              client_secret=os.getenv("FALCON_CLIENT_SECRET")
              )

SEARCH_FILTER = "hostname-search-string"

# Retrieve a list of hosts that have a hostname that matches our search filter
hosts_search_result = hosts.query_devices_by_filter(filter=f"hostname:*'*{SEARCH_FILTER}*'")

# Confirm we received a success response back from the CrowdStrike API
if hosts_search_result["status_code"] == 200:
    hosts_found = hosts_search_result["body"]["resources"]
    # Confirm our search produced results
    if hosts_found:
        # Retrieve the details for all matches
        hosts_detail = hosts.get_device_details(ids=hosts_found)["body"]["resources"]
        for detail in hosts_detail:
            # Display the AID and hostname for this match
            aid = detail["device_id"]
            hostname = detail["hostname"]
            print(f"{hostname} ({aid})")
    else:
        print("No hosts found matching that hostname within your Falcon tenant.")
else:
    # Retrieve the details of the error response
    error_detail = hosts_search_result["body"]["errors"]
    for error in error_detail:
        # Display the API error detail
        error_code = error["code"]
        error_message = error["message"]
        print(f"[Error {error_code}] {error_message}")

More samples

If you are interested in reviewing more examples of FalconPy usage, this repository also maintains a collection of samples to help get you started with integrating CrowdStrike Falcon into your DevOps processes.

Documentation and Support πŸ“–

FalconPy is a community-driven, open source project designed to assist developers in leveraging the power of CrowdStrike APIs within their solutions. While not a formal CrowdStrike product, FalconPy is maintained by CrowdStrike and supported in partnership with the open source developer community.

Official Project Documentation: falconpy.io

Website Documentation Version

Extended documentation is also available via the wiki for this repository.

Issues and Questions

Is something going wrong? πŸ”₯

GitHub Issues are used to report bugs and errors.

Report Issue

Have a question you can't find answered in the documentation?

Please submit usage questions to the Q&A section of our discussion board.

Discussions

Community forums

The discussion board for this repository also provides the community with means to communicate regarding enhancements ideas, integration examples and new releases.

Discussions

More information regarding FalconPy documentation and support can be found here.

Contribute to FalconPy β˜•

Interested in being acknowledged as a member of an elite community of security-focused Python developers that stop breaches?

There are many ways you can contribute to the FalconPy project!

  • Providing feedback by opening a GitHub ticket. Even a fly-by "hey, this worked..." is appreciated and helps validate approaches. Ideas on improving the project are most welcome.
  • Documenting, blogging, or creating videos, of how you've used FalconPy. This type of content is invaluable and helps our community grow. Post these in the Show and Tell category of our discussion board.
  • Submit a sample demonstrating how you're using FalconPy by opening a pull request for inclusion in the Samples Library.
  • Fix a bug or implement a new feature. Check out our open issues on GitHub or our discussion board for inspiration.
  • Review pull requests by going through the queue of open pull requests on GitHub and giving feedback to the authors.

To get started, review the Code of Conduct for community guidelines, and the contribution guide for more detail regarding contributing to the CrowdStrike FalconPy project.



WE STOP BREACHES

More Repositories

1

CRT

Contact: [email protected]
PowerShell
696
star
2

automactc

AutoMacTC: Automated Mac Forensic Triage Collector
Python
491
star
3

psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
PowerShell
350
star
4

Forensics

Scripts and code referenced in CrowdStrike blog posts
Python
325
star
5

Tortilla

C
281
star
6

ember-timetree

Visualize hierarchical timeline data. Built with Ember.jsΒ and D3.js
JavaScript
273
star
7

SuperMem

A python script developed to process Windows memory images based on triage type.
Python
258
star
8

travel-laptop

Auxiliary documentation and scripts around "A Reasonably Safe Travel Burner Laptop"
C++
225
star
9

falcon-orchestrator

CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities
JavaScript
181
star
10

CrowdDetox

The CrowdDetox plugin for Hex-Rays automatically removes junk code and variables from Hex-Rays function decompilations.
C++
157
star
11

cs-bro

Bro scripts written by CrowdStrike Services
Zeek
147
star
12

Cloud-AWS

A collection of projects supporting AWS Integration
Python
146
star
13

logscale-community-content

This repository contains Community and Field contributed content for LogScale
Shell
139
star
14

