### Build Browser Sensor Download Example Source: https://github.com/crowdstrike/falconjs/blob/main/examples/browser/README.md Builds the sensor download example using esbuild. Ensure you have npm installed and run this command in your terminal. ```bash npm run build:devel NAME=sensor_download ./node_modules/esbuild/bin/esbuild --bundle ./examples/browser/${NAME}.ts --outfile=./examples/browser/${NAME}.js --global-name=${NAME} ``` -------------------------------- ### Quick Start Falcon Client Initialization and API Call Source: https://github.com/crowdstrike/falconjs/blob/main/README.md Initialize the FalconClient with your credentials and cloud environment. This example demonstrates fetching sensor installers by CCID and includes error handling. ```typescript import { FalconClient, FalconErrorExplain } from "crowdstrike-falcon"; const client = new FalconClient({ cloud: "us-1", clientId: "your-client-id", clientSecret: "your-client-secret", }); await client.sensorDownload .getSensorInstallersCCIDByQuery() .catch(async function (err) { console.error("Could not fetch CCID: " + (await FalconErrorExplain(err))); }) .then((value) => { console.log("my CCID: ", value); }); ``` -------------------------------- ### Browser Sensor Download UI Example Source: https://context7.com/crowdstrike/falconjs/llms.txt This example shows how to initialize the FalconClient in a browser and use it to retrieve and download sensor installers. It utilizes the browser's native fetch and requires no special configuration for API calls. ```typescript import { FalconClient, FalconErrorExplain, DomainSensorInstallerV1 } from "crowdstrike-falcon"; let client: FalconClient | null = null; async function onLogin(clientId: string, clientSecret: string) { client = new FalconClient({ cloud: "us-1", // no fetchApi needed in browser clientId, clientSecret, }); const sensors = await client.sensorDownload .getCombinedSensorInstallersByQuery() .catch(async (err) => { alert("Error: " + (await FalconErrorExplain(err))); }); if (sensors?.resources) { renderSensorTable(sensors.resources); } } async function downloadSensor(sha256: string, fileName: string) { if (!client) return; const blob = await client.sensorDownload .downloadSensorInstallerById(sha256) .catch(async (err) => { alert("Download failed: " + (await FalconErrorExplain(err))); }); if (blob) { const url = URL.createObjectURL(blob); const a = document.createElement("a"); a.href = url; a.download = fileName; a.click(); setTimeout(() => URL.revokeObjectURL(url), 1000); } } function renderSensorTable(sensors: DomainSensorInstallerV1[]) { sensors.forEach((s) => { console.log(`${s.os} ${s.version} — ${s.description} (${Math.round(s.fileSize! / 1024 / 1024)} MiB)`); }); } ``` -------------------------------- ### Execute Example in Node.js Source: https://github.com/crowdstrike/falconjs/blob/main/docs/devel.md Compiles the TypeScript example file to JavaScript and then executes it using Node.js. This is how to run your SDK experiments locally. ```bash tsc && node ./build/example.js ``` -------------------------------- ### Sensor Installer Download Source: https://context7.com/crowdstrike/falconjs/llms.txt This section details how to use the `client.sensorDownload` instance to retrieve customer IDs, list available sensor installers for various platforms, and download specific installers. ```APIDOC ## client.sensorDownload — Sensor installer download `client.sensorDownload` (a `SensorDownloadApi` instance) retrieves the customer's CID and lists or downloads Falcon sensor binary installers for all supported platforms. ### getSensorInstallersCCIDByQuery Retrieves the customer's CID. ### getCombinedSensorInstallersByQuery Lists available sensor installers (Windows, Linux, macOS) with filtering, limiting, and sorting options. ### downloadSensorInstallerById Downloads a specific installer by its SHA256 ID. ``` -------------------------------- ### Install Fetch API for Node.js Source: https://github.com/crowdstrike/falconjs/blob/main/docs/devel.md Installs the `cross-fetch` package, which provides a `fetch` API implementation compatible with Node.js environments. This is necessary for using the SDK in Node.js. ```bash npm install cross-fetch ``` -------------------------------- ### Install FalconJS and Dependencies Source: https://context7.com/crowdstrike/falconjs/llms.txt Install the FalconJS SDK using npm. For Node.js environments, a fetch polyfill like 'cross-fetch' is also required. ```bash npm install crowdstrike-falcon # Node.js also needs a fetch polyfill npm install cross-fetch ``` -------------------------------- ### Install CrowdStrike FalconJS SDK Source: https://github.com/crowdstrike/falconjs/blob/main/README.md Use npm to install the CrowdStrike FalconJS SDK. This is the first step to integrating with the CrowdStrike Falcon API. ```bash npm install crowdstrike-falcon ``` -------------------------------- ### Download Falcon Sensor Installers with