Intel - CrowdStrike/falconpy GitHub Wiki
This service collection has code examples posted to the repository.
| Operation ID | Description | ||||
|---|---|---|---|---|---|
|
Get info about actors that match provided FQL filters. | ||||
|
Get info about indicators that match provided FQL filters. | ||||
|
Get info about reports that match provided FQL filters. | ||||
|
Retrieve specific actors using their actor IDs. | ||||
|
Retrieve specific indicators using their indicator IDs. | ||||
|
Get malware entities for specified IDs. | ||||
|
Export Mitre ATT&CK information for a given actor. | ||||
|
Retrieve report and observable IDs associated with the given actor and attacks. | ||||
|
Return a Report PDF attachment | ||||
|
Retrieve specific reports using their report IDs. | ||||
|
Download earlier rule sets. | ||||
|
Download the latest rule set. | ||||
|
Retrieve details for rule sets for the specified ids. | ||||
|
Get vulnerabilities | ||||
|
Get actor IDs that match provided FQL filters. | ||||
|
Get indicators IDs that match provided FQL filters. | ||||
|
Get malware family names that match provided FQL filters. | ||||
|
Gets MITRE tactics and techniques for the given malware. | ||||
|
Gets MITRE tactics and techniques for the given actor. | ||||
|
Get report IDs that match provided FQL filters. | ||||
|
Search for rule IDs that match provided filter criteria. | ||||
|
Get vulnerabilities IDs | ||||
WARNING
client_idandclient_secretare keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Get info about actors that match provided FQL filters.
query_actor_entities
| Method | Route |
|---|---|
 |
/intel/combined/actors/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| fields |
 |
|
query | string | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. |
||||||||||||||||||||||||||||||||||||||
| filter |
|
|
query | string |
FQL query expression that should be used to limit the results. Filter parameters include:
|
||||||||||||||||||||||||||||||||||||||
| limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||||||||||||||||
| offset |
|
|
query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||||||||||||||||
| q |
|
|
query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||||||||||||||||
| sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||||||||||||||||
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_actor_entities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelActorEntities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelActorEntities",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)Back to Table of Contents
Get info about indicators that match provided FQL filters.
query_indicator_entities
| Method | Route |
|---|---|
|
/intel/combined/indicators/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| fields |
|
|
query | string | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. |
||||||||||||||||||||||
| filter |
|
|
query | string |
FQL query expression that should be used to limit the results. Filter parameters include:
|
||||||||||||||||||||||
| include_deleted |
|
|
query | boolean | Flag indicating if both published and deleted indicators should be returned. | ||||||||||||||||||||||
| include_relations |
|
|
query | boolean | Flag indicating if related indicators should be returned. | ||||||||||||||||||||||
| limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||
| offset |
|
|
query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||
| q |
|
|
query | string | Free text search across all indexed fields. | ||||||||||||||||||||||
| sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_indicator_entities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelIndicatorEntities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelIndicatorEntities",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)Back to Table of Contents
Get info about reports that match provided FQL filters.
query_report_entities
| Method | Route |
|---|---|
|
/intel/combined/reports/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| fields |
|
|
query | string | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. |
||||||||||||||||||||||||||||||||||||||
| filter |
|
|
query | string |
FQL query expression that should be used to limit the results. Filter parameters include:
|
||||||||||||||||||||||||||||||||||||||
| include_deleted |
|
|
query | boolean | Flag indicating if both published and deleted indicators should be returned. | ||||||||||||||||||||||||||||||||||||||
| limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||||||||||||||||
| offset |
|
|
query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||||||||||||||||
| q |
|
|
query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||||||||||||||||
| sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||||||||||||||||
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_report_entities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelReportEntities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelReportEntities",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)Back to Table of Contents
Retrieve specific actors using their actor IDs.
get_actor_entities
| Method | Route |
|---|---|
|
/intel/entities/actors/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | Actor IDs to retrieve. |
| fields |
|
|
query | array (string) | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_actor_entities(fields=["string", "string"], ids=id_list)
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelActorEntities(fields=["string", "string"], ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelActorEntities", fields=["string", "string"], ids=id_list)
print(response)Back to Table of Contents
Retrieve specific indicators using their indicator IDs.
get_indicator_entities
| Method | Route |
|---|---|
 |
/intel/entities/indicators/GET/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
 |
body | string or list of strings | Indicator IDs to retrieve. |
| body |
|
 |
body | dictionary | Full body payload in JSON format. |
You must use either the body or the ids keywords in order to use this method.
