Skip to content
Joshua Hiller edited this page Jul 15, 2024 · 23 revisions

CrowdStrike Falcon CrowdStrike Subreddit

Using the Intel service collection

Uber class support Service class support Documentation Version Page Updated Samples Available

This service collection has code examples posted to the repository.

Table of Contents

Operation ID Description
QueryIntelActorEntities
PEP 8 query_actor_entities
Get info about actors that match provided FQL filters.
QueryIntelIndicatorEntities
PEP 8 query_indicator_entities
Get info about indicators that match provided FQL filters.
QueryIntelReportEntities
PEP 8 query_report_entities
Get info about reports that match provided FQL filters.
GetIntelActorEntities
PEP 8 get_actor_entities
Retrieve specific actors using their actor IDs.
GetIntelIndicatorEntities
PEP 8 get_indicator_entities
Retrieve specific indicators using their indicator IDs.
GetMalwareEntities
PEP 8 get_malware_entities
Get malware entities for specified IDs.
GetMitreReport
PEP 8 get_mitre_report
Export Mitre ATT&CK information for a given actor.
PostMitreAttacks
PEP 8 mitre_attacks
Retrieve report and observable IDs associated with the given actor and attacks.
GetIntelReportPDF
PEP 8 get_report_pdf
Return a Report PDF attachment
GetIntelReportEntities
PEP 8 get_report_entities
Retrieve specific reports using their report IDs.
GetIntelRuleFile
PEP 8 get_rule_file
Download earlier rule sets.
GetLatestIntelRuleFile
PEP 8 get_latest_rule_file
Download the latest rule set.
GetIntelRuleEntities
PEP 8 get_rule_entities
Retrieve details for rule sets for the specified ids.
GetVulnerabilities
PEP8 get_vulnerabilities
Get vulnerabilities
QueryIntelActorIds
PEP 8 query_actor_ids
Get actor IDs that match provided FQL filters.
QueryIntelIndicatorIds
PEP 8 query_indicator_ids
Get indicators IDs that match provided FQL filters.
QueryMalware
PEP 8 query_malware
Get malware family names that match provided FQL filters.
QueryMitreAttacksForMalware
PEP 8 query_mitre_attacks_for_malware
Gets MITRE tactics and techniques for the given malware.
QueryMitreAttacks
PEP 8 query_mitre_attacks
Gets MITRE tactics and techniques for the given actor.
QueryIntelReportIds
PEP 8 query_report_ids
Get report IDs that match provided FQL filters.
QueryIntelRuleIds
PEP 8 query_rule_ids
Search for rule IDs that match provided filter criteria.
QueryVulnerabilities
PEP8 query_vulnerabilities
Get vulnerabilities IDs

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

QueryIntelActorEntities

Get info about actors that match provided FQL filters.

PEP8 method name

query_actor_entities

Endpoint

Method Route
GET /intel/combined/actors/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
fields
Service Class Support

Uber Class Support
query string The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__.

Ex: slug __full__.

Defaults to __basic__.
filter
Service Class Support

Uber Class Support
query string FQL query expression that should be used to limit the results.

Filter parameters include:
actors sub_type.name
actors.id sub_type.slug
actors.name tags
actors.slug tags.id
actors.url tags.slug
created_date tags.value
description target_countries
id target_countries.id
last_modified_date target_countries.slug
motivations target_countries.value
motivations.id target_industries
motivations.slug target_industries.id
motivations.value target_industries.slug
name target_industries.value
name.raw type
short_description type.id
slug type.name
sub_type type.slug
sub_type.id url
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
query string Starting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
query string Free text search across all indexed fields.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_actor_entities(offset=integer,
                                       limit=integer,
                                       sort="string",
                                       filter="string",
                                       q="string",
                                       fields=["string", "string"]
                                       )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelActorEntities(offset=integer,
                                          limit=integer,
                                          sort="string",
                                          filter="string",
                                          q="string",
                                          fields=["string", "string"]
                                          )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelActorEntities", 
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          fields=["string", "string"]
                          )

print(response)

Back to Table of Contents

QueryIntelIndicatorEntities

Get info about indicators that match provided FQL filters.

PEP8 method name

query_indicator_entities

Endpoint

Method Route
GET /intel/combined/indicators/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
fields
Service Class Support

Uber Class Support
query string The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__.

Ex: slug __full__.

Defaults to __basic__.
filter
Service Class Support

Uber Class Support
query string FQL query expression that should be used to limit the results.

Filter parameters include:
_marker labels.name
actors last_updated
deleted malicious_confidence
domain_types malware_families
id published_date
indicator reports
ip_address_types targets
kill_chains threat_types
labels type
labels.created_on vulnerabilities
labels.last_valid_on  
include_deleted
Service Class Support

Uber Class Support
query boolean Flag indicating if both published and deleted indicators should be returned.
include_relations
Service Class Support

Uber Class Support
query boolean Flag indicating if related indicators should be returned.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
query string Starting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
query string Free text search across all indexed fields.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_indicator_entities(offset=integer,
                                           limit=integer,
                                           sort="string",
                                           filter="string",
                                           q="string",
                                           include_deleted=boolean
                                           )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelIndicatorEntities(offset=integer,
                                              limit=integer,
                                              sort="string",
                                              filter="string",
                                              q="string",
                                              include_deleted=boolean
                                              )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelIndicatorEntities",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          include_deleted=boolean
                          )

print(response)

Back to Table of Contents

QueryIntelReportEntities

Get info about reports that match provided FQL filters.

PEP8 method name

query_report_entities

Endpoint

Method Route
GET /intel/combined/reports/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
fields
Service Class Support

Uber Class Support
query string The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__.

Ex: slug __full__.

Defaults to __basic__.
filter
Service Class Support

Uber Class Support
query string FQL query expression that should be used to limit the results.

Filter parameters include:
actors sub_type.name
actors.id sub_type.slug
actors.name tags
actors.slug tags.id
actors.url tags.slug
created_date tags.value
description target_countries
id target_countries.id
last_modified_date target_countries.slug
motivations target_countries.value
motivations.id target_industries
motivations.slug target_industries.id
motivations.value target_industries.slug
name target_industries.value
name.raw type
short_description type.id
slug type.name
sub_type type.slug
sub_type.id url
include_deleted
Service Class Support

Uber Class Support
query boolean Flag indicating if both published and deleted indicators should be returned.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
query string Starting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
query string Free text search across all indexed fields.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_report_entities(offset=integer,
                                        limit=integer,
                                        sort="string",
                                        filter="string",
                                        q="string",
                                        fields=["string", "string"]
                                        )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelReportEntities(offset=integer,
                                           limit=integer,
                                           sort="string",
                                           filter="string",
                                           q="string",
                                           fields=["string", "string"]
                                           )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelReportEntities",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          fields=["string", "string"]
                          )

print(response)

Back to Table of Contents

GetIntelActorEntities

Retrieve specific actors using their actor IDs.

PEP8 method name

get_actor_entities

Endpoint

Method Route
GET /intel/entities/actors/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings Actor IDs to retrieve.
fields
Service Class Support

Uber Class Support
query array (string) The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__.

Ex: slug __full__.

Defaults to __basic__.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_actor_entities(fields=["string", "string"], ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelActorEntities(fields=["string", "string"], ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetIntelActorEntities", fields=["string", "string"], ids=id_list)

print(response)

Back to Table of Contents

GetIntelIndicatorEntities

Retrieve specific indicators using their indicator IDs.

PEP8 method name

get_indicator_entities

Endpoint

Method Route
POST /intel/entities/indicators/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
body string or list of strings Indicator IDs to retrieve.
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.

Usage

You must use either the body or the ids keywords in order to use this method.

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_indicator_entities(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelIndicatorEntities(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
  "ids": id_list
}

response = falcon.command("GetIntelIndicatorEntities", body=BODY)

print(response)

Back to Table of Contents

GetMalwareEntities

Get malware entities for specified IDs.

PEP8 method name

get_malware_entities

Endpoint

Method Route
GET /intel/entities/malware/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings Malware family name in lower case with spaces replaced with dashes.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.get_malware_entities(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.GetMalwareEntities(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.command("GetMalwareEntities", ids=id_list)

print(response)

Back to Table of Contents

GetMitreReport

Export Mitre ATT&CK information for a given actor.

PEP8 method name

get_mitre_report

Endpoint

Method Route
GET /intel/entities/mitre-reports/v1

Content-Type

  • Produces: application/octet-stream

Keyword Arguments

Name Service Uber Type Data type Description
actor_id
Service Class Support

Uber Class Support
query string Actor IDs (derived from actor name).
format
Service Class Support

Uber Class Support
query string Report format (json or csv).
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

with open("filename.ext", "wb") as output_file:
    output_file.write(falcon.get_mitre_report(actor_id="string", format="string"))
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

with open("filename.ext", "wb") as output_file:
    output_file.write(falcon.GetMitreReport(actor_id="string", format="string"))

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("filename.ext", "wb") as output_file:
    output_file.write(falcon.command("GetMitreReport", actor_id="string", format="string"))

print(response)

Back to Table of Contents

PostMitreAttacks

Retrieves report and observable IDs associated with the given actor and attacks.

PEP8 method name

mitre_attacks

Endpoint

Method Route
POST /intel/entities/mitre/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
ids
Service Class Support

Uber Class Support
body string or list of strings The actor / attack IDs to retrieve.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.mitre_attacks(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.PostMitreAttacks(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("PostMitreAttacks", ids=id_list)

print(response)

Back to Table of Contents

GetIntelReportPDF

Return a Report PDF attachment

PEP8 method name

get_report_pdf

Endpoint

Method Route
GET /intel/entities/report-files/v1

Content-Type

  • Produces: application/octet-stream

Keyword Arguments

Name Service Uber Type Data type Description
id
Service Class Support

Uber Class Support
query string Report ID to download as a PDF.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

The id parameter must be passed to the Uber class as part of the parameters dictionary.

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.ext"

response = falcon.get_report_pdf(id="string")
open(save_file, 'wb').write(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.ext"

response = falcon.GetIntelReportPDF(id="string")
open(save_file, 'wb').write(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

save_file = "some_file.ext"

response = falcon.command("GetIntelReportPDF", id="string")
open(save_file, 'wb').write(response)

Back to Table of Contents

GetIntelReportEntities

Retrieve specific reports using their report IDs.

PEP8 method name

get_report_entities

Endpoint

Method Route
GET /intel/entities/reports/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings Report IDs to retrieve.
fields
Service Class Support

Uber Class Support
query array (string) The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__.

Ex: slug __full__.

Defaults to __basic__.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_report_entities(fields=["string", "string"], ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelReportEntities(fields=["string", "string"], ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetIntelReportEntities", fields=["string", "string"], ids=id_list)

print(response)

Back to Table of Contents

GetIntelRuleFile

Download earlier rule sets.

PEP8 method name

get_rule_file

Endpoint

Method Route
GET /intel/entities/rules-files/v1

Content-Type

  • Produces: application/zip

Keyword Arguments

Name Service Uber Type Data type Description
id
Service Class Support

Uber Class Support
query string Rule set ID to retrieve.
format
Service Class Support

Uber Class Support
query string Choose the format you want the ruleset in. Valid formats are zip and gzip. Defaults to zip.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.get_rule_file(id=integer, format="string")
open(save_file, 'wb').write(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.GetIntelRuleFile(id=integer, format="string")
open(save_file, 'wb').write(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

save_file = "some_file.zip"

response = falcon.command("GetIntelRuleFile", format="string", id=integer)
open(save_file, 'wb').write(response)

Back to Table of Contents

GetLatestIntelRuleFile

Download the latest rule set.

PEP8 method name

get_latest_rule_file

Endpoint

Method Route
GET /intel/entities/rules-latest-files/v1

Content-Type

  • Produces: application/zip

Keyword Arguments

Name Service Uber Type Data type Description
type
Service Class Support

Uber Class Support
query string The rule news report type.

Accepted values:
  • snort-suricata-master
  • snort-suricata-update
  • snort-suricata-changelog
  • yara-master
  • yara-update
  • yara-changelog
  • common-event-format
  • netwitness
  • cql-master
  • cql-update
  • cql-changelog
format
Service Class Support

Uber Class Support
query string Choose the format you want the rule set in. Valid formats are zip and gzip. Defaults to zip.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.get_latest_rule_file(type="string", format="string")
open(save_file, 'wb').write(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.GetLatestIntelRuleFile(type="string", format="string")
open(save_file, 'wb').write(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

save_file = "some_file.zip"

response = falcon.command("GetLatestIntelRuleFile", type="string", format="string")
open(save_file, 'wb').write(response)

Back to Table of Contents

GetIntelRuleEntities

Retrieve details for rule sets for the specified ids.

