Real Time Response
| API Function | Description |
|---|---|
| RTR_AggregateSessions | Get aggregates on session data. |
| BatchActiveResponderCmd | Batch executes a RTR active-responder command across the hosts mapped to the given batch ID. |
| BatchCmd | Batch executes a RTR read-only command across the hosts mapped to the given batch ID. |
| BatchGetCmdStatus | Retrieves the status of the specified batch get command. Will return successful files when they are finished processing. |
| BatchGetCmd | Batch executes get command across hosts to retrieve files. After this call is made GET /real-time-response/combined/batch-get-command/v1 is used to query for the results. |
| BatchInitSessions | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. |
| BatchRefreshSessions | Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed. |
| RTR_CheckActiveResponderCommandStatus | Get status of an executed active-responder command on a single host. |
| RTR_ExecuteActiveResponderCommand | Execute an active responder command on a single host. |
| RTR_CheckCommandStatus | Get status of an executed command on a single host. |
| RTR_ExecuteCommand | Execute a command on a single host. |
| RTR_GetExtractedFileContents | Get RTR extracted file contents for specified session and sha256. |
| RTR_ListFiles | Get a list of files for the specified RTR session. |
| RTR_DeleteFile | Delete a RTR session file. |
| RTR_ListQueuedSessions | Get queued session metadata by session ID. |
| RTR_DeleteQueuedSession | Delete a queued session command |
| RTR_PulseSession | Refresh a session timeout on a single host. |
| RTR_ListSessions | Get session metadata by session id. |
| RTR_InitSession | Initialize a new session with the RTR cloud. |
| RTR_DeleteSession | Delete a session. |
| RTR_ListAllSessions | Get a list of session_ids. |
Get aggregates on session data.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string | Supported aggregations: - term - date_range Supported aggregation members: date_ranges If peforming a date range query specify the from and to date ranges. These can be in common date formats like 2019-07-18 or now field Term you want to aggregate on. If doing a date_range query, this is the date field you want to apply the date ranges to filter Optional filter criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. name Name of the aggregation size Size limit to apply to the queries. |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.RTR_AggregateSessions(body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('RTR-AggregateSessions', body=BODY)
print(response)
falcon.deauthenticate()Batch executes a RTR active-responder command across the hosts mapped to the given batch ID.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| timeout | query | integer | Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 10 minutes. | |
| timeout_duration | query | string | Timeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes. |
|
| ✅ | body | body | string | Use this endpoint to run these real time response commands: - cat - cd - clear - cp - encrypt - env - eventlog - filehash - get - getsid - help - history - ipconfig - kill - ls - map - memdump - mkdir - mount - mv - netstat - ps - reg query - reg set - reg delete - reg load - reg unload - restart - rm - runscript - shutdown - unmap - update history - update install - update list - update query - xmemdump - zip base_command Active-Responder command type we are going to execute, for example: get or cp. Refer to the RTR documentation for the full list of commands. batch_id Batch ID to execute the command on. Received from /real-time-response/combined/init-sessions/v1. command_string Full command string for the command. For example get some_file.txt optional_hosts List of a subset of hosts we want to run the command on. If this list is supplied, only these hosts will receive the command. |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'timeout': integer,
'timeout_duration': 'string'
}
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.BatchActiveResponderCmd(parameters=PARAMS, body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'timeout': integer,
'timeout_duration': 'string'
}
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('BatchActiveResponderCmd', parameters=PARAMS, body=BODY)
print(response)
falcon.deauthenticate()Batch executes a RTR read-only command across the hosts mapped to the given batch ID.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| timeout | query | integer | Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 10 minutes. | |
| timeout_duration | query | string | Timeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes. |
|
| ✅ | body | body | string | Use this endpoint to run these real time response commands: - cat - cd - clear - env - eventlog - filehash - getsid - help - history - ipconfig - ls - mount - netstat - ps - reg query base_command read-only command type we are going to execute, for example: ls or cd. Refer to the RTR documentation for the full list of commands. batch_id Batch ID to execute the command on. Received from /real-time-response/combined/init-sessions/v1. command_string Full command string for the command. For example cd C:some_directory optional_hosts List of a subset of hosts we want to run the command on. If this list is supplied, only these hosts will receive the command. |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'timeout': integer,
