CAO Hunting - CrowdStrike/falconpy GitHub Wiki
| Operation ID | Description | ||||
|---|---|---|---|---|---|
|
Aggregate Hunting Guides | ||||
|
Aggregate intelligence queries. | ||||
|
Creates an Archive Export. | ||||
|
Retrieves a list of Hunting Guides | ||||
|
Retrieves a list of Intelligence queries. | ||||
|
Search for Hunting Guides that match the provided conditions | ||||
|
Search intelligence queries that match the provided conditions. | ||||
WARNING
client_idandclient_secretare keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Aggregate intelligence queries.
aggregate_queries
| Method | Route |
|---|---|
 |
/hunting/aggregates/intelligence-queries/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |  |
|
body | dictionary | Full body payload as a dictionary. Not required when using other keywords. |
| date_ranges | |
 |
body | list of dictionaries | Applies to date_range aggregations. Example: [ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ] |
| exclude | |
|
body | string | Elements to exclude. |
| extended_bounds | |
|
body | dictionary | Extended aggregate boundaries. Contains max and min values as strings.Example: { "max": "string", "min": "string" } |
| field | |
|
body | string | The field on which to compute the aggregation. |
| filter | |
|
body | string | FQL syntax formatted string to use to filter the results. |
| from | |
|
body | integer | Starting position. |
| include | |
|
body | string | Elements to include. |
| interval | |
|
body | string | Time interval for date histogram aggregations. Valid values include:
|
| max_doc_count | |
|
body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | |
|
body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | |
|
body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | |
|
body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | |
|
body | string | Full text search across all metadata fields. |
| ranges | |
|
body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ] |
| size | |
|
body | integer | The max number of term buckets to be returned. |
| sub_aggregates | |
|
body | list of dictionaries | A nested aggregation, such as: [ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ] There is a maximum of 3 nested aggregations per request. |
| sort | |
|
body | string |
FQL syntax string to sort bucket results.
asc and desc using | format. Example: _count|desc
|
| time_zone | |
|
body | string | Time zone for bucket results. |
| type | |
|
body | string | Type of aggregation. Valid values include:
|
from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
bounds = {
"max": "string",
"min": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.aggregate_queries(date_ranges=[date_range],
exclude="string",
extended_bounds=bounds,
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
bounds = {
"max": "string",
"min": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.AggregateIntelligenceQueries(date_ranges=[date_range],
exclude="string",
extended_bounds=bounds,
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = [
{
"date_ranges": [
{
"from": "string",
"to": "string"
}
],
"exclude": "string",
"extended_bounds": {
"max": "string",
"min": "string"
},
"field": "string",
"filter": "string",
"from": integer,
"include": "string",
"interval": "string",
"max_doc_count": integer,
"min_doc_count": integer,
"missing": "string",
"name": "string",
"q": "string",
"ranges": [
{
"From": integer,
"To": integer
}
],
"size": integer,
"sort": "string",
"sub_aggregates": [
null
],
"time_zone": "string",
"type": "string"
}
]
response = falcon.command("AggregateIntelligenceQueries", body=body_payload)
print(response)Back to Table of Contents
Creates an Archive Export.
create_export_archive
| Method | Route |
|---|---|
 |
/hunting/entities/archive-exports/v1 |
- Produces: application/octet-stream
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| archive_type | |
|
query | string | The Archive Type can be one of 'zip' and 'gzip'. Defaults to 'zip'. |
| filter | |
|
query | string | The FQL Filter. |
| language | |
|
query | string | The Query Language. Accepted Values:
|
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
with open(save_file, "wb") as file_output:
file_output.write(falcon.create_export_archive(language="string",
filter="string",
archive_type="string"
))from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
with open(save_file, "wb") as file_output:
file_output.write(falcon.GetArchiveExport(language="string",
filter="string",
archive_type="string"
))from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
with open(save_file, "wb") as file_output:
file_output.write(falcon.command("GetArchiveExport",
language="string",
filter="string",
archive_type="string"
))Back to Table of Contents
Retrieves a list of Intelligence queries.
get_queries
| Method | Route |
|---|---|
|
/hunting/entities/intelligence-queries/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | |
|
query | string or list of strings | Intelligence queries IDs. |
| include_translated_content | |
|
query | string or list of strings | The AI translated language that should be returned if it exists. Accepted values are: SPL, __all__. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
translated_langs = 'SPL,__all__' # Can also pass a list here: ['SPL', '__all__']
response = falcon.get_queries(ids=id_list,
include_translated_content=translated_langs
)
print(response)from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
translated_langs = 'SPL,__all__' # Can also pass a list here: ['SPL', '__all__']
response = falcon.GetIntelligenceQueries(ids=id_list,
include_translated_content=translated_langs
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
translated_langs = 'SPL,__all__' # Can also pass a list here: ['SPL', '__all__']
response = falcon.command("GetIntelligenceQueries",
ids=id_list,
include_translated_content=translated_langs
)
print(response)Back to Table of Contents
Search intelligence queries that match the provided conditions.
