CAO Hunting - CrowdStrike/falconpy GitHub Wiki
| Operation ID | Description | ||||
|---|---|---|---|---|---|
|
Aggregate intelligence queries. | ||||
|
Creates an Archive Export. | ||||
|
Retrieves a list of Intelligence queries. | ||||
|
Search intelligence queries that match the provided conditions. | ||||
WARNING
client_idandclient_secretare keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Aggregate intelligence queries.
aggregate_queries
| Method | Route |
|---|---|
 |
/hunting/aggregates/intelligence-queries/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |  |
|
body | dictionary | Full body payload as a dictionary. Not required when using other keywords. |
| date_ranges | |
 |
body | list of dictionaries | Applies to date_range aggregations. Example: [ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ] |
| exclude | |
|
body | string | Elements to exclude. |
| extended_bounds | |
|
body | dictionary | Extended aggregate boundaries. Contains max and min values as strings.Example: { "max": "string", "min": "string" } |
| field | |
|
body | string | The field on which to compute the aggregation. |
| filter | |
|
body | string | FQL syntax formatted string to use to filter the results. |
| from | |
|
body | integer | Starting position. |
| include | |
|
body | string | Elements to include. |
| interval | |
|
body | string | Time interval for date histogram aggregations. Valid values include:
|
| max_doc_count | |
|
body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | |
|
body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | |
|
body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | |
|
body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | |
|
body | string | Full text search across all metadata fields. |
| ranges | |
|
body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ] |
| size | |
|
body | integer | The max number of term buckets to be returned. |
| sub_aggregates | |
|
body | list of dictionaries | A nested aggregation, such as: [ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ] There is a maximum of 3 nested aggregations per request. |
| sort | |
|
body | string |
FQL syntax string to sort bucket results.
asc and desc using | format. Example: _count|desc
|
| time_zone | |
|
body | string | Time zone for bucket results. |
| type | |
|
body | string | Type of aggregation. Valid values include:
|
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
bounds = {
"max": "string",
"min": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.aggregate_queries(date_ranges=[date_range],
exclude="string",
extended_bounds=bounds,
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
bounds = {
"max": "string",
"min": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.AggregateIntelligenceQueries(date_ranges=[date_range],
exclude="string",
extended_bounds=bounds,
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = [
{
"date_ranges": [
{
"from": "string",
"to": "string"
}
],
"exclude": "string",
"extended_bounds": {
"max": "string",
"min": "string"
}
"field": "string",
"filter": "string",
"from": integer,
"include": "string",
"interval": "string",
"max_doc_count": integer,
"min_doc_count": integer,
"missing": "string",
"name": "string",
"q": "string",
"ranges": [
{
"From": integer,
"To": integer
}
],
"size": integer,
"sort": "string",
"sub_aggregates": [
null
],
"time_zone": "string",
"type": "string"
}
]
response = falcon.command("AggregateIntelligenceQueries", body=body_payload)
print(response)Creates an Archive Export.
create_export_archive
| Method | Route |
|---|---|
 |
/hunting/entities/archive-exports/v1 |
- Produces: application/octet-stream
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| archive_type | |
|
query | string | The Archive Type can be one of 'zip' and 'gzip'. Defaults to 'zip'. |
| filter | |
|
query | string | The FQL Filter. |
| language | |
|
query | string | The Query Language. Accepted Values:
|
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
with open(save_file, "wb") as file_output:
file_output.write(falcon.create_export_archive(language="string",
filter="string",
archive_type="string"
))from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
with open(save_file, "wb") as file_output:
file_output.write(falcon.GetArchiveExport(language="string",
filter="string",
archive_type="string"
))from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
with open(save_file, "wb") as file_output:
file_output.write(falcon.command("GetArchiveExport",
language="string",
filter="string",
archive_type="string"
))Retrieves a list of Intelligence queries.
get_queries
| Method | Route |
|---|---|
|
/hunting/entities/intelligence-queries/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | |
|
query | array (string) | Intelligence queries IDs. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_queries(ids=id_list)
print(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelligenceQueries(ids=id_list)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelligenceQueries", ids=id_list)
print(response)Search intelligence queries that match the provided conditions.
search_queries
| Method | Route |
|---|---|
|
/hunting/queries/intelligence-queries/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | |
|
query | string | FQL query specifying the filter parameters. |
| limit | |
|
query | integer | Number of IDs to return. |
| offset | |
|
query | string | Starting index of result set from which to return IDs. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
| q | |
|
query | string | Match phrase_prefix query criteria; included fields: _all (all filter string fields indexed). |
| sort | |
|
query | string | Order by fields. |
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_queries(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.SearchIntelligenceQueries(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("SearchIntelligenceQueries",
offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)