CAO Hunting - CrowdStrike/falconpy GitHub Wiki
| Operation ID | Description | ||||
|---|---|---|---|---|---|
|
Aggregate intelligence queries. | ||||
|
Creates an Archive Export. | ||||
|
Retrieves a list of Intelligence queries. | ||||
|
Search intelligence queries that match the provided conditions. | ||||
Aggregate intelligence queries.
aggregate_queries
| Method | Route |
|---|---|
 |
/hunting/aggregates/intelligence-queries/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |  |
|
body | dictionary | Full body payload as a dictionary. Not required when using other keywords. |
| date_ranges | |
 |
body | list of dictionaries | Applies to date_range aggregations. Example: [ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ] |
| exclude | |
|
body | string | Elements to exclude. |
| extended_bounds | |
|
body | dictionary | Extended aggregate boundaries. Contains max and min values as strings.Example: { "max": "string", "min": "string" } |
| field | |
|
body | string | The field on which to compute the aggregation. |
| filter | |
|
body | string | FQL syntax formatted string to use to filter the results. |
| from | |
|
body | integer | Starting position. |
| include | |
|
body | string | Elements to include. |
| interval | |
|
body | string | Time interval for date histogram aggregations. Valid values include:
|
| max_doc_count | |
|
body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | |
|
body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | |
|
body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | |
|
body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | |
|
body | string | Full text search across all metadata fields. |
| ranges | |
|
body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ] |
| size | |
|
body | integer | The max number of term buckets to be returned. |
| sub_aggregates | |
|
body | list of dictionaries | A nested aggregation, such as: [ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ] There is a maximum of 3 nested aggregations per request. |
| sort | |
|
body | string |
FQL syntax string to sort bucket results.
asc and desc using | format. Example: _count|desc
|
| time_zone | |
|
body | string | Time zone for bucket results. |
| type | |
|
body | string | Type of aggregation. Valid values include:
|
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
bounds = {
"max": "string",
"min": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.aggregate_queries(date_ranges=[date_range],
exclude="string",
extended_bounds=bounds,
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
bounds = {
"max": "string",
"min": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.AggregateIntelligenceQueries(date_ranges=[date_range],
exclude="string",
extended_bounds=bounds,
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = [
{
"date_ranges": [
{
"from": "string",
"to": "string"
}
],
"exclude": "string",
"extended_bounds": {
"max": "string",
"min": "string"
}
"field": "string",
"filter": "string",
"from": integer,
"include": "string",
"interval": "string",
"max_doc_count": integer,
"min_doc_count": integer,
"missing": "string",
"name": "string",
"q": "string",
"ranges": [
{
"From": integer,
"To": integer
}
],
"size": integer,
"sort": "string",
"sub_aggregates": [
null
],
"time_zone": "string",
"type": "string"
}
]
response = falcon.command("AggregateIntelligenceQueries", body=body_payload)
print(response)Creates an Archive Export.
create_export_archive
| Method | Route |
|---|---|
 |
/hunting/entities/archive-exports/v1 |
- Produces: application/octet-stream
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| archive_type | |
|
query | string | The Archive Type can be one of 'zip' and 'gzip'. Defaults to 'zip'. |
| filter | |
|
query | string | The FQL Filter. |
| language | |
|
query | string | The Query Language. Accepted Values:
|
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
with open(save_file, "wb") as file_output:
file_output.write(falcon.create_export_archive(language="string",
filter="string",
archive_type="string"
))from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
with open(save_file, "wb") as file_output:
file_output.write(falcon.GetArchiveExport(language="string",
filter="string",
archive_type="string"
))from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
with open(save_file, "wb") as file_output:
file_output.write(falcon.command("GetArchiveExport",
language="string",
filter="string",
archive_type="string"
))Retrieves a list of Intelligence queries.
get_queries
| Method | Route |
|---|---|
|
/hunting/entities/intelligence-queries/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | |
|
query | array (string) | Intelligence queries IDs. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_queries(ids=id_list)
print(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelligenceQueries(ids=id_list)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelligenceQueries", ids=id_list)
print(response)Search intelligence queries that match the provided conditions.
search_queries
| Method | Route |
|---|---|
|
/hunting/queries/intelligence-queries/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | |
|
query | string | FQL query specifying the filter parameters. |
| limit | |
|
query | integer | Number of IDs to return. |
| offset | |
|
query | string | Starting index of result set from which to return IDs. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
| q | |
|
query | string | Match phrase_prefix query criteria; included fields: _all (all filter string fields indexed). |
| sort | |
|
query | string | Order by fields. |
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_queries(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.SearchIntelligenceQueries(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("SearchIntelligenceQueries",
offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)