search_queries
| Method | Route |
|---|---|
|
/hunting/queries/intelligence-queries/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | |
|
query | string | FQL query specifying the filter parameters. |
| limit | |
|
query | integer | Number of IDs to return. |
| offset | |
|
query | string | Starting index of result set from which to return IDs. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
| q | |
|
query | string | Match phrase_prefix query criteria; included fields: _all (all filter string fields indexed). |
| sort | |
|
query | string | Order by fields. |
from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_queries(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.SearchIntelligenceQueries(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("SearchIntelligenceQueries",
offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)Back to Table of Contents
Aggregate Hunting Guides
aggregate_guides
| Method | Route |
|---|---|
|
/hunting/aggregates/hunting-guides/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | |
 |
body | list of dictionaries | Full body payload as a list of dictionaries. Not required when using other keywords. |
| date_ranges | |
|
body | list of dictionaries | Applies to date_range aggregations. Example: [ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ] |
| exclude | |
|
body | string | Elements to exclude. |
| extended_bounds | |
|
body | dictionary | Extended aggregate boundaries. Contains max and min values as strings.Example: { "max": "string", "min": "string" } |
| field | |
|
body | string | The field on which to compute the aggregation. |
| filter | |
|
body | string | FQL syntax formatted string to use to filter the results. |
| filters_spec | |
|
body | dictionary | Filters specification containing filters, other_bucket, and other_bucket_key. Example: { "filters": { "additionalProp1": "string", "additionalProp2": "string" }, "other_bucket": boolean, "other_bucket_key": "string" } |
| from | |
|
body | integer | Starting position. |
| include | |
|
body | string | Elements to include. |
| interval | |
|
body | string | Time interval for date histogram aggregations. Valid values include:
|
| max_doc_count | |
|
body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | |
|
body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | |
|
body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | |
|
body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| percents | |
|
body | list of integers | Percentile values for percentile aggregations. |
| q | |
|
body | string | Full text search across all metadata fields. |
| ranges | |
|
body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ] |
| size | |
|
body | integer | The max number of term buckets to be returned. |
| sort | |
|
body | string |
FQL syntax string to sort bucket results.
asc and desc using | format. Example: _count|desc
|
| sub_aggregates | |
|
body | list of dictionaries | A nested aggregation, such as: [ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ] There is a maximum of 3 nested aggregations per request. |
| time_zone | |
|
body | string | Time zone for bucket results. |
| type | |
|
body | string | Type of aggregation. Valid values include:
|
from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
bounds = {
"max": "string",
"min": "string"
}
filter_spec = {
"filters": {
"additionalProp1": "string",
"additionalProp2": "string"
},
"other_bucket": boolean,
"other_bucket_key": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.aggregate_guides(date_ranges=[date_range],
exclude="string",
extended_bounds=bounds,
field="string",
filter="string",
filters_spec=filter_spec,
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
percents=[integer],
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
bounds = {
"max": "string",
"min": "string"
}
filter_spec = {
"filters": {
"additionalProp1": "string",
"additionalProp2": "string"
},
"other_bucket": boolean,
"other_bucket_key": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.AggregateHuntingGuides(date_ranges=[date_range],
exclude="string",
extended_bounds=bounds,
field="string",
filter="string",
filters_spec=filter_spec,
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
percents=[integer],
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = [
{
"date_ranges": [
{
"from": "string",
"to": "string"
}
],
"exclude": "string",
"extended_bounds": {
"max": "string",
"min": "string"
},
"field": "string",
"filter": "string",
"filters_spec": {
"filters": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
},
"other_bucket": boolean,
"other_bucket_key": "string"
},
"from": integer,
"include": "string",
"interval": "string",
"max_doc_count": integer,
"min_doc_count": integer,
"missing": "string",
"name": "string",
"percents": [
integer
],
"q": "string",
"ranges": [
{
"From": integer,
"To": integer
}
],
"size": integer,
"sort": "string",
"sub_aggregates": [
null
],
"time_zone": "string",
"type": "string"
}
]
response = falcon.command("AggregateHuntingGuides", body=body_payload)
print(response)Back to Table of Contents
Retrieves a list of Hunting Guides
get_guides
| Method | Route |
|---|---|
|
/hunting/entities/hunting-guides/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | |
|
query | string or list of strings | Hunting Guides IDs. Required parameter. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_guides(ids=id_list)
print(response)from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetHuntingGuides(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetHuntingGuides", ids=id_list)
print(response)Back to Table of Contents
Search for Hunting Guides that match the provided conditions
search_guides
| Method | Route |
|---|---|
|
/hunting/queries/hunting-guides/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | |
|
query | string | FQL query specifying the filter parameters. |
| limit | |
|
query | integer | Number of IDs to return. |
| offset | |
|
query | string | Starting index of result set from which to return IDs. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
| sort | |
|
query | string | Order by fields. |
| q | |
|
query | string | Match phrase_prefix query criteria; included fields: _all (all filter string fields indexed). |
from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_guides(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import CAOHunting
# Do not hardcode API credentials!
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.SearchHuntingGuides(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("SearchHuntingGuides",
offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)Back to Table of Contents