FalconClient Source: https://context7.com/crowdstrike/falconjs/llms.txt Use `client.sensorDownload` to retrieve customer CID, list available installers, and download specific sensor binaries. Requires `cross-fetch` and `crowdstrike-falcon` libraries. ```typescript import fetch from "cross-fetch"; import { FalconClient, FalconErrorExplain } from "crowdstrike-falcon"; const client = new FalconClient({ fetchApi: fetch, cloud: "us-1", clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, }); // Retrieve the customer CID const ccid = await client.sensorDownload .getSensorInstallersCCIDByQuery() .catch(async (err) => { throw new Error(await FalconErrorExplain(err)); }); console.log("My CCID:", ccid); // → "My CCID: ABCDEF1234567890-12" // List available sensor installers (Windows, Linux, macOS) const sensors = await client.sensorDownload.getCombinedSensorInstallersByQuery({ filter: "os:'Windows'", limit: 5, sort: "version.desc", }); sensors.resources?.forEach((s) => { console.log(s.name, s.version, s.os, s.fileSize); }); // Download a specific installer by its SHA256 ID const blob = await client.sensorDownload.downloadSensorInstallerById( sensors.resources![0].sha256!, ); // In Node.js, write blob to file: // fs.writeFileSync("sensor.exe", Buffer.from(await blob.arrayBuffer())); ``` -------------------------------- ### Initiate Batch Real-Time Response Sessions Source: https://context7.com/crowdstrike/falconjs/llms.txt Start batch RTR sessions on multiple hosts, run read-only commands, and check command status. Requires the FalconClient to be initialized and valid host IDs. ```typescript import fetch from "cross-fetch"; import { FalconClient } from "crowdstrike-falcon"; const client = new FalconClient({ fetchApi: fetch, cloud: "us-1", clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, }); // Initialize a batch RTR session on multiple hosts const session = await client.realTimeResponse.batchInitSessions({ body: { host_ids: ["device-id-abc123", "device-id-def456"], queue_offline: true, }, }); const batchId = session.resources?.batchId; console.log("Batch session ID:", batchId); // Run a read-only command (ls) across all hosts in the batch const cmdResult = await client.realTimeResponse.batchActiveResponderCmd({ body: { base_command: "ls", batch_id: batchId!, command_string: "ls /tmp", optional_hosts: [], }, timeout: 30, }); // Check per-host command output Object.entries(cmdResult.combined?.resources ?? {}).forEach(([hostId, result]) => { console.log(`Host ${hostId}:`, result.stdout || result.stderr); }); // List active RTR sessions const sessions = await client.realTimeResponse.listSessions({ body: { ids: ["session-id-1"] }, }); console.log("Sessions:", sessions.resources); ``` -------------------------------- ### Get Vulnerability Remediations Source: https://context7.com/crowdstrike/falconjs/llms.txt Retrieves remediation details for specified vulnerability IDs. ```APIDOC ## client.spotlightVulnerabilities.getRemediationsV2 ### Description Retrieves remediation guidance for a list of vulnerability IDs. ### Method `client.spotlightVulnerabilities.getRemediationsV2(params: { ids: string[] })` ### Parameters #### Query Parameters - **ids** (array of strings) - Required - List of vulnerability IDs for which to retrieve remediations. ### Response #### Success Response (200) - **resources** (array) - List of remediation objects, each containing an 'id' and 'action'. ``` -------------------------------- ### Get Falcon Cloud Base URL Source: https://context7.com/crowdstrike/falconjs/llms.txt Use CloudBasePath utility to determine the base URL for a given Falcon cloud region. Supports all four major regions. ```typescript import { FalconClient, FalconCloud, CloudBasePath } from "crowdstrike-falcon"; // Inspect which base URL a cloud region resolves to const cloud: FalconCloud = "eu-1"; console.log(CloudBasePath(cloud)); // → "https://api.eu-1.crowdstrike.com" // All four supported regions: const regions: FalconCloud[] = ["us-1", "us-2", "eu-1", "us-gov-1"]; regions.forEach(r => console.log(r, "→", CloudBasePath(r))); // us-1 → https://api.crowdstrike.com // us-2 → https://api.us-2.crowdstrike.com // eu-1 → https://api.eu-1.crowdstrike.com // us-gov-1 → https://api.laggar.gcw.crowdstrike.com ``` -------------------------------- ### FalconClient Initialization Source: https://context7.com/crowdstrike/falconjs/llms.txt Demonstrates how to instantiate the FalconClient for browser or Node.js environments, including required options like cloud region and OAuth2 credentials. ```APIDOC ## FalconClient — Client initialization `FalconClient` is the single entry point to all API services. It accepts cloud region, OAuth2 credentials, an optional MSSP `memberCid`, and an optional custom `fetchApi` implementation (required under Node.js where the native `fetch` may not be present). ```typescript import fetch from "cross-fetch"; import { FalconClient } from "crowdstrike-falcon"; // Browser: omit fetchApi (uses native fetch) // Node.js: pass a fetch polyfill const client = new FalconClient({ fetchApi: fetch, // required for Node.js cloud: "us-1", // "us-1" | "us-2" | "eu-1" | "us-gov-1" clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, memberCid: "CHILD_CID_HERE", // optional: MSSP child CID targeting }); // The client is ready — no explicit login step needed. // OAuth2 tokens are fetched and refreshed automatically. console.log("FalconClient created for cloud:", "us-1"); ``` ``` -------------------------------- ### Query and Manage Hosts with Falcon SDK Source: https://context7.com/crowdstrike/falconjs/llms.txt Demonstrates querying device IDs using FQL filters, fetching full device details, performing network containment actions, and updating device tags. Requires FalconClient initialization with credentials. ```typescript import fetch from "cross-fetch"; import { FalconClient, FalconErrorExplain } from "crowdstrike-falcon"; const client = new FalconClient({ fetchApi: fetch, cloud: "us-1", clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, }); // 1. Query device IDs by FQL filter const queryResult = await client.hosts.queryDevicesByFilter({ filter: "platform_name:'Windows'+status:'normal'", limit: 10, sort: "hostname.asc", }); console.log("Device IDs:", queryResult.resources); // → ["abc123", "def456", ...] // 2. Fetch full device details for those IDs const details = await client.hosts.postDeviceDetailsV2({ body: { ids: queryResult.resources }, }); details.resources?.forEach((device) => { console.log(device.hostname, device.localIp, device.osVersion); }); // 3. Network-contain a device await client.hosts.entitiesPerformAction({ ids: ["abc123"], actionName: "contain", body: { ids: [{ id: "abc123" }] }, }).catch(async (err) => { console.error(await FalconErrorExplain(err)); }); // 4. Update device tags await client.hosts.updateDeviceTags({ body: { action: "add", deviceIds: ["abc123"], tags: ["FalconGroupingTags/production", "FalconGroupingTags/us-east"], }, }); ``` -------------------------------- ### Initialize Falcon Client with Fetch API in Node.js Source: https://github.com/crowdstrike/falconjs/blob/main/docs/devel.md Demonstrates how to initialize the FalconClient in a Node.js environment by passing a `fetch` API implementation, such as `cross-fetch`, to the client's constructor. This ensures the SDK can make HTTP requests. ```typescript import fetch from "cross-fetch"; import { FalconClient } from "./src"; const client = new FalconClient({ fetchApi: fetch, ... }) ``` -------------------------------- ### FalconClientOptions and Cloud Base Path Source: https://context7.com/crowdstrike/falconjs/llms.txt Explains the `FalconClientOptions` interface and demonstrates how to use the `CloudBasePath` utility to determine the base URL for different Falcon cloud regions. ```APIDOC ## FalconClientOptions — Configuration interface `FalconClientOptions` defines the constructor contract for `FalconClient`. The `cloud` field maps directly to a Falcon API base URL via the `CloudBasePath` utility. ```typescript import { FalconClient, FalconCloud, CloudBasePath } from "crowdstrike-falcon"; // Inspect which base URL a cloud region resolves to const cloud: FalconCloud = "eu-1"; console.log(CloudBasePath(cloud)); // → "https://api.eu-1.crowdstrike.com" // All four supported regions: const regions: FalconCloud[] = ["us-1", "us-2", "eu-1", "us-gov-1"]; regions.forEach(r => console.log(r, "→", CloudBasePath(r))); // us-1 → https://api.crowdstrike.com // us-2 → https://api.us-2.crowdstrike.com // eu-1 → https://api.eu-1.crowdstrike.com // us-gov-1 → https://api.laggar.gcw.crowdstrike.com ``` ``` -------------------------------- ### Initialize FalconClient for Browser and Node.js Source: https://context7.com/crowdstrike/falconjs/llms.txt Instantiate the FalconClient with necessary credentials and cloud region. For Node.js, provide a fetch polyfill via 'fetchApi'. The client handles token management automatically. ```typescript import fetch from "cross-fetch"; import { FalconClient } from "crowdstrike-falcon"; // Browser: omit fetchApi (uses native fetch) // Node.js: pass a fetch polyfill const client = new FalconClient({ fetchApi: fetch, // required for Node.js cloud: "us-1", // "us-1" | "us-2" | "eu-1" | "us-gov-1" clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, memberCid: "CHILD_CID_HERE", // optional: MSSP child CID targeting }); // The client is ready — no explicit login step needed. // OAuth2 tokens are fetched and refreshed automatically. console.log("FalconClient created for cloud:", "us-1"); ``` -------------------------------- ### Query and Triage Alerts with Falcon SDK Source: https://context7.com/crowdstrike/falconjs/llms.txt Demonstrates querying alert IDs using FQL filters and retrieving full alert entities. Also shows how to triage alerts by marking them as in-progress with an assignee and comment. Requires FalconClient