Workflows

Joshua Hiller edited this page Nov 22, 2024 · 6 revisions

Using the Workflows service collection

Table of Contents

Operation ID Description
WorkflowActivitiesCombined
PEP8 search_activities
Search for activities by name. Returns all supported activities if no filter is specified.
WorkflowExecute
PEP8 execute
Executes an on-demand workflow. The body is JSON used to trigger the execution; the response contains the execution ID(s).
WorkflowExecuteInternal
PEP8 execute_internal
Executes an on-demand workflow. The body is JSON used to trigger the execution; the response contains the execution ID(s).
WorkflowMockExecute
PEP8 mock_execute
Executes an on-demand Workflow with mocks
WorkflowExecutionsAction
PEP8 execution_action
Allows a user to resume/retry a failed workflow execution.
WorkflowExecutionResults
PEP8 execution_results
Get execution result of a given execution
WorkflowSystemDefinitionsDeProvision
PEP8 deprovision
Deprovisions a system definition that was previously provisioned on the target CID
WorkflowSystemDefinitionsPromote
PEP8 promote
Promote a version of a system definition
WorkflowSystemDefinitionsProvision
PEP8 provision
Provisions a system definition onto the target CID by using the template and provided parameters
WorkflowDefinitionsCombined
PEP8 search_definitions
Search workflow definitions based on the provided filter
WorkflowTriggersCombined
PEP8 search_triggers
Search for triggers by namespaced identifier, i.e. FalconAudit, Detection, or FalconAudit/Detection/Status. Returns all triggers if no filter is specified.
WorkflowExecutionsCombined
PEP8 search_executions
Search workflow executions based on the provided filter
WorkflowDefinitionsExport
PEP8 export_definition
Exports a workflow definition for the given definition ID
WorkflowDefinitionsImport
PEP8 import_definition
Imports a workflow definition based on the provided model
WorkflowDefinitionsUpdate
PEP8 update_definition
Updates a workflow definition based on the provided model.
WorkflowGetHumanInputV1
PEP8 get_human_input
Gets one or more specific human inputs by their IDs.
WorkflowUpdateHumanInputV1
PEP8 update_human_input
Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that none of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

WorkflowActivitiesCombined

Search for activities by name. Returns all supported activities if no filter is specified.

PEP8 method name

search_activities

Endpoint

Method Route
GET /workflows/combined/activities/v1

Required Scope

workflow:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter Service Class Support Uber Class Support query string FQL query specifying filter parameters.
offset Service Class Support Uber Class Support query string Starting pagination offset of records to return.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format.
limit Service Class Support Uber Class Support query integer Maximum number of records to return.
sort Service Class Support Uber Class Support query string Sort items by providing a comma-separated list of property and direction (e.g. name.desc, time.asc). If direction is omitted, defaults to descending.

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.search_activities(filter="string",
                                    offset="string",
                                    limit=integer,
                                    sort="string"
                                    )
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.WorkflowActivitiesCombined(filter="string",
                                             offset="string",
                                             limit=integer,
                                             sort="string"
                                             )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("WorkflowActivitiesCombined",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)

WorkflowExecute

Execute an on-demand workflow. Response will contain the execution ID.

PEP8 method name

execute

Endpoint

Method Route
POST /workflows/entities/execute/v1

Required Scope

workflow:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
definition_id Service Class Support Uber Class Support query string or list of strings Definition ID to execute, either a name or an ID can be specified.
execution_cid Service Class Support Uber Class Support query string or list of strings CID(s) to execute on.
name Service Class Support Uber Class Support query string Workflow name to execute, either a name or an ID can be specified.
key Service Class Support Uber Class Support query string Key used to help deduplicate executions, if unset a new UUID is used
depth Service Class Support Uber Class Support query integer Used to record the execution depth to help limit execution loops when a workflow triggers another. The maximum depth is 4.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format.
source_event_url Service Class Support Uber Class Support query string Used to record a URL to the source that led to triggering this workflow
body Service Class Support Uber Class Support body string Full body payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

workflow_schema = {
    "schema details": "go here"
}

id_list = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']

response = falcon.execute(definition_id=["string", "string"],
                          execution_cid=id_list,
                          name="string",
                          key="string",
                          depth=integer,
                          source_event_url="string",
                          body=workflow_schema
                          )

print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

workflow_schema = {
    "schema details": "go here"
}

id_list = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']

response = falcon.WorkflowExecute(definition_id=["string", "string"],
                                  execution_cid=id_list,
                                  name="string",
                                  key="string",
                                  depth=integer,
                                  source_event_url="string",
                                  body=workflow_schema
                                  )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

workflow_schema = {
    "schema details": "go here"
}

id_list = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']

response = falcon.command("WorkflowExecute",
                          definition_id=["string", "string"],
                          execution_cid=id_list,
                          name="string",
                          key="string",
                          depth=integer,
                          source_event_url="string",
                          body=workflow_schema
                          )

print(response)
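
Added example, not part of the FalconPy documentation: a helper that prepares the keyword arguments for execute so that a retried trigger reuses the same key and a chained trigger cannot exceed the maximum depth of 4, with credentials read from the environment as advised under Passing credentials. The environment variable names, the helper names, the example namespace URL and the convention that a child execution runs at parent depth plus one are assumptions of this example.

```python
import os
import uuid

MAX_DEPTH = 4  # maximum execution depth stated in the keyword table above

# Namespace for this example's keys (constructed value, not a CrowdStrike identifier).
KEY_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/workflow-dedup")


def normalize_cids(execution_cid):
    """Accept 'CID1,CID2' or ['CID1', 'CID2']; return a list without blanks or repeats."""
    if isinstance(execution_cid, str):
        execution_cid = execution_cid.split(",")
    seen, out = set(), []
    for cid in execution_cid or []:
        cid = cid.strip()
        if cid and cid not in seen:
            seen.add(cid)
            out.append(cid)
    return out


def dedup_key(definition_id, source_event_url, cids):
    """Derive a stable key: the same definition, event and CIDs always give the same UUID."""
    material = "|".join([definition_id, source_event_url, ",".join(sorted(cids))])
    return str(uuid.uuid5(KEY_NAMESPACE, material))


def build_execute_kwargs(definition_id, execution_cid, source_event_url, body,
                         parent_depth=0):
    """Build keyword arguments for Workflows.execute().

    parent_depth is the depth of the execution that caused this trigger
    (0 when a person or scheduler started it). Assumption of this example:
    the child runs at parent_depth + 1.
    """
    if not isinstance(parent_depth, int) or parent_depth < 0:
        raise ValueError("parent_depth must be a non-negative integer")
    depth = parent_depth + 1
    if depth > MAX_DEPTH:
        # Stop locally instead of sending a request that continues a trigger loop.
        raise ValueError(f"refusing to trigger: depth {depth} exceeds maximum {MAX_DEPTH}")

    cids = normalize_cids(execution_cid)
    kwargs = {
        "definition_id": definition_id,
        "key": dedup_key(definition_id, source_event_url, cids),
        "depth": depth,
        "source_event_url": source_event_url,
        "body": body,
    }
    if cids:
        kwargs["execution_cid"] = cids
    return kwargs


def run_workflow(kwargs):
    """Call the API with credentials taken from the environment, never from source."""
    from falconpy import Workflows  # imported here so the helpers above run without the SDK

    falcon = Workflows(client_id=os.environ["FALCON_CLIENT_ID"],
                       client_secret=os.environ["FALCON_CLIENT_SECRET"])
    return falcon.execute(**kwargs)


if __name__ == "__main__":
    # Constructed sample input; no request is sent when the block is run directly.
    sample = build_execute_kwargs("definition-id-placeholder",
                                  "CID1, CID2,CID1",
                                  "https://example.invalid/detections/1",
                                  {"schema details": "go here"})
    print(sample)
```

Pass the returned dictionary to run_workflow once FALCON_CLIENT_ID and FALCON_CLIENT_SECRET are set in the environment.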

WorkflowExecuteInternal

Execute an on-demand workflow. Response will contain the execution ID.

PEP8 method name

execute_internal

Endpoint

Method Route
POST /workflows/entities/execute/internal/v1

Required Scope

workflow:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
batch_size Service Class Support Uber Class Support query integer Used to set the size of the batch.
definition_id Service Class Support Uber Class Support query string or list of strings Definition ID to execute, either a name or an ID can be specified.
execution_cid Service Class Support Uber Class Support query string or list of strings CID(s) to execute on.
name Service Class Support Uber Class Support query string Workflow name to execute, either a name or an ID can be specified.
key Service Class Support Uber Class Support query string Key used to help deduplicate executions, if unset a new UUID is used
depth Service Class Support Uber Class Support query integer Used to record the execution depth to help limit execution loops when a workflow triggers another. The maximum depth is 4.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format.
source_event_url Service Class Support Uber Class Support query string Used to record a URL to the source that led to triggering this workflow
body Service Class Support Uber Class Support body string Full body payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

workflow_schema = {
    "schema details": "go here"
}

id_list = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']

response = falcon.execute_internal(batch_size=integer,
                                   definition_id=["string", "string"],
                                   execution_cid=id_list,
                                   name="string",
                                   key="string",
                                   depth=integer,
                                   source_event_url="string",
                                   body=workflow_schema
                                   )
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

workflow_schema = {
    "schema details": "go here"
}

id_list = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']

response = falcon.WorkflowExecuteInternal(batch_size=integer,
                                          definition_id=["string", "string"],
                                          execution_cid=id_list,
                                          name="string",
                                          key="string",
                                          depth=integer,
                                          source_event_url="string",
                                          body=workflow_schema
                                          )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

workflow_schema = {
    "schema details": "go here"
}

id_list = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']

response = falcon.command("WorkflowExecuteInternal",
                          batch_size=integer,
                          definition_id=["string", "string"],
                          execution_cid=id_list,
                          name="string",
                          key="string",
                          depth=integer,
                          source_event_url="string",
                          body=workflow_schema
                          )
print(response)

WorkflowMockExecute

Execute an on-demand workflow with mocks.

PEP8 method name

mock_execute

Endpoint

Method Route
POST /workflows/entities/execute/v1

Required Scope

workflow:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
definition_id Service Class Support Uber Class Support query string or list of strings Definition ID to execute, either a name or an ID can be specified.
execution_cid Service Class Support Uber Class Support query string or list of strings CID(s) to execute on.
name Service Class Support Uber Class Support query string Workflow name to execute, either a name or an ID can be specified.
key Service Class Support Uber Class Support query string Key used to help deduplicate executions, if unset a new UUID is used
depth Service Class Support Uber Class Support query integer Used to record the execution depth to help limit execution loops when a workflow triggers another. The maximum depth is 4.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format.
source_event_url Service Class Support Uber Class Support query string Used to record a URL to the source that led to triggering this workflow
body Service Class Support Uber Class Support body string Full body payload in JSON format containing the schema definition, mocks, and the on demand trigger.
validate_only Service Class Support Uber Class Support query boolean Prevent execution after validating mocks against definition.

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {
    "definition": {
        # Workflow schema goes here
    },
    "mocks": "string",
    "on_demand_trigger": "string"
}

id_list = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']

response = falcon.mock_execute(definition_id=["string", "string"],
                               execution_cid=id_list,
                               name="string",
                               key="string",
                               depth=integer,
                               source_event_url="string",
                               body=body_payload,
                               validate_only=boolean
                               )

print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {
    "definition": {
        # Workflow schema goes here
    },
    "mocks": "string",
    "on_demand_trigger": "string"
}

id_list = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']

response = falcon.WorkflowMockExecute(definition_id=["string", "string"],
                                      execution_cid=id_list,
                                      name="string",
                                      key="string",
                                      depth=integer,
                                      source_event_url="string",
                                      body=body_payload,
                                      validate_only=boolean
                                      )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {
    "definition": {
        # Workflow schema goes here
    },
    "mocks": "string",
    "on_demand_trigger": "string"
}

id_list = 'CID1,CID2,CID3'  # Can also pass a list here: ['CID1', 'CID2', 'CID3']

response = falcon.command("WorkflowMockExecute",
                          definition_id=["string", "string"],
                          execution_cid=id_list,
                          name="string",
                          key="string",
                          depth=integer,
                          source_event_url="string",
                          body=body_payload,
                          validate_only=boolean
                          )
print(response)

WorkflowExecutionsAction

Allows a user to resume/retry a failed workflow execution.

PEP8 method name

execution_action

Endpoint

Method Route
POST /workflows/entities/execution-actions/v1

Required Scope

workflow:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
action_name Service Class Support Uber Class Support query string Specify one of these actions: - resume: resume/retry the workflow execution(s) specified in ids
action_parameters Service Class Support Uber Class Support body list of dictionaries List of actions to perform.
body Service Class Support Uber Class Support body dictionary Full body payload in JSON format. Not required when using other keywords.
ids Service Class Support Uber Class Support body string or list of strings Execution IDs.
name Service Class Support Uber Class Support body (action_parameters) string Action parameter name.
value Service Class Support Uber Class Support body (action_parameters) string Action parameter value.

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.execution_action(action_name="string",
                                   ids="string",
                                   name="string",
                                   value="string"
                                   )

print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.WorkflowExecutionsAction(action_name="string",
                                           ids="string",
                                           name="string",
                                           value="string"
                                           )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {
    "action_parameters": [
        {
            "name": "string",
            "value": "string"
        }
    ],
    "ids": [
        "string"
    ]
}

response = falcon.command("WorkflowExecutionsAction", action_name="string", body=body_payload)

print(response)

WorkflowExecutionResults

Get execution result of a given execution

PEP8 method name

execution_results

Endpoint

Method Route
GET /workflows/entities/execution-results/v1

Required Scope

workflow:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids Service Class Support Uber Class Support query string or list of strings Workflow execution ID to return results for.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.execution_results(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.WorkflowExecutionResults(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("WorkflowExecutionResults", ids=id_list)

print(response)

WorkflowSystemDefinitionsDeProvision

Deprovisions a system definition that was previously provisioned on the target CID.

PEP8 method name

deprovision

Endpoint

Method Route
POST /workflows/system-definitions/deprovision/v1

Required Scope

workflow:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body Service Class Support Uber Class Support body dictionary Full body payload in JSON format. Not required when using other keywords.
definition_id Service Class Support Uber Class Support body string Workflow definition ID.
deprovision_all Service Class Support Uber Class Support body boolean Flag indicating if all workflows should be deprovisioned.
template_id Service Class Support Uber Class Support body string Template ID.
template_name Service Class Support Uber Class Support body string Template name.

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.deprovision(definition_id="string",
                              deprovision_all=boolean,
                              template_id="string",
                              template_name="string",
                              )

print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.WorkflowSystemDefinitionsDeProvision(definition_id="string",
                                                       deprovision_all=boolean,
                                                       template_id="string",
                                                       template_name="string",
                                                       )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {
    "definition_id": "string",
    "deprovision_all": boolean,
    "template_id": "string",
    "template_name": "string"
}

response = falcon.command("WorkflowSystemDefinitionsDeProvision", body=body_payload)

print(response)

WorkflowSystemDefinitionsPromote

Promote a version of a system definition.

Tenant must be already provisioned. This allows the caller to apply an updated template version on a CID and expects all parameters to be supplied. If the template supports multi-instance, the customer scope definition ID must be supplied to determine which customer workflow should be updated.

PEP8 method name

promote

Endpoint

Method Route
POST /workflows/system-definitions/promote/v1

Required Scope

workflow:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
activities Service Class Support Uber Class Support body dictionary Dictionary of workflow activities.
body Service Class Support Uber Class Support body dictionary Full body payload in JSON format. Not required when using other keywords.
conditions Service Class Support Uber Class Support body list of dictionaries List of workflow conditions.
customer_definition_id Service Class Support Uber Class Support body string Customer definition ID.
name Service Class Support Uber Class Support body string Name of the workflow.
parameters Service Class Support Uber Class Support body dictionary Overrides specified activities, conditions and trigger keywords.
template_id Service Class Support Uber Class Support body string Template ID.
template_name Service Class Support Uber Class Support body string Template name.
template_version Service Class Support Uber Class Support body string Template version.
trigger Service Class Support Uber Class Support body dictionary Workflow trigger definition.

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

activities = {
    "configuration": [
        {
            "node_id": "string",
            "properties": {}
        }
    ],
    "selection": [
        {
            "id": "string",
            "properties": {},
            "source": "string"
        }
    ]
}
conditions = [
    {
        "fields": [
            {
                "name": "string",
                "operator": "string"
            }
        ],
        "node_id": "string"
    }
]
trigger = {
    "fields": {},
    "node_id": "string"
}

response = falcon.promote(activities=activities,
                          conditions=conditions,
                          customer_definition_id="string",
                          name="string",
                          template_id="string",
                          template_name="string",
                          template_version="string",
                          trigger=trigger
                          )

print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

activities = {
    "configuration": [
        {
            "node_id": "string",
            "properties": {}
        }
    ],
    "selection": [
        {
            "id": "string",
            "properties": {},
            "source": "string"
        }
    ]
}
conditions = [
    {
        "fields": [
            {
                "name": "string",
                "operator": "string"
            }
        ],
        "node_id": "string"
    }
]
trigger = {
    "fields": {},
    "node_id": "string"
}

response = falcon.WorkflowSystemDefinitionsPromote(activities=activities,
                                                   conditions=conditions,
                                                   customer_definition_id="string",
                                                   name="string",
                                                   template_id="string",
                                                   template_name="string",
                                                   template_version="string",
                                                   trigger=trigger
                                                   )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

activities = {
    "configuration": [
        {
            "node_id": "string",
            "properties": {}
        }
    ],
    "selection": [
        {
            "id": "string",
            "properties": {},
            "source": "string"
        }
    ]
}
conditions = [
    {
        "fields": [
            {
                "name": "string",
                "operator": "string"
            }
        ],
        "node_id": "string"
    }
]
trigger = {
    "fields": {},
    "node_id": "string"
}
body_payload = {
    "customer_definition_id": "string",
    "name": "string",
    "parameters": {
        "activities": activities,
        "conditions": conditions,
        "trigger": trigger
    },
    "template_id": "string",
    "template_name": "string",
    "template_version": "string"
}

response = falcon.command("WorkflowSystemDefinitionsPromote", body=body_payload)

print(response)

WorkflowSystemDefinitionsProvision

Provisions a system definition onto the target CID by using the template and provided parameters.

PEP8 method name

provision

Endpoint

Method Route
POST /workflows/system-definitions/provision/v1

Required Scope

workflow:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
activities Service Class Support Uber Class Support body dictionary Dictionary of workflow activities.
body Service Class Support Uber Class Support body dictionary Full body payload in JSON format. Not required when using other keywords.
conditions Service Class Support Uber Class Support body list of dictionaries List of workflow conditions.
customer_definition_id Service Class Support Uber Class Support body string Customer definition ID.
name Service Class Support Uber Class Support body string Workflow name.
parameters Service Class Support Uber Class Support body dictionary Overrides specified activities, conditions and trigger keywords.
template_id Service Class Support Uber Class Support body string Template ID.
template_name Service Class Support Uber Class Support body string Template name.
template_version Service Class Support Uber Class Support body string Template version.
trigger Service Class Support Uber Class Support body dictionary Workflow trigger definition.

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

activities = {
    "configuration": [
        {
            "node_id": "string",
            "properties": {}
        }
    ],
    "selection": [
        {
            "id": "string",
            "properties": {},
            "source": "string"
        }
    ]
}
conditions = [
    {
        "fields": [
            {
                "name": "string",
                "operator": "string"
            }
        ],
        "node_id": "string"
    }
]
trigger = {
    "fields": {},
    "node_id": "string"
}

response = falcon.provision(activities=activities,
                            conditions=conditions,
                            customer_definition_id="string",
                            name="string",
                            template_id="string",
                            template_name="string",
                            template_version="string",
                            trigger=trigger
                            )

print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

activities = {
    "configuration": [
        {
            "node_id": "string",
            "properties": {}
        }
    ],
    "selection": [
        {
            "id": "string",
            "properties": {},
            "source": "string"
        }
    ]
}
conditions = [
    {
        "fields": [
            {
                "name": "string",
                "operator": "string"
            }
        ],
        "node_id": "string"
    }
]
trigger = {
    "fields": {},
    "node_id": "string"
}

response = falcon.WorkflowSystemDefinitionsProvision(activities=activities,
                                                     conditions=conditions,
                                                     customer_definition_id="string",
                                                     name="string",
                                                     template_id="string",
                                                     template_name="string",
                                                     template_version="string",
                                                     trigger=trigger
                                                     )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

activities = {
    "configuration": [
        {
            "node_id": "string",
            "properties": {}
        }
    ],
    "selection": [
        {
            "id": "string",
            "properties": {},
            "source": "string"
        }
    ]
}
conditions = [
    {
        "fields": [
            {
                "name": "string",
                "operator": "string"
            }
        ],
        "node_id": "string"
    }
]
trigger = {
    "fields": {},
    "node_id": "string"
}
body_payload = {
    "customer_definition_id": "string",
    "name": "string",
    "parameters": {
        "activities": activities,
        "conditions": conditions,
        "trigger": trigger
    },
    "template_id": "string",
    "template_name": "string",
    "template_version": "string"
}

response = falcon.command("WorkflowSystemDefinitionsProvision", body=body_payload)

print(response)

WorkflowDefinitionsCombined

Search workflow definitions based on the provided filter.

PEP8 method name

search_definitions

Endpoint

Method Route
GET /workflows/combined/definitions/v1

Required Scope

workflow:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | Service Class Support | Uber Class Support | query | string | FQL query specifying filter parameters. |
| offset | Service Class Support | Uber Class Support | query | string | Starting pagination offset of records to return. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| limit | Service Class Support | Uber Class Support | query | integer | Maximum number of records to return. |
| sort | Service Class Support | Uber Class Support | query | string | Sort items by providing a comma separated list of property and direction (eg name.desc, time.asc). If direction is omitted, defaults to descending. |

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.search_definitions(filter="string",
                                     offset="string",
                                     limit=integer,
                                     sort="string"
                                     )
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.WorkflowDefinitionsCombined(filter="string",
                                              offset="string",
                                              limit=integer,
                                              sort="string"
                                              )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("WorkflowDefinitionsCombined",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)

WorkflowExecutionsCombined

Search workflow executions based on the provided filter.

PEP8 method name

search_executions

Endpoint

Method Route
GET /workflows/combined/executions/v1

Required Scope

workflow:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | Service Class Support | Uber Class Support | query | string | FQL query specifying filter parameters. |
| offset | Service Class Support | Uber Class Support | query | string | Starting pagination offset of records to return. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| limit | Service Class Support | Uber Class Support | query | integer | Maximum number of records to return. |
| sort | Service Class Support | Uber Class Support | query | string | Sort items by providing a comma separated list of property and direction (eg name.desc, time.asc). If direction is omitted, defaults to descending. |

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.search_executions(filter="string",
                                    offset="string",
                                    limit=integer,
                                    sort="string"
                                    )
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.WorkflowExecutionsCombined(filter="string",
                                             offset="string",
                                             limit=integer,
                                             sort="string"
                                             )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("WorkflowExecutionsCombined",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)

WorkflowTriggersCombined

Search for triggers by namespaced identifier, i.e. FalconAudit, Detection, or FalconAudit/Detection/Status. Returns all triggers if no filter is specified.

PEP8 method name

search_triggers

Endpoint

Method Route
GET /workflows/combined/triggers/v1

Required Scope

workflow:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | Service Class Support | Uber Class Support | query | string | FQL query specifying filter parameters. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.search_triggers(filter="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.WorkflowTriggersCombined(filter="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("WorkflowTriggersCombined", filter="string")

print(response)

WorkflowDefinitionsExport

Exports a workflow definition for the given definition ID.

PEP8 method name

export_definition

Endpoint

Method Route
GET /workflows/entities/definitions/export/v1

Required Scope

workflow:read

Content-Type

  • Consumes: application/json
  • Produces: application/yaml

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| id | Service Class Support | Uber Class Support | query | string | ID of workflow definitions to return details for. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| sanitize | Service Class Support | Uber Class Support | query | boolean | Sanitize PII from workflow before it is exported. |

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.export_definition(id="string", sanitize=boolean)

print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.WorkflowDefinitionsExport(id="string", sanitize=boolean)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("WorkflowDefinitionsExport", id="string", sanitize=boolean)

print(response)

WorkflowDefinitionsImport

Imports a workflow definition based on the provided model.

PEP8 method name

import_definition

Endpoint

Method Route
POST /workflows/entities/definitions/import/v1

Required Scope

workflow:write

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| data_file | Service Class Support | Uber Class Support | formData | file | A workflow definition in YAML format to import. |
| name | Service Class Support | Uber Class Support | query | string | Workflow name to override. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| validate_only | Service Class Support | Uber Class Support | query | boolean | When enabled, prevents saving workflow after validating. |

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

with open("filename.yml", "r") as yaml_file:
    response = falcon.import_definition(name="string", validate_only=boolean, data_file=yaml_file)

print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

with open("filename.yml", "r") as yaml_file:
    response = falcon.WorkflowDefinitionsImport(name="string",
                                                validate_only=boolean,
                                                data_file=yaml_file
                                                )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("filename.yml", "r") as yaml_file:
    response = falcon.command("WorkflowDefinitionsImport",
                              name="string",
                              validate_only=boolean,
                              data_file=yaml_file
                              )
print(response)
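
The export and import operations above combine into a dry-run gate for copying a workflow between tenants: export with sanitize=True, import with validate_only=True, and save only if validation comes back clean. This is an added example, not FalconPy's own code. Assumptions: a successful export returns the raw YAML (bytes or str), a failed call returns the usual dictionary with status_code and body.errors, and data_file accepts a file-like object as in the usage examples; promote_definition, response_errors, ImportRejected and FakeTenant are hypothetical names, and FakeTenant is a constructed offline stand-in for a Workflows client.

```python
"""Added example: dry-run gate for copying a workflow definition between tenants."""
import io


class ImportRejected(Exception):
    """The export failed or the validate-only import reported errors."""


def response_errors(response):
    """Errors from a FalconPy-style dict response; an empty list means clean."""
    if not isinstance(response, dict):
        return [{"message": "unexpected response type"}]
    errors = (response.get("body") or {}).get("errors") or []
    status = response.get("status_code", 0)
    if not errors and not 200 <= status < 300:
        errors = [{"message": f"HTTP {status}"}]
    return errors


def promote_definition(source, target, definition_id, name=None):
    """Export sanitized, validate on the target, and only then import for real."""
    exported = source.export_definition(id=definition_id, sanitize=True)
    if isinstance(exported, dict):  # assumption: failures come back as a JSON dict
        raise ImportRejected(response_errors(exported))
    # assumption: a successful export is the raw YAML document (bytes or str)
    yaml_text = exported.decode("utf-8") if isinstance(exported, bytes) else exported

    extra = {"name": name} if name else {}
    # Pass 1: validate_only=True checks the definition without saving it.
    check = target.import_definition(data_file=io.StringIO(yaml_text),
                                     validate_only=True, **extra)
    if response_errors(check):
        raise ImportRejected(response_errors(check))
    # Pass 2: import exactly the text that passed validation.
    return target.import_definition(data_file=io.StringIO(yaml_text),
                                    validate_only=False, **extra)


class FakeTenant:
    """Constructed offline stand-in for a falconpy Workflows client."""

    def __init__(self, definitions=None):
        self.definitions = definitions or {}
        self.saved = []   # YAML documents actually imported
        self.calls = []   # record of export and import calls, in order

    def export_definition(self, id, sanitize=False):
        if id not in self.definitions:
            return {"status_code": 404, "body": {"errors": [{"message": "not found"}]}}
        self.calls.append(("export", sanitize))
        return self.definitions[id].encode("utf-8")

    def import_definition(self, data_file, validate_only=False, name=None):
        text = data_file.read()
        self.calls.append((validate_only, name))
        if "trigger:" not in text:  # constructed validation rule for the demo
            return {"status_code": 400, "body": {"errors": [{"message": "no trigger"}]}}
        if not validate_only:
            self.saved.append(text)
        return {"status_code": 200, "body": {"errors": [], "resources": []}}
```

With real clients, source and target would be two Workflows instances authenticated to different tenants; the source needs only workflow:read, while the target needs workflow:write.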

WorkflowDefinitionsUpdate

Updates a workflow definition based on the provided model.

PEP8 method name

WorkflowDefinitionsUpdate

Endpoint

Method Route
PUT /workflows/entities/definitions/v1

Required Scope

workflow:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Service Class Support | Uber Class Support | body | dictionary | Full workflow definition with all parameters in JSON format. |
| change_log | Service Class Support | Uber Class Support | body | string | Workflow revision change log comment. |
| definition | Service Class Support | Uber Class Support | body | dictionary | Workflow definition parameters. |
| flight_control | Service Class Support | Uber Class Support | body | dictionary | Workflow flight control functionality definitions. |
| id | Service Class Support | Uber Class Support | body | dictionary | Workflow ID to update. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| validate_only | Service Class Support | Uber Class Support | query | boolean | When enabled, prevents saving workflow after validating. |

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

workflow_definition = {
    "Workflow definition in JSON format"
}
fc_params = {
    "all_cids": boolean,
    "excluded_cids": [
        "string"
    ],
    "include_parent_cid": boolean,
    "selected_cids": [
        "string"
    ]
}

response = falcon.WorkflowDefinitionsUpdate(change_log="string",
                                            definition=workflow_definition,
                                            flight_control=fc_params,
                                            id="string",
                                            validate_only=boolean
                                            )
print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

workflow_definition = {
    "Workflow definition in JSON format"
}
fc_params = {
    "all_cids": boolean,
    "excluded_cids": [
        "string"
    ],
    "include_parent_cid": boolean,
    "selected_cids": [
        "string"
    ]
}
response = falcon.WorkflowDefinitionsUpdate(change_log="string",
                                            definition=workflow_definition,
                                            flight_control=fc_params,
                                            id="string",
                                            validate_only=boolean
                                            )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

workflow_definition = {
    "Workflow definition in JSON format"
}
fc_params = {
    "all_cids": boolean,
    "excluded_cids": [
        "string"
    ],
    "include_parent_cid": boolean,
    "selected_cids": [
        "string"
    ]
}
body_payload = {
    "Definition": workflow_definition,
    "change_log": "string",
    "enabled": boolean,
    "flight_control": fc_params,
    "id": "string"
}
response = falcon.command("WorkflowDefinitionsUpdate", body=body_payload)

print(response)

WorkflowGetHumanInputV1

Gets one or more specific human inputs by their IDs.

PEP8 method name

get_human_input

Endpoint

Method Route
GET /workflows/entities/human-inputs/v1

Required Scope

workflow:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Service Class Support | Uber Class Support | query | string or list of strings | ID(s) of human inputs to retrieve. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_human_input(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.WorkflowGetHumanInputV1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("WorkflowGetHumanInputV1", ids=id_list)

print(response)

WorkflowUpdateHumanInputV1

Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted.

PEP8 method name

update_human_input

Endpoint

Method Route
PATCH /workflows/entities/human-inputs/v1

Required Scope

workflow:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Service Class Support | Uber Class Support | body | dictionary | Full body payload in JSON format. |
| id | Service Class Support | Uber Class Support | query | string | ID of human input to provide an input to. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format. |
| input | Service Class Support | Uber Class Support | body | string | Input value. |
| note | Service Class Support | Uber Class Support | body | string | Input note. |

Usage

Service class example (PEP8 syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.update_human_input(id="string", input="string", note="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import Workflows

# Do not hardcode API credentials!
falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.WorkflowUpdateHumanInputV1(id="string", input="string", note="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "input": "string",
    "note": "string"
}

response = falcon.command("WorkflowUpdateHumanInputV1", id="string", body=body_payload)

print(response)