'timeout_duration': 'string'
}
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.BatchCmd(parameters=PARAMS, body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'timeout': integer,
'timeout_duration': 'string'
}
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('BatchCmd', parameters=PARAMS, body=BODY)
print(response)
falcon.deauthenticate()Retrieves the status of the specified batch get command. Will return successful files when they are finished processing.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| timeout | query | integer | Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 10 minutes. | |
| timeout_duration | query | string | Timeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes. |
|
| ✅ | batch_get_cmd_req_id | query | string | Batch Get Command Request ID received from /real-time-response/combined/get-command/v1
|
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'timeout': integer,
'timeout_duration': 'string',
'batch_get_cmd_req_id': 'string'
}
response = falcon.BatchGetCmdStatus(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'timeout': integer,
'timeout_duration': 'string',
'batch_get_cmd_req_id': 'string'
}
response = falcon.command('BatchGetCmdStatus', parameters=PARAMS)
print(response)
falcon.deauthenticate()Batch executes get command across hosts to retrieve files. After this call is made GET /real-time-response/combined/batch-get-command/v1 is used to query for the results.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| timeout | query | integer | Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 10 minutes. | |
| timeout_duration | query | string | Timeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes. |
|
| ✅ | body | body | string |
batch_id Batch ID to execute the command on. Received from /real-time-response/combined/init-sessions/v1. file_path Full path to the file that is to be retrieved from each host in the batch. optional_hosts List of a subset of hosts we want to run the command on. If this list is supplied, only these hosts will receive the command. |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'timeout': integer,
'timeout_duration': 'string'
}
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.BatchGetCmd(parameters=PARAMS, body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'timeout': integer,
'timeout_duration': 'string'
}
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('BatchGetCmd', parameters=PARAMS, body=BODY)
print(response)
falcon.deauthenticate()Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| timeout | query | integer | Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 10 minutes. | |
| timeout_duration | query | string | Timeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes. |
|
| ✅ | body | body | string |
host_ids List of host agent ID's to initialize a RTR session on existing_batch_id Optional batch ID. Use an existing batch ID if you want to initialize new hosts and add them to the existing batch |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'timeout': integer,
'timeout_duration': 'string'
}
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.BatchInitSessions(parameters=PARAMS, body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'timeout': integer,
'timeout_duration': 'string'
}
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('BatchInitSessions', parameters=PARAMS, body=BODY)
print(response)
falcon.deauthenticate()Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| timeout | query | integer | Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 10 minutes. | |
| timeout_duration | query | string | Timeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes. |
|
| ✅ | body | body | string |
batch_id Batch ID to execute the command on. Received from /real-time-response/combined/init-sessions/v1. hosts_to_remove Hosts to remove from the batch session. Heartbeats will no longer happen on these hosts and the sessions will expire. |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'timeout': integer,
'timeout_duration': 'string'
}
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.BatchRefreshSessions(parameters=PARAMS, body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'timeout': integer,
'timeout_duration': 'string'
}
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('BatchRefreshSessions', parameters=PARAMS, body=BODY)
print(response)
falcon.deauthenticate()Get status of an executed active-responder command on a single host.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | cloud_request_id | query | string | Cloud Request ID of the executed command to query |
| ✅ | sequence_id | query | integer | Sequence ID that we want to retrieve. Command responses are chunked across sequences |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'cloud_request_id': 'string',
