CrowdStrike Falcon CrowdStrike Subreddit

Using the Intel service collection

Uber class support Service class support Documentation Version Page Updated Samples Available

This service collection has code examples posted to the repository.

Table of Contents

Operation IDDescription
QueryIntelActorEntities
PEP 8query_actor_entities
Get info about actors that match provided FQL filters.
QueryIntelIndicatorEntities
PEP 8query_indicator_entities
Get info about indicators that match provided FQL filters.
QueryIntelReportEntities
PEP 8query_report_entities
Get info about reports that match provided FQL filters.
GetIntelActorEntities
PEP 8get_actor_entities
Retrieve specific actors using their actor IDs.
GetIntelIndicatorEntities
PEP 8get_indicator_entities
Retrieve specific indicators using their indicator IDs.
GetMalwareEntities
PEP 8get_malware_entities
Get malware entities for specified IDs.
GetMitreReport
PEP 8get_mitre_report
Export Mitre ATT&CK information for a given actor.
PostMitreAttacks
PEP 8mitre_attacks
Retrieve report and observable IDs associated with the given actor and attacks.
GetIntelReportPDF
PEP 8get_report_pdf
Return a Report PDF attachment
GetIntelReportEntities
PEP 8get_report_entities
Retrieve specific reports using their report IDs.
GetIntelRuleFile
PEP 8get_rule_file
Download earlier rule sets.
GetLatestIntelRuleFile
PEP 8get_latest_rule_file
Download the latest rule set.
GetIntelRuleEntities
PEP 8get_rule_entities
Retrieve details for rule sets for the specified ids.
GetVulnerabilities
PEP8get_vulnerabilities
Get vulnerabilities
QueryIntelActorIds
PEP 8query_actor_ids
Get actor IDs that match provided FQL filters.
QueryIntelIndicatorIds
PEP 8query_indicator_ids
Get indicators IDs that match provided FQL filters.
QueryMalware
PEP 8query_malware
Get malware family names that match provided FQL filters.
QueryMitreAttacksForMalware
PEP 8query_mitre_attacks_for_malware
Gets MITRE tactics and techniques for the given malware.
QueryMitreAttacks
PEP 8query_mitre_attacks
Gets MITRE tactics and techniques for the given actor.
QueryIntelReportIds
PEP 8query_report_ids
Get report IDs that match provided FQL filters.
QueryIntelRuleIds
PEP 8query_rule_ids
Search for rule IDs that match provided filter criteria.
QueryVulnerabilities
PEP8query_vulnerabilities
Get vulnerabilities IDs

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

QueryIntelActorEntities

Get info about actors that match provided FQL filters.

PEP8 method name

query_actor_entities

Endpoint

MethodRoute
GET/intel/combined/actors/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
fields
Service Class Support

Uber Class Support
querystringThe fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__.

Ex: slug __full__.

Defaults to __basic__.
filter
Service Class Support

Uber Class Support
querystringFQL query expression that should be used to limit the results.

Filter parameters include:
actorssub_type.name
actors.idsub_type.slug
actors.nametags
actors.slugtags.id
actors.urltags.slug
created_datetags.value
descriptiontarget_countries
idtarget_countries.id
last_modified_datetarget_countries.slug
motivationstarget_countries.value
motivations.idtarget_industries
motivations.slugtarget_industries.id
motivations.valuetarget_industries.slug
nametarget_industries.value
name.rawtype
short_descriptiontype.id
slugtype.name
sub_typetype.slug
sub_type.idurl
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
querystringStarting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_actor_entities(offset=integer,
                                       limit=integer,
                                       sort="string",
                                       filter="string",
                                       q="string",
                                       fields=["string", "string"]
                                       )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelActorEntities(offset=integer,
                                          limit=integer,
                                          sort="string",
                                          filter="string",
                                          q="string",
                                          fields=["string", "string"]
                                          )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelActorEntities", 
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          fields=["string", "string"]
                          )

print(response)

Back to Table of Contents

QueryIntelIndicatorEntities

Get info about indicators that match provided FQL filters.

PEP8 method name

query_indicator_entities

Endpoint

MethodRoute
GET/intel/combined/indicators/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
fields
Service Class Support

Uber Class Support
querystringThe fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__.

