Skip to content

Container Detections

Joshua Hiller edited this page Dec 10, 2024 · 5 revisions

CrowdStrike Falcon CrowdStrike Subreddit

Using the Container Detections service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation ID Description
GetRuntimeDetectionsCombinedV2
PEP8 search_runtime_detections
Retrieve image assessment detections identified by the provided filter criteria.
ReadDetectionsCountBySeverity
PEP8 read_detection_counts_by_severity
Aggregate counts of detections by severity.
ReadDetectionsCountByType
PEP8 read_detections_count_by_type
Aggregate counts of detections by detection type.
ReadDetectionsCount
PEP8 read_detections_count
Aggregate count of detections.
ReadCombinedDetections
PEP8 read_combined_detections
Retrieve image assessment detections identified by the provided filter criteria.
ReadDetections
PEP8 read_detections
Retrieve image assessment detection entities identified by the provided filter criteria.
SearchDetections
PEP8 search_detections
Retrieve image assessment detection entities identified by the provided filter criteria.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

GetRuntimeDetectionsCombinedV2

Retrieve image assessment detections identified by the provided filter criteria.

PEP8 method name

search_runtime_detections

Endpoint

Method Route
GET /container-security/combined/runtime-detections/v2

Required Scope

falcon-container-image:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter container runtime detections using a query in Falcon Query Language (FQL). Supported filters: action_taken, aid, cid, cloud, cluster_name, command_line, computer_name, container_id, detect_timestamp, detection_description, detection_id, file_name, file_path, host_id, host_type, image_id, name, namespace, pod_name, severity, tactic
limit
Service Class Support

Uber Class Support
query integer The upper-bound on the number of records to retrieve.
offset
Service Class Support

Uber Class Support
query integer The offset from where to begin.
parameters Service Class Support
Uber Class Support query dictionary Full query string parameters payload in JSON format. Not required if using other keywords.
sort
Service Class Support

Uber Class Support
query string The fields to sort the records on. Supported fields: containers_impacted, detection_name, detection_severity, detection_type, images_impacted, last_detected

Usage

Service class example (PEP8 syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.search_runtime_detections(filter="string",
                                            limit=integer,
                                            offset=integer,
                                            sort="string"
                                            )
print(response)
Service class example (Operation ID syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.GetRuntimeDetectionsCombinedV2(filter="string",
                                                 limit=integer,
                                                 offset=integer,
                                                 sort="string"
                                                 )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetRuntimeDetectionsCombinedV2",
                          filter="string",
                          limit=integer,
                          offset=integer,
                          sort="string"
                          )
print(response)

ReadDetectionsCountBySeverity

Aggregate counts of detections by severity

PEP8 method name

read_detection_counts_by_severity

Endpoint

Method Route
GET /container-security/aggregates/detections/count-by-severity/v1

Required Scope

falcon-container-image:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter images using a query in Falcon Query Language (FQL). Supported filters: cid,container_id,detection_type,id,image_digest,image_id,image_registry,image_repository,image_tag,name,severity
parameters Service Class Support
Uber Class Support query dictionary Full query string parameters payload in JSON format. Not required if using other keywords.

Usage

Service class example (PEP8 syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.read_detection_counts_by_severity(filter="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.ReadDetectionsCountBySeverity(filter="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ReadDetectionsCountBySeverity", filter="string")

print(response)

ReadDetectionsCountByType

Aggregate counts of detections by detection type

PEP8 method name

read_detections_count_by_type

Endpoint

Method Route
GET /container-security/aggregates/detections/count-by-type/v1

Required Scope

falcon-container-image:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter images using a query in Falcon Query Language (FQL). Supported filters: cid,container_id,detection_type,id,image_digest,image_id,image_registry,image_repository,image_tag,name,severity
parameters Service Class Support
Uber Class Support query dictionary Full query string parameters payload in JSON format. Not required if using other keywords.