'sequence_id': integer
}
response = falcon.RTR_CheckActiveResponderCommandStatus(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'cloud_request_id': 'string',
'sequence_id': integer
}
response = falcon.command('RTR-CheckActiveResponderCommandStatus', parameters=PARAMS)
print(response)
falcon.deauthenticate()Execute an active responder command on a single host.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string | Use this endpoint to run these real time response commands: - cat - cd - clear - cp - encrypt - env - eventlog - filehash - get - getsid - help - history - ipconfig - kill - ls - map - memdump - mkdir - mount - mv - netstat - ps - reg query - reg set - reg delete - reg load - reg unload - restart - rm - runscript - shutdown - unmap - update history - update install - update list - update query - xmemdump - zip Required values. The rest of the fields are unused. base_command Active-Responder command type we are going to execute, for example: get or cp. Refer to the RTR documentation for the full list of commands. command_string Full command string for the command. For example get some_file.txt session_id RTR session ID to run the command on |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.RTR_ExecuteActiveResponderCommand(body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(response)
falcon.deauthenticate()Get status of an executed command on a single host.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | cloud_request_id | query | string | Cloud Request ID of the executed command to query |
| ✅ | sequence_id | query | integer | Sequence ID that we want to retrieve. Command responses are chunked across sequences |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'cloud_request_id': 'string',
'sequence_id': integer
}
response = falcon.RTR_CheckCommandStatus(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'cloud_request_id': 'string',
'sequence_id': integer
}
response = falcon.command('RTR-CheckCommandStatus', parameters=PARAMS)
print(response)
falcon.deauthenticate()Execute a command on a single host.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string | Use this endpoint to run these real time response commands: - cat - cd - clear - env - eventlog - filehash - getsid - help - history - ipconfig - ls - mount - netstat - ps - reg query Required values. The rest of the fields are unused. base_command read-only command type we are going to execute, for example: ls or cd. Refer to the RTR documentation for the full list of commands. command_string Full command string for the command. For example cd C:some_directory session_id RTR session ID to run the command on |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.RTR_ExecuteCommand(body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('RTR-ExecuteCommand', body=BODY)
print(response)
falcon.deauthenticate()Get RTR extracted file contents for specified session and sha256.
- Produces: application/x-7z-compressed
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | session_id | query | string | RTR Session id |
| ✅ | sha256 | query | string | Extracted SHA256 (e.g. 'efa256a96af3b556cd3fc9d8b1cf587d72807d7805ced441e8149fc279db422b') |
| filename | query | string | Filename to use for the archive name and the file within the archive. |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'session_id': 'string',
'sha256': 'string',
'filename': 'string'
}
response = falcon.RTR_GetExtractedFileContents(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'session_id': 'string',
'sha256': 'string',
'filename': 'string'
}
response = falcon.command('RTR-GetExtractedFileContents', parameters=PARAMS)
print(response)
falcon.deauthenticate()Get a list of files for the specified RTR session.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | session_id | query | string | RTR Session id |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'session_id': 'string'
}
response = falcon.RTR_ListFiles(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'session_id': 'string'
}
response = falcon.command('RTR-ListFiles', parameters=PARAMS)
print(response)
falcon.deauthenticate()Delete a RTR session file.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | ids | query | string | RTR Session file id |
| ✅ | session_id | query | string | RTR Session id |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'session_id': 'string'
}
IDS = 'ID1,ID2,ID3'
response = falcon.RTR_DeleteFile(parameters=PARAMS, ids=IDS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'session_id': 'string'
}
IDS = 'ID1,ID2,ID3'
response = falcon.command('RTR-DeleteFile', parameters=PARAMS, ids=IDS)
print(response)
falcon.deauthenticate()Get queued session metadata by session ID.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string |
ids List of RTR sessions to retrieve. RTR will only return the sessions that were created by the calling user |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.RTR_ListQueuedSessions(body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('RTR-ListQueuedSessions', body=BODY)
