Intel - CrowdStrike/falconpy GitHub Wiki
This service collection has code examples posted to the repository.
Operation ID | Description | ||||
---|---|---|---|---|---|
|
Get info about actors that match provided FQL filters. | ||||
|
Get info about indicators that match provided FQL filters. | ||||
|
Get info about reports that match provided FQL filters. | ||||
|
Retrieve specific actors using their actor IDs. | ||||
|
Retrieve specific indicators using their indicator IDs. | ||||
|
Get malware entities for specified IDs. | ||||
|
Export Mitre ATT&CK information for a given actor. | ||||
|
Retrieve report and observable IDs associated with the given actor and attacks. | ||||
|
Return a Report PDF attachment | ||||
|
Retrieve specific reports using their report IDs. | ||||
|
Download earlier rule sets. | ||||
|
Download the latest rule set. | ||||
|
Retrieve details for rule sets for the specified ids. | ||||
|
Get vulnerabilities | ||||
|
Get actor IDs that match provided FQL filters. | ||||
|
Get indicators IDs that match provided FQL filters. | ||||
|
Get malware family names that match provided FQL filters. | ||||
|
Gets MITRE tactics and techniques for the given malware. | ||||
|
Gets MITRE tactics and techniques for the given actor. | ||||
|
Get report IDs that match provided FQL filters. | ||||
|
Search for rule IDs that match provided filter criteria. | ||||
|
Get vulnerabilities IDs |
WARNING
client_id
andclient_secret
are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Get info about actors that match provided FQL filters.
query_actor_entities
Method | Route |
---|---|
/intel/combined/actors/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
fields |
|
|
query | string | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. |
||||||||||||||||||||||||||||||||||||||
filter |
|
|
query | string |
FQL query expression that should be used to limit the results. Filter parameters include:
|
||||||||||||||||||||||||||||||||||||||
limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||||||||||||||||
offset |
|
|
query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||||||||||||||||
q |
|
|
query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||||||||||||||||
sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||||||||||||||||
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_actor_entities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelActorEntities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelActorEntities",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)
Back to Table of Contents
Get info about indicators that match provided FQL filters.
query_indicator_entities
Method | Route |
---|---|
/intel/combined/indicators/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
fields |
|
|
query | string | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. |
||||||||||||||||||||||
filter |
|
|
query | string |
FQL query expression that should be used to limit the results. Filter parameters include:
|
||||||||||||||||||||||
include_deleted |
|
|
query | boolean | Flag indicating if both published and deleted indicators should be returned. | ||||||||||||||||||||||
include_relations |
|
|
query | boolean | Flag indicating if related indicators should be returned. | ||||||||||||||||||||||
limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||
offset |
|
|
query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||
q |
|
|
query | string | Free text search across all indexed fields. | ||||||||||||||||||||||
sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_indicator_entities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelIndicatorEntities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelIndicatorEntities",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)
Back to Table of Contents
Get info about reports that match provided FQL filters.
query_report_entities
Method | Route |
---|---|
/intel/combined/reports/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
fields |
|
|
query | string | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. |
||||||||||||||||||||||||||||||||||||||
filter |
|
|
query | string |
FQL query expression that should be used to limit the results. Filter parameters include:
|
||||||||||||||||||||||||||||||||||||||
include_deleted |
|
|
query | boolean | Flag indicating if both published and deleted indicators should be returned. | ||||||||||||||||||||||||||||||||||||||
limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||||||||||||||||
offset |
|
|
query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||||||||||||||||
q |
|
|
query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||||||||||||||||
sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||||||||||||||||
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_report_entities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelReportEntities(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelReportEntities",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
fields=["string", "string"]
)
print(response)
Back to Table of Contents
Retrieve specific actors using their actor IDs.
get_actor_entities
Method | Route |
---|---|
/intel/entities/actors/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | Actor IDs to retrieve. |
fields |
|
|
query | array (string) | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_actor_entities(fields=["string", "string"], ids=id_list)
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelActorEntities(fields=["string", "string"], ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelActorEntities", fields=["string", "string"], ids=id_list)
print(response)
Back to Table of Contents
Retrieve specific indicators using their indicator IDs.
get_indicator_entities
Method | Route |
---|---|
/intel/entities/indicators/GET/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids |
|
|
body | string or list of strings | Indicator IDs to retrieve. |
body |
|
|
body | dictionary | Full body payload in JSON format. |
You must use either the body
or the ids
keywords in order to use this method.