initialization. ```typescript import fetch from "cross-fetch"; import { FalconClient } from "crowdstrike-falcon"; const client = new FalconClient({ fetchApi: fetch, cloud: "us-1", clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, }); // Query alert IDs with an FQL filter const alertIds = await client.alerts.getQueriesAlertsV1({ filter: "status:'new'+severity_name:'Critical'", limit: 50, sort: "created_timestamp.desc", }); console.log("Alert IDs:", alertIds.resources); // Retrieve full alert entities by ID const alerts = await client.alerts.getV2({ body: { ids: alertIds.resources }, }); alerts.resources?.forEach((alert) => { console.log(alert.id, alert.status, alert.severity); }); // Triage: mark alerts as in-progress await client.alerts.patchEntitiesAlertsV2({ body: { ids: alertIds.resources, request: { assignee_uuid: "analyst-uuid-here", status: "in_progress", comment: "Investigating critical alerts", }, }, }); ``` -------------------------------- ### client.hosts — Host / Device management Source: https://context7.com/crowdstrike/falconjs/llms.txt Provides host inventory queries, device detail lookups, tag management, containment actions, and login history using FQL filter strings. ```APIDOC ## client.hosts — Host / Device management ### Description Provides host inventory queries, device detail lookups, tag management, containment actions, and login history. FQL filter strings are used throughout for flexible querying. ### Methods #### queryDevicesByFilter ##### Description Queries device IDs based on FQL filter strings. ##### Parameters - **filter** (string) - Required - FQL filter string for querying devices. - **limit** (number) - Optional - The maximum number of results to return. - **sort** (string) - Optional - The field to sort the results by. ##### Request Example ```typescript await client.hosts.queryDevicesByFilter({ filter: "platform_name:'Windows'+status:'normal'", limit: 10, sort: "hostname.asc", }); ``` #### postDeviceDetailsV2 ##### Description Fetches full device details for a given list of device IDs. ##### Parameters - **body** (object) - Required - An object containing the list of device IDs. - **ids** (array) - Required - An array of device IDs. ##### Request Example ```typescript await client.hosts.postDeviceDetailsV2({ body: { ids: queryResult.resources }, }); ``` #### entitiesPerformAction ##### Description Performs an action on specified devices, such as network containment. ##### Parameters - **ids** (array) - Required - An array of device IDs to perform the action on. - **actionName** (string) - Required - The name of the action to perform (e.g., "contain"). - **body** (object) - Required - An object containing details for the action. - **ids** (array) - Required - An array of objects, each with an 'id' property for the device. ##### Request Example ```typescript await client.hosts.entitiesPerformAction({ ids: ["abc123"], actionName: "contain", body: { ids: [{ id: "abc123" }] }, }); ``` #### updateDeviceTags ##### Description Updates tags for specified devices. ##### Parameters - **body** (object) - Required - An object containing the update details. - **action** (string) - Required - The action to perform (e.g., "add"). - **deviceIds** (array) - Required - An array of device IDs to update. - **tags** (array) - Required - An array of tags to add or remove. ##### Request Example ```typescript await client.hosts.updateDeviceTags({ body: { action: "add", deviceIds: ["abc123"], tags: ["FalconGroupingTags/production", "FalconGroupingTags/us-east"], }, }); ``` ``` -------------------------------- ### OAuth2 Token Management with FalconClient (MSSP) Source: https://context7.com/crowdstrike/falconjs/llms.txt Demonstrates using `FalconClient` in an MSSP scenario with a `memberCid` to scope tokens to a specific child tenant. Tokens are automatically fetched, cached, refreshed, and deduplicated. ```typescript import fetch from "cross-fetch"; import { FalconClient } from "crowdstrike-falcon"; // MSSP scenario: use a single key pair to target a specific child CID const msspClient = new FalconClient({ fetchApi: fetch, cloud: "us-1", clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, memberCid: "CHILD_TENANT_CID_HERE", // tokens are scoped to this child CID }); // Tokens are automatically: // - Fetched on the first API call // - Cached until expiry (expiresIn seconds from the token response) // - Refreshed transparently on expiry before the next call // - Deduplicated: concurrent calls share a single in-flight refresh promise const ccid = await msspClient.sensorDownload.getSensorInstallersCCIDByQuery(); console.log("Child tenant CCID:", ccid); ``` -------------------------------- ### Build with npm Source: https://github.com/crowdstrike/falconjs/blob/main/docs/devel.md Builds the TypeScript code to JavaScript using the npm command. This is an alternative to using the `tsc` command directly. ```bash npm run build ``` -------------------------------- ### Manage Incidents with Falcon SDK Source: https://context7.com/crowdstrike/falconjs/llms.txt Demonstrates retrieving the CrowdScore, querying open incidents using FQL filters, fetching incident details, and performing lifecycle actions such as closing an incident. Requires FalconClient initialization. ```typescript import fetch from "cross-fetch"; import { FalconClient } from "crowdstrike-falcon"; const client = new FalconClient({ fetchApi: fetch, cloud: "us-1", clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, }); // Get the CrowdScore (environmental risk score) const scores = await client.incidents.crowdScore({ limit: 1, sort: "timestamp.desc", }); console.log("Current CrowdScore:", scores.resources?.