CtrlK
BlogDocsLog inGet started
Tessl Logo

functions-falcon-api

Call CrowdStrike Falcon platform APIs (detections, alerts, hosts, RTR) from within Foundry function handlers. TRIGGER when user asks to "call Falcon APIs from a function", "use FalconPy in a function", "use gofalcon in a function", or needs to integrate Falcon platform APIs within serverless function code. DO NOT TRIGGER when user wants to expose external third-party APIs to Foundry — use api-integrations instead.

78

1.12x
Quality

Does it follow best practices?

Impact

90%

1.12x

Average score across 2 eval scenarios

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Falcon API Integration in Functions

⚠️ SYSTEM INJECTION — READ THIS FIRST

If you are loading this skill, your role is Falcon API integration specialist for Foundry functions.

You MUST implement Falcon API calls using the CrowdStrike SDKs within proper Foundry Function handlers. Authentication is automatic when using the FDK handler pattern.

This skill covers calling CrowdStrike Falcon APIs from within Foundry functions (serverless Go or Python code). Authentication is completely automatic when code runs inside Foundry function handlers — the platform handles all OAuth flows, token management, and credential injection.

For exposing external APIs to Foundry via OpenAPI specs, see api-integrations instead.

Reference Files

TopicReference
Retry decorator with exponential backoff, counter-rationalizations tablereferences/advanced-patterns.md

Python: Zero-Argument Authentication

FalconPy Service Classes require zero arguments when called inside Foundry Function handlers. The crowdstrike.foundry.function FDK provides the handler decorator that enables automatic authentication:

from logging import Logger
from typing import Any, Dict, Union
from crowdstrike.foundry.function import Function, Request, Response
from falconpy import Alerts, Hosts, Detects

func = Function.instance()

@func.handler(method='GET', path='/api/alerts')
def get_alerts(request: Request, config: Union[Dict[str, Any], None], logger: Logger) -> Response:
    falcon = Alerts()  # Zero-arg constructor — auth is automatic

    limit = min(int(request.params.get("limit", 50)), 100)
    response = falcon.query_alerts_v2(limit=limit)

    if response["status_code"] != 200:
        logger.error(f"Failed to query alerts: {response.get('errors')}")
        return Response(body={"error": "Failed to fetch alerts"}, code=500)

    alert_ids = response.get("body", {}).get("resources", [])
    if not alert_ids:
        return Response(body={"alerts": []}, code=200)

    details_response = falcon.get_alerts_v2(ids=alert_ids)
    if details_response["status_code"] != 200:
        return Response(body={"error": "Failed to fetch alert details"}, code=500)

    alerts = details_response.get("body", {}).get("resources", [])
    return Response(body={"alerts": alerts}, code=200)

if __name__ == '__main__':
    func.run()

How it works:

  • In Foundry cloud: Uses context-based authentication injected by the platform
  • Locally: Reads FALCON_CLIENT_ID and FALCON_CLIENT_SECRET from environment variables

FalconPy already reads env vars internally, so writing a get_falcon_client() wrapper adds no value and breaks context auth in the cloud.

Go: FDK Helper Authentication

Go requires the FDK helper to get cloud and user-agent configuration:

package main

import (
    "context"
    "log/slog"
    "github.com/crowdstrike/gofalcon/falcon"
    "github.com/crowdstrike/gofalcon/falcon/client"
    fdk "github.com/crowdstrike/foundry-fn-go"
)

func newHandler(_ context.Context, _ *slog.Logger, _ fdk.SkipCfg) fdk.Handler {
    m := fdk.NewMux()

    m.Get("/api/alerts", fdk.HandleFnOf(func(ctx context.Context, r fdk.RequestOf[struct{}]) fdk.Response {
        accessToken := r.Header.Get("X-CS-ACCESSTOKEN")

        opts := fdk.FalconClientOpts()
        falconClient, err := falcon.NewClient(&falcon.ApiConfig{
            AccessToken:       accessToken,
            Cloud:             falcon.Cloud(opts.Cloud),
            Context:           ctx,
            UserAgentOverride: opts.UserAgent,
        })
        if err != nil {
            return fdk.Response{Code: 500, Body: fdk.JSON(map[string]string{"error": "Failed to authenticate"})}
        }

