Using the Intel service collection
This service collection has code examples posted to the repository.
Table of Contents
Operation ID | Description | ||||
---|---|---|---|---|---|
| Get info about actors that match provided FQL filters. | ||||
| Get info about indicators that match provided FQL filters. | ||||
| Get info about reports that match provided FQL filters. | ||||
| Retrieve specific actors using their actor IDs. | ||||
| Retrieve specific indicators using their indicator IDs. | ||||
| Get malware entities for specified IDs. | ||||
| Export Mitre ATT&CK information for a given actor. | ||||
| Retrieve report and observable IDs associated with the given actor and attacks. | ||||
| Return a Report PDF attachment | ||||
| Retrieve specific reports using their report IDs. | ||||
| Download earlier rule sets. | ||||
| Download the latest rule set. | ||||
| Retrieve details for rule sets for the specified ids. | ||||
| Get vulnerabilities | ||||
| Get actor IDs that match provided FQL filters. | ||||
| Get indicators IDs that match provided FQL filters. | ||||
| Get malware family names that match provided FQL filters. | ||||
| Gets MITRE tactics and techniques for the given malware. | ||||
| Gets MITRE tactics and techniques for the given actor. | ||||
| Get report IDs that match provided FQL filters. | ||||
| Search for rule IDs that match provided filter criteria. | ||||
| Get vulnerabilities IDs |
Passing credentials
WARNING
client_id
andclient_secret
are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
QueryIntelActorEntities
Get info about actors that match provided FQL filters.
PEP8 method name
query_actor_entities
Endpoint
Method | Route |
---|---|
/intel/combined/actors/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
fields | query | string | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. | ||||||||||||||||||||||||||||||||||||||||
filter | query | string | FQL query expression that should be used to limit the results. Filter parameters include:
| ||||||||||||||||||||||||||||||||||||||||
limit | query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||||||||||||||||||
offset | query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||||||||||||||||||
q | query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||||||||||||||||||
sort | query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||||||||||||||||||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_actor_entities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelActorEntities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelActorEntities",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)
Back to Table of Contents
QueryIntelIndicatorEntities
Get info about indicators that match provided FQL filters.
PEP8 method name
query_indicator_entities
Endpoint
Method | Route |
---|---|
/intel/combined/indicators/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
fields | query | string | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. | ||||||||||||||||||||||||
filter | query | string | FQL query expression that should be used to limit the results. Filter parameters include:
| ||||||||||||||||||||||||
include_deleted | query | boolean | Flag indicating if both published and deleted indicators should be returned. | ||||||||||||||||||||||||
include_relations | query | boolean | Flag indicating if related indicators should be returned. | ||||||||||||||||||||||||
limit | query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||
offset | query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||
q | query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||
sort | query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_indicator_entities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelIndicatorEntities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelIndicatorEntities",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)
Back to Table of Contents
QueryIntelReportEntities
Get info about reports that match provided FQL filters.
PEP8 method name
query_report_entities
Endpoint
Method | Route |
---|---|
/intel/combined/reports/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
fields | query | string | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. | ||||||||||||||||||||||||||||||||||||||||
filter | query | string | FQL query expression that should be used to limit the results. Filter parameters include:
| ||||||||||||||||||||||||||||||||||||||||
include_deleted | query | boolean | Flag indicating if both published and deleted indicators should be returned. | ||||||||||||||||||||||||||||||||||||||||
limit | query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||||||||||||||||||
offset | query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||||||||||||||||||
q | query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||||||||||||||||||
sort | query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||||||||||||||||||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_report_entities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelReportEntities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelReportEntities",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)
Back to Table of Contents
GetIntelActorEntities
Retrieve specific actors using their actor IDs.