[0]?.score); // → "Current CrowdScore: 342" // Query open incidents const incidentIds = await client.incidents.queryIncidents({ filter: "status:'20'", // 20 = New limit: 10, }); // Retrieve full incident details const incidents = await client.incidents.getIncidents({ body: { ids: incidentIds.resources }, }); incidents.resources?.forEach((inc) => { console.log(inc.incidentId, inc.name, inc.state); }); // Close an incident await client.incidents.performIncidentAction({ body: { action_parameters: [{ name: "update_status", value: "40" }], // 40 = Closed ids: incidentIds.resources, }, }); ``` -------------------------------- ### Reformat Codebase Source: https://github.com/crowdstrike/falconjs/blob/main/docs/devel.md Reformats the codebase to ensure consistent styling. This command should be run as part of the pre-PR checklist. ```bash npm run format:fix ``` -------------------------------- ### Query Vulnerabilities and Remediation Details Source: https://context7.com/crowdstrike/falconjs/llms.txt Fetch vulnerability data, including critical open vulnerabilities, and retrieve remediation guidance. The FalconClient must be initialized. Pagination is handled for large result sets. ```typescript import fetch from "cross-fetch"; import { FalconClient } from "crowdstrike-falcon"; const client = new FalconClient({ fetchApi: fetch, cloud: "us-1", clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, }); // Combined query: returns both IDs and full entity data in one call const vulns = await client.spotlightVulnerabilities.combinedQueryVulnerabilities({ filter: "status:'open'+cve.severity:'CRITICAL'", limit: 100, facet: ["cve.id", "host_info.hostname"], }); vulns.resources?.forEach((v) => { console.log( v.id, v.cve?.id, // e.g. "CVE-2024-12345" v.hostInfo?.hostname, v.status, ); }); // Fetch paginated vulnerability IDs let after: string | undefined; do { const page = await client.spotlightVulnerabilities.queryVulnerabilities({ filter: "status:'open'", limit: 500, after, }); console.log("Page of IDs:", page.resources?.length); after = page.meta?.pagination?.after; } while (after); // Get remediation details const remediations = await client.spotlightVulnerabilities.getRemediationsV2({ ids: ["remediation-id-1", "remediation-id-2"], }); remediations.resources?.forEach((r) => console.log(r.id, r.action)); ``` -------------------------------- ### Build TypeScript to JavaScript Source: https://github.com/crowdstrike/falconjs/blob/main/docs/devel.md Builds the TypeScript code in the `src/` directory to JavaScript in the `dist/` directory. This is a required step before submitting a PR. ```bash tsc ``` -------------------------------- ### Run Linter Source: https://github.com/crowdstrike/falconjs/blob/main/docs/devel.md Runs the linter to check for any remaining issues that could not be automatically fixed. The output should be empty to ensure code quality. ```bash npm run lint ``` -------------------------------- ### Real-time Response Batch Operations Source: https://context7.com/crowdstrike/falconjs/llms.txt Initiate batch RTR sessions, run commands across multiple hosts, and manage session status. ```APIDOC ## client.realTimeResponse.batchInitSessions ### Description Initializes a batch Real-Time Response (RTR) session on multiple hosts. ### Method `client.realTimeResponse.batchInitSessions(params: { body: { host_ids: string[], queue_offline?: boolean } })` ### Parameters #### Request Body - **host_ids** (array of strings) - Required - List of host IDs to include in the session. - **queue_offline** (boolean) - Optional - Whether to queue commands for offline hosts. ### Response #### Success Response (200) - **resources.batchId** (string) - The ID of the initiated batch session. ## client.realTimeResponse.batchActiveResponderCmd ### Description Runs a read-only command across all hosts within a specified batch RTR session. ### Method `client.realTimeResponse.batchActiveResponderCmd(params: { body: { base_command: string, batch_id: string, command_string: string, optional_hosts?: string[] }, timeout?: number })` ### Parameters #### Request Body - **base_command** (string) - Required - The base command to execute (e.g., "ls"). - **batch_id** (string) - Required - The