# Real Time Response
This service collection has code examples posted to the repository.
| Operation ID | Description |
| --- | --- |
| RTR_AggregateSessions | Get aggregates on session data. |
| BatchActiveResponderCmd | Batch executes a RTR active-responder command across the hosts mapped to the given batch ID. |
| BatchCmd | Batch executes a RTR read-only command across the hosts mapped to the given batch ID. |
| BatchGetCmdStatus | Retrieves the status of the specified batch get command. Will return successful files when they are finished processing. |
| BatchGetCmd | Batch executes get command across hosts to retrieve files. After this call is made BatchGetCmdStatus is used to query for the results. |
| BatchInitSessions | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. |
| BatchRefreshSessions | Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed. |
| RTR_CheckActiveResponderCommandStatus | Get status of an executed active-responder command on a single host. |
| RTR_ExecuteActiveResponderCommand | Execute an active responder command on a single host. |
| RTR_CheckCommandStatus | Get status of an executed command on a single host. |
| RTR_ExecuteCommand | Execute a command on a single host. |
| RTR_GetExtractedFileContents | Get RTR extracted file contents for specified session and sha256. |
| RTR_ListFiles | Get a list of files for the specified RTR session. |
| RTR_ListFilesV2 | Get a list of files for the specified RTR session. (Expanded output detail.) |
| RTR_DeleteFile | Delete a RTR session file. |
| RTR_DeleteFileV2 | Delete a RTR session file. (Expanded output detail, use with RTR_ListFilesV2.) |
| RTR_ListQueuedSessions | Get queued session metadata by session ID. |
| RTR_DeleteQueuedSession | Delete a queued session command. |
| RTR_PulseSession | Refresh a session timeout on a single host. |
| RTR_ListSessions | Get session metadata by session id. |
| RTR_InitSession | Initialize a new session with the RTR cloud. |
| RTR_DeleteSession | Delete a session. |
| RTR_ListAllSessions | Get a list of session_ids. |
### aggregate_sessions

Get aggregates on session data.

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| body | body | dictionary | Full body payload in JSON format. |
| date_ranges | body | list of dictionaries | |
| field | body | string | |
| filter | body | string | FQL syntax |
| interval | body | string | |
| min_doc_count | body | integer | Minimum number of documents required to match. |
| missing | body | string | |
| name | body | string | |
| q | body | string | FQL syntax |
| ranges | body | list of dictionaries | |
| size | body | integer | |
| sort | body | string | FQL syntax |
| time_zone | body | string | |
| type | body | string | |
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_sessions(date_ranges=date_ranges,
                                     field="string",
                                     filter="string",
                                     interval="string",
                                     min_doc_count=0,
                                     missing="string",
                                     name="string",
                                     q="string",
                                     ranges=ranges,
                                     size=0,
                                     sort="string",
                                     time_zone="string",
                                     type="string"
                                     )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.RTR_AggregateSessions(date_ranges=date_ranges,
                                        field="string",
                                        filter="string",
                                        interval="string",
                                        min_doc_count=0,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=ranges,
                                        size=0,
                                        sort="string",
                                        time_zone="string",
                                        type="string"
                                        )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

BODY = {
    "date_ranges": date_ranges,
    "field": "string",
    "filter": "string",
    "interval": "string",
    "min_doc_count": 0,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": 0,
    "sort": "string",
    "time_zone": "string",
    "type": "string"
}

response = falcon.command("RTR_AggregateSessions", body=BODY)
print(response)
```
### batch_active_responder_command

Batch executes a RTR active-responder command across the hosts mapped to the given batch ID.

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| body | body | dictionary | Full body payload in JSON format. |
| base_command | body | string | Active Responder base command to perform. For example: `get` or `cp`. Refer to the command table below for a complete listing of available commands. |
| batch_id | body | string | RTR Batch ID to execute the command against. Received from `batch_init_sessions`. |
| command_string | body | string | Full command line of the command to execute. Example: `get some_file.txt`. |
| host_timeout_duration | body | string | Timeout duration for how long a host has time to complete processing. Default value is a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is < 10 minutes. Example: `10s`. Valid units: `ns`, `us`, `ms`, `s`, `m`, `h`. |
| optional_hosts | body | string or list of strings | List of the subset of hosts we want to impact by this command. Allows for filtering of hosts from execution within the same batch. |
| persist_all | body | boolean | Flag indicating if this command should be executed when the host returns to service. |
| timeout | query | integer | Timeout for how long to wait for the request, in seconds. Default timeout is 30 seconds. Maximum is 10 minutes. |
| timeout_duration | query | string | Timeout duration for how long to wait for the request, in duration syntax. Example: `10s`. Valid units: `ns`, `us`, `ms`, `s`, `m`, `h`. Maximum is 10 minutes. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| Command | Description |
| --- | --- |
| cat | View file contents |
| cd | Change directory |
| clear | Clear the screen |
| cp | Copy a file |
| encrypt | Encrypt a file |
| env | Display environment variables |
| eventlog | Inspect the event log (has subcommands). `eventlog backup` is the recommended solution as opposed to `eventlog export`, as this method is faster and follows an industry-standard file format. |
| filehash | Calculate a file hash (MD5 or SHA256) |
| get | Retrieve a file |
| getsid | Retrieve the current SID |
| help | Access help for a specific command or sub-command |
| history | Review command history for the current user |
| ipconfig | Review TCP configuration |
| kill | Kill a running process |
| ls | List the contents of a directory |
| map | Map a UNC (SMB) path to a drive letter |
| memdump | Dump memory of a running process |
| mkdir | Create a directory |
| mount | Mount a file system (MacOS, Linux) or list available drives (Windows) |
| mv | Move a file |
| netstat | Retrieve network connection detail |
| ps | List running processes |
| reg | Registry operations (has subcommands) |
| restart | Restart the system |
| rm | Remove a file |
| runscript | Run a script |
| shutdown | Shutdown the system |
| unmap | Unmap a UNC (SMB) path from a drive letter |
| update | Install patches through Windows Update (has subcommands) |
| xmemdump | Dump complete memory (kernel) for the system |
| zip | Create a zip archive |
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.batch_active_responder_command(base_command="string",
                                                 batch_id="string",
                                                 command_string="string",
                                                 optional_hosts=target_hosts,
                                                 persist_all=False,
                                                 timeout=30,
                                                 timeout_duration="30s"
                                                 )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.BatchActiveResponderCmd(base_command="string",
                                          batch_id="string",
                                          command_string="string",
                                          optional_hosts=target_hosts,
                                          persist_all=False,
                                          timeout=30,
                                          timeout_duration="30s"
                                          )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

target_hosts = ["ID1", "ID2", "ID3"]

BODY = {
    "base_command": "string",
    "batch_id": "string",
    "command_string": "string",
    "optional_hosts": target_hosts,
    "persist_all": False
}

response = falcon.command("BatchActiveResponderCmd",
                          timeout=30,
                          timeout_duration="30s",
                          body=BODY
                          )
print(response)
```
### batch_command

Batch executes a RTR read-only command across the hosts mapped to the given batch ID.

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| body | body | dictionary | Full body payload in JSON format. |
| base_command | body | string | Read-only base command to perform. For example: `ls` or `ps`. Refer to the command table below for a complete listing of available commands. |
| batch_id | body | string | RTR Batch ID to execute the command against. Received from `batch_init_sessions`. |
| command_string | body | string | Full command line of the command to execute. Example: `cat some_file.txt`. |
| host_timeout_duration | body | string | Timeout duration for how long a host has time to complete processing. Default value is a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is < 10 minutes. Example: `10s`. Valid units: `ns`, `us`, `ms`, `s`, `m`, `h`. |
| optional_hosts | body | string or list of strings | List of the subset of hosts we want to impact by this command. Allows for filtering of hosts from execution within the same batch. |
| persist_all | body | boolean | Flag indicating if this command should be executed when the host returns to service. |
| timeout | query | integer | Timeout for how long to wait for the request, in seconds. Default timeout is 30 seconds. Maximum is 10 minutes. |
| timeout_duration | query | string | Timeout duration for how long to wait for the request, in duration syntax. Example: `10s`. Valid units: `ns`, `us`, `ms`, `s`, `m`, `h`. Maximum is 10 minutes. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| Command | Description |
| --- | --- |
| cat | View file contents |
| cd | Change directory |
| clear | Clear the screen |
| csrutil | Get system integrity protection status |
| env | Display environment variables |
| eventlog | Inspect the event log (has subcommands) |
| filehash | Calculate a file hash (MD5 or SHA256) |
| getsid | Retrieve the current SID |
| help | Access help for a specific command or sub-command |
| history | Review command history for the current user |
| ipconfig | Review TCP configuration |
| ls | List the contents of a directory |
| mount | Mount a file system (MacOS, Linux) or list available drives (Windows) |
| netstat | Retrieve network connection detail |
| ps | List running processes |
| reg | Registry operations (has subcommands) |
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.batch_command(base_command="string",
                                batch_id="string",
                                command_string="string",
                                optional_hosts=target_hosts,
                                persist_all=False,
                                timeout=30,
                                timeout_duration="30s"
                                )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.BatchCmd(base_command="string",
                           batch_id="string",
                           command_string="string",
                           optional_hosts=target_hosts,
                           persist_all=False,
                           timeout=30,
                           timeout_duration="30s"
                           )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

target_hosts = ["ID1", "ID2", "ID3"]

BODY = {
    "base_command": "string",
    "batch_id": "string",
    "command_string": "string",
    "optional_hosts": target_hosts,
    "persist_all": False
}

response = falcon.command("BatchCmd",
                          timeout=30,
                          timeout_duration="30s",
                          body=BODY
                          )
print(response)
```
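Choosing between `batch_command` and `batch_active_responder_command` by base command, and checking the timeout rules both parameter tables state before a request goes out, as an added example covering the two sections above (not code from the FalconPy wiki or the falconpy package). `RecordingClient` is a constructed stand-in for `RealTimeResponse` so the code runs offline; the command sets are the two tables on this page, and only simple `<number><unit>` durations are accepted.

```python
"""Route an RTR command line to the least-privileged batch endpoint.

Added example, not part of the FalconPy wiki or the falconpy package. It encodes
the two command tables on this page (read-only commands go to batch_command,
everything else to batch_active_responder_command) and the timeout rules from
the parameter tables. RecordingClient is a constructed stand-in for
falconpy.RealTimeResponse; pass a real instance to make live calls.
"""
import re
from typing import Dict, Optional, Sequence, Tuple

# Command tables as listed on this page.
READ_ONLY_COMMANDS = frozenset({
    "cat", "cd", "clear", "csrutil", "env", "eventlog", "filehash", "getsid",
    "help", "history", "ipconfig", "ls", "mount", "netstat", "ps", "reg",
})
ACTIVE_RESPONDER_COMMANDS = (READ_ONLY_COMMANDS - {"csrutil"}) | frozenset({
    "cp", "encrypt", "get", "kill", "map", "memdump", "mkdir", "mv", "restart",
    "rm", "runscript", "shutdown", "unmap", "update", "xmemdump", "zip",
})

TEN_MINUTES_S = 600
_UNIT_NS = {"ns": 1, "us": 10**3, "ms": 10**6, "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_DURATION_RE = re.compile(r"(\d+)(ns|us|ms|s|m|h)")


def duration_to_seconds(value: str) -> float:
    """Parse the duration syntax from the parameter tables (e.g. "10s", "500ms")."""
    match = _DURATION_RE.fullmatch(value.strip())
    if not match:
        raise ValueError(f"bad duration {value!r}; valid units: ns, us, ms, s, m, h")
    return int(match.group(1)) * _UNIT_NS[match.group(2)] / 1e9


def validate_timeouts(timeout: int, host_timeout_duration: Optional[str]) -> None:
    """Enforce the constraints stated on this page before the request is sent."""
    if not 0 < timeout <= TEN_MINUTES_S:
        raise ValueError("timeout must be between 1 and 600 seconds (maximum is 10 minutes)")
    if host_timeout_duration is None:
        return
    host_s = duration_to_seconds(host_timeout_duration)
    if host_s >= TEN_MINUTES_S:
        raise ValueError("host_timeout_duration must be less than 10 minutes")
    if host_s > timeout:
        raise ValueError("host_timeout_duration cannot be greater than the request timeout")


def run_batch_command(client, batch_id: str, command_string: str, *,
                      optional_hosts: Optional[Sequence[str]] = None, timeout: int = 30,
                      host_timeout_duration: Optional[str] = None) -> Tuple[str, dict]:
    """Dispatch one command line to the batch endpoint that needs the fewest
    permissions. Returns (method name used, API response)."""
    tokens = command_string.split()
    if not tokens:
        raise ValueError("command_string is empty")
    base_command = tokens[0]
    validate_timeouts(timeout, host_timeout_duration)
    kwargs: Dict[str, object] = {"base_command": base_command, "batch_id": batch_id,
                                 "command_string": command_string, "timeout": timeout}
    if optional_hosts:
        kwargs["optional_hosts"] = list(optional_hosts)   # restrict to a subset of the batch
    if host_timeout_duration:
        kwargs["host_timeout_duration"] = host_timeout_duration
    if base_command in READ_ONLY_COMMANDS:
        return "batch_command", client.batch_command(**kwargs)
    if base_command in ACTIVE_RESPONDER_COMMANDS:
        return "batch_active_responder_command", client.batch_active_responder_command(**kwargs)
    raise ValueError(f"{base_command!r} is not an RTR command listed on this page")


class RecordingClient:
    """Constructed stand-in for falconpy.RealTimeResponse: records each call and
    returns an empty FalconPy-style result instead of contacting the API."""

    def __init__(self) -> None:
        self.calls = []

    def _record(self, method: str, kwargs: dict) -> dict:
        self.calls.append((method, kwargs))
        return {"status_code": 201, "headers": {}, "body": {}}

    def batch_command(self, **kwargs) -> dict:
        return self._record("batch_command", kwargs)

    def batch_active_responder_command(self, **kwargs) -> dict:
        return self._record("batch_active_responder_command", kwargs)
```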
### batch_get_command_status

Retrieves the status of the specified batch get command. Will return successful files when they are finished processing.

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| batch_get_cmd_req_id | query | string | Batch Get Command Request ID (usually retrieved when making a call to `BatchGetCmd`). |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| timeout | query | integer | Timeout for how long to wait for the request, in seconds. Default timeout is 30 seconds. Maximum is 10 minutes. |
| timeout_duration | query | string | Timeout duration for how long to wait for the request, in duration syntax. Example: `10s`. Valid units: `ns`, `us`, `ms`, `s`, `m`, `h`. Maximum is 10 minutes. |
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.batch_get_command_status(timeout=30,
                                           timeout_duration="30s",
                                           batch_get_cmd_req_id="string"
                                           )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.BatchGetCmdStatus(timeout=30,
                                    timeout_duration="30s",
                                    batch_get_cmd_req_id="string"
                                    )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("BatchGetCmdStatus",
                          timeout=30,
                          timeout_duration="30s",
                          batch_get_cmd_req_id="string"
                          )
print(response)
```
### batch_get_command

Batch executes a `get` command across hosts to retrieve files. After this call is made, `BatchGetCmdStatus` is used to query for the results.

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| body | body | dictionary | Full body payload in JSON format. |
| batch_id | body | string | RTR Batch ID to execute the `get` command against. Received from `batch_init_sessions`. |
| file_path | body | string | Full path to the file that is to be retrieved from each host in the batch. |
| host_timeout_duration | body | string | Timeout duration for how long a host has time to complete processing. Default value is a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is < 10 minutes. Example: `10s`. Valid units: `ns`, `us`, `ms`, `s`, `m`, `h`. |
| optional_hosts | body | string or list of strings | List of the subset of hosts we want to impact by this command. Allows for filtering of hosts from execution within the same batch. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| timeout | query | integer | Timeout for how long to wait for the request, in seconds. Default timeout is 30 seconds. Maximum is 10 minutes. |
| timeout_duration | query | string | Timeout duration for how long to wait for the request, in duration syntax. Example: `10s`. Valid units: `ns`, `us`, `ms`, `s`, `m`, `h`. Maximum is 10 minutes. |
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.batch_get_command(batch_id="string",
                                    file_path="string",
                                    optional_hosts=target_hosts,
                                    timeout=30,
                                    timeout_duration="30s"
                                    )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.BatchGetCmd(batch_id="string",
                              file_path="string",
                              optional_hosts=target_hosts,
                              timeout=30,
                              timeout_duration="30s"
                              )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

target_hosts = ["ID1", "ID2", "ID3"]

BODY = {
    "batch_id": "string",
    "file_path": "string",
    "optional_hosts": target_hosts
}

response = falcon.command("BatchGetCmd",
                          timeout=30,
                          timeout_duration="30s",
                          body=BODY
                          )
print(response)
```
### batch_init_sessions

Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| body | body | dictionary | Full body payload in JSON format. |
| existing_batch_id | body | string | Optional existing RTR batch ID. Use this to initialize new hosts and add them to the existing batch. |
| host_ids | body | string or list of strings | List of host agent IDs to initialize a RTR session on. |
| host_timeout_duration | body | string | Timeout duration for how long a host has time to complete processing. Default value is a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is < 10 minutes. Example: `10s`. Valid units: `ns`, `us`, `ms`, `s`, `m`, `h`. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| queue_offline | body | boolean | Flag indicating if the command should be queued for execution when the host returns to service. |
| timeout | query | integer | Timeout for how long to wait for the request, in seconds. Default timeout is 30 seconds. Maximum is 10 minutes. |
| timeout_duration | query | string | Timeout duration for how long to wait for the request, in duration syntax. Example: `10s`. Valid units: `ns`, `us`, `ms`, `s`, `m`, `h`. Maximum is 10 minutes. |
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.batch_init_sessions(existing_batch_id="string",
                                      host_ids=target_hosts,
                                      queue_offline=False,
                                      timeout=30,
                                      timeout_duration="30s"
                                      )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

target_hosts = ["ID1", "ID2", "ID3"]

response = falcon.BatchInitSessions(existing_batch_id="string",
                                    host_ids=target_hosts,
                                    queue_offline=False,
                                    timeout=30,
                                    timeout_duration="30s"
                                    )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

target_hosts = ["ID1", "ID2", "ID3"]

BODY = {
    "existing_batch_id": "string",
    "host_ids": target_hosts,
    "queue_offline": False
}

response = falcon.command("BatchInitSessions",
                          timeout=30,
                          timeout_duration="30s",
                          body=BODY
                          )
print(response)
```
### batch_refresh_sessions

Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed.

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| body | body | dictionary | Full body payload in JSON format. |
| batch_id | body | string | Existing RTR batch ID to refresh. |
| hosts_to_remove | body | string or list of strings | List of host agent IDs to remove from the batch. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| timeout | query | integer | Timeout for how long to wait for the request, in seconds. Default timeout is 30 seconds. Maximum is 10 minutes. |
| timeout_duration | query | string | Timeout duration for how long to wait for the request, in duration syntax. Example: `10s`. Valid units: `ns`, `us`, `ms`, `s`, `m`, `h`. Maximum is 10 minutes. |
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

remove_hosts = ["ID1", "ID2", "ID3"]

response = falcon.batch_refresh_sessions(batch_id="string",
                                         hosts_to_remove=remove_hosts,
                                         timeout=30,
                                         timeout_duration="30s"
                                         )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

remove_hosts = ["ID1", "ID2", "ID3"]

response = falcon.BatchRefreshSessions(batch_id="string",
                                       hosts_to_remove=remove_hosts,
                                       timeout=30,
                                       timeout_duration="30s"
                                       )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

remove_hosts = ["ID1", "ID2", "ID3"]

BODY = {
    "batch_id": "string",
    "hosts_to_remove": remove_hosts
}

response = falcon.command("BatchRefreshSessions",
                          timeout=30,
                          timeout_duration="30s",
                          body=BODY
                          )
print(response)
```
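The init-then-refresh lifecycle the `batch_init_sessions` and `batch_refresh_sessions` sections describe, as an added example (not code from the FalconPy wiki or the falconpy package): it tracks which hosts actually received a session and refreshes the batch before the 10-minute expiry. The response shapes it relies on are assumptions noted in the docstring, and `FakeSessionClient` is a constructed stand-in for `RealTimeResponse` so the code runs offline.

```python
"""Keep an RTR batch alive and know which hosts actually joined it.

Added example; not code from the FalconPy wiki or the falconpy package.
Assumed response shapes, to be checked against your API version:
batch_init_sessions returns {"status_code": int, "body": {"batch_id": str,
"resources": {aid: {"session_id": str, "complete": bool, "errors": [...]}}}}
and batch_refresh_sessions returns the same batch_id. FakeSessionClient is a
constructed stand-in for falconpy.RealTimeResponse so the code runs offline.
"""
import time
from typing import Callable, Dict, List, Sequence

SESSION_TTL_S = 600      # RTR sessions expire after 10 minutes unless refreshed
REFRESH_MARGIN_S = 120   # refresh well before expiry so one slow call cannot lose the batch


class BatchSession:
    """Owns one RTR batch: initialises it, records hosts that got no session,
    and refreshes it before the 10-minute expiry."""

    def __init__(self, client, host_ids: Sequence[str], *,
                 clock: Callable[[], float] = time.monotonic, timeout: int = 30) -> None:
        self.client = client
        self.clock = clock
        self.timeout = timeout
        self.batch_id = ""
        self.sessions: Dict[str, str] = {}        # aid -> session_id
        self.failed: Dict[str, List[str]] = {}    # aid -> error messages
        self.last_refresh = 0.0
        self._init(list(host_ids))

    def _init(self, host_ids: List[str]) -> None:
        # queue_offline=False: a host that is not online shows up in `failed`
        # instead of having the session silently queued for later.
        resp = self.client.batch_init_sessions(host_ids=host_ids, queue_offline=False,
                                               timeout=self.timeout)
        if resp.get("status_code", 0) >= 400:
            raise RuntimeError(f"batch_init_sessions failed: {resp.get('body', {}).get('errors')}")
        body = resp["body"]
        self.batch_id = body["batch_id"]
        for aid in host_ids:
            info = body.get("resources", {}).get(aid, {})
            messages = [e.get("message", str(e)) for e in info.get("errors", [])]
            if info.get("session_id") and not messages:
                self.sessions[aid] = info["session_id"]
            else:
                self.failed[aid] = messages or ["no session returned"]
        self.last_refresh = self.clock()

    def seconds_until_expiry(self) -> float:
        return SESSION_TTL_S - (self.clock() - self.last_refresh)

    def refresh_if_needed(self, hosts_to_remove: Sequence[str] = ()) -> bool:
        """Refresh when the batch is within REFRESH_MARGIN_S of expiring, or
        whenever hosts must be dropped. Returns True if a refresh call was made."""
        remaining = self.seconds_until_expiry()
        if remaining > REFRESH_MARGIN_S and not hosts_to_remove:
            return False
        if remaining <= 0:
            raise RuntimeError("batch session already expired; initialise a new batch")
        resp = self.client.batch_refresh_sessions(batch_id=self.batch_id,
                                                  hosts_to_remove=list(hosts_to_remove),
                                                  timeout=self.timeout)
        if resp.get("status_code", 0) >= 400:
            raise RuntimeError(f"batch_refresh_sessions failed: {resp.get('body', {}).get('errors')}")
        for aid in hosts_to_remove:
            self.sessions.pop(aid, None)
        self.last_refresh = self.clock()
        return True


class FakeSessionClient:
    """Constructed stand-in: every host gets a session except ID2, which is offline."""

    def __init__(self) -> None:
        self.calls: List[str] = []

    def batch_init_sessions(self, host_ids, queue_offline, timeout) -> dict:
        self.calls.append("init")
        resources = {aid: {"session_id": f"sess-{aid}", "complete": True, "errors": []}
                     for aid in host_ids if aid != "ID2"}
        if "ID2" in host_ids:
            resources["ID2"] = {"session_id": "", "complete": False,
                                "errors": [{"code": 404, "message": "host offline"}]}
        return {"status_code": 201, "body": {"batch_id": "batch-1", "resources": resources}}

    def batch_refresh_sessions(self, batch_id, hosts_to_remove, timeout) -> dict:
        self.calls.append("refresh")
        return {"status_code": 201, "body": {"batch_id": batch_id, "resources": {}}}
```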
### check_active_responder_command_status

Get status of an executed active-responder command on a single host.

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| cloud_request_id | query | string | Cloud Request ID of the executed command to query. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| sequence_id | query | integer | Sequence ID that we want to retrieve. Command responses are chunked across sequences. |
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.check_active_responder_command_status(cloud_request_id="string",
                                                        sequence_id=0
                                                        )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_CheckActiveResponderCommandStatus(cloud_request_id="string",
                                                        sequence_id=0
                                                        )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("RTR_CheckActiveResponderCommandStatus",
                          cloud_request_id="string",
                          sequence_id=0
                          )
print(response)
```
### execute_active_responder_command

Execute an active responder command on a single host.

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| body | body | dictionary | Full body payload in JSON format. |
| base_command | body | string | Active Responder base command to perform. For example: `get` or `cp`. Refer to the command table below for a complete listing of available commands. |
| command_string | body | string | Full command line of the command to execute. Example: `get some_file.txt`. |
| persist | body | boolean | Flag indicating if this command should be executed when the host returns to service. Unused. |
| session_id | body | string | RTR Session ID. |
The available active-responder commands are the same as those listed in the command table under `batch_active_responder_command` above.
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.execute_active_responder_command(base_command="string",
                                                   command_string="string",
                                                   persist=False,
                                                   session_id="string",
                                                   timeout=30,
                                                   timeout_duration="30s"
                                                   )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_ExecuteActiveResponderCommand(base_command="string",
                                                    command_string="string",
                                                    persist=False,
                                                    session_id="string",
                                                    timeout=30,
                                                    timeout_duration="30s"
                                                    )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

BODY = {
    "base_command": "string",
    "command_string": "string",
    "persist": False,
    "session_id": "string"
}

response = falcon.command("RTR_ExecuteActiveResponderCommand",
                          timeout=30,
                          timeout_duration="30s",
                          body=BODY
                          )
print(response)
```
### check_command_status

Get status of an executed command on a single host.

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| cloud_request_id | query | string | Cloud Request ID of the executed command to query. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| sequence_id | query | integer | Sequence ID that we want to retrieve. Command responses are chunked across sequences. |
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.check_command_status(cloud_request_id="string", sequence_id=0)
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_CheckCommandStatus(cloud_request_id="string", sequence_id=0)
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("RTR_CheckCommandStatus",
                          cloud_request_id="string",
                          sequence_id=0
                          )
print(response)
```
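Polling a command to completion across the sequence-chunked responses that both `check_command_status` and `check_active_responder_command_status` describe, as an added example (not code from the FalconPy wiki or the falconpy package). It bounds the wait with a deadline so an offline host cannot hang a responder script; the response field names it reads are assumptions listed in the docstring, and `FakeStatusClient` is a constructed stand-in for `RealTimeResponse` so the code runs offline.

```python
"""Poll an RTR command to completion and collect its chunked output.

Added example; not code from the FalconPy wiki or the falconpy package. It
drives check_command_status (the same loop works for
check_active_responder_command_status). Assumed response shape, to be checked
against your API version: each poll returns {"status_code": int, "body":
{"resources": [resource], "errors": [...]}} where resource carries "complete",
"stdout", "stderr" and "sequence_id", the id of the next chunk to request
(0 when no further chunk is pending). FakeStatusClient is a constructed
stand-in for falconpy.RealTimeResponse so the code runs offline.
"""
import time
from typing import Callable, List, Tuple


def collect_command_output(check_status: Callable[..., dict], cloud_request_id: str, *,
                           deadline_s: float = 600.0, poll_interval_s: float = 2.0,
                           sleep: Callable[[float], None] = time.sleep,
                           clock: Callable[[], float] = time.monotonic) -> Tuple[str, str]:
    """Call check_status(cloud_request_id=..., sequence_id=n) until the command is
    complete, concatenating stdout and stderr across sequence chunks. Raises
    RuntimeError on an API error and TimeoutError once deadline_s has elapsed, so
    a hung or offline host cannot block a responder script forever."""
    stdout: List[str] = []
    stderr: List[str] = []
    sequence_id = 0
    started = clock()
    while True:
        resp = check_status(cloud_request_id=cloud_request_id, sequence_id=sequence_id)
        body = resp.get("body", {})
        if resp.get("status_code", 0) >= 400 or body.get("errors"):
            raise RuntimeError(f"status check for {cloud_request_id} failed: {body.get('errors')}")
        resource = body["resources"][0]
        stdout.append(resource.get("stdout", ""))
        stderr.append(resource.get("stderr", ""))
        next_sequence = resource.get("sequence_id", 0)
        if next_sequence > sequence_id:
            sequence_id = next_sequence      # another chunk is already available: fetch it now
            continue
        if resource.get("complete"):
            return "".join(stdout), "".join(stderr)
        if clock() - started > deadline_s:
            raise TimeoutError(f"command {cloud_request_id} did not complete within {deadline_s}s")
        sleep(poll_interval_s)               # still running on the host: back off and retry


class FakeStatusClient:
    """Constructed stand-in: the command is still running on the first poll, then
    its output arrives in two chunks (sequence 0, then sequence 1)."""

    def __init__(self) -> None:
        self.polls: List[Tuple[str, int]] = []
        self._script = [
            {"complete": False, "stdout": "", "stderr": "", "sequence_id": 0},
            {"complete": False, "stdout": "total 2\n", "stderr": "", "sequence_id": 1},
            {"complete": True, "stdout": "-rw-r--r-- 1 root root 1 .bashrc\n",
             "stderr": "", "sequence_id": 0},
        ]

    def check_command_status(self, cloud_request_id: str, sequence_id: int) -> dict:
        self.polls.append((cloud_request_id, sequence_id))
        if not self._script:
            raise RuntimeError("fake client polled after the command completed")
        return {"status_code": 200, "body": {"resources": [self._script.pop(0)], "errors": []}}
```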
### execute_command

Execute a command on a single host.

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| body | body | dictionary | Full body payload in JSON format. |
| base_command | body | string | Read-only base command to perform. For example: `ls` or `ps`. Refer to the command table below for a complete listing of available commands. |
| command_string | body | string | Full command line of the command to execute. Example: `cat some_file.txt`. |
| persist | body | boolean | Flag indicating if this command should be executed when the host returns to service. |
| session_id | body | string | RTR Session ID to execute the command against. |
The available read-only commands are the same as those listed in the command table under `batch_command` above.
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.execute_command(base_command="string",
                                  command_string="string",
                                  persist=False,
                                  session_id="string"
                                  )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_ExecuteCommand(base_command="string",
                                     command_string="string",
                                     persist=False,
                                     session_id="string"
                                     )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

BODY = {
    "base_command": "string",
    "command_string": "string",
    "persist": True,
    "session_id": "string"
}

response = falcon.command("RTR_ExecuteCommand", body=BODY)
print(response)
```
### get_extracted_file_contents

Get RTR extracted file contents for specified session and sha256.

- Produces: application/x-7z-compressed

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| filename | query | string | Filename to use for the archive name and the file within the archive. |
| session_id | query | string | RTR Session ID. |
| sha256 | query | string | Extracted SHA256. |
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

save_file = "some_file.7z"

response = falcon.get_extracted_file_contents(session_id="string",
                                              sha256="string",
                                              filename="string"
                                              )
# The archive is returned as raw bytes; use a context manager so the handle is closed.
with open(save_file, "wb") as save_handle:
    save_handle.write(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

save_file = "some_file.7z"

response = falcon.RTR_GetExtractedFileContents(session_id="string",
                                               sha256="string",
                                               filename="string"
                                               )
with open(save_file, "wb") as save_handle:
    save_handle.write(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

save_file = "some_file.7z"

response = falcon.command("RTR_GetExtractedFileContents",
                          session_id="string",
                          sha256="string",
                          filename="string"
                          )
with open(save_file, "wb") as save_handle:
    save_handle.write(response)
```
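Writing the downloaded archive with some evidence hygiene, as an added example (not code from the FalconPy wiki or the falconpy package). FalconPy returns the archive as raw bytes on success, but on failure the API answers with JSON, which FalconPy hands back as its usual result dictionary, so the one-liner above would then fail or write the wrong content; this helper rejects that case, writes atomically, refuses to overwrite an existing artefact and records the archive's SHA-256. The sample bytes in `run_demo()` are constructed, not a real archive.

```python
"""Save an RTR extracted-file archive with basic evidence hygiene.

Added example; not code from the FalconPy wiki or the falconpy package.
On success FalconPy returns the .7z content as bytes; on failure it returns its
result dictionary, which must never be written out as if it were the archive.
The sample bytes in run_demo() are constructed, not a real archive.
"""
import hashlib
import os
import tempfile
from typing import Dict, Union


def save_extracted_archive(response: Union[bytes, dict], dest_dir: str,
                           filename: str) -> Dict[str, object]:
    """Write the archive bytes to dest_dir/basename(filename) and return its path,
    SHA-256 and size. Raises RuntimeError for error responses and FileExistsError
    rather than overwriting an artefact that is already on disk."""
    if isinstance(response, dict):
        # FalconPy error/result dictionary, not archive content.
        raise RuntimeError(f"download failed: status {response.get('status_code')}, "
                           f"errors {response.get('body', {}).get('errors')}")
    if not isinstance(response, (bytes, bytearray)) or not response:
        raise RuntimeError("download returned no archive bytes")
    safe_name = os.path.basename(filename)      # keep an API-supplied name inside dest_dir
    final_path = os.path.join(dest_dir, safe_name)
    if os.path.exists(final_path):
        raise FileExistsError(f"refusing to overwrite existing evidence file {final_path}")
    digest = hashlib.sha256(response).hexdigest()
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(response)
        os.replace(tmp_path, final_path)        # atomic: nobody sees a half-written archive
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return {"path": final_path, "archive_sha256": digest, "size": len(response)}


def run_demo() -> Dict[str, object]:
    """Exercise the success, overwrite and error paths in a throwaway directory."""
    fake_archive = b"7z\xbc\xaf'\x1c" + b"constructed sample, not a real archive"
    with tempfile.TemporaryDirectory() as tmp:
        saved = save_extracted_archive(fake_archive, tmp, "../../some_file.7z")
        with open(saved["path"], "rb") as handle:
            round_trip = handle.read() == fake_archive
        try:
            save_extracted_archive(fake_archive, tmp, "some_file.7z")
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True
        try:
            save_extracted_archive({"status_code": 404,
                                    "body": {"errors": [{"message": "not found"}]}}, tmp, "x.7z")
            error_refused = False
        except RuntimeError:
            error_refused = True
    return {"round_trip": round_trip, "overwrite_refused": overwrite_refused,
            "error_refused": error_refused, "archive_sha256": saved["archive_sha256"],
            "basename": os.path.basename(saved["path"]), "size": saved["size"]}
```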
### list_files

Get a list of files for the specified RTR session.

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| session_id | query | string | RTR Session ID. |
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.list_files(session_id="string")
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_ListFiles(session_id="string")
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("RTR_ListFiles", session_id="string")
print(response)
```
### list_files_v2

Get a list of files for the specified RTR session. (Expanded output detail.)

- Produces: application/json

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| session_id | query | string | RTR Session ID. |
**Service class example (PEP8 syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.list_files_v2(session_id="string")
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import RealTimeResponse

falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_ListFilesV2(session_id="string")
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("RTR_ListFilesV2", session_id="string")
print(response)
```
Delete a RTR session file.
delete_file
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
ids | | | query | string | RTR Session file ID (SHA256). |
session_id | | | query | string | RTR Session ID. |

```python
from falconpy import RealTimeResponse

# Service class example (PEP8 syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.delete_file(session_id="string", ids="string")
print(response)
```

```python
from falconpy import RealTimeResponse

# Service class example (Operation ID syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_DeleteFile(session_id="string", ids="string")
print(response)
```

```python
from falconpy import APIHarness

# Uber class example
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("RTR_DeleteFile", session_id="string", ids="string")
print(response)
```
Delete a RTR session file. (Expanded output detail, use with RTR_ListFilesV2.)
delete_file_v2
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
ids | | | query | string | RTR Session file ID (SHA256). |
session_id | | | query | string | RTR Session ID. |

```python
from falconpy import RealTimeResponse

# Service class example (PEP8 syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.delete_file_v2(session_id="string", ids="string")
print(response)
```

```python
from falconpy import RealTimeResponse

# Service class example (Operation ID syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_DeleteFileV2(session_id="string", ids="string")
print(response)
```

```python
from falconpy import APIHarness

# Uber class example
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("RTR_DeleteFileV2", session_id="string", ids="string")
print(response)
```
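The file-retrieval operations above (RTR_GetExtractedFileContents, list_files_v2 and delete_file_v2) are normally chained: list what the `get` command staged for a session, download each archive, and only then delete it from the RTR cloud. The following is an added example, not FalconPy's own code, that performs that chain with the two checks the one-line examples leave out: FalconPy returns raw bytes for a successful RTR_GetExtractedFileContents call but its usual status_code/headers/body dictionary when the call fails, and the archive is written through a temporary file and renamed so an interrupted download never leaves a truncated `.7z` at the final path. `client` can be a `RealTimeResponse` instance; here a constructed stub with the same keyword signatures stands in so the code runs offline. The sample archive bytes are constructed, and the `name` and `sha256` fields read from each listing resource are an assumption about the listing shape, not something this page documents.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Any, Dict, List, Union

Response = Union[bytes, Dict[str, Any]]
# Constructed sample: the 7z signature bytes followed by padding, not a real archive.
SAMPLE_ARCHIVE = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16
SAMPLE_ARCHIVE_SHA256 = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()


class RTRFileError(RuntimeError):
    """The API answered with an error document instead of archive bytes."""


def save_extracted_file(response: Response, destination: str) -> str:
    """Write archive bytes to `destination` atomically; return their SHA-256.

    FalconPy returns raw bytes when the API sends a binary Content-Type but its
    usual status_code/headers/body dictionary on failure, so the type is checked
    before anything touches the disk."""
    if isinstance(response, dict):
        raise RTRFileError(f"HTTP {response.get('status_code')}: "
                           f"{response.get('body', {}).get('errors')}")
    if not response:
        raise RTRFileError("empty archive body")
    directory = os.path.dirname(os.path.abspath(destination))
    fd, partial = tempfile.mkstemp(dir=directory, prefix=".rtr-", suffix=".part")
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(response)
        os.replace(partial, destination)  # rename only after a complete write
    except BaseException:
        os.unlink(partial)
        raise
    return hashlib.sha256(response).hexdigest()


def collect_session_files(client, session_id: str, dest_dir: str) -> List[Dict[str, str]]:
    """Download every file staged in the session; delete each from the cloud only
    once its archive is on disk, so a failed download can be retried."""
    listing = client.list_files_v2(session_id=session_id)
    if listing.get("status_code") != 200:
        raise RTRFileError(f"list_files_v2: {listing.get('body', {}).get('errors')}")
    manifest: List[Dict[str, str]] = []
    for item in listing["body"].get("resources") or []:  # assumed fields: name, sha256
        sha256 = item["sha256"]
        # Name the archive after the hash, never after the host-supplied path.
        entry = {"name": item["name"], "sha256": sha256,
                 "archive": os.path.join(dest_dir, f"{sha256}.7z"),
                 "archive_sha256": "", "error": ""}
        archive = client.RTR_GetExtractedFileContents(session_id=session_id,
                                                      sha256=sha256,
                                                      filename=item["name"])
        try:
            entry["archive_sha256"] = save_extracted_file(archive, entry["archive"])
        except RTRFileError as exc:
            entry["error"] = str(exc)
        else:
            client.delete_file_v2(session_id=session_id, ids=sha256)
        manifest.append(entry)
    return manifest


class StubRTRClient:
    """Constructed stand-in for falconpy.RealTimeResponse; records calls offline."""

    def __init__(self, fail_sha256: str = "") -> None:
        self.calls: List[tuple] = []
        self.fail_sha256 = fail_sha256

    def list_files_v2(self, **kwargs):
        self.calls.append(("list_files_v2", kwargs))
        return {"status_code": 200, "body": {"resources": [
            {"name": r"C:\Users\victim\Downloads\invoice.exe", "sha256": "a" * 64},
            {"name": "/tmp/.cache/loader", "sha256": "b" * 64}]}}

    def RTR_GetExtractedFileContents(self, **kwargs):
        self.calls.append(("get", kwargs))
        if kwargs["sha256"] == self.fail_sha256:
            return {"status_code": 404, "headers": {},
                    "body": {"errors": [{"code": 404, "message": "file not found"}]}}
        return SAMPLE_ARCHIVE

    def delete_file_v2(self, **kwargs):
        self.calls.append(("delete_file_v2", kwargs))
        return {"status_code": 204, "body": {}}


def demo(fail_sha256: str = "") -> Dict[str, Any]:
    """Run the collection against the stub in a fresh temp dir."""
    client = StubRTRClient(fail_sha256)
    dest_dir = tempfile.mkdtemp(prefix="rtr-files-")
    manifest = collect_session_files(client, "sess-0001", dest_dir)
    return {"manifest": manifest,
            "deleted": [kw["ids"] for name, kw in client.calls if name == "delete_file_v2"],
            "intact": [Path(e["archive"]).read_bytes() == SAMPLE_ARCHIVE
                       for e in manifest if not e["error"]],
            "partials": [f for f in os.listdir(dest_dir) if f.endswith(".part")]}
```

The digest in `archive_sha256` is of the 7z archive that was written, not of the file inside it; the file's own hash is the `sha256` you requested, so record both in the evidence log. The archive is password-protected (CrowdStrike documents the password as `infected`), which is what keeps endpoint protection on the analyst's machine from quarantining it. A file whose download failed is left in the cloud and can be retried with the same `sha256` for as long as the session is alive.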
Get queued session metadata by session ID.
list_queued_sessions
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | dictionary | Full body payload in JSON format. |
ids | | | body | string or list of strings | List of RTR sessions to retrieve. Will only return sessions created by the calling user. |

```python
from falconpy import RealTimeResponse

# Service class example (PEP8 syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

id_list = "ID1,ID2,ID3"  # Can also use a list here ['ID1','ID2','ID3']

response = falcon.list_queued_sessions(ids=id_list)
print(response)
```

```python
from falconpy import RealTimeResponse

# Service class example (Operation ID syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

id_list = "ID1,ID2,ID3"  # Can also use a list here ['ID1','ID2','ID3']

response = falcon.RTR_ListQueuedSessions(ids=id_list)
print(response)
```

```python
from falconpy import APIHarness

# Uber class example
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = ['ID1','ID2','ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("RTR_ListQueuedSessions", body=BODY)
print(response)
```
Delete a queued session command
delete_queued_session
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
cloud_request_id | | | query | string | Cloud Request ID of the queued command to delete. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
session_id | | | query | string | RTR Session ID. |

```python
from falconpy import RealTimeResponse

# Service class example (PEP8 syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.delete_queued_session(session_id="string", cloud_request_id="string")
print(response)
```

```python
from falconpy import RealTimeResponse

# Service class example (Operation ID syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_DeleteQueuedSession(session_id="string", cloud_request_id="string")
print(response)
```

```python
from falconpy import APIHarness

# Uber class example
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("RTR_DeleteQueuedSession",
                          session_id="string",
                          cloud_request_id="string"
                          )
print(response)
```
Refresh a session timeout on a single host.
pulse_session
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | dictionary | Full body payload in JSON format. |
device_id | | | body | string | The host agent ID to refresh the RTR session on. RTR will retrieve an existing session for the calling user on this host. |
origin | | | body | string | Origin of the request. |
queue_offline | | | body | boolean | Flag indicating if this should be queued to pulse after the host returns to service. |

```python
from falconpy import RealTimeResponse

# Service class example (PEP8 syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.pulse_session(device_id="string",
                                origin="string",
                                queue_offline=False
                                )
print(response)
```

```python
from falconpy import RealTimeResponse

# Service class example (Operation ID syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_PulseSession(device_id="string",
                                   origin="string",
                                   queue_offline=False
                                   )
print(response)
```

```python
from falconpy import APIHarness

# Uber class example
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

BODY = {
    "device_id": "string",
    "origin": "string",
    "queue_offline": False
}

response = falcon.command("RTR_PulseSession", body=BODY)
print(response)
```
Get session metadata by session id.
list_sessions
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | dictionary | Full body payload in JSON format. |
ids | | | body | string or list of strings | List of RTR sessions to retrieve. Will only return sessions created by the calling user. |

```python
from falconpy import RealTimeResponse

# Service class example (PEP8 syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

id_list = "ID1,ID2,ID3"  # Can also use a list here ['ID1','ID2','ID3']

response = falcon.list_sessions(ids=id_list)
print(response)
```

```python
from falconpy import RealTimeResponse

# Service class example (Operation ID syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

id_list = "ID1,ID2,ID3"  # Can also use a list here ['ID1','ID2','ID3']

response = falcon.RTR_ListSessions(ids=id_list)
print(response)
```

```python
from falconpy import APIHarness

# Uber class example
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = ['ID1','ID2','ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("RTR_ListSessions", body=BODY)
print(response)
```
Initialize a new session with the RTR cloud.
init_session
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | dictionary | Full body payload in JSON format. |
device_id | | | body | string | The host agent ID to initialize the RTR session on. RTR will retrieve an existing session for the calling user on this host. |
origin | | | body | string | Origin of the request. |
queue_offline | | | body | boolean | Flag indicating if the session should be queued and started after the host returns to service. |

```python
from falconpy import RealTimeResponse

# Service class example (PEP8 syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.init_session(device_id="string",
                               origin="string",
                               queue_offline=False
                               )
print(response)
```

```python
from falconpy import RealTimeResponse

# Service class example (Operation ID syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_InitSession(device_id="string",
                                  origin="string",
                                  queue_offline=False
                                  )
print(response)
```

```python
from falconpy import APIHarness

# Uber class example
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

BODY = {
    "device_id": "string",
    "origin": "string",
    "queue_offline": False
}

response = falcon.command("RTR_InitSession", body=BODY)
print(response)
```
Delete a session.
delete_session
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
session_id | | | query | string | RTR Session ID. |

```python
from falconpy import RealTimeResponse

# Service class example (PEP8 syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.delete_session(session_id="string")
print(response)
```

```python
from falconpy import RealTimeResponse

# Service class example (Operation ID syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_DeleteSession(session_id="string")
print(response)
```

```python
from falconpy import APIHarness

# Uber class example
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("RTR_DeleteSession", session_id="string")
print(response)
```
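init_session, pulse_session and delete_session describe one lifecycle: a session is opened for a host, expires after 10 minutes unless refreshed, and should be deleted when the work is done so nothing stays open on the endpoint. The context manager below is an added example, not FalconPy's code, that wraps the lifecycle so the session is always deleted (even when the code inside it raises) and is pulsed only when expiry is near rather than on every command. It assumes a client exposing the three methods with the keyword arguments documented on this page (a `RealTimeResponse` instance in practice; a constructed stub here so it runs offline) and that init_session reports the new session id in `resources[0]["session_id"]` of the response body; the clock is injectable so the expiry logic can be exercised without waiting ten minutes.

```python
import time
from typing import Any, Callable, Dict, Optional

SESSION_TTL_SECONDS = 10 * 60    # RTR sessions expire after 10 minutes unless refreshed
PULSE_MARGIN_SECONDS = 60        # refresh once fewer than this many seconds remain


def _body(response: Dict[str, Any], action: str) -> Dict[str, Any]:
    """Return the body of a FalconPy response, raising on any non-2xx status."""
    code = response.get("status_code", 0)
    if not 200 <= code < 300:
        errors = response.get("body", {}).get("errors")
        raise RuntimeError(f"{action} failed with HTTP {code}: {errors}")
    return response["body"]


class RTRSession:
    """Own one RTR session: init on enter, pulse when near expiry, delete on exit."""

    def __init__(self, client, device_id: str, origin: str = "rtr-session-example",
                 queue_offline: bool = False,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.client = client
        self.device_id = device_id
        self.origin = origin                # recorded in the RTR audit trail
        self.queue_offline = queue_offline
        self._clock = clock
        self._last_touch = 0.0
        self.session_id: Optional[str] = None

    def __enter__(self) -> "RTRSession":
        body = _body(self.client.init_session(device_id=self.device_id,
                                              origin=self.origin,
                                              queue_offline=self.queue_offline),
                     "init_session")
        self.session_id = body["resources"][0]["session_id"]  # assumed response shape
        self._last_touch = self._clock()
        return self

    def seconds_until_expiry(self) -> float:
        return SESSION_TTL_SECONDS - (self._clock() - self._last_touch)

    def keep_alive(self) -> bool:
        """Pulse only when the session is about to expire; True if a pulse was sent."""
        if self.seconds_until_expiry() > PULSE_MARGIN_SECONDS:
            return False
        _body(self.client.pulse_session(device_id=self.device_id,
                                        origin=self.origin,
                                        queue_offline=self.queue_offline),
              "pulse_session")
        self._last_touch = self._clock()
        return True

    def __exit__(self, exc_type, exc, tb) -> None:
        # Tear the session down even if the body raised, so nothing stays open
        # on the host for the rest of the ten-minute window.
        if self.session_id is not None:
            self.client.delete_session(session_id=self.session_id)
            self.session_id = None


class StubRTRClient:
    """Constructed stand-in for falconpy.RealTimeResponse that records each call."""

    def __init__(self) -> None:
        self.calls = []

    def init_session(self, **kwargs):
        self.calls.append(("init_session", kwargs))
        return {"status_code": 201, "body": {"resources": [{"session_id": "sess-0001"}]}}

    def pulse_session(self, **kwargs):
        self.calls.append(("pulse_session", kwargs))
        return {"status_code": 201, "body": {"resources": [{"session_id": "sess-0001"}]}}

    def delete_session(self, **kwargs):
        self.calls.append(("delete_session", kwargs))
        return {"status_code": 204, "body": {}}


def demo(elapsed_seconds: float, fail_inside: bool = False) -> Dict[str, Any]:
    """Open a session, advance the fake clock, call keep_alive, then close it."""
    client = StubRTRClient()
    now = [1000.0]
    pulsed = False
    try:
        with RTRSession(client, device_id="aid-0001", clock=lambda: now[0]) as session:
            now[0] += elapsed_seconds
            pulsed = session.keep_alive()
            if fail_inside:
                raise ValueError("simulated failure inside the session")
    except ValueError:
        pass
    return {"pulsed": pulsed,
            "calls": [name for name, _ in client.calls],
            "deleted": [kw for name, kw in client.calls if name == "delete_session"]}
```

Call `keep_alive()` before each command you send inside the session; it is cheap when the session is fresh and issues the pulse only in the last minute of the window. Anything that raises inside the `with` block still reaches `__exit__`, so the host is never left with a session that nobody will close.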
Get a list of session_ids.
You will only be able to retrieve sessions that were created using the same API credentials.
list_all_sessions
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | | | query | string | FQL query expression that should be used to limit the results. `user_id` can accept the special value `'@me'`, which restricts results to records with the current user's ID. |
limit | | | query | integer | Maximum number of records to return. Max: 5000. |
offset | | | query | string | Starting index of overall result set from which to return ids. |
sort | | | query | string | The property to sort by. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import RealTimeResponse

# Service class example (PEP8 syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.list_all_sessions(offset="string",
                                    limit=100,
                                    sort="string",
                                    filter="string"
                                    )
print(response)
```

```python
from falconpy import RealTimeResponse

# Service class example (Operation ID syntax)
falcon = RealTimeResponse(client_id="API_CLIENT_ID_HERE",
                          client_secret="API_CLIENT_SECRET_HERE"
                          )

response = falcon.RTR_ListAllSessions(offset="string",
                                      limit=100,
                                      sort="string",
                                      filter="string"
                                      )
print(response)
```

```python
from falconpy import APIHarness

# Uber class example
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("RTR_ListAllSessions",
                          offset="string",
                          limit=100,
                          sort="string",
                          filter="string"
                          )
print(response)
```
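Because list_all_sessions returns only ids, with a string offset and a per-call limit, an inventory of your own sessions means paging through the `user_id:'@me'` filter and then resolving the ids to metadata with list_sessions in chunks. The functions below are an added example, not FalconPy's code. They assume that the string offset is the numeric start index described in the table above, stop on the first short page (which also covers an empty result set), and run against a constructed stub client with the same keyword signatures; the `id` field on each list_sessions resource is an assumption about the response shape.

```python
from typing import Any, Dict, List

PAGE_SIZE = 500    # comfortably below the documented maximum of 5000
ID_CHUNK = 100     # session ids per list_sessions call


def _body(response: Dict[str, Any], action: str) -> Dict[str, Any]:
    """Return the body of a FalconPy response, raising on any non-2xx status."""
    code = response.get("status_code", 0)
    if not 200 <= code < 300:
        raise RuntimeError(f"{action} failed with HTTP {code}: "
                           f"{response.get('body', {}).get('errors')}")
    return response["body"]


def my_session_ids(client, page_size: int = PAGE_SIZE) -> List[str]:
    """Collect every session id visible to the calling credentials.

    The offset sent is the string form of the next start index (assumption:
    the "starting index" described on this page). Paging stops on the first
    page shorter than `page_size`."""
    ids: List[str] = []
    while True:
        body = _body(client.list_all_sessions(filter="user_id:'@me'",
                                              limit=page_size,
                                              offset=str(len(ids))),
                     "list_all_sessions")
        page = body.get("resources") or []
        ids.extend(page)
        if len(page) < page_size:
            return ids


def my_sessions(client, page_size: int = PAGE_SIZE,
                chunk: int = ID_CHUNK) -> List[Dict[str, Any]]:
    """Resolve the ids to session metadata, `chunk` ids per list_sessions POST."""
    ids = my_session_ids(client, page_size)
    sessions: List[Dict[str, Any]] = []
    for start in range(0, len(ids), chunk):
        body = _body(client.list_sessions(ids=ids[start:start + chunk]), "list_sessions")
        sessions.extend(body.get("resources") or [])
    return sessions


class StubRTRClient:
    """Constructed stand-in for falconpy.RealTimeResponse holding `count` sessions."""

    def __init__(self, count: int) -> None:
        self.ids = [f"sess-{n:04d}" for n in range(count)]
        self.calls: List[tuple] = []

    def list_all_sessions(self, **kwargs):
        self.calls.append(("list_all_sessions", kwargs))
        start = int(kwargs["offset"])
        page = self.ids[start:start + kwargs["limit"]]
        return {"status_code": 200, "body": {"resources": page}}

    def list_sessions(self, **kwargs):
        self.calls.append(("list_sessions", kwargs))
        # Assumed shape: one resource per requested id, carrying at least "id".
        return {"status_code": 200,
                "body": {"resources": [{"id": i, "user_id": "user-1"} for i in kwargs["ids"]]}}


def demo(count: int, page_size: int, chunk: int) -> Dict[str, Any]:
    """Inventory a stub holding `count` sessions; returns ids and the calls made."""
    client = StubRTRClient(count)
    sessions = my_sessions(client, page_size, chunk)
    return {"ids": [s["id"] for s in sessions],
            "offsets": [kw["offset"] for name, kw in client.calls
                        if name == "list_all_sessions"],
            "chunks": [len(kw["ids"]) for name, kw in client.calls
                       if name == "list_sessions"]}
```

When the total is an exact multiple of the page size the loop makes one extra call that returns an empty page; that is the price of not depending on a total count in the response metadata. Pair this with delete_session to clean up sessions that an interrupted script never closed.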