ThreatGraph - CrowdStrike/falconpy GitHub Wiki
Operation ID | Description | ||||
---|---|---|---|---|---|
|
Retrieve edges for a given vertex id. One edge type must be specified | ||||
|
Look up instances of indicators such as hashes, domain names, and ip addresses that have been seen on devices in your environment. | ||||
|
Retrieve summary for a given vertex ID | ||||
|
Retrieve metadata for a given vertex ID | ||||
|
Retrieve metadata for a given vertex ID | ||||
|
Show all available edge types |
WARNING
client_id
andclient_secret
are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Retrieve edges for a given vertex id. One edge type must be specified
get_edges
Method | Route |
---|---|
/threatgraph/combined/edges/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | query | string | Vertex ID to get details for. Only one value is supported | ||
limit | query | integer | How many edges to return in a single request [1-100] | ||
offset | query | string | The offset to use to retrieve the next page of results | ||
edge_type | query | string | The type of edges that you would like to retrieve | ||
direction | query | string | The direction of edges that you would like to retrieve. | ||
scope | query | string | Scope of the request | ||
nano | query | boolean | Return nano-precision entity timestamps |
from falconpy import ThreatGraph
falcon = ThreatGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_edges(limit=integer,
offset="string",
edge_type="string",
direction="string",
scope="string",
nano=boolean,
ids=id_list
)
print(response)
from falconpy import ThreatGraph
falcon = ThreatGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.combined_edges_get(limit=integer,
offset="string",
edge_type="string",
direction="string",
scope="string",
nano=boolean,
ids=id_list
)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("combined_edges_get",
limit=integer,
offset="string",
edge_type="string",
direction="string",
scope="string",
nano=boolean,
ids=id_list
)
print(response)
Back to Table of Contents
Look up instances of indicators such as hashes, domain names, and ip addresses that have been seen on devices in your environment.
get_ran_on
Method | Route |
---|---|
/threatgraph/combined/ran-on/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
value | query | string | The value of the indicator to search by. | ||
type | query | string | The type of indicator that you would like to retrieve | ||
limit | query | integer | How many edges to return in a single request [1-100] | ||
offset | query | string | The offset to use to retrieve the next page of results | ||
nano | query | boolean | Return nano-precision entity timestamps |
from falconpy import ThreatGraph
falcon = ThreatGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_ran_on(value="string",
type="string",
limit=integer,
offset="string",
nano=boolean
)
print(response)
from falconpy import ThreatGraph
falcon = ThreatGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.combined_ran_on_get(value="string",
type="string",
limit=integer,
offset="string",
nano=boolean
)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("combined_ran_on_get",
value="string",
type="string",
limit=integer,
offset="string",
nano=boolean
)
print(response)
Back to Table of Contents
Retrieve summary for a given vertex ID
get_summary
Method | Route |
---|---|
/threatgraph/combined/{vertex-type}/summary/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
vertex_type | path | string | Type of vertex to get properties for. Available values: accessory , accessories , actor , ad_computer , ad-computers , adfs_application , adfs-applications , ad_group , ad-groups , aggregate_indicator , aggregate-indicators , sensor , devices , mobile_app , mobile-apps , azure_application , azure-applications , azure_ad_user , azure-ad-users , containerized_app , containerized-apps , certificate , certificates , command_line , command-lines , control_graph , control-graphs , detection , detections , domain , domains , extracted_file , extracted-files , firmware , firmwares , mobile_fs_volume , mobile-fs-volumes , firewall , firewalls , firewall_rule_match , firewall_rule_matches , host_name , host-names , detection_index , detection-indices , idp_indicator , idp-indicators , idp_session , idp-sessions , incident , incidents , indicator , indicators , ipv4 , ipv6 , k8s_cluster , k8s_clusters , legacy_detection , legacy-detections , mobile_os_forensics_report , mobile_os_forensics_reports , mobile_indicator , mobile-indicators , module , modules , macro_script , macro_scripts , okta_application , okta-applications , okta_user , okta-users , process , processes , ping_fed_application , ping-fed-applications , quarantined_file , quarantined-files , script , scripts , shield , shields , sensor_self_diagnostic , sensor-self-diagnostics , kerberos_ticket , kerberos-tickets , user_id , users , user_session , user-sessions , wifi_access_point , wifi-access-points , xdr , any-vertex
|
||
ids | query | array (string) | Vertex ID to get details for | ||
scope | query | string | Scope of the request | ||
nano | query | boolean | Return nano-precision entity timestamps |
from falconpy import ThreatGraph
falcon = ThreatGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_summary(scope="string", nano=boolean, ids=id_list, vertex_type="string")
print(response)
from falconpy import ThreatGraph
falcon = ThreatGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.combined_summary_get(scope="string",
nano=boolean,
ids=id_list,
vertex_type="string"
)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("combined_summary_get",