ID of the batch session. - **command_string** (string) - Required - The full command string to execute. - **optional_hosts** (array of strings) - Optional - Specific hosts within the batch to target. #### Query Parameters - **timeout** (number) - Optional - Timeout in seconds for the command execution. ### Response #### Success Response (200) - **combined.resources** (object) - An object mapping host IDs to their command results. ## client.realTimeResponse.listSessions ### Description Lists active RTR sessions based on provided session IDs. ### Method `client.realTimeResponse.listSessions(params: { body: { ids: string[] } })` ### Parameters #### Request Body - **ids** (array of strings) - Required - List of session IDs to query. ### Response #### Success Response (200) - **resources** (array) - List of active RTR session objects. ``` -------------------------------- ### FalconErrorExplain for Error Handling Source: https://context7.com/crowdstrike/falconjs/llms.txt Shows how to use the `FalconErrorExplain` helper to parse and display human-readable error messages from Falcon API responses or errors. ```APIDOC ## FalconErrorExplain — Error message extraction `FalconErrorExplain` unwraps a caught API `Response` or `ResponseError` into the first human-readable message from the Falcon `errors[]` array. Falls back to HTTP status and URL if the body cannot be parsed. ```typescript import fetch from "cross-fetch"; import { FalconClient, FalconErrorExplain } from "crowdstrike-falcon"; const client = new FalconClient({ fetchApi: fetch, cloud: "us-1", clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, }); await client.sensorDownload .getSensorInstallersCCIDByQuery() .then((value) => { console.log("CCID:", value); }) .catch(async (err) => { // Converts raw Response/ResponseError → readable string const message = await FalconErrorExplain(err); console.error("Falcon API error:", message); // Example output: "Falcon API error: access_denied: Access denied, authorization failed." }); ``` ``` -------------------------------- ### Real-time Event Streaming Source: https://context7.com/crowdstrike/falconjs/llms.txt This section explains how to use the `client.availableEventStreams` method to access real-time data feeds from the Falcon Streaming API. It covers listing available streams and processing events from each stream. ```APIDOC ## client.availableEventStreams — Real-time event streaming `availableEventStreams` is a hand-written method on `FalconClient` that lists available Falcon Streaming API data feeds and returns `EventStream` objects. Each stream's `process(callback)` method consumes the NDJSON event feed and fires the callback for each event object. ### availableEventStreams Lists available Falcon Streaming API data feeds and returns `EventStream` objects. ### EventStream.process Consumes the NDJSON event feed and fires a callback for each event object. It accepts an optional offset to resume from a specific point. ``` -------------------------------- ### Query Vulnerabilities Source: https://context7.com/crowdstrike/falconjs/llms.txt Query for CVE-based vulnerability data across enrolled hosts, with options for combined results or paginated ID fetching. ```APIDOC ## client.spotlightVulnerabilities.combinedQueryVulnerabilities ### Description Combines querying for vulnerability IDs and their full entity data in a single call. ### Method `client.spotlightVulnerabilities.combinedQueryVulnerabilities(params: { filter: string, limit?: number, facet?: string[] })` ### Parameters #### Query Parameters - **filter** (string) - Required - FQL filter string for vulnerabilities (e.g., "status:'open'+cve.severity:'CRITICAL'"). - **limit** (number) - Optional - Maximum number of results to return. - **facet** (array of strings) - Optional - Fields to use for faceting results. ### Response #### Success Response (200) - **resources** (array) - List of vulnerability objects with entity data. ## client.spotlightVulnerabilities.queryVulnerabilities ### Description Fetches paginated vulnerability IDs based on FQL filters. ### Method `client.spotlightVulnerabilities.queryVulnerabilities(params: { filter: string, limit?: number, after?: string })` ### Parameters #### Query Parameters - **filter** (string) - Required - FQL filter string for vulnerabilities. - **limit** (number) - Optional - Maximum number of results per page. - **after** (string) - Optional - Pagination token for fetching the next page. ### Response #### Success Response (200) - **resources** (array) - List of vulnerability IDs. - **meta.pagination.after** (string) - Pagination token for the next page. ``` -------------------------------- ### Query Threat Actors and Indicators of Compromise Source: https://context7.com/crowdstrike/falconjs/llms.txt Query threat actors by name or region and search for indicators of compromise. Ensure the FalconClient is initialized with valid credentials and cloud region. ```typescript