PEP8 method name

get_rule_entities

Endpoint

Method Route
GET /intel/entities/rules/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings Rule IDs to retrieve.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_entities(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelRuleEntities(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetIntelRuleEntities", ids=id_list)

print(response)

Back to Table of Contents

GetVulnerabilities

Get vulnerabilities by ID(s).

PEP8 method name

get_vulnerabilities

Endpoint

Method Route
POST /intel/entities/vulnerabilities/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
ids
Service Class Support

Uber Class Support
body string or list of strings Vulnerability IDs to retrieve.

Usage

Service class example (PEP8 syntax)
from falconpy.intel import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_vulnerabilities(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetVulnerabilities(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetVulnerabilities", ids=id_list)

print(response)

Back to Table of Contents

QueryIntelActorIds

Get actor IDs that match provided FQL filters.

PEP8 method name

query_actor_ids

Endpoint

Method Route
GET /intel/queries/actors/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL query expression that should be used to limit the results.

Filter parameters include:
actors sub_type.name
actors.id sub_type.slug
actors.name tags
actors.slug tags.id
actors.url tags.slug
created_date tags.value
description target_countries
id target_countries.id
last_modified_date target_countries.slug
motivations target_countries.value
motivations.id target_industries
motivations.slug target_industries.id
motivations.value target_industries.slug
name target_industries.value
name.raw type
short_description type.id
slug type.name
sub_type type.slug
sub_type.id url
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
query string Starting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
query string Free text search across all indexed fields.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_actor_ids(offset=integer,
                                  limit=integer,
                                  sort="string",
                                  filter="string",
                                  q="string"
                                  )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelActorIds(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string",
                                     q="string"
                                     )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelActorIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

QueryIntelIndicatorIds

Get indicators IDs that match provided FQL filters.

PEP8 method name

query_indicator_ids

Endpoint

Method Route
GET /intel/queries/indicators/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL query expression that should be used to limit the results.

Filter parameters include:
_marker labels.name
actors last_updated
deleted malicious_confidence
domain_types malware_families
id published_date
indicator reports
ip_address_types targets
kill_chains threat_types
labels type
labels.created_on vulnerabilities
labels.last_valid_on  
include_deleted
Service Class Support

Uber Class Support
query boolean Flag indicating if both published and deleted indicators should be returned.
include_relations
Service Class Support

Uber Class Support
query boolean Flag indicating if related indicators should be returned.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
query string Starting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
query string Free text search across all indexed fields.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_indicator_ids(offset=integer,
                                      limit=integer,
                                      sort="string",
                                      filter="string",
                                      q="string",
                                      include_deleted=boolean
                                      )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelIndicatorIds(offset=integer,
                                         limit=integer,
                                         sort="string",
                                         filter="string",
                                         q="string",
                                         include_deleted=boolean
                                         )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelIndicatorIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          include_deleted=boolean
                          )

print(response)

Back to Table of Contents

QueryMalware

Get malware family names that match provided FQL filters.

PEP8 method name

query_malware

Endpoint

Method Route
GET /intel/queries/malware/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL query expression that should be used to limit the results.
limit
Service Class Support

Uber Class Support
query integer Set the number of malware IDs to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
query string Set the starting row number to return malware IDs from. Defaults to 0.
q
Service Class Support

Uber Class Support
query string Free text search across all indexed fields.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_malware(offset=integer,
                                limit=integer,
                                sort="string",
                                filter="string",
                                q="string"
                                )
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryMalware(offset=integer,
                               limit=integer,
                               sort="string",
                               filter="string",
                               q="string"
                               )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryMalware", 
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )
print(response)

Back to Table of Contents

QueryMitreAttacksForMalware

Gets MITRE tactics and techniques for the given malware.

PEP8 method name

query_mitre_attacks_for_malware

Endpoint

Method Route
GET /intel/queries/mitre-malware/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings Malware family name in lower case with spaces replaced with dashes.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.query_mitre_attacks_for_malware(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.QueryMitreAttacksForMalware(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.command("QueryMitreAttacksForMalware", ids=id_list)

print(response)

Back to Table of Contents

QueryMitreAttacks

Gets MITRE tactics and techniques for the given actor.