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_indicator_entities(ids=id_list)
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelIndicatorEntities(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = ['ID1', 'ID2', 'ID3']
BODY = {
"ids": id_list
}
response = falcon.command("GetIntelIndicatorEntities", body=BODY)
print(response)
Back to Table of Contents
Get malware entities for specified IDs.
get_malware_entities
Method | Route |
---|---|
/intel/entities/malware/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | Malware family name in lower case with spaces replaced with dashes. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.get_malware_entities(ids=id_list)
print(response)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.GetMalwareEntities(ids=id_list)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.command("GetMalwareEntities", ids=id_list)
print(response)
Back to Table of Contents
Export Mitre ATT&CK information for a given actor.
get_mitre_report
Method | Route |
---|---|
/intel/entities/mitre-reports/v1 |
- Produces: application/octet-stream
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
actor_id |
|
|
query | string | Actor IDs (derived from actor name). |
format |
|
|
query | string | Report format (json or csv ). |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("filename.ext", "wb") as output_file:
output_file.write(falcon.get_mitre_report(actor_id="string", format="string"))
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("filename.ext", "wb") as output_file:
output_file.write(falcon.GetMitreReport(actor_id="string", format="string"))
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("filename.ext", "wb") as output_file:
output_file.write(falcon.command("GetMitreReport", actor_id="string", format="string"))
print(response)
Back to Table of Contents
Retrieves report and observable IDs associated with the given actor and attacks.
mitre_attacks
Method | Route |
---|---|
/intel/entities/mitre/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body |
|
|
body | dictionary | Full body payload in JSON format. |
ids |
|
|
body | string or list of strings | The actor / attack IDs to retrieve. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.mitre_attacks(ids=id_list)
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.PostMitreAttacks(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("PostMitreAttacks", ids=id_list)
print(response)
Back to Table of Contents
Return a Report PDF attachment
get_report_pdf
Method | Route |
---|---|
/intel/entities/report-files/v1 |
- Produces: application/octet-stream
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
id |
|
|
query | string | Report ID to download as a PDF. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
The id
parameter must be passed to the Uber class as part of the parameters dictionary.
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
response = falcon.get_report_pdf(id="string")
open(save_file, 'wb').write(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
response = falcon.GetIntelReportPDF(id="string")
open(save_file, 'wb').write(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
response = falcon.command("GetIntelReportPDF", id="string")
open(save_file, 'wb').write(response)
Back to Table of Contents
Retrieve specific reports using their report IDs.
get_report_entities
Method | Route |
---|---|
/intel/entities/reports/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | Report IDs to retrieve. |
fields |
|
|
query | array (string) | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_report_entities(fields=["string", "string"], ids=id_list)
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelReportEntities(fields=["string", "string"], ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelReportEntities", fields=["string", "string"], ids=id_list)
print(response)
Back to Table of Contents
Download earlier rule sets.
get_rule_file
Method | Route |
---|---|
/intel/entities/rules-files/v1 |
- Produces: application/zip
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
id |
|
|
query | string | Rule set ID to retrieve. |
format |
|
|
query | string | Choose the format you want the ruleset in. Valid formats are zip and gzip . Defaults to zip. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.get_rule_file(id=integer, format="string")
open(save_file, 'wb').write(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.GetIntelRuleFile(id=integer, format="string")
open(save_file, 'wb').write(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.command("GetIntelRuleFile", format="string", id=integer)
open(save_file, 'wb').write(response)
Back to Table of Contents
Download the latest rule set.
get_latest_rule_file
Method | Route |
---|---|
/intel/entities/rules-latest-files/v1 |
- Produces: application/zip
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
type |
|
|
query | string | The rule news report type. Accepted values:
|
format |
|
|
query | string | Choose the format you want the rule set in. Valid formats are zip and gzip . Defaults to zip. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.get_latest_rule_file(type="string", format="string")
open(save_file, 'wb').write(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.GetLatestIntelRuleFile(type="string", format="string")
open(save_file, 'wb').write(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.zip"
response = falcon.command("GetLatestIntelRuleFile", type="string", format="string")
open(save_file, 'wb').write(response)
Back to Table of Contents
Retrieve details for rule sets for the specified ids.
get_rule_entities
Method | Route |
---|---|
/intel/entities/rules/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | Rule IDs to retrieve. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rule_entities(ids=id_list)
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelRuleEntities(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelRuleEntities", ids=id_list)
print(response)
Back to Table of Contents
Get vulnerabilities by ID(s).
get_vulnerabilities
Method | Route |
---|---|
/intel/entities/vulnerabilities/GET/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body |
|
|
body | dictionary | Full body payload in JSON format. |
ids |
|
|
body | string or list of strings | Vulnerability IDs to retrieve. |
from falconpy.intel import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_vulnerabilities(ids=id_list)
print(response)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetVulnerabilities(ids=id_list)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetVulnerabilities", ids=id_list)
print(response)
Back to Table of Contents
Get actor IDs that match provided FQL filters.
query_actor_ids
Method | Route |
---|---|
/intel/queries/actors/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
filter |
|
|
query | string |
FQL query expression that should be used to limit the results. Filter parameters include:
|
||||||||||||||||||||||||||||||||||||||
limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||||||||||||||||
offset |
|
|
query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||||||||||||||||
q |
|
|
query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||||||||||||||||
sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||||||||||||||||
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_actor_ids(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelActorIds(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelActorIds",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Back to Table of Contents
Get indicators IDs that match provided FQL filters.