import fetch from "cross-fetch"; import { FalconClient } from "crowdstrike-falcon"; const client = new FalconClient({ fetchApi: fetch, cloud: "us-1", clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, }); // Query threat actors by name / region const actorIds = await client.intel.queryIntelActorIds({ filter: "origins:'Russia'", limit: 5, }); const actors = await client.intel.getIntelActorEntities({ ids: actorIds.resources, fields: ["name", "description", "origins", "motivations"], }); actors.resources?.forEach((actor) => { console.log(actor.name, actor.origins?.map((o) => o.value)); }); // Search indicators of compromise const indicators = await client.intel.queryIntelIndicatorIds({ filter: "type:'domain'+malicious_confidence:'high'", limit: 20, sort: "last_updated.desc", }); console.log("Malicious high-confidence domain IOC IDs:", indicators.resources); // MITRE ATT&CK technique mapping for an actor const mitre = await client.intel.getIntelActorEntities({ ids: actorIds.resources, fields: ["attack_techniques"], }); ``` -------------------------------- ### client.alerts — Alert queries and triage Source: https://context7.com/crowdstrike/falconjs/llms.txt Provides current generation alert API for querying, bulk retrieval, and status updates (triage) using FQL filters. ```APIDOC ## client.alerts — Alert queries and triage ### Description Provides the current generation alert API, replacing the deprecated Detects API. Supports querying, bulk retrieval, and status updates (triage) using FQL filters. ### Methods #### getQueriesAlertsV1 ##### Description Queries alert IDs with an FQL filter. ##### Parameters - **filter** (string) - Required - FQL filter string for querying alerts. - **limit** (number) - Optional - The maximum number of results to return. - **sort** (string) - Optional - The field to sort the results by. ##### Request Example ```typescript await client.alerts.getQueriesAlertsV1({ filter: "status:'new'+severity_name:'Critical'", limit: 50, sort: "created_timestamp.desc", }); ``` #### getV2 ##### Description Retrieves full alert entities by their IDs. ##### Parameters - **body** (object) - Required - An object containing the list of alert IDs. - **ids** (array) - Required - An array of alert IDs. ##### Request Example ```typescript await client.alerts.getV2({ body: { ids: alertIds.resources }, }); ``` #### patchEntitiesAlertsV2 ##### Description Updates the status of alerts, such as marking them as in-progress. ##### Parameters - **body** (object) - Required - An object containing the update details. - **ids** (array) - Required - An array of alert IDs to update. - **request** (object) - Required - An object with the triage request details. - **assignee_uuid** (string) - Optional - The UUID of the assignee. - **status** (string) - Required - The new status for the alerts (e.g., "in_progress"). - **comment** (string) - Optional - A comment for the triage action. ##### Request Example ```typescript await client.alerts.patchEntitiesAlertsV2({ body: { ids: alertIds.resources, request: { assignee_uuid: "analyst-uuid-here", status: "in_progress", comment: "Investigating critical alerts", }, }, }); ``` ``` -------------------------------- ### Real-time Event Streaming with FalconClient Source: https://context7.com/crowdstrike/falconjs/llms.txt Utilize `client.availableEventStreams` to access Falcon Streaming API data feeds. The `process` method on each `EventStream` object consumes NDJSON feeds and invokes a callback for each event. ```typescript import fetch from "cross-fetch"; import { FalconClient } from "crowdstrike-falcon"; const client = new FalconClient({ fetchApi: fetch, cloud: "us-1", clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, }); const appName = "my-siem-integration-v1"; const streams = await client.availableEventStreams(appName); console.log(`Found ${streams.length} stream(s)`); streams.forEach((stream) => { // process() attaches a Node.js readable stream listener // and invokes the callback for each parsed JSON event line stream.process( (event) => { console.log("Falcon event received:", JSON.stringify(event)); // Example event: { metadata: { eventType: "AuthActivityAuditEvent", ... }, event: { ... } } }, 0, // optional: resume from a specific offset ); }); ``` -------------------------------- ### Search Indicators of Compromise Source: https://context7.com/crowdstrike/falconjs/llms.txt Search for indicators of compromise (IOCs) using FQL filters and sort criteria. ```APIDOC ## client.intel.queryIntelIndicatorIds ### Description Searches for indicators of compromise (IOCs) based on filters and sorting. ### Method `client.intel.queryIntelIndicatorIds(params: { filter: string, limit?: number, sort?: string })` ### Parameters #### Query Parameters - **filter** (string) - Required - FQL filter string (e.g., "type:'domain'+malicious_confidence:'high'"). - **limit** (number) - Optional - Maximum number of results to return. - **sort** (string) - Optional - Sorting criteria (e.g., "last_updated.desc"). ### Response #### Success Response (200) - **resources** (array) - List of IOC IDs matching the query. ``` -------------------------------- ### Fix Linting Issues Source: https://github.com/crowdstrike/falconjs/blob/main/docs/devel.md Automatically fixes any linting issues that the linter can resolve. This is a required step before submitting a PR. ```bash npm run lint:fix ``` -------------------------------- ### client.incidents — Incident management Source: https://context7.com/crowdstrike/falconjs/llms.txt Exposes CrowdScore environmental risk scoring, incident and behavior querying, and incident lifecycle actions. ```APIDOC ## client.incidents — Incident management ### Description Exposes CrowdScore environmental risk scoring, incident and behavior querying, and incident lifecycle actions. ### Methods #### crowdScore ##### Description Retrieves the CrowdScore, which is the environmental risk score. ##### Parameters - **limit** (number) - Optional - The maximum number of results to return. - **sort** (string) - Optional - The field to sort the results by. ##### Request Example ```typescript await client.incidents.crowdScore({ limit: 1, sort: "timestamp.desc", }); ``` #### queryIncidents ##### Description Queries open incidents based on FQL filter strings. ##### Parameters - **filter** (string) - Required - FQL filter string for querying incidents (e.g., "status:'20'"). - **limit** (number) - Optional - The maximum number of results to return. ##### Request Example ```typescript await client.incidents.queryIncidents({ filter: "status:'20'", // 20 = New limit: 10, }); ``` #### getIncidents ##### Description Retrieves full incident details for a given list of incident IDs. ##### Parameters - **body** (object) - Required - An object containing the list of incident IDs. - **ids** (array) - Required - An array of incident IDs. ##### Request Example ```typescript await client.incidents.getIncidents({ body: { ids: incidentIds.resources }, }); ``` #### performIncidentAction ##### Description Performs an action on incidents, such as closing them. ##### Parameters - **body** (object) - Required - An object containing the action details. - **action_parameters** (array) - Required - An array of action parameters. - **name** (string) - Required - The name of the action (e.g., "update_status"). - **value** (string) - Required - The value for the action (e.g., "40" for Closed). - **ids** (array) - Required - An array of incident IDs to perform the action on. ##### Request Example ```typescript await client.incidents.performIncidentAction({ body: { action_parameters: [{ name: "update_status", value: "40" }], // 40 = Closed ids: incidentIds.resources, }, }); ``` ``` -------------------------------- ### Query Threat Actors Source: https://context7.com/crowdstrike/falconjs/llms.txt Query threat actors by name or region and retrieve detailed entity information. ```APIDOC ## client.intel.queryIntelActorIds ### Description Queries for threat actor IDs based on specified filters. ### Method `client.intel.queryIntelActorIds(params: { filter: string, limit?: number })` ### Parameters #### Query Parameters - **filter** (string) - Required - FQL filter string to narrow down results. - **limit** (number) - Optional - Maximum number of results to return. ### Response #### Success Response (200) - **resources** (array) - List of threat actor IDs. ## client.intel.getIntelActorEntities ### Description Retrieves detailed entity information for specified threat actors. ### Method `client.intel.getIntelActorEntities(params: { ids: string[], fields?: string[] })` ### Parameters #### Query Parameters - **ids** (array of strings) - Required - List of actor IDs to retrieve. - **fields** (array of strings) - Optional - List of fields to include in the response. ### Response #### Success Response (200) - **resources** (array) - List of actor entities with requested fields. ``` -------------------------------- ### Extract Falcon API Error Messages Source: https://context7.com/crowdstrike/falconjs/llms.txt Use FalconErrorExplain to parse API errors into human-readable strings. It handles Response and ResponseError objects, falling back to status and URL if parsing fails. ```typescript import fetch from "cross-fetch"; import { FalconClient, FalconErrorExplain } from "crowdstrike-falcon"; const client = new FalconClient({ fetchApi: fetch, cloud: "us-1", clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!, }); await client.sensorDownload .getSensorInstallersCCIDByQuery() .then((value) => { console.log("CCID:", value); }) .catch(async (err) => { // Converts raw Response/ResponseError → readable string const message = await FalconErrorExplain(err); console.error("Falcon API error:", message); // Example output: "Falcon API error: access_denied: Access denied, authorization failed." }); ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.