CrowdFMS

CrowdStrike Feed Management System. CrowdFMS is a framework for automating collection and processing of samples from VirusTotal, by leveraging the Private API system. This framework automatically downloads recent samples, which triggered an alert on the users YARA notification feed.
Python
123
star
15

csproto

CrowdStrike's Protocol Buffers library
Go
122
star
16

falcon-scripts

Scripts to streamline the deployment and use of the CrowdStrike Falcon sensor
PowerShell
117
star
17

Falcon-Toolkit

Unleash the power of the Falcon Platform at the CLI
Python
108
star
18

falcon-query-assets

Welcome to the Falcon Query Assets GitHub page.
Shell
98
star
19

ansible_collection_falcon

Comprehensive toolkit for streamlining your interactions with the CrowdStrike Falcon platform.
Python
88
star
20

xwf-yara-scanner

C
84
star
21

CAST

CrowdStrike Archive Scan Tool
PowerShell
83
star
22

tf2rust

Tensorflow to Rust is a tool to convert trained Tensorflow models to pure Rust code.
Python
83
star
23

VirtualGHOST

VirtualGHOST Detection Tool
PowerShell
83
star
24

falcon-helm

Helm Charts for running CrowdStrike Falcon with Kubernetes
Smarty
71
star
25

gofalcon

Golang-based SDK to CrowdStrike's APIs
Go
57
star
26

pyspresso

The pyspresso package is a Python-based framework for debugging Java.
Python
51
star
27

falcon-operator

Go
49
star
28

ember-browser-services

Services for interacting with browser APIs so that you can have fine-grained control in tests.
TypeScript
46
star
29

MISP-tools

Import CrowdStrike Threat Intelligence into your instance of MISP
Python
39
star
30

detection-container

PHP
38
star
31

perseus

The hero we all need to defeat the kraken that is Go module dependency graphs
Go
37
star
32

gotel

GoTel - Scheduled job monitoring
Go
36
star
33

falcon-windows-host-recovery

Automated Windows host recovery
Rich Text Format
35
star
34

community

CrowdStrike's Open Source Policy & Contribution Guide
HTML
35
star
35

caracara

Developer enhancements (DX) for FalconPy, the CrowdStrike Python SDK
Python
34
star
36

container-image-scan

Code to scan a container with CrowdStrike and return response codes indicating pass/fail status.
Python
33
star
37

Dockerfiles

Automation to help create container images pre-loaded with the CrowdStrike Falcon sensor.
Shell
31
star
38

chopshop

Mitre chopshop network decoder framework
Python
30
star
39

FDR

Falcon Data Replicator
Python
29
star
40

faltest

A different take on WebDriver browser testing
JavaScript
28
star
41

ember-headless-form

Headless forms with a11y and validation support built in
TypeScript
28
star
42

Cloud-Azure

Discover for Cloud and Containers Azure
HCL
27
star
43

embersim-databank

Code for the paper "EMBERSim: A Large-Scale Databank for Boosting Similarity Search in Malware Analysis"
Python
25
star
44

apbf

Go package implementing Age-Partitioned Bloom Filters (APBF)
Go
25
star
45

go-metrics-sliding-window

A sliding window sampling implementation for the rcrowley/go-metrics library.
Go
24
star
46

ember-headless-table

TypeScript
23
star
47

ember-aria-utilities

ARIA utilities for helping create some of the more complex ARIA design patterns. Follows https://www.w3.org/TR/wai-aria-practices/
TypeScript
20
star
48

bpfmon-example

proof-of-concept example of using eBPF to Monitor for eBPF Map tampering
C
20
star
49

falcon-windows-repair

Scripts to aid in diagnosing and repairing unhealthy Windows Falcon Sensor installations
PowerShell
19
star
50

ember-resource-tasks

Resources for async functions in Ember
TypeScript
18
star
51

falcon-integration-gateway

Falcon Integration Gateway (FIG)
Python
18
star
52

cloud-resource-estimator

Cloud deployment size calculation utilities
Python
17
star
53

ember-url-hash-polyfill

Support for in/inter page linking / scrolling with hashes in EmberJS
TypeScript
17
star
54