PEP8 method name

query_mitre_attacks

Endpoint

Method Route
GET /intel/queries/mitre/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
id
Service Class Support

Uber Class Support
query string Actor ID for which to retrieve a list of attacks.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_mitre_attacks(id="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryMitreAttacks(id="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryMitreAttacks", id="string")

print(response)

Back to Table of Contents

QueryIntelReportIds

Get report IDs that match provided FQL filters.

PEP8 method name

query_report_ids

Endpoint

Method Route
GET /intel/queries/reports/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL query expression that should be used to limit the results.

Filter parameters include:
actors sub_type.name
actors.id sub_type.slug
actors.name tags
actors.slug tags.id
actors.url tags.slug
created_date tags.value
description target_countries
id target_countries.id
last_modified_date target_countries.slug
motivations target_countries.value
motivations.id target_industries
motivations.slug target_industries.id
motivations.value target_industries.slug
name target_industries.value
name.raw type
short_description type.id
slug type.name
sub_type type.slug
sub_type.id url
include_deleted
Service Class Support

Uber Class Support
query boolean Flag indicating if both published and deleted indicators should be returned.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
query string Starting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
query string Free text search across all indexed fields.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_report_ids(offset=integer,
                                   limit=integer,
                                   sort="string",
                                   filter="string",
                                   q="string"
                                   )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelReportIds(offset=integer,
                                      limit=integer,
                                      sort="string",
                                      filter="string",
                                      q="string"
                                      )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelReportIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

QueryIntelRuleIds

Search for rule IDs that match provided filter criteria.

PEP8 method name

query_rule_ids

Endpoint

Method Route
GET /intel/queries/rules/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return. (Max: 5000)
name
Service Class Support

Uber Class Support
query string or list of strings Search by rule title.
description
Service Class Support

Uber Class Support
query string or list of strings Substring match on description field.
offset
Service Class Support

Uber Class Support
query string Starting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
query string Free text search across all indexed fields.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: created_date|desc)
type
Service Class Support

Uber Class Support
query string The rule news report type.

Accept values:
  • snort-suricata-master
  • snort-suricata-update
  • snort-suricata-changelog
  • yara-master
  • yara-update
  • yara-changelog
  • common-event-format
  • netwitness
  • cql-master
  • cql-update
  • cql-changelog
tags
Service Class Support

Uber Class Support
query string or list of strings Search for rules by tag.
min_created_date
Service Class Support

Uber Class Support
query string Filter results to those created on or after a certain date.
max_created_date
Service Class Support

Uber Class Support
query string Filter results to those created on or before a certain date.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_rule_ids(offset=integer,
                                 limit=integer,
                                 sort="string",
                                 name=["string", "string"],
                                 type="string",
                                 description=["string", "string"],
                                 tags=["string", "string"],
                                 min_created_date=integer,
                                 max_created_date="string",
                                 q="string"
                                 )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelRuleIds(offset=integer,
                                    limit=integer,
                                    sort="string",
                                    name=["string", "string"],
                                    type="string",
                                    description=["string", "string"],
                                    tags=["string", "string"],
                                    min_created_date=integer,
                                    max_created_date="string",
                                    q="string"
                                    )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelRuleIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          name=["string", "string"],
                          type="string",
                          description=["string", "string"],
                          tags=["string", "string"],
                          min_created_date=integer,
                          max_created_date="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

QueryVulnerabilities

Query for vulnerabilities IDs.

PEP8 method name

query_vulnerabilities

Endpoint

Method Route
GET /intel/queries/vulnerabilities/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL query expression that should be used to limit the results.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
query string Starting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
query string Free text search across all indexed fields.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.intel import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_vulnerabilities(offset="string",
                                        limit=integer,
                                        sort="string",
                                        filter="string",
                                        q="string"
                                        )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryVulnerabilities(offset="string",
                                       limit=integer,
                                       sort="string",
                                       filter="string",
                                       q="string"
                                       )

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryVulnerabilities",
                          offset="string",
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

CrowdStrike Falcon

Clone this wiki locally