scope="string",
nano=boolean,
ids=id_list,
vertex_type="string"
)
print(response)
Back to Table of Contents
Retrieve metadata for a given vertex ID
get_vertices_v1
Method | Route |
---|---|
/threatgraph/entities/{vertex-type}/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
vertex_type | path | string | Type of vertex to get properties for. Available values : accessory , accessories , actor , ad_computer , ad-computers , adfs_application , adfs-applications , ad_group , ad-groups , aggregate_indicator , aggregate-indicators , sensor , devices , mobile_app , mobile-apps , azure_application , azure-applications , azure_ad_user , azure-ad-users , containerized_app , containerized-apps , certificate , certificates , command_line , command-lines , control_graph , control-graphs , detection , detections , domain , domains , extracted_file , extracted-files , firmware , firmwares , mobile_fs_volume , mobile-fs-volumes , firewall , firewalls , firewall_rule_match , firewall_rule_matches , host_name , host-names , detection_index , detection-indices , idp_indicator , idp-indicators , idp_session , idp-sessions , incident , incidents , indicator , indicators , ipv4 , ipv6 , k8s_cluster , k8s_clusters , legacy_detection , legacy-detections , mobile_os_forensics_report , mobile_os_forensics_reports , mobile_indicator , mobile-indicators , module , modules , macro_script , macro_scripts , okta_application , okta-applications , okta_user , okta-users , process , processes , ping_fed_application , ping-fed-applications , quarantined_file , quarantined-files , script , scripts , shield , shields , sensor_self_diagnostic , sensor-self-diagnostics , kerberos_ticket , kerberos-tickets , user_id , users , user_session , user-sessions , wifi_access_point , wifi-access-points , xdr , any-vertex
|
||
ids | query | array (string) | Vertex ID to get details for | ||
scope | query | string | Scope of the request | ||
nano | query | boolean | Return nano-precision entity timestamps |
from falconpy import ThreatGraph
falcon = ThreatGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_vertices_v1(scope="string", nano=boolean, ids=id_list, vertex_type="string")
print(response)
from falconpy import ThreatGraph
falcon = ThreatGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.entities_vertices_get(scope="string",
nano=boolean,
ids=id_list,
vertex_type="string"
)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("entities_vertices_get",
scope="string",
nano="string",
ids=id_list,
vertex_type="string"
)
print(response)
Back to Table of Contents
Retrieve metadata for a given vertex ID
get_vertices
Method | Route |
---|---|
/threatgraph/entities/{vertex-type}/v2 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
vertex_type | path | string | Type of vertex to get properties for. Available values : accessory , accessories , actor , ad_computer , ad-computers , adfs_application , adfs-applications , ad_group , ad-groups , aggregate_indicator , aggregate-indicators , sensor , devices , mobile_app , mobile-apps , azure_application , azure-applications , azure_ad_user , azure-ad-users , containerized_app , containerized-apps , certificate , certificates , command_line , command-lines , control_graph , control-graphs , detection , detections , domain , domains , extracted_file , extracted-files , firmware , firmwares , mobile_fs_volume , mobile-fs-volumes , firewall , firewalls , firewall_rule_match , firewall_rule_matches , host_name , host-names , detection_index , detection-indices , idp_indicator , idp-indicators , idp_session , idp-sessions , incident , incidents , indicator , indicators , ipv4 , ipv6 , k8s_cluster , k8s_clusters , legacy_detection , legacy-detections , mobile_os_forensics_report , mobile_os_forensics_reports , mobile_indicator , mobile-indicators , module , modules , macro_script , macro_scripts , okta_application , okta-applications , okta_user , okta-users , process , processes , ping_fed_application , ping-fed-applications , quarantined_file , quarantined-files , script , scripts , shield , shields , sensor_self_diagnostic , sensor-self-diagnostics , kerberos_ticket , kerberos-tickets , user_id , users , user_session , user-sessions , wifi_access_point , wifi-access-points , xdr , any-vertex
|
||
ids | query | array (string) | Vertex ID to get details for | ||
scope | query | string | Scope of the request | ||
nano | query | boolean | Return nano-precision entity timestamps |
from falconpy import ThreatGraph
falcon = ThreatGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_vertices(scope="string", nano=boolean, ids=id_list, vertex_type="string")
print(response)
from falconpy import ThreatGraph
falcon = ThreatGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.entities_vertices_getv2(scope="string",
nano=boolean,
ids=id_list,
vertex_type="string"
)
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("entities_vertices_getv2",
scope="string",
nano=boolean,
ids=id_list,
vertex_type="string"
)
print(response)
Back to Table of Contents
Show all available edge types
get_edge_types
Method | Route |
---|---|
/threatgraph/queries/edge-types/v1 |
- Produces: application/json
No keywords or arguments accepted
from falconpy import ThreatGraph
falcon = ThreatGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_edge_types()
print(response)
from falconpy import ThreatGraph
falcon = ThreatGraph(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.queries_edgetypes_get()
print(response)
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("queries_edgetypes_get")
print(response)
Back to Table of Contents