Ex: slug __full__.

Defaults to __basic__.
filter
Service Class Support

Uber Class Support
querystringFQL query expression that should be used to limit the results.

Filter parameters include:
_markerlabels.name
actorslast_updated
deletedmalicious_confidence
domain_typesmalware_families
idpublished_date
indicatorreports
ip_address_typestargets
kill_chainsthreat_types
labelstype
labels.created_onvulnerabilities
labels.last_valid_on 
include_deleted
Service Class Support

Uber Class Support
querybooleanFlag indicating if both published and deleted indicators should be returned.
include_relations
Service Class Support

Uber Class Support
querybooleanFlag indicating if related indicators should be returned.
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
querystringStarting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_indicator_entities(offset=integer,
                                           limit=integer,
                                           sort="string",
                                           filter="string",
                                           q="string",
                                           include_deleted=boolean
                                           )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelIndicatorEntities(offset=integer,
                                              limit=integer,
                                              sort="string",
                                              filter="string",
                                              q="string",
                                              include_deleted=boolean
                                              )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelIndicatorEntities",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          include_deleted=boolean
                          )

print(response)

Back to Table of Contents

QueryIntelReportEntities

Get info about reports that match provided FQL filters.

PEP8 method name

query_report_entities

Endpoint

MethodRoute
GET/intel/combined/reports/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
fields
Service Class Support

Uber Class Support
querystringThe fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__.

Ex: slug __full__.

Defaults to __basic__.
filter
Service Class Support

Uber Class Support
querystringFQL query expression that should be used to limit the results.

Filter parameters include:
actorssub_type.name
actors.idsub_type.slug
actors.nametags
actors.slugtags.id
actors.urltags.slug
created_datetags.value
descriptiontarget_countries
idtarget_countries.id
last_modified_datetarget_countries.slug
motivationstarget_countries.value
motivations.idtarget_industries
motivations.slugtarget_industries.id
motivations.valuetarget_industries.slug
nametarget_industries.value
name.rawtype
short_descriptiontype.id
slugtype.name
sub_typetype.slug
sub_type.idurl
include_deleted
Service Class Support

Uber Class Support
querybooleanFlag indicating if both published and deleted indicators should be returned.
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
querystringStarting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_report_entities(offset=integer,
                                        limit=integer,
                                        sort="string",
                                        filter="string",
                                        q="string",
                                        fields=["string", "string"]
                                        )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelReportEntities(offset=integer,
                                           limit=integer,
                                           sort="string",
                                           filter="string",
                                           q="string",
                                           fields=["string", "string"]
                                           )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelReportEntities",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          fields=["string", "string"]
                          )

print(response)

Back to Table of Contents

GetIntelActorEntities

Retrieve specific actors using their actor IDs.

PEP8 method name

get_actor_entities

Endpoint

MethodRoute
GET/intel/entities/actors/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsActor IDs to retrieve.
fields
Service Class Support

Uber Class Support
queryarray (string)The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__.

Ex: slug __full__.

Defaults to __basic__.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_actor_entities(fields=["string", "string"], ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelActorEntities(fields=["string", "string"], ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetIntelActorEntities", fields=["string", "string"], ids=id_list)

print(response)

Back to Table of Contents

GetIntelIndicatorEntities

Retrieve specific indicators using their indicator IDs.

PEP8 method name

get_indicator_entities

Endpoint

MethodRoute
POST/intel/entities/indicators/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
bodystring or list of stringsIndicator IDs to retrieve.
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.

Usage

You must use either the body or the ids keywords in order to use this method.

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_indicator_entities(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelIndicatorEntities(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
  "ids": id_list
}

response = falcon.command("GetIntelIndicatorEntities", body=BODY)

print(response)

Back to Table of Contents

GetMalwareEntities

Get malware entities for specified IDs.

PEP8 method name

get_malware_entities

Endpoint

MethodRoute
GET/intel/entities/malware/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsMalware family name in lower case with spaces replaced with dashes.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.get_malware_entities(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.GetMalwareEntities(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.command("GetMalwareEntities", ids=id_list)

print(response)

Back to Table of Contents

GetMitreReport

Export Mitre ATT&CK information for a given actor.