print(response)
falcon.deauthenticate()Delete a queued session command
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | session_id | query | string | RTR Session id |
| ✅ | cloud_request_id | query | string | Cloud Request ID of the executed command to query |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'session_id': 'string',
'cloud_request_id': 'string'
}
response = falcon.RTR_DeleteQueuedSession(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'session_id': 'string',
'cloud_request_id': 'string'
}
response = falcon.command('RTR-DeleteQueuedSession', parameters=PARAMS)
print(response)
falcon.deauthenticate()Refresh a session timeout on a single host.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string |
device_id The host agent ID to refresh the RTR session on. RTR will retrieve an existing session for the calling user on this host |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.RTR_PulseSession(body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('RTR-PulseSession', body=BODY)
print(response)
falcon.deauthenticate()Get session metadata by session id.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string |
ids List of RTR sessions to retrieve. RTR will only return the sessions that were created by the calling user |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.RTR_ListSessions(body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('RTR-ListSessions', body=BODY)
print(response)
falcon.deauthenticate()Initialize a new session with the RTR cloud.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string |
device_id The host agent ID to initialize the RTR session on. RTR will retrieve an existing session for the calling user on this host |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.RTR_InitSession(body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('RTR-InitSession', body=BODY)
print(response)
falcon.deauthenticate()Delete a session.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | session_id | query | string | RTR Session id |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'session_id': 'string'
}
response = falcon.RTR_DeleteSession(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'session_id': 'string'
}
response = falcon.command('RTR-DeleteSession', parameters=PARAMS)
print(response)
falcon.deauthenticate()Get a list of session_ids.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| offset | query | string | Starting index of overall result set from which to return ids. | |
| limit | query | integer | Number of ids to return. | |
| sort | query | string | Sort by spec. Ex: 'date_created | |
| filter | query | string | Optional filter criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. “user_id” can accept a special value ‘@me’ which will restrict results to records with current user’s ID. |
from falconpy import real_time_response as FalconRTR
falcon = FalconRTR.Real_Time_Response(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'offset': 'string',
'limit': integer,
'sort': 'string',
'filter': 'string'
}
response = falcon.RTR_ListAllSessions(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'offset': 'string',
'limit': integer,
'sort': 'string',
'filter': 'string'
}
response = falcon.command('RTR-ListAllSessions', parameters=PARAMS)
print(response)
falcon.deauthenticate()
- Home
- Discussions Board
- Glossary of Terms
- Installation, Upgrades and Removal
- Samples Collection
- Using FalconPy
- API Operations
-
Service Collections
- Alerts
- API Integrations
- ASPM
- Certificate Based Exclusions
- Cloud Connect AWS (deprecated)
- Cloud Snapshots
- Compliance Assessments
- Configuration Assessment
- Configuration Assessment Evaluation Logic
- Container Alerts
- Container Detections
- Container Images
- Container Packages
- Container Vulnerabilities
- CSPM Registration
- Custom IOAs
- Custom Storage
- D4C Registration (deprecated)
- DataScanner
- Delivery Settings
- Detects
- Device Control Policies
- Discover
- Downloads
- Drift Indicators
- Event Streams
- Exposure Management
- Falcon Complete Dashboard
- Falcon Container
- Falcon Intelligence Sandbox
- FDR
- FileVantage
- Firewall Management
- Firewall Policies
- Foundry LogScale
- Host Group
- Host Migration
- Hosts
- Identity Protection
- Image Assessment Policies
- Incidents
- Installation Tokens
- Intel
- IOA Exclusions
- IOC
- IOCs (deprecated)
- Kubernetes Protection
- MalQuery
- Message Center
- ML Exclusions
- Mobile Enrollment
- MSSP (Flight Control)
- OAuth2
- ODS (On Demand Scan)
- Overwatch Dashboard
- Prevention Policy
- Quarantine
- Quick Scan
- Quick Scan Pro
- Real Time Response
- Real Time Response Admin
- Real Time Response Audit
- Recon
- Report Executions
- Response Policies
- Sample Uploads
- Scheduled Reports
- Sensor Download
- Sensor Update Policy
- Sensor Usage
- Sensor Visibility Exclusions
- Spotlight Evaluation Logic
- Spotlight Vulnerabilities
- Tailored Intelligence
- ThreatGraph
- Unidentified Containers
- User Management
- Workflows
- Zero Trust Assessment
- Documentation Support
-
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust