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_indicator_entities(ids=id_list)
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelIndicatorEntities(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = ['ID1', 'ID2', 'ID3']
BODY = {
"ids": id_list
}
response = falcon.command("GetIntelIndicatorEntities", body=BODY)
print(response)Back to Table of Contents
Get malware entities for specified IDs.
get_malware_entities
| Method | Route |
|---|---|
|
/intel/entities/malware/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | Malware family name in lower case with spaces replaced with dashes. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.get_malware_entities(ids=id_list)
print(response)from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.GetMalwareEntities(ids=id_list)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.command("GetMalwareEntities", ids=id_list)
print(response)Back to Table of Contents
Export Mitre ATT&CK information for a given actor.
get_mitre_report
| Method | Route |
|---|---|
|
/intel/entities/mitre-reports/v1 |
- Produces: application/octet-stream
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| actor_id |
|
|
query | string | Actor IDs (derived from actor name). |
| format |
|
|
query | string | Report format (json or csv). |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("filename.ext", "wb") as output_file:
output_file.write(falcon.get_mitre_report(actor_id="string", format="string"))from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("filename.ext", "wb") as output_file:
output_file.write(falcon.GetMitreReport(actor_id="string", format="string"))
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("filename.ext", "wb") as output_file:
output_file.write(falcon.command("GetMitreReport", actor_id="string", format="string"))
print(response)Back to Table of Contents
Retrieves report and observable IDs associated with the given actor and attacks.
mitre_attacks
| Method | Route |
|---|---|
|
/intel/entities/mitre/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | dictionary | Full body payload in JSON format. |
| ids |
|
|
body | string or list of strings | The actor / attack IDs to retrieve. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.mitre_attacks(ids=id_list)
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.PostMitreAttacks(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("PostMitreAttacks", ids=id_list)
print(response)Back to Table of Contents
Return a Report PDF attachment
get_report_pdf
| Method | Route |
|---|---|
|
/intel/entities/report-files/v1 |
- Produces: application/octet-stream
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| id |
|
|
query | string | Report ID to download as a PDF. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
The id parameter must be passed to the Uber class as part of the parameters dictionary.
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
response = falcon.get_report_pdf(id="string")
open(save_file, 'wb').write(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
response = falcon.GetIntelReportPDF(id="string")
open(save_file, 'wb').write(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
response = falcon.command("GetIntelReportPDF", id="string")
open(save_file, 'wb').write(response)Back to Table of Contents
Retrieve specific reports using their report IDs.
get_report_entities
| Method | Route |
|---|---|
|
/intel/entities/reports/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | Report IDs to retrieve. |
| fields |
|
|
query | array (string) | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_report_entities(fields=["string", "string"], ids=id_list)
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelReportEntities(fields=["string", "string"], ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelReportEntities", fields=["string", "string"], ids=id_list)
print(response)Back to Table of Contents
Download earlier rule sets.
get_rule_file
| Method | Route |
|---|---|
|
/intel/entities/rules-files/v1 |
- Produces: application/zip
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| id |
|
|
query | string | Rule set ID to retrieve. |
| format |
|
|
query | string | Choose the format you want the ruleset in. Valid formats are zip and gzip. Defaults to zip. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.get_rule_file(id=integer, format="string")
open(save_file, 'wb').write(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.GetIntelRuleFile(id=integer, format="string")
open(save_file, 'wb').write(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.command("GetIntelRuleFile", format="string", id=integer)
open(save_file, 'wb').write(response)Back to Table of Contents
Download the latest rule set.
get_latest_rule_file
| Method | Route |
|---|---|
|
/intel/entities/rules-latest-files/v1 |
- Produces: application/zip
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| type |
|
|
query | string | The rule news report type. Accepted values:
|
| format |
|
|
query | string | Choose the format you want the rule set in. Valid formats are zip and gzip. Defaults to zip. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.get_latest_rule_file(type="string", format="string")
open(save_file, 'wb').write(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.GetLatestIntelRuleFile(type="string", format="string")
open(save_file, 'wb').write(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.command("GetLatestIntelRuleFile", type="string", format="string")
open(save_file, 'wb').write(response)Back to Table of Contents
Retrieve details for rule sets for the specified ids.
get_rule_entities
| Method | Route |
|---|---|
|
/intel/entities/rules/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | Rule IDs to retrieve. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rule_entities(ids=id_list)
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelRuleEntities(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelRuleEntities", ids=id_list)
print(response)Back to Table of Contents
Get vulnerabilities by ID(s).
get_vulnerabilities
| Method | Route |
|---|---|
|
/intel/entities/vulnerabilities/GET/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | dictionary | Full body payload in JSON format. |
| ids |
|
|
body | string or list of strings | Vulnerability IDs to retrieve. |
from falconpy.intel import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_vulnerabilities(ids=id_list)
print(response)from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetVulnerabilities(ids=id_list)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetVulnerabilities", ids=id_list)
print(response)Back to Table of Contents
Get actor IDs that match provided FQL filters.
query_actor_ids
| Method | Route |
|---|---|
|
/intel/queries/actors/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| filter |
|
|
query | string |
FQL query expression that should be used to limit the results. Filter parameters include:
|
||||||||||||||||||||||||||||||||||||||
| limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||||||||||||||||
| offset |
|
|
query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||||||||||||||||
| q |
|
|
query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||||||||||||||||
| sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||||||||||||||||
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_actor_ids(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelActorIds(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelActorIds",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)Back to Table of Contents
Get indicators IDs that match provided FQL filters.
query_indicator_ids
| Method | Route |
|---|---|
|
/intel/queries/indicators/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| filter |
|
|
query | string |
FQL query expression that should be used to limit the results. Filter parameters include:
|
||||||||||||||||||||||
| include_deleted |
|
|
query | boolean | Flag indicating if both published and deleted indicators should be returned. | ||||||||||||||||||||||
| include_relations |
|
|
query | boolean | Flag indicating if related indicators should be returned. | ||||||||||||||||||||||
| limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||
| offset |
|
|
query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||
| q |
|
|
query | string | Free text search across all indexed fields. | ||||||||||||||||||||||
| sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_indicator_ids(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelIndicatorIds(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelIndicatorIds",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)Back to Table of Contents
Get malware family names that match provided FQL filters.
query_malware
| Method | Route |
|---|---|
|
/intel/queries/malware/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter |
|
|
query | string | FQL query expression that should be used to limit the results. |
| limit |
|
|
query | integer | Set the number of malware IDs to return. (Max: 5000) |
| offset |
|
|
query | string | Set the starting row number to return malware IDs from. Defaults to 0. |
| q |
|
|
query | string | Free text search across all indexed fields. |
| sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_malware(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryMalware(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryMalware",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)Back to Table of Contents
Gets MITRE tactics and techniques for the given malware.
query_mitre_attacks_for_malware
| Method | Route |
|---|---|
|
/intel/queries/mitre-malware/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | Malware family name in lower case with spaces replaced with dashes. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.query_mitre_attacks_for_malware(ids=id_list)
print(response)from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.QueryMitreAttacksForMalware(ids=id_list)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.command("QueryMitreAttacksForMalware", ids=id_list)
print(response)Back to Table of Contents
Gets MITRE tactics and techniques for the given actor.
query_mitre_attacks
| Method | Route |
|---|---|
|
/intel/queries/mitre/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| id |
|
|
query | string | Actor ID for which to retrieve a list of attacks. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_mitre_attacks(id="string")
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryMitreAttacks(id="string")
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryMitreAttacks", id="string")
print(response)Back to Table of Contents
Get report IDs that match provided FQL filters.
query_report_ids
| Method | Route |
|---|---|
|
/intel/queries/reports/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| filter |
|
|
query | string |
FQL query expression that should be used to limit the results. Filter parameters include:
|
||||||||||||||||||||||||||||||||||||||
| include_deleted |
|
|
query | boolean | Flag indicating if both published and deleted indicators should be returned. | ||||||||||||||||||||||||||||||||||||||
| limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||||||||||||||||
| offset |
|
|
query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||||||||||||||||
| q |
|
|
query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||||||||||||||||
| sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||||||||||||||||
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_report_ids(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelReportIds(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelReportIds",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)Back to Table of Contents
Search for rule IDs that match provided filter criteria.
query_rule_ids
| Method | Route |
|---|---|
|
/intel/queries/rules/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) |
| name |
|
|
query | string or list of strings | Search by rule title. |
| description |
|
|
query | string or list of strings | Substring match on description field. |
| offset |
|
|
query | string | Starting index of overall result set from which to return ids. |
| q |
|
|
query | string | Free text search across all indexed fields. |
| sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) |
| type |
|
|
query | string | The rule news report type. Accept values:
|
| tags |
|
|
query | string or list of strings | Search for rules by tag. |
| min_created_date |
|
|
query | string | Filter results to those created on or after a certain date. |
| max_created_date |
|
|
query | string | Filter results to those created on or before a certain date. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_rule_ids(offset=integer,
limit=integer,
sort="string",
name=["string", "string"],
type="string",
description=["string", "string"],
tags=["string", "string"],
min_created_date=integer,
max_created_date="string",
q="string"
)
print(response)from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelRuleIds(offset=integer,
limit=integer,
sort="string",
name=["string", "string"],
type="string",
description=["string", "string"],
tags=["string", "string"],
min_created_date=integer,
max_created_date="string",
q="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelRuleIds",
offset=integer,
limit=integer,
sort="string",
name=["string", "string"],
type="string",
description=["string", "string"],
tags=["string", "string"],
min_created_date=integer,
max_created_date="string",
q="string"
)
print(response)Back to Table of Contents
Query for vulnerabilities IDs.
query_vulnerabilities
| Method | Route |
|---|---|
|
/intel/queries/vulnerabilities/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter |
|
|
query | string | FQL query expression that should be used to limit the results. |
| limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) |
| offset |
|
|
query | string | Starting index of overall result set from which to return ids. |
| q |
|
|
query | string | Free text search across all indexed fields. |
| sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy.intel import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_vulnerabilities(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryVulnerabilities(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryVulnerabilities",
offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)Back to Table of Contents