PEP8 method name
get_actor_entities
Endpoint
Method | Route |
---|---|
/intel/entities/actors/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | query | string or list of strings | Actor IDs to retrieve. | ||
fields | query | array (string) | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_actor_entities(fields=["string", "string"], ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelActorEntities(fields=["string", "string"], ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelActorEntities", fields=["string", "string"], ids=id_list)
print(response)
Back to Table of Contents
GetIntelIndicatorEntities
Retrieve specific indicators using their indicator IDs.
PEP8 method name
get_indicator_entities
Endpoint
Method | Route |
---|---|
/intel/entities/indicators/GET/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | body | string or list of strings | Indicator IDs to retrieve. | ||
body | body | dictionary | Full body payload in JSON format. |
Usage
You must use either the body
or the ids
keywords in order to use this method.
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_indicator_entities(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelIndicatorEntities(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = ['ID1', 'ID2', 'ID3']
BODY = {
"ids": id_list
}
response = falcon.command("GetIntelIndicatorEntities", body=BODY)
print(response)
Back to Table of Contents
GetMalwareEntities
Get malware entities for specified IDs.
PEP8 method name
get_malware_entities
Endpoint
Method | Route |
---|---|
/intel/entities/malware/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | query | string or list of strings | Malware family name in lower case with spaces replaced with dashes. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.get_malware_entities(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.GetMalwareEntities(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.command("GetMalwareEntities", ids=id_list)
print(response)
Back to Table of Contents
GetMitreReport
Export Mitre ATT&CK information for a given actor.
PEP8 method name
get_mitre_report
Endpoint
Method | Route |
---|---|
/intel/entities/mitre-reports/v1 |
Required Scope
Content-Type
- Produces: application/octet-stream
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
actor_id | query | string | Actor IDs (derived from actor name). | ||
format | query | string | Report format (json or csv ). | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("filename.ext", "wb") as output_file:
output_file.write(falcon.get_mitre_report(actor_id="string", format="string"))
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("filename.ext", "wb") as output_file:
output_file.write(falcon.GetMitreReport(actor_id="string", format="string"))
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("filename.ext", "wb") as output_file:
output_file.write(falcon.command("GetMitreReport", actor_id="string", format="string"))
print(response)
Back to Table of Contents
PostMitreAttacks
Retrieves report and observable IDs associated with the given actor and attacks.
PEP8 method name
mitre_attacks
Endpoint
Method | Route |
---|---|
/intel/entities/mitre/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | body | dictionary | Full body payload in JSON format. | ||
ids | body | string or list of strings | The actor / attack IDs to retrieve. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.mitre_attacks(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.PostMitreAttacks(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("PostMitreAttacks", ids=id_list)
print(response)
Back to Table of Contents
GetIntelReportPDF
Return a Report PDF attachment
PEP8 method name
get_report_pdf
Endpoint
Method | Route |
---|---|
/intel/entities/report-files/v1 |
Required Scope
Content-Type
- Produces: application/octet-stream
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
id | query | string | Report ID to download as a PDF. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
The id
parameter must be passed to the Uber class as part of the parameters dictionary.
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
response = falcon.get_report_pdf(id="string")
open(save_file, 'wb').write(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
response = falcon.GetIntelReportPDF(id="string")
open(save_file, 'wb').write(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
response = falcon.command("GetIntelReportPDF", id="string")
open(save_file, 'wb').write(response)
Back to Table of Contents
GetIntelReportEntities
Retrieve specific reports using their report IDs.
PEP8 method name
get_report_entities
Endpoint
Method | Route |
---|---|
/intel/entities/reports/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | query | string or list of strings | Report IDs to retrieve. | ||
fields | query | array (string) | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_report_entities(fields=["string", "string"], ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelReportEntities(fields=["string", "string"], ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelReportEntities", fields=["string", "string"], ids=id_list)
print(response)
Back to Table of Contents
GetIntelRuleFile
Download earlier rule sets.
