Intelligence Indicator Graph - CrowdStrike/falconpy GitHub Wiki

CrowdStrike Falcon CrowdStrike Subreddit

Using the Intelligence Indicator Graph service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation ID Description
GetIndicatorAggregates
PEP8 aggregate_indicators
Get indicator aggregates as specified via json in request body.
SearchIndicators
PEP8 search
Search indicators based on FQL filter.

GetIndicatorAggregates

Get indicator aggregates as specified via json in request body.

PEP8 method name

aggregate_indicators

Endpoint

Method Route
POST /intelligence/aggregates/indicators/v1

Required Scope

indicator-graph:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body Service Class Support Uber Class Support body dictionary Full body payload as a dictionary. Not required when using other keywords.
date_ranges Service Class Support No Uber Class Support body list of dictionaries Applies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
exclude Service Class Support No Uber Class Support body string Elements to exclude.
extended_bounds Service Class Support No Uber Class Support body dictionary Extended aggregate boundaries. Contains max and min values as strings.
Example:
  {
    "max": "string",
    "min": "string"
  }
field Service Class Support No Uber Class Support body string The field on which to compute the aggregation.
filter Service Class Support No Uber Class Support body string FQL syntax formatted string to use to filter the results.
from Service Class Support No Uber Class Support body integer Starting position.
include Service Class Support No Uber Class Support body string Elements to include.
interval Service Class Support No Uber Class Support body string Time interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_count Service Class Support No Uber Class Support body integer Only return buckets if values are less than or equal to the value here.
min_doc_count Service Class Support No Uber Class Support body integer Only return buckets if values are greater than or equal to the value here.
missing Service Class Support No Uber Class Support body string Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name Service Class Support No Uber Class Support body string Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q Service Class Support No Uber Class Support body string Full text search across all metadata fields.
ranges Service Class Support No Uber Class Support body list of dictionaries Applies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
size Service Class Support No Uber Class Support body integer The max number of term buckets to be returned.
sub_aggregates Service Class Support No Uber Class Support body list of dictionaries A nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sort Service Class Support No Uber Class Support body string FQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zone Service Class Support No Uber Class Support body string Time zone for bucket results.
type Service Class Support No Uber Class Support body string Type of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import IntelligenceIndicatorGraph

falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

date_range = {
    "from": "string",
    "to": "string"
}
bounds = {
    "max": "string",
    "min": "string"
}
search_range = {
    "From": integer,
    "To": integer
}

response = falcon.aggregate_indicators(date_ranges=[date_range],
                                       exclude="string",
                                       extended_bounds=bounds,
                                       field="string",
                                       filter="string",
                                       from=integer,
                                       include="string",
                                       interval="string",
                                       max_doc_count=integer,
                                       min_doc_count=integer,
                                       missing="string",
                                       name="string",
                                       q="string",
                                       ranges=[search_range],
                                       size=integer,
                                       sort="string",
                                       time_zone="string",
                                       type="string"
                                       )
print(response)
Service class example (Operation ID syntax)
from falconpy import IntelligenceIndicatorGraph

falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

date_range = {
    "from": "string",
    "to": "string"
}
bounds = {
    "max": "string",
    "min": "string"
}
search_range = {
    "From": integer,
    "To": integer
}

response = falcon.GetIndicatorAggregates(date_ranges=[date_range],
                                         exclude="string",
                                         extended_bounds=bounds,
                                         field="string",
                                         filter="string",
                                         from=integer,
                                         include="string",
                                         interval="string",
                                         max_doc_count=integer,
                                         min_doc_count=integer,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=[search_range],
                                         size=integer,
                                         sort="string",
                                         time_zone="string",
                                         type="string"
                                         )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = [
    {
        "date_ranges": [
            {
                "from": "string",
                "to": "string"
            }
        ],
        "exclude": "string",
        "extended_bounds": {
            "max": "string",
            "min": "string"
        }
        "field": "string",
        "filter": "string",
        "from": integer,
        "include": "string",
        "interval": "string",
        "max_doc_count": integer,
        "min_doc_count": integer,
        "missing": "string",
        "name": "string",
        "q": "string",
        "ranges": [
            {
                "From": integer,
                "To": integer
            }
        ],
        "size": integer,
        "sort": "string",
        "sub_aggregates": [
            null
        ],
        "time_zone": "string",
        "type": "string"
    }
]

response = falcon.command("GetIndicatorAggregates", body=body_payload)

print(response)

SearchIndicators

Search indicators based on FQL filter.

PEP8 method name

search

Endpoint

Method Route
POST /intelligence/combined/indicators/v1

Required Scope

indicator-graph:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body Service Class Support Uber Class Support body dictionary Full body payload as JSON formatted dictionary.
filter Service Class Support Uber Class Support body string FQL formatted filter.
limit Service Class Support Uber Class Support query integer Limit
offset Service Class Support Uber Class Support query string Offset
parameters Service Class Support Uber Class Support query dictionary Full query parameters payload as a dictionary, not required when using other keywords.
sort Service Class Support Uber Class Support body dictionary or list of dictionaries List of sort operations to perform on the resultset.

Usage

Service class example (PEP8 syntax)
from falconpy import IntelligenceIndicatorGraph

falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

sort_order = {
    "field": "string",
    "order": "string"
}

response = falcon.search(limit=integer, offset="string", filter="string", sort=sort_order)

print(response)
Service class example (Operation ID syntax)
from falconpy import IntelligenceIndicatorGraph

falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

sort_order = {
    "field": "string",
    "order": "string"
}

response = falcon.SearchIndicators(limit=integer,
                                   offset="string",
                                   filter="string",
                                   sort=sort_order
                                   )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
  "filter": "string",
  "sort": [
    {
      "field": "string",
      "order": "string"
    }
  ]
}

response = falcon.command("SearchIndicators", limit="string", offset="string", body=body_payload)

print(response)

⚠️ **GitHub.com Fallback** ⚠️