Usage

Service class example (PEP8 syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.read_detections_count_by_type(filter="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.ReadDetectionsCountByType(filter="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ReadDetectionsCountByType", filter="string")

print(response)

ReadDetectionsCount

Aggregate count of detections

PEP8 method name

read_detections_count

Endpoint

Method Route
GET /container-security/aggregates/detections/count/v1

Required Scope

falcon-container-image:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter images using a query in Falcon Query Language (FQL). Supported filters: cid,container_id,detection_type,id,image_digest,image_id,image_registry,image_repository,image_tag,name,severity
parameters Service Class Support
Uber Class Support query dictionary Full query string parameters payload in JSON format. Not required if using other keywords.

Usage

Service class example (PEP8 syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.read_detections_count(filter="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.ReadDetectionsCount(filter="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ReadDetectionsCount", filter="string")

print(response)

ReadCombinedDetections

Retrieve image assessment detections identified by the provided filter criteria

PEP8 method name

read_combined_detections

Endpoint

Method Route
GET /container-security/combined/detections/v1

Required Scope

falcon-container-image:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter images using a query in Falcon Query Language (FQL). Supported filters: cid,container_id,detection_type,id,image_digest,image_id,image_registry,image_repository,image_tag,name,severity
limit
Service Class Support

Uber Class Support
query integer The upper-bound on the number of records to retrieve.
offset
Service Class Support

Uber Class Support
query integer The offset from where to begin.
parameters Service Class Support
Uber Class Support query dictionary Full query string parameters payload in JSON format. Not required if using other keywords.
sort
Service Class Support

Uber Class Support
query string The fields to sort the records on. Supported columns: [containers_impacted detection_name detection_severity detection_type images_impacted last_detected]

Usage

Service class example (PEP8 syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.read_combined_detections(filter="string",
                                           limit=integer,
                                           offset=integer,
                                           sort="string"
                                           )
print(response)
Service class example (Operation ID syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.ReadCombinedDetections(filter="string",
                                         limit=integer,
                                         offset=integer,
                                         sort="string"
                                         )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ReadCombinedDetections",
                          filter="string",
                          limit=integer,
                          offset=integer,
                          sort="string"
                          )
print(response)

ReadDetections

Retrieve image assessment detection entities identified by the provided filter criteria

PEP8 method name

read_detections

Endpoint

Method Route
GET /container-security/entities/detections/v1

Required Scope

falcon-container-image:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter images using a query in Falcon Query Language (FQL). Supported filters: cid,detection_type,image_registry,image_repository,image_tag
limit
Service Class Support

Uber Class Support
query integer The upper-bound on the number of records to retrieve.
offset
Service Class Support

Uber Class Support
query integer The offset from where to begin.
parameters Service Class Support
Uber Class Support query dictionary Full query string parameters payload in JSON format. Not required if using other keywords.

Usage

Service class example (PEP8 syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.read_detections(filter="string",
                                  limit=integer,
                                  offset=integer
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.ReadDetections(filter="string",
                                 limit=integer,
                                 offset=integer
                                 )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ReadDetections",
                          filter="string",
                          limit=integer,
                          offset=integer
                          )

print(response)

SearchDetections

Retrieve image assessment detection entities identified by the provided filter criteria

PEP8 method name

search_detections

Endpoint

Method Route
GET /container-security/queries/detections/v1

Required Scope

falcon-container-image:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string Filter images using a query in Falcon Query Language (FQL). Supported filters: cid,container_id,detection_type,id,image_digest,image_id,image_registry,image_repository,image_tag,name,severity
limit
Service Class Support

Uber Class Support
query integer The upper-bound on the number of records to retrieve.
offset
Service Class Support

Uber Class Support
query integer The offset from where to begin.
parameters Service Class Support
Uber Class Support query dictionary Full query string parameters payload in JSON format. Not required if using other keywords.

Usage

Service class example (PEP8 syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.search_detections(filter="string",
                                    limit=integer,
                                    offset=integer
                                    )
print(response)
Service class example (Operation ID syntax)
from falconpy import ContainerDetections

# Do not hardcode API credentials!
falcon = ContainerDetections(client_id=CLIENT_ID,
                             client_secret=CLIENT_SECRET
                             )

response = falcon.SearchDetections(filter="string",
                                   limit=integer,
                                   offset=integer
                                   )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("SearchDetections",
                          filter="string",
                          limit=integer,
                          offset=integer
                          )
print(response)

CrowdStrike Falcon

Clone this wiki locally