PEP8 method name
get_rule_file
Endpoint
Method | Route |
---|---|
/intel/entities/rules-files/v1 |
Required Scope
Content-Type
- Produces: application/zip
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
id | query | string | Rule set ID to retrieve. | ||
format | query | string | Choose the format you want the ruleset in. Valid formats are zip and gzip . Defaults to zip. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.get_rule_file(id=integer, format="string")
open(save_file, 'wb').write(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.GetIntelRuleFile(id=integer, format="string")
open(save_file, 'wb').write(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.command("GetIntelRuleFile", format="string", id=integer)
open(save_file, 'wb').write(response)
Back to Table of Contents
GetLatestIntelRuleFile
Download the latest rule set.
PEP8 method name
get_latest_rule_file
Endpoint
Method | Route |
---|---|
/intel/entities/rules-latest-files/v1 |
Required Scope
Content-Type
- Produces: application/zip
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
type | query | string | The rule news report type. Accepted values:
| ||
format | query | string | Choose the format you want the rule set in. Valid formats are zip and gzip . Defaults to zip. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.get_latest_rule_file(type="string", format="string")
open(save_file, 'wb').write(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.GetLatestIntelRuleFile(type="string", format="string")
open(save_file, 'wb').write(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.command("GetLatestIntelRuleFile", type="string", format="string")
open(save_file, 'wb').write(response)
Back to Table of Contents
GetIntelRuleEntities
Retrieve details for rule sets for the specified ids.
PEP8 method name
get_rule_entities
Endpoint
Method | Route |
---|---|
/intel/entities/rules/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | query | string or list of strings | Rule IDs to retrieve. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rule_entities(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelRuleEntities(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelRuleEntities", ids=id_list)
print(response)
Back to Table of Contents
GetVulnerabilities
Get vulnerabilities by ID(s).
PEP8 method name
get_vulnerabilities
Endpoint
Method | Route |
---|---|
/intel/entities/vulnerabilities/GET/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | body | dictionary | Full body payload in JSON format. | ||
ids | body | string or list of strings | Vulnerability IDs to retrieve. |
Usage
Service class example (PEP8 syntax)
from falconpy.intel import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_vulnerabilities(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetVulnerabilities(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetVulnerabilities", ids=id_list)
print(response)
Back to Table of Contents
QueryIntelActorIds
Get actor IDs that match provided FQL filters.
PEP8 method name
query_actor_ids
Endpoint
Method | Route |
---|---|
/intel/queries/actors/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
filter | query | string | FQL query expression that should be used to limit the results. Filter parameters include:
| ||||||||||||||||||||||||||||||||||||||||
limit | query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||||||||||||||||||
offset | query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||||||||||||||||||
q | query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||||||||||||||||||
sort | query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||||||||||||||||||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_actor_ids(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelActorIds(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelActorIds",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Back to Table of Contents
QueryIntelIndicatorIds
Get indicators IDs that match provided FQL filters.
PEP8 method name
query_indicator_ids
Endpoint
Method | Route |
---|---|
/intel/queries/indicators/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
filter | query | string | FQL query expression that should be used to limit the results. Filter parameters include:
| ||||||||||||||||||||||||
include_deleted | query | boolean | Flag indicating if both published and deleted indicators should be returned. | ||||||||||||||||||||||||
include_relations | query | boolean | Flag indicating if related indicators should be returned. | ||||||||||||||||||||||||
limit | query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||
offset | query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||
q | query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||
sort | query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_indicator_ids(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelIndicatorIds(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelIndicatorIds",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)
Back to Table of Contents
QueryMalware
Get malware family names that match provided FQL filters.
PEP8 method name
query_malware
Endpoint
Method | Route |
---|---|
/intel/queries/malware/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | query | string | FQL query expression that should be used to limit the results. | ||
limit | query | integer | Set the number of malware IDs to return. (Max: 5000) | ||
offset | query | string | Set the starting row number to return malware IDs from. Defaults to 0. | ||
q | query | string | Free text search across all indexed fields. | ||
sort | query | string | The property to sort by. (Ex: created_date|desc) | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_malware(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryMalware(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryMalware",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Back to Table of Contents
QueryMitreAttacksForMalware
Gets MITRE tactics and techniques for the given malware.