PEP8 method name

get_mitre_report

Endpoint

MethodRoute
GET/intel/entities/mitre-reports/v1

Content-Type

  • Produces: application/octet-stream

Keyword Arguments

NameServiceUberTypeData typeDescription
actor_id
Service Class Support

Uber Class Support
querystringActor IDs (derived from actor name).
format
Service Class Support

Uber Class Support
querystringReport format (json or csv).
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

with open("filename.ext", "wb") as output_file:
    output_file.write(falcon.get_mitre_report(actor_id="string", format="string"))
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

with open("filename.ext", "wb") as output_file:
    output_file.write(falcon.GetMitreReport(actor_id="string", format="string"))

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("filename.ext", "wb") as output_file:
    output_file.write(falcon.command("GetMitreReport", actor_id="string", format="string"))

print(response)

Back to Table of Contents

PostMitreAttacks

Retrieves report and observable IDs associated with the given actor and attacks.

PEP8 method name

mitre_attacks

Endpoint

MethodRoute
POST/intel/entities/mitre/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
ids
Service Class Support

Uber Class Support
bodystring or list of stringsThe actor / attack IDs to retrieve.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.mitre_attacks(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.PostMitreAttacks(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("PostMitreAttacks", ids=id_list)

print(response)

Back to Table of Contents

GetIntelReportPDF

Return a Report PDF attachment

PEP8 method name

get_report_pdf

Endpoint

MethodRoute
GET/intel/entities/report-files/v1

Content-Type

  • Produces: application/octet-stream

Keyword Arguments

NameServiceUberTypeData typeDescription
id
Service Class Support

Uber Class Support
querystringReport ID to download as a PDF.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

The id parameter must be passed to the Uber class as part of the parameters dictionary.

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.ext"

response = falcon.get_report_pdf(id="string")
open(save_file, 'wb').write(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.ext"

response = falcon.GetIntelReportPDF(id="string")
open(save_file, 'wb').write(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

save_file = "some_file.ext"

response = falcon.command("GetIntelReportPDF", id="string")
open(save_file, 'wb').write(response)

Back to Table of Contents

GetIntelReportEntities

Retrieve specific reports using their report IDs.

PEP8 method name

get_report_entities

Endpoint

MethodRoute
GET/intel/entities/reports/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsReport IDs to retrieve.
fields
Service Class Support

Uber Class Support
queryarray (string)The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__.

Ex: slug __full__.

Defaults to __basic__.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_report_entities(fields=["string", "string"], ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelReportEntities(fields=["string", "string"], ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetIntelReportEntities", fields=["string", "string"], ids=id_list)

print(response)

Back to Table of Contents

GetIntelRuleFile

Download earlier rule sets.

PEP8 method name

get_rule_file

Endpoint

MethodRoute
GET/intel/entities/rules-files/v1

Content-Type

  • Produces: application/zip

Keyword Arguments

NameServiceUberTypeData typeDescription
id
Service Class Support

Uber Class Support
querystringRule set ID to retrieve.
format
Service Class Support

Uber Class Support
querystringChoose the format you want the ruleset in. Valid formats are zip and gzip. Defaults to zip.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.get_rule_file(id=integer, format="string")
open(save_file, 'wb').write(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.GetIntelRuleFile(id=integer, format="string")
open(save_file, 'wb').write(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

save_file = "some_file.zip"

response = falcon.command("GetIntelRuleFile", format="string", id=integer)
open(save_file, 'wb').write(response)

Back to Table of Contents

GetLatestIntelRuleFile

Download the latest rule set.

PEP8 method name

get_latest_rule_file

Endpoint

MethodRoute
GET/intel/entities/rules-latest-files/v1

Content-Type

  • Produces: application/zip

Keyword Arguments

NameServiceUberTypeData typeDescription
type
Service Class Support

Uber Class Support
querystringThe rule news report type.