query_indicator_ids
Method | Route |
---|---|
/intel/queries/indicators/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
filter |
|
|
query | string |
FQL query expression that should be used to limit the results. Filter parameters include:
|
||||||||||||||||||||||
include_deleted |
|
|
query | boolean | Flag indicating if both published and deleted indicators should be returned. | ||||||||||||||||||||||
include_relations |
|
|
query | boolean | Flag indicating if related indicators should be returned. | ||||||||||||||||||||||
limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||
offset |
|
|
query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||
q |
|
|
query | string | Free text search across all indexed fields. | ||||||||||||||||||||||
sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_indicator_ids(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelIndicatorIds(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelIndicatorIds",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string",
include_deleted=boolean
)
print(response)
Back to Table of Contents
Get malware family names that match provided FQL filters.
query_malware
Method | Route |
---|---|
/intel/queries/malware/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter |
|
|
query | string | FQL query expression that should be used to limit the results. |
limit |
|
|
query | integer | Set the number of malware IDs to return. (Max: 5000) |
offset |
|
|
query | string | Set the starting row number to return malware IDs from. Defaults to 0. |
q |
|
|
query | string | Free text search across all indexed fields. |
sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_malware(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryMalware(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryMalware",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Back to Table of Contents
Gets MITRE tactics and techniques for the given malware.
query_mitre_attacks_for_malware
Method | Route |
---|---|
/intel/queries/mitre-malware/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | Malware family name in lower case with spaces replaced with dashes. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.query_mitre_attacks_for_malware(ids=id_list)
print(response)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.QueryMitreAttacksForMalware(ids=id_list)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'
response = falcon.command("QueryMitreAttacksForMalware", ids=id_list)
print(response)
Back to Table of Contents
Gets MITRE tactics and techniques for the given actor.
query_mitre_attacks
Method | Route |
---|---|
/intel/queries/mitre/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
id |
|
|
query | string | Actor ID for which to retrieve a list of attacks. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_mitre_attacks(id="string")
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryMitreAttacks(id="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryMitreAttacks", id="string")
print(response)
Back to Table of Contents
Get report IDs that match provided FQL filters.
query_report_ids
Method | Route |
---|---|
/intel/queries/reports/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description | ||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
filter |
|
|
query | string |
FQL query expression that should be used to limit the results. Filter parameters include:
|
||||||||||||||||||||||||||||||||||||||
include_deleted |
|
|
query | boolean | Flag indicating if both published and deleted indicators should be returned. | ||||||||||||||||||||||||||||||||||||||
limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) | ||||||||||||||||||||||||||||||||||||||
offset |
|
|
query | string | Starting index of overall result set from which to return ids. | ||||||||||||||||||||||||||||||||||||||
q |
|
|
query | string | Free text search across all indexed fields. | ||||||||||||||||||||||||||||||||||||||
sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) | ||||||||||||||||||||||||||||||||||||||
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_report_ids(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelReportIds(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelReportIds",
offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Back to Table of Contents
Search for rule IDs that match provided filter criteria.
query_rule_ids
Method | Route |
---|---|
/intel/queries/rules/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) |
name |
|
|
query | string or list of strings | Search by rule title. |
description |
|
|
query | string or list of strings | Substring match on description field. |
offset |
|
|
query | string | Starting index of overall result set from which to return ids. |
q |
|
|
query | string | Free text search across all indexed fields. |
sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) |
type |
|
|
query | string | The rule news report type. Accept values:
|
tags |
|
|
query | string or list of strings | Search for rules by tag. |
min_created_date |
|
|
query | string | Filter results to those created on or after a certain date. |
max_created_date |
|
|
query | string | Filter results to those created on or before a certain date. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_rule_ids(offset=integer,
limit=integer,
sort="string",
name=["string", "string"],
type="string",
description=["string", "string"],
tags=["string", "string"],
min_created_date=integer,
max_created_date="string",
q="string"
)
print(response)
from falconpy import Intel
# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIntelRuleIds(offset=integer,
limit=integer,
sort="string",
name=["string", "string"],
type="string",
description=["string", "string"],
tags=["string", "string"],
min_created_date=integer,
max_created_date="string",
q="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIntelRuleIds",
offset=integer,
limit=integer,
sort="string",
name=["string", "string"],
type="string",
description=["string", "string"],
tags=["string", "string"],
min_created_date=integer,
max_created_date="string",
q="string"
)
print(response)
Back to Table of Contents
Query for vulnerabilities IDs.
query_vulnerabilities
Method | Route |
---|---|
/intel/queries/vulnerabilities/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter |
|
|
query | string | FQL query expression that should be used to limit the results. |
limit |
|
|
query | integer | Maximum number of records to return. (Max: 5000) |
offset |
|
|
query | string | Starting index of overall result set from which to return ids. |
q |
|
|
query | string | Free text search across all indexed fields. |
sort |
|
|
query | string | The property to sort by. (Ex: created_date|desc) |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy.intel import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_vulnerabilities(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
from falconpy import Intel
falcon = Intel(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryVulnerabilities(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryVulnerabilities",
offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Back to Table of Contents