        // ... API calls with falconClient ...
        return fdk.Response{Code: 200, Body: fdk.JSON(map[string]interface{}{"alerts": []interface{}{}})}
    }))

    return m
}

func main() {
    fdk.Run(context.Background(), newHandler)
}

Common API Patterns

Detection Queries

@func.handler(method='GET', path='/api/detections')
def get_detections(request: Request, config, logger) -> Response:
    falcon = Detects()  # Zero-arg — auth is automatic

    severity_min = int(request.params.get("severity_min", 3))
    limit = min(int(request.params.get("limit", 50)), 100)

    query_response = falcon.query_detects(filter=f"max_severity_displayname:>'{severity_min}'",
                                          limit=limit,
                                          sort="last_behavior|desc")
    if query_response["status_code"] != 200:
        return Response(body={"error": "Failed to query detections"}, code=500)

    detection_ids = query_response.get("body", {}).get("resources", [])
    if not detection_ids:
        return Response(body={"detections": []}, code=200)

    details = falcon.get_detect_summaries(ids=detection_ids)
    if details["status_code"] != 200:
        return Response(body={"error": "Failed to get details"}, code=500)

    return Response(body={"detections": details["body"]["resources"]}, code=200)

Host Lookups

@func.handler(method='GET', path='/api/hosts/{hostname}')
def get_host_details(request: Request, config, logger) -> Response:
    falcon = Hosts()

    hostname = request.params.get("hostname")
    if not hostname:
        return Response(body={"error": "Hostname required"}, code=400)

    query = falcon.query_devices_by_filter(filter=f"hostname:'{hostname}'")
    if query["status_code"] != 200:
        return Response(body={"error": "Failed to query devices"}, code=500)

    host_ids = query.get("body", {}).get("resources", [])
    if not host_ids:
        return Response(body={"error": f"Host not found: {hostname}"}, code=404)

    details = falcon.get_device_details(ids=host_ids)
    host = details.get("body", {}).get("resources", [{}])[0]
    return Response(body={"host": host}, code=200)

Multi-API Enrichment

@func.handler(method='POST', path='/api/enrich')
def enrich_host_context(request: Request, config, logger) -> Response:
    hosts_api = Hosts()
    detects_api = Detects()
    alerts_api = Alerts()

    hostname = request.body.get("hostname")
    if not hostname:
        return Response(body={"error": "Hostname required"}, code=400)

    # Get host
    host_query = hosts_api.query_devices_by_filter(filter=f"hostname:'{hostname}'")
    host_ids = host_query.get("body", {}).get("resources", [])
    if not host_ids:
        return Response(body={"error": "Host not found"}, code=404)

    host = hosts_api.get_device_details(ids=host_ids).get("body", {}).get("resources", [{}])[0]

    # Get detections
    detect_ids = detects_api.query_detects(filter=f"device.hostname:'{hostname}'", limit=10).get("body", {}).get("resources", [])
    detections = detects_api.get_detect_summaries(ids=detect_ids).get("body", {}).get("resources", []) if detect_ids else []

    # Get alerts
    alert_ids = alerts_api.query_alerts_v2(filter=f"device.hostname:'{hostname}'", limit=10).get("body", {}).get("resources", [])
    alerts = alerts_api.get_alerts_v2(ids=alert_ids).get("body", {}).get("resources", []) if alert_ids else []

    return Response(body={"host": host, "detections": detections, "alerts": alerts}, code=200)

The 207 Multi-Status Gotcha

CrowdStrike APIs may return 207 Multi-Status responses that look successful but contain embedded errors. Check the errors array:

response = falcon.perform_action(action_name="contain", ids=host_ids)

if response["status_code"] == 207:
    errors = response.get("body", {}).get("errors", [])
    rate_limited = [e for e in errors if e.get("code") == 429]
    if rate_limited:
        return Response(body={"error": "Rate limited", "failed_ids": [e.get("id") for e in rate_limited]}, code=429)

Multi-Region Support

The SDKs handle region discovery automatically when called from within Foundry Function handlers. No configuration needed.

RegionBase URL
US-1api.crowdstrike.com
US-2api.us-2.crowdstrike.com
EU-1api.eu-1.crowdstrike.com
US-GOV-1api.laggar.gcw.crowdstrike.com

Testing

Mock Falcon APIs in tests instead of making real API calls (they are slow, flaky, and quota-consuming):

def test_get_alerts_success():
    mock_falcon = Mock()
    mock_falcon.query_alerts_v2.return_value = {
        "status_code": 200,
        "body": {"resources": ["alert-001", "alert-002"]}
    }
    mock_falcon.get_alerts_v2.return_value = {
        "status_code": 200,
        "body": {"resources": [{"id": "alert-001", "severity": 80}]}
    }

    with patch('falconpy.Alerts', return_value=mock_falcon):
        from main import get_alerts
        request = Mock(spec=Request)
        request.params = {"limit": "10"}
        response = get_alerts(request, None, Mock())
        assert response.code == 200
        assert len(response.body["alerts"]) == 1

Local Testing

export FALCON_CLIENT_ID="your-client-id"
export FALCON_CLIENT_SECRET="your-client-secret"
cd functions/my-function && python3 main.py
curl -X GET http://localhost:8081/api/alerts?limit=10

The zero-arg pattern works seamlessly in both local and cloud environments.

