Using the Drift Indicators service collection

Documentation Version

Operation ID

Description

GetDriftIndicatorsValuesByDate
PEP8	get_drift_indicators_by_date

Returns the count of Drift Indicators by the date. by default it's for 7 days.

ReadDriftIndicatorsCount
PEP8	read_drift_indicator_counts

Returns the total count of Drift indicators over a time period

SearchAndReadDriftIndicatorEntities
PEP8	search_and_read_drift_indicators

Retrieve Drift Indicators by the provided search criteria

SearchDriftIndicators
PEP8	search_drift_indicators

Retrieve all drift indicators that match the given query

GetDriftIndicatorsValuesByDate

Returns the count of Drift Indicators by the date. by default it's for 7 days.

PEP8 method name

get_drift_indicators_by_date

Endpoint

Method	Route
	`/container-security/aggregates/drift-indicators/count-by-date/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	Filter drift indicators using a query in Falcon Query Language (FQL). Supported filters: cid,cloud_name,command_line,container_id,file_name,file_sha256,host_id,indicator_process_id,namespace,occurred_at,parent_process_id,pod_name,prevented,scheduler_name,severity,worker_node_name
limit			query	integer	The upper-bound on the number of records to retrieve.

Usage

Service class example (PEP8 syntax)

from falconpy import DriftIndicators

# Do not hardcode API credentials!
falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.get_drift_indicators_by_date(filter="string", limit=integer)

print(response)

Service class example (Operation ID syntax)

from falconpy import DriftIndicators

# Do not hardcode API credentials!
falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.GetDriftIndicatorsValuesByDate(filter="string", limit=integer)

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetDriftIndicatorsValuesByDate",
                          filter="string",
                          limit="string
                          )
print(response)

ReadDriftIndicatorsCount

Returns the total count of Drift indicators over a time period

PEP8 method name

read_drift_indicator_counts

Endpoint

Method	Route
	`/container-security/aggregates/drift-indicators/count/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	Filter images using a query in Falcon Query Language (FQL). Supported filters: cid,cloud_name,command_line,container_id,file_name,file_sha256,host_id,indicator_process_id,namespace,occurred_at,parent_process_id,pod_name,prevented,scheduler_name,severity,worker_node_name

Usage

Service class example (PEP8 syntax)

from falconpy import DriftIndicators

# Do not hardcode API credentials!
falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.read_drift_indicator_counts(filter="string")

print(response)

Service class example (Operation ID syntax)

from falconpy import DriftIndicators

# Do not hardcode API credentials!
falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.ReadDriftIndicatorsCount(filter="string")

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ReadDriftIndicatorsCount", filter="string")

print(response)

SearchAndReadDriftIndicatorEntities

Retrieve Drift Indicators by the provided search criteria

PEP8 method name

search_and_read_drift_indicators

Endpoint

Method	Route
	`/container-security/combined/drift-indicators/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
filter	query	string	Filter Drift Indicators using a query in Falcon Query Language (FQL). Supported filters: cid, cloud_name, command_line, container_id, file_name, file_sha256, host_id, indicator_process_id, namespace, occurred_at, parent_process_id, pod_name, prevented, scheduler_name, severity, worker_node_name
limit	query	integer	The upper-bound on the number of records to retrieve.
offset	query	integer	The offset from where to begin.
sort	query	string	The fields to sort the records on.

Usage

Service class example (PEP8 syntax)

from falconpy import DriftIndicators

# Do not hardcode API credentials!
falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.search_and_read_drift_indicators(filter="string",
                                                   limit=integer,
                                                   offset=integer,
                                                   sort="string"
                                                   )
print(response)

Service class example (Operation ID syntax)

from falconpy import DriftIndicators

# Do not hardcode API credentials!
falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.SearchAndReadDriftIndicatorEntities(filter="string",
                                                      limit=integer,
                                                      offset=integer,
                                                      sort="string"
                                                      )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("SearchAndReadDriftIndicatorEntities",
                          filter="string",
                          limit=integer,
                          offset=integer,
                          sort="string"
                          )
print(response)

SearchDriftIndicators

Retrieve all drift indicators that match the given query

PEP8 method name

search_drift_indicators

Endpoint

Method	Route
	`/container-security/queries/drift-indicators/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
filter	query	string	Filter Drift Indicators using a query in Falcon Query Language (FQL). Supported filters: cid, cloud_name, command_line, container_id, file_name, file_sha256, host_id, indicator_process_id, namespace, occurred_at, parent_process_id, pod_name, prevented, scheduler_name, severity, worker_node_name
limit	query	integer	The upper-bound on the number of records to retrieve.
offset	query	integer	The offset from where to begin.
sort	query	string	The fields to sort the records on.

Usage

Service class example (PEP8 syntax)

from falconpy import DriftIndicators

# Do not hardcode API credentials!
falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.search_drift_indicators(filter="string",
                                          limit=integer,
                                          offset=integer,
                                          sort="string"
                                          )
print(response)

Service class example (Operation ID syntax)

from falconpy import DriftIndicators

# Do not hardcode API credentials!
falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.SearchDriftIndicators(filter="string",
                                        limit=integer,
                                        offset=integer,
                                        sort="string"
                                        )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("SearchDriftIndicators", 
                          filter="string",
                          limit=integer,
                          offset=integer,
                          sort="string"
                          )
print(response)

The CrowdStrike Falcon Wiki for Python

Using the Drift Indicators service collection

Table of Contents

GetDriftIndicatorsValuesByDate

PEP8 method name

Endpoint

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

ReadDriftIndicatorsCount

PEP8 method name

Endpoint

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

SearchAndReadDriftIndicatorEntities

PEP8 method name

Endpoint

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

SearchDriftIndicators

PEP8 method name

Endpoint

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example