FalconPy - The CrowdStrike Falcon SDK for Python

The FalconPy SDK contains a collection of Python classes that abstract CrowdStrike Falcon OAuth2 API interaction, removing duplicative code and allowing developers to focus on just the logic of their solution requirements.

• Overview
• Quick Start
• Documentation and Support
• Contribute to FalconPy

Overview 🔎

There are many CrowdStrike Falcon API service collections collectively containing hundreds of individual operations, all of which are accessible to your project via FalconPy.

The CrowdStrike Falcon SDK for Python completely abstracts token management, while also supporting interaction with all CrowdStrike regions, custom connection and response timeouts, routing requests through a list of proxies, disabling SSL verification, and custom header configuration.

If the CrowdStrike APIs were rings of great power, that the Dark Lord Sauron gifted to the kings of dwarves, elves and men, then CrowdStrike's FalconPy would be the One Ring.

"One SDK to rule them all, One SDK to find them, One SDK to bring them all and in the darkness bind them."

Supported versions of Python

The CrowdStrike Falcon SDK for Python was developed for Python 3. Current versions of FalconPy provide support for Python versions 3.7 - 3.13. Every commit to the FalconPy code base is unit tested for functionality using all versions of Python the library currently supports.

[!NOTE] Developers working with Python version 3.6 will need to leverage versions of FalconPy less than 1.4.0.

Supported Operating Systems

The FalconPy SDK is unit tested on the following operating systems.

FalconPy will also run on any of the following operating systems.

Details regarding supported operating systems and Python versions, and project security and testing procedures can be found here.

Components

The FalconPy SDK provides two distinct methods for interacting with CrowdStrike's API.

| Service Classes | The Uber Class | | :-- | :-- | |
| | | Each Service Class represents a single CrowdStrike API service collection providing an interface to the operations available within that service collection.| An all-in-one class that provides a singular interface for all operations in every CrowdStrike API service collection. |

Service Classes

Representing a single CrowdStrike Falcon API service collection, each Service Class has a method defined for every operation available within that service collection.

Available Service Classes

For each CrowdStrike Falcon API service collection, a matching Service Class is available in the FalconPy library. For a complete list of service collections and their related Service Class, please review the Operations by Collection page on falconpy.io.

Service Class benefits

• Closely follows Python and OpenAPI best practice for code style and syntax. PEP-8 compliant.
• Completely abstracts token management, automatically refreshing your token when it expires.
• Interact with newly released API operations not yet available in the library via the override method.
• Provides simple programmatic patterns for interacting with CrowdStrike Falcon APIs.
• Supports cloud region autodiscovery for the CrowdStrike US-1, US-2 and EU-1 regions.
• Supports dynamic configuration based upon the needs of your environment.
• Supports CrowdStrike Falcon API parameter abstraction functionality.
• Supports CrowdStrike Falcon API body payload abstraction functionality.

The Uber Class

Operating as a single harness for interacting with the entire CrowdStrike Falcon API, the Uber Class can access every available operation within every API service collection.

Uber Class benefits

• Access every CrowdStrike Falcon API service collection with only one import and only one class.
• Completely abstracts token management, automatically refreshing your token when it expires.
• Interact with newly released API operations not yet available in the library via the override keyword.
• Provides simple programmatic patterns for interacting with CrowdStrike Falcon APIs.
• Supports cloud region autodiscovery for the CrowdStrike US-1, US-2 and EU-1 regions.
• Supports CrowdStrike Falcon API parameter abstraction functionality.
• Supports all environment configuration options supported by FalconPy Service Classes.

Comparing FalconPy class types

While the usage syntax varies slightly, the Uber Class provides the same performance and output as FalconPy Service Classes, and can perform all of the same operations. The Uber Class does not support body payload abstraction.

Quick Start 💫

Stable releases of FalconPy are available on the Python Package Index. In a terminal, execute the following command:

shell python3 -m pip install crowdstrike-falconpy

Once installed, you can immediately begin using CrowdStrike functionality in your Python projects.

```python """CrowdStrike FalconPy Quick Start.""" import os from falconpy import Hosts

Use the API Clients and Keys page within your Falcon console to generate credentials.

You will need to assign the Hosts: READ scope to your client to run this example.

CrowdStrike does not recommend you hardcode credentials within source code.

Instead, provide these values as variables that are retrieved from the environment,

read from an encrypted file or secrets store, provided at runtime, etc.

hosts = Hosts(clientid=os.getenv("FALCONCLIENTID"), clientsecret=os.getenv("FALCONCLIENTSECRET") )

While this example retrieves credentials from the environment as the variables

"FALCONCLIENTID" and "FALCONCLIENTSECRET". Developers leveraging environment

authentication do not need to specify the clientid or clientsecret keywords.

hosts = Hosts()

SEARCH_FILTER = "hostname-search-string"

Retrieve a list of hosts that have a hostname that matches our search filter

hostssearchresult = hosts.querydevicesbyfilter(filter=f"hostname:'{SEARCHFILTER}*'")

Confirm we received a success response back from the CrowdStrike API

if hostssearchresult["statuscode"] == 200: hostsfound = hostssearchresult["body"]["resources"] # Confirm our search produced results if hostsfound: # Retrieve the details for all matches hostsdetail = hosts.getdevicedetails(ids=hostsfound)["body"]["resources"] for detail in hostsdetail: # Display the AID and hostname for this match aid = detail["deviceid"] hostname = detail["hostname"] print(f"{hostname} ({aid})") else: print("No hosts found matching that hostname within your Falcon tenant.") else: # Retrieve the details of the error response errordetail = hostssearchresult["body"]["errors"] for error in errordetail: # Display the API error detail errorcode = error["code"] errormessage = error["message"] print(f"[Error {errorcode}] {error_message}") ```

More samples

If you are interested in reviewing more examples of FalconPy usage, this repository also maintains a collection of samples to help get you started with integrating CrowdStrike Falcon into your DevOps processes.

Documentation and Support 📖

FalconPy is a community-driven, open source project designed to assist developers in leveraging the power of CrowdStrike APIs within their solutions. While not a formal CrowdStrike product, FalconPy is maintained by CrowdStrike and supported in partnership with the open source developer community.

Official Project Documentation: falconpy.io

Extended documentation is also available via the wiki for this repository.

Issues and Questions

Is something going wrong? 🔥

GitHub Issues are used to report bugs and errors.

Have a question you can't find answered in the documentation?

Please submit usage questions to the Q&A section of our discussion board.

Community forums

The discussion board for this repository also provides the community with means to communicate regarding enhancements ideas, integration examples and new releases.

More information regarding FalconPy documentation and support can be found here.

Contribute to FalconPy ☕

Interested in being acknowledged as a member of an elite community of security-focused Python developers that stop breaches?

There are many ways you can contribute to the FalconPy project!

• Providing feedback by opening a GitHub ticket. Even a fly-by "hey, this worked..." is appreciated and helps validate approaches. Ideas on improving the project are most welcome.
• Documenting, blogging, or creating videos, of how you've used FalconPy. This type of content is invaluable and helps our community grow. Post these in the Show and Tell category of our discussion board.
• Submit a sample demonstrating how you're using FalconPy by opening a pull request for inclusion in the Samples Library.
• Fix a bug or implement a new feature. Check out our open issues on GitHub or our discussion board for inspiration.
• Review pull requests by going through the queue of open pull requests on GitHub and giving feedback to the authors.

To get started, review the Code of Conduct for community guidelines, and the contribution guide for more detail regarding contributing to the CrowdStrike FalconPy project.

WE STOP BREACHES