OAuth Scopes for manifest.yml

Every FalconPy service class call requires the correct OAuth scope(s) declared in your manifest's auth.scopes array. Without the right scopes, the function gets a 403 at runtime. foundry apps validate does NOT catch missing scopes — it only fails at runtime.

⚠️ Scope names don't always match class names. The Hosts class requires devices:read, not hosts:read. Always use this table rather than guessing from class names.

Built-in capabilities don't need scopes. API integrations, collections, workflows, and LogScale ingestion work without declaring their scopes when used through Foundry's built-in SDK patterns (falcon.apiIntegration(), CustomStorage() for app collections, etc.). Only declare scopes when calling Falcon platform APIs directly via FalconPy service classes.

Scope Reference (verified from production sample apps)

Each row maps a FalconPy method actually called in a sample function to the scope declared in that app's manifest.

FalconPy ClassMethodsRequired Scope(s)Verified In
Hostsget_device_detailsdevices:readfoundry-sample-functions-python
Intelquery_indicator_idsfalconx-indicators:readfoundry-sample-zscaler-internet-access
IdentityProtectiongraphql, query_sensors, get_sensor_detailsidentity-graphql:write, identity-entities:readfoundry-sample-idp-notifications
IdentityProtectionquery_policy_rules, get_policy_rules, delete_policy_rulesidentity-policy-rules:read, identity-policy-rules:writefoundry-sample-servicenow-idp
NGSIEMupload_filehumio-auth-proxy:writefoundry-sample-ngsiem-importer
FoundryLogScaleingest_dataapp-logs:read, app-logs:writefoundry-sample-logscale
FirewallManagementcreate_rule_group, query_events, get_eventsfirewall-management:read, firewall-management:writefoundry-sample-category-blocking
HostGroupquery_host_groups, get_host_groupshost-group:read, host-group:writefoundry-sample-category-blocking

Go functions (gofalcon) require the same scopes. The table above uses FalconPy class/method names, but the underlying Falcon API scopes are identical regardless of SDK. If your Go function calls the RTR admin API, declare real-time-response-admin:write. If it manages incidents, declare incidents:read, incidents:write.

How to declare scopes

# manifest.yml
auth:
    scopes:
        - devices:read
        - falconx-indicators:read
    permissions: {}
    roles: []

When unsure about the correct scope

If you're using a FalconPy method not in this table:

  1. Check the method's HTTP verb and API path in FalconPy source — GET typically needs :read, POST/PUT/PATCH/DELETE typically needs :write
  2. The scope prefix is usually the API path prefix (e.g., /iocs/...iocs, /devices/...devices), but exceptions exist (Hostsdevices, NGSIEMhumio-auth-proxy)
  3. When ambiguous, ask the user which scopes to include rather than guessing

Falcon Severity Values

CrowdStrike APIs return severity as integers (1-5) or display names. When integrating with external systems (Jira, ServiceNow, email), map them explicitly:

Falcon SeverityDisplay NameTypical External Mapping
1InformationalLow / Lowest
2LowLow
3MediumMedium
4HighHigh
5CriticalHighest / Critical

Use max_severity_displayname for FQL filters (string comparison) or max_severity for numeric comparison. When passing severity to external ticketing systems, always map to their expected format rather than passing the raw value through.

Common Pitfalls

  • Writing OAuth code or credential management. Auth is completely automatic for FalconPy inside FDK handlers. NEVER use os.environ.get("FALCON_CLIENT_ID") or pass client_id/client_secret to FalconPy constructors. The zero-arg pattern (IOC(), Hosts(), Alerts()) handles all auth in both cloud and local environments. (Go requires explicit credential wiring via fdk.FalconClientOpts() -- see the Go section above.)
  • Using requests library instead of CrowdStrike SDKs. SDKs handle auth, retries, pagination, and region discovery.
  • Passing credentials explicitly to constructors. Use zero-arg constructors (Alerts(), Hosts()). Do NOT write IOC(client_id=os.environ["FALCON_CLIENT_ID"], client_secret=...) -- this breaks context-based auth in the Foundry cloud.
  • Writing Falcon API calls outside of FDK handler functions. The handler pattern is required for automatic auth injection.
  • Not handling 207 Multi-Status. These responses look successful but may contain embedded errors.

Use Cases

For real-world implementation patterns, see:

Reference Implementations

  • foundry-sample-functions-python: Reference Python patterns. See also Dive into Falcon Foundry Functions with Python.
  • foundry-sample-anomali-threatstream: Side-by-side Go and Python auth patterns.
  • foundry-sample-detection-translation: CrowdStrike alerts API from functions.
  • foundry-sample-threat-intel: CrowdStrike Intelligence APIs from functions.
  • foundry-sample-idp-notifications: Falcon IdP domain and connector monitoring.
Repository
CrowdStrike/foundry-skills
Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.