Intelligence Indicator Graph - CrowdStrike/falconpy GitHub Wiki
| Operation ID | Description | ||||
|---|---|---|---|---|---|
|
Get indicator aggregates as specified via json in request body. | ||||
|
Get indicators based on their value. | ||||
|
Search indicators based on FQL filter. | ||||
WARNING
client_idandclient_secretare keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Get indicator aggregates as specified via json in request body.
aggregate_indicators
| Method | Route |
|---|---|
 |
/intelligence/aggregates/indicators/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |  |
|
body | dictionary | Full body payload as a dictionary. Not required when using other keywords. |
| date_ranges | |
 |
body | list of dictionaries | Applies to date_range aggregations. Example: [ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ] |
| exclude | |
|
body | string | Elements to exclude. |
| extended_bounds | |
|
body | dictionary | Extended aggregate boundaries. Contains max and min values as strings.Example: { "max": "string", "min": "string" } |
| field | |
|
body | string | The field on which to compute the aggregation. |
| filter | |
|
body | string | FQL syntax formatted string to use to filter the results. |
| from | |
|
body | integer | Starting position. |
| include | |
|
body | string | Elements to include. |
| interval | |
|
body | string | Time interval for date histogram aggregations. Valid values include:
|
| max_doc_count | |
|
body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | |
|
body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | |
|
body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | |
|
body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | |
|
body | string | Full text search across all metadata fields. |
| ranges | |
|
body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ] |
| size | |
|
body | integer | The max number of term buckets to be returned. |
| sub_aggregates | |
|
body | list of dictionaries | A nested aggregation, such as: [ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ] There is a maximum of 3 nested aggregations per request. |
| sort | |
|
body | string |
FQL syntax string to sort bucket results.
asc and desc using | format. Example: _count|desc
|
| time_zone | |
|
body | string | Time zone for bucket results. |
| type | |
|
body | string | Type of aggregation. Valid values include:
|
from falconpy import IntelligenceIndicatorGraph
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
bounds = {
"max": "string",
"min": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.aggregate_indicators(date_ranges=[date_range],
exclude="string",
extended_bounds=bounds,
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)from falconpy import IntelligenceIndicatorGraph
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
bounds = {
"max": "string",
"min": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.GetIndicatorAggregates(date_ranges=[date_range],
exclude="string",
extended_bounds=bounds,
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = [
{
"date_ranges": [
{
"from": "string",
"to": "string"
}
],
"exclude": "string",
"extended_bounds": {
"max": "string",
"min": "string"
}
"field": "string",
"filter": "string",
"from": integer,
"include": "string",
"interval": "string",
"max_doc_count": integer,
"min_doc_count": integer,
"missing": "string",
"name": "string",
"q": "string",
"ranges": [
{
"From": integer,
"To": integer
}
],
"size": integer,
"sort": "string",
"sub_aggregates": [
null
],
"time_zone": "string",
"type": "string"
}
]
response = falcon.command("GetIndicatorAggregates", body=body_payload)
print(response)Get indicators based on their value.
lookup
| Method | Route |
|---|---|
|
/intelligence/combined/indicators/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | |
 |
body | dictionary | Full body payload as a dictionary. Not required when using other keywords. |
| values | |
|
body | list of strings | List of indicator values to look up. |
from falconpy import IntelligenceIndicatorGraph
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.lookup_indicators(values=["string"])
print(response)from falconpy import IntelligenceIndicatorGraph
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.LookupIndicators(values=["string"])
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"values": ["string"]
}
response = falcon.command("LookupIndicators", body=body_payload)
print(response)Search indicators based on FQL filter.
search
| Method | Route |
|---|---|
|
/intelligence/combined/indicators/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | |
|
body | dictionary | Full body payload as JSON formatted dictionary. |
| filter | |
|
body | string | FQL formatted filter. |
| limit | |
|
query | integer | Limit |
| offset | |
|
query | string | Offset |
| parameters | |
|
query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
| sort | |
|
body | dictionary or list of dictionaries | List of sort operations to perform on the resultset. |
from falconpy import IntelligenceIndicatorGraph
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
sort_order = {
"field": "string",
"order": "string"
}
response = falcon.search(limit=integer, offset="string", filter="string", sort=sort_order)
print(response)from falconpy import IntelligenceIndicatorGraph
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
sort_order = {
"field": "string",
"order": "string"
}
response = falcon.SearchIndicators(limit=integer,
offset="string",
filter="string",
sort=sort_order
)
print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"filter": "string",
"sort": [
{
"field": "string",
"order": "string"
}
]
}
response = falcon.command("SearchIndicators", limit="string", offset="string", body=body_payload)
print(response)