tf-layers

Tensorflow Layers provides Rust implementations of Tensorflow model layers
Rust
16
star
55

tailwind-toucan-base

Base Tailwind config for the Toucan design system.
JavaScript
15
star
56

aws-ssm-distributor

HCL
15
star
57

omigo-data-analytics

Data Analytics Library for Python
Python
15
star
58

helpful-links

List of helpful publicly available CrowdStrike material.
14
star
59

ivan

Falcon Image Vulnerability Analysis (IVAN) is a command-line image assessment tool.
13
star
60

container-image-scan-action

CrowdStrike Container Image Scan Github Action
Shell
13
star
61

zscaler-FalconX-integration

This is the integration to feed Falcon X IOC data into zscaler's platform
Python
13
star
62

ember-velcro

Ember Velcro sticks one element to another with Floating UI.
TypeScript
13
star
63

kafka-replicator

Kafka replicator is a tool used to mirror and backup Kafka topics across regions
Go
13
star
64

OWASSRF

PowerShell
13
star
65

falconjs

CrowdStrike Falcon API JS library for the browser and Node
TypeScript
12
star
66

rusty-falcon

Rust bindings for CrowdStrike Falcon API
Rust
12
star
67

Identity-Protection

PowerShell
11
star
68

monorepo-next

Detach monorepo packages from normal linking
JavaScript
10
star
69

NotPetyaDecryptor

Python
9
star
70

ember-toucan-core

Toucan Design System
TypeScript
9
star
71

aws-security-lake

Integration guide for CrowdStrike and Amazon Security Lake
Shell
8
star
72

terraform-provider-crowdstrike

https://registry.terraform.io/providers/CrowdStrike/crowdstrike/latest/docs
Go
7
star
73

puppet-falcon

Ruby
7
star
74

terraform-kubectl-falcon

Module to manage CrowdStrike Falcon Sensor and the Kubernetes Protection Agent on a Kubernetes cluster.
HCL
7
star
75

Cloud-GCP

A collection of projects supporting GCP integration
Shell
6
star
76

cloud-tools-image

Command-line tools for remote communication with public and private cloud environments.
Shell
6
star
77

aws-verified-access

Integration details between CrowdStrike Falcon Zero Trust Assessments (ZTA) and AWS Verified Access
6
star
78

foundry-sample-mitre

Triage with MITRE Attack sample Foundry app
CSS
6
star
79

HEC-Log-Shipper

This repository contains examples of code used to send data to Humio instances
Python
5
star
80

image-scan-example

HCL
5
star
81

Container-Security

HCL
5
star
82

cloud-scripts-hide-host

Event driven solution to automatically hide hosts from CrowdStrike upon termination.
Python
5
star
83

foundry-sample-scalable-rtr

Scalable RTR sample Foundry app
TypeScript
5
star
84

foundry-fn-go

Go
4
star
85

crimson-falcon

A Shiny Ruby SDK of our Falcon API
Ruby
4
star
86

ember-toucan-styles

Ember wrapper, CSS, and JS utilities for working with the Toucan design system
JavaScript
4
star
87

ember-three

Ember.js three.js shim
JavaScript
4
star
88

foundry-sample-rapid-response

Rapid Response sample Foundry app
TypeScript
4
star
89

falcon-cli

Go
3
star
90

logscale-azure-event-hub-collector

LogScale Azure Event Hub Collector
Python
3
star
91

cloud-pov

HCL
3
star
92

devdays

Shell
3
star
93

cs.aws_account

Python
3
star
94

chronicle-intel-bridge

CrowdStrike to Chronicle Intel Bridge
Python
3
star
95

kubectl-falcon

Plug-in to kubectl command-line tool that helps with manipulation of Falcon Container.
Go
3
star
96

upb-cloud-workshop

A cloud workshop organised by Crowdstrike in Bucharest, Romania for the students of Universitatea Politehnica Bucharest
Go
3
star
97

opensource.crowdstrike.com

JavaScript
3
star
98

CrowdStrike-Spotlight-Humio-Package-Integration

Python
3
star
99

ember-number-to-words-shim

Ember.js number-to-words shim
JavaScript
3
star
100

template-gitbook-workshop

Code behind https://crowdstrike.gitbook.io/template-gitbook-workshop/
CSS
3
star