
Using the ThreatGraph service collection


Table of Contents

| Operation ID | PEP8 method name | Description |
| :--- | :--- | :--- |
| combined_edges_get | get_edges | Retrieve edges for a given vertex ID. One edge type must be specified. |
| combined_ran_on_get | get_ran_on | Look up instances of indicators such as hashes, domain names, and IP addresses that have been seen on devices in your environment. |
| combined_summary_get | get_summary | Retrieve summary for a given vertex ID |
| entities_vertices_get | get_vertices_v1 | Retrieve metadata for a given vertex ID |
| entities_vertices_getv2 | get_vertices | Retrieve metadata for a given vertex ID |
| queries_edgetypes_get | get_edge_types | Show all available edge types |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Note that none of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

combined_edges_get

Retrieve edges for a given vertex ID. One edge type must be specified.

PEP8 method name

get_edges

Endpoint

| Method | Route |
| :--- | :--- |
| GET | /threatgraph/combined/edges/v1 |

Required Scope

threatgraph:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| ids | Yes | Yes | query | string | Vertex ID to get details for. Only one value is supported. |
| limit | Yes | Yes | query | integer | How many edges to return in a single request [1-100] |
| offset | Yes | Yes | query | string | The offset to use to retrieve the next page of results |
| edge_type | Yes | Yes | query | string | The type of edges that you would like to retrieve |
| direction | Yes | Yes | query | string | The direction of edges that you would like to retrieve |
| scope | Yes | Yes | query | string | Scope of the request |
| nano | Yes | Yes | query | boolean | Return nano-precision entity timestamps |

Usage

Service class example (PEP8 syntax)
from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_edges(limit=integer,
                            offset="string",
                            edge_type="string",
                            direction="string",
                            scope="string",
                            nano=boolean,
                            ids=id_list
                            )
print(response)

Service class example (Operation ID syntax)
from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.combined_edges_get(limit=integer,
                                     offset="string",
                                     edge_type="string",
                                     direction="string",
                                     scope="string",
                                     nano=boolean,
                                     ids=id_list
                                     )
print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("combined_edges_get", 
                          limit=integer,
                          offset="string",
                          edge_type="string",
                          direction="string",
                          scope="string",
                          nano=boolean,
                          ids=id_list
                          )
print(response)


combined_ran_on_get

Look up instances of indicators such as hashes, domain names, and IP addresses that have been seen on devices in your environment.

PEP8 method name

get_ran_on

Endpoint

| Method | Route |
| :--- | :--- |
| GET | /threatgraph/combined/ran-on/v1 |

Required Scope

threatgraph:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| value | Yes | Yes | query | string | The value of the indicator to search by |
| type | Yes | Yes | query | string | The type of indicator that you would like to retrieve |
| limit | Yes | Yes | query | integer | How many edges to return in a single request [1-100] |
| offset | Yes | Yes | query | string | The offset to use to retrieve the next page of results |
| nano | Yes | Yes | query | boolean | Return nano-precision entity timestamps |

Usage

Service class example (PEP8 syntax)
from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

response = falcon.get_ran_on(value="string",
                             type="string",
                             limit=integer,
                             offset="string",
                             nano=boolean
                             )
print(response)

Service class example (Operation ID syntax)
from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

response = falcon.combined_ran_on_get(value="string",
                                      type="string",
                                      limit=integer,
                                      offset="string",
                                      nano=boolean
                                      )
print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_ran_on_get",
                          value="string",
                          type="string",
                          limit=integer,
                          offset="string",
                          nano=boolean
                          )
print(response)
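
The following is an added example, not part of the FalconPy documentation: it combines the credential guidance under "Passing credentials" with the limit and offset keywords of get_ran_on to collect every page of results for one indicator. The environment variable names, the `load_credentials` and `ran_on_all` helpers, and the `meta.pagination.offset` location of the next-page token are assumptions.

```python
import os
import sys


def load_credentials(env=os.environ):
    """Read API credentials from the environment instead of source code."""
    # FALCON_CLIENT_ID / FALCON_CLIENT_SECRET are assumed variable names.
    missing = [k for k in ("FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET") if not env.get(k)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {"client_id": env["FALCON_CLIENT_ID"],
            "client_secret": env["FALCON_CLIENT_SECRET"]}


def ran_on_all(client, value, ioc_type, page_size=100, max_pages=50):
    """Collect every get_ran_on result for one indicator, page by page."""
    page_size = max(1, min(int(page_size), 100))   # documented range is [1-100]
    results, offset = [], None
    for _ in range(max_pages):                     # hard stop against endless paging
        kwargs = {"value": value, "type": ioc_type, "limit": page_size}
        if offset:
            kwargs["offset"] = offset
        response = client.get_ran_on(**kwargs)
        body = response.get("body") or {}
        if response.get("status_code") != 200:
            # Surface API errors (missing scope, bad type, rate limit) to the caller.
            raise RuntimeError(f"get_ran_on failed: {response.get('status_code')} "
                               f"{body.get('errors')}")
        page = body.get("resources") or []
        results.extend(page)
        # Assumed location of the next-page token in the response body.
        next_offset = ((body.get("meta") or {}).get("pagination") or {}).get("offset")
        if not page or not next_offset or next_offset == offset:
            break
        offset = str(next_offset)
    return results


if __name__ == "__main__":
    from falconpy import ThreatGraph               # imported here so the helpers load without it
    indicator, indicator_type = sys.argv[1], sys.argv[2]
    falcon = ThreatGraph(**load_credentials())     # needs the threatgraph:read scope
    for hit in ran_on_all(falcon, indicator, indicator_type):
        print(hit)
```

Run it with the indicator value and indicator type as the two command-line arguments; the API key only needs the threatgraph:read scope listed above.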


combined_summary_get

Retrieve summary for a given vertex ID

PEP8 method name

get_summary

Endpoint

| Method | Route |
| :--- | :--- |
| GET | /threatgraph/combined/{vertex-type}/summary/v1 |

Required Scope

threatgraph:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| vertex_type | Yes | Yes | path | string | Type of vertex to get properties for. Available values: accessory, accessories, actor, ad_computer, ad-computers, adfs_application, adfs-applications, ad_group, ad-groups, aggregate_indicator, aggregate-indicators, sensor, devices, mobile_app, mobile-apps, azure_application, azure-applications, azure_ad_user, azure-ad-users, containerized_app, containerized-apps, certificate, certificates, command_line, command-lines, control_graph, control-graphs, detection, detections, domain, domains, extracted_file, extracted-files, firmware, firmwares, mobile_fs_volume, mobile-fs-volumes, firewall, firewalls, firewall_rule_match, firewall_rule_matches, host_name, host-names, detection_index, detection-indices, idp_indicator, idp-indicators, idp_session, idp-sessions, incident, incidents, indicator, indicators, ipv4, ipv6, k8s_cluster, k8s_clusters, legacy_detection, legacy-detections, mobile_os_forensics_report, mobile_os_forensics_reports, mobile_indicator, mobile-indicators, module, modules, macro_script, macro_scripts, okta_application, okta-applications, okta_user, okta-users, process, processes, ping_fed_application, ping-fed-applications, quarantined_file, quarantined-files, script, scripts, shield, shields, sensor_self_diagnostic, sensor-self-diagnostics, kerberos_ticket, kerberos-tickets, user_id, users, user_session, user-sessions, wifi_access_point, wifi-access-points, xdr, any-vertex |
| ids | Yes | Yes | query | array (string) | Vertex ID to get details for |
| scope | Yes | Yes | query | string | Scope of the request |
| nano | Yes | Yes | query | boolean | Return nano-precision entity timestamps |

Usage

Service class example (PEP8 syntax)
from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_summary(scope="string", nano=boolean, ids=id_list, vertex_type="string")

print(response)

Service class example (Operation ID syntax)
from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.combined_summary_get(scope="string",
                                       nano=boolean,
                                       ids=id_list,
                                       vertex_type="string"
                                       )

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("combined_summary_get",
                          scope="string",
                          nano=boolean,
                          ids=id_list,
                          vertex_type="string"
                          )

print(response)


entities_vertices_get

Retrieve metadata for a given vertex ID

PEP8 method name

get_vertices_v1

Endpoint

| Method | Route |
| :--- | :--- |
| GET | /threatgraph/entities/{vertex-type}/v1 |

Required Scope

threatgraph:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| vertex_type | Yes | Yes | path | string | Type of vertex to get properties for. Available values: accessory, accessories, actor, ad_computer, ad-computers, adfs_application, adfs-applications, ad_group, ad-groups, aggregate_indicator, aggregate-indicators, sensor, devices, mobile_app, mobile-apps, azure_application, azure-applications, azure_ad_user, azure-ad-users, containerized_app, containerized-apps, certificate, certificates, command_line, command-lines, control_graph, control-graphs, detection, detections, domain, domains, extracted_file, extracted-files, firmware, firmwares, mobile_fs_volume, mobile-fs-volumes, firewall, firewalls, firewall_rule_match, firewall_rule_matches, host_name, host-names, detection_index, detection-indices, idp_indicator, idp-indicators, idp_session, idp-sessions, incident, incidents, indicator, indicators, ipv4, ipv6, k8s_cluster, k8s_clusters, legacy_detection, legacy-detections, mobile_os_forensics_report, mobile_os_forensics_reports, mobile_indicator, mobile-indicators, module, modules, macro_script, macro_scripts, okta_application, okta-applications, okta_user, okta-users, process, processes, ping_fed_application, ping-fed-applications, quarantined_file, quarantined-files, script, scripts, shield, shields, sensor_self_diagnostic, sensor-self-diagnostics, kerberos_ticket, kerberos-tickets, user_id, users, user_session, user-sessions, wifi_access_point, wifi-access-points, xdr, any-vertex |
| ids | Yes | Yes | query | array (string) | Vertex ID to get details for |
| scope | Yes | Yes | query | string | Scope of the request |
| nano | Yes | Yes | query | boolean | Return nano-precision entity timestamps |

Usage

Service class example (PEP8 syntax)
from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_vertices_v1(scope="string", nano=boolean, ids=id_list, vertex_type="string")

print(response)

Service class example (Operation ID syntax)
from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_vertices_get(scope="string",
                                        nano=boolean,
                                        ids=id_list,
                                        vertex_type="string"
                                        )
print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_vertices_get",
                          scope="string",
                          nano=boolean,
                          ids=id_list,
                          vertex_type="string"
                          )
print(response)


entities_vertices_getv2

Retrieve metadata for a given vertex ID

PEP8 method name

get_vertices

Endpoint

| Method | Route |
| :--- | :--- |
| GET | /threatgraph/entities/{vertex-type}/v2 |

Required Scope

threatgraph:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| vertex_type | Yes | Yes | path | string | Type of vertex to get properties for. Available values: accessory, accessories, actor, ad_computer, ad-computers, adfs_application, adfs-applications, ad_group, ad-groups, aggregate_indicator, aggregate-indicators, sensor, devices, mobile_app, mobile-apps, azure_application, azure-applications, azure_ad_user, azure-ad-users, containerized_app, containerized-apps, certificate, certificates, command_line, command-lines, control_graph, control-graphs, detection, detections, domain, domains, extracted_file, extracted-files, firmware, firmwares, mobile_fs_volume, mobile-fs-volumes, firewall, firewalls, firewall_rule_match, firewall_rule_matches, host_name, host-names, detection_index, detection-indices, idp_indicator, idp-indicators, idp_session, idp-sessions, incident, incidents, indicator, indicators, ipv4, ipv6, k8s_cluster, k8s_clusters, legacy_detection, legacy-detections, mobile_os_forensics_report, mobile_os_forensics_reports, mobile_indicator, mobile-indicators, module, modules, macro_script, macro_scripts, okta_application, okta-applications, okta_user, okta-users, process, processes, ping_fed_application, ping-fed-applications, quarantined_file, quarantined-files, script, scripts, shield, shields, sensor_self_diagnostic, sensor-self-diagnostics, kerberos_ticket, kerberos-tickets, user_id, users, user_session, user-sessions, wifi_access_point, wifi-access-points, xdr, any-vertex |
| ids | Yes | Yes | query | array (string) | Vertex ID to get details for |
| scope | Yes | Yes | query | string | Scope of the request |
| nano | Yes | Yes | query | boolean | Return nano-precision entity timestamps |

Usage

Service class example (PEP8 syntax)
from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_vertices(scope="string", nano=boolean, ids=id_list, vertex_type="string")

print(response)

Service class example (Operation ID syntax)
from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_vertices_getv2(scope="string",
                                          nano=boolean,
                                          ids=id_list,
                                          vertex_type="string"
                                          )
print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_vertices_getv2",
                          scope="string",
                          nano=boolean,
                          ids=id_list,
                          vertex_type="string"
                          )
print(response)


queries_edgetypes_get

Show all available edge types

PEP8 method name

get_edge_types

Endpoint

| Method | Route |
| :--- | :--- |
| GET | /threatgraph/queries/edge-types/v1 |

Required Scope

threatgraph:read

Content-Type

  • Produces: application/json

Keyword Arguments

No keywords or arguments accepted

Usage

Service class example (PEP8 syntax)
from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

response = falcon.get_edge_types()

print(response)

Service class example (Operation ID syntax)
from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

response = falcon.queries_edgetypes_get()

print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queries_edgetypes_get")

print(response)