PEP8 method name
query_mitre_attacks_for_malware
Endpoint
Method | Route |
---|---|
/intel/queries/mitre-malware/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | query | string or list of strings | Malware family name in lower case with spaces replaced with dashes. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.query_mitre_attacks_for_malware(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.QueryMitreAttacksForMalware(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.command("QueryMitreAttacksForMalware", ids=id_list)
print(response)
Back to Table of Contents
QueryMitreAttacks
Gets MITRE tactics and techniques for the given actor.
PEP8 method name
query_mitre_attacks
Endpoint
Method | Route |
---|---|
/intel/queries/mitre/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
id | query | string | Actor ID for which to retrieve a list of attacks. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_mitre_attacks(id="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryMitreAttacks(id="string")
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryMitreAttacks", id="string")
print(response)
Back to Table of Contents
QueryIntelReportIds
Get report IDs that match provided FQL filters.
PEP8 method name
query_report_ids
Endpoint
Method | Route |
---|---|
/intel/queries/reports/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
filter | query | string | FQL query expression that should be used to limit the results. Filter parameters include:
| ||||||||||||||||||||||||||||||||||||||||
include_deleted | query | boolean | Flag indicating if both published and deleted indicators should be returned. | ||||||||||||||||||||||||||||||||||||||||
limit | query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||||||||||||||||||
offset | query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||||||||||||||||||
q | query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||||||||||||||||||
sort | query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||||||||||||||||||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_report_ids(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelReportIds(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelReportIds",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Back to Table of Contents
QueryIntelRuleIds
Search for rule IDs that match provided filter criteria.
PEP8 method name
query_rule_ids
Endpoint
Method | Route |
---|---|
/intel/queries/rules/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
limit | query | integer | Maximum number of records to return. (Max: 5000) | ||
name | query | string or list of strings | Search by rule title. | ||
description | query | string or list of strings | Substring match on description field. | ||
offset | query | string | Starting index of overall result set from which to return ids. | ||
q | query | string | Free text search across all indexed fields. | ||
sort | query | string | The property to sort by. (Ex: created_date|desc) | ||
type | query | string | The rule news report type. Accept values:
| ||
tags | query | string or list of strings | Search for rules by tag. | ||
min_created_date | query | string | Filter results to those created on or after a certain date. | ||
max_created_date | query | string | Filter results to those created on or before a certain date. | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_rule_ids(offset=integer,
limit=integer,
sort="string",
name=["string", "string"],
type="string",
description=["string", "string"],
tags=["string", "string"],
min_created_date=integer,
max_created_date="string",
q="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelRuleIds(offset=integer,
limit=integer,
sort="string",
name=["string", "string"],
type="string",
description=["string", "string"],
tags=["string", "string"],
min_created_date=integer,
max_created_date="string",
q="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelRuleIds",
offset=integer,
limit=integer,
sort="string",
name=["string", "string"],
type="string",
description=["string", "string"],
tags=["string", "string"],
min_created_date=integer,
max_created_date="string",
q="string"
)
print(response)
Back to Table of Contents
QueryVulnerabilities
Query for vulnerabilities IDs.
PEP8 method name
query_vulnerabilities
Endpoint
Method | Route |
---|---|
/intel/queries/vulnerabilities/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | query | string | FQL query expression that should be used to limit the results. | ||
limit | query | integer | Maximum number of records to return. (Max: 5000) | ||
offset | query | string | Starting index of overall result set from which to return ids. | ||
q | query | string | Free text search across all indexed fields. | ||
sort | query | string | The property to sort by. (Ex: created_date|desc) | ||
parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy.intel import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_vulnerabilities(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryVulnerabilities(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryVulnerabilities",
offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Back to Table of Contents