Accepted values:
  • snort-suricata-master
  • snort-suricata-update
  • snort-suricata-changelog
  • yara-master
  • yara-update
  • yara-changelog
  • common-event-format
  • netwitness
  • cql-master
  • cql-update
  • cql-changelog
format
Service Class Support

Uber Class Support
querystringChoose the format you want the rule set in. Valid formats are zip and gzip. Defaults to zip.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.get_latest_rule_file(type="string", format="string")
open(save_file, 'wb').write(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.GetLatestIntelRuleFile(type="string", format="string")
open(save_file, 'wb').write(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

save_file = "some_file.zip"

response = falcon.command("GetLatestIntelRuleFile", type="string", format="string")
open(save_file, 'wb').write(response)

Back to Table of Contents

GetIntelRuleEntities

Retrieve details for rule sets for the specified ids.

PEP8 method name

get_rule_entities

Endpoint

MethodRoute
GET/intel/entities/rules/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsRule IDs to retrieve.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_entities(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelRuleEntities(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetIntelRuleEntities", ids=id_list)

print(response)

Back to Table of Contents

GetVulnerabilities

Get vulnerabilities by ID(s).

PEP8 method name

get_vulnerabilities

Endpoint

MethodRoute
POST/intel/entities/vulnerabilities/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
body
Service Class Support

Uber Class Support
bodydictionaryFull body payload in JSON format.
ids
Service Class Support

Uber Class Support
bodystring or list of stringsVulnerability IDs to retrieve.

Usage

Service class example (PEP8 syntax)
from falconpy.intel import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_vulnerabilities(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetVulnerabilities(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetVulnerabilities", ids=id_list)

print(response)

Back to Table of Contents

QueryIntelActorIds

Get actor IDs that match provided FQL filters.

PEP8 method name

query_actor_ids

Endpoint

MethodRoute
GET/intel/queries/actors/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFQL query expression that should be used to limit the results.

Filter parameters include:
actorssub_type.name
actors.idsub_type.slug
actors.nametags
actors.slugtags.id
actors.urltags.slug
created_datetags.value
descriptiontarget_countries
idtarget_countries.id
last_modified_datetarget_countries.slug
motivationstarget_countries.value
motivations.idtarget_industries
motivations.slugtarget_industries.id
motivations.valuetarget_industries.slug
nametarget_industries.value
name.rawtype
short_descriptiontype.id
slugtype.name
sub_typetype.slug
sub_type.idurl
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
querystringStarting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_actor_ids(offset=integer,
                                  limit=integer,
                                  sort="string",
                                  filter="string",
                                  q="string"
                                  )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelActorIds(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string",
                                     q="string"
                                     )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelActorIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

QueryIntelIndicatorIds

Get indicators IDs that match provided FQL filters.

PEP8 method name

query_indicator_ids

Endpoint

MethodRoute
GET/intel/queries/indicators/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFQL query expression that should be used to limit the results.

Filter parameters include:
_markerlabels.name
actorslast_updated
deletedmalicious_confidence
domain_typesmalware_families
idpublished_date
indicatorreports
ip_address_typestargets
kill_chainsthreat_types
labelstype
labels.created_onvulnerabilities
labels.last_valid_on 
include_deleted
Service Class Support

Uber Class Support
querybooleanFlag indicating if both published and deleted indicators should be returned.
include_relations
Service Class Support

Uber Class Support
querybooleanFlag indicating if related indicators should be returned.
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
querystringStarting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_indicator_ids(offset=integer,
                                      limit=integer,
                                      sort="string",
                                      filter="string",
                                      q="string",
                                      include_deleted=boolean
                                      )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelIndicatorIds(offset=integer,
                                         limit=integer,
                                         sort="string",
                                         filter="string",
                                         q="string",
                                         include_deleted=boolean
                                         )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelIndicatorIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          include_deleted=boolean
                          )

print(response)

Back to Table of Contents

QueryMalware

Get malware family names that match provided FQL filters.

PEP8 method name

query_malware

Endpoint

MethodRoute
GET/intel/queries/malware/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFQL query expression that should be used to limit the results.
limit
Service Class Support

Uber Class Support
queryintegerSet the number of malware IDs to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
querystringSet the starting row number to return malware IDs from. Defaults to 0.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_malware(offset=integer,
                                limit=integer,
                                sort="string",
                                filter="string",
                                q="string"
                                )
print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryMalware(offset=integer,
                               limit=integer,
                               sort="string",
                               filter="string",
                               q="string"
                               )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryMalware", 
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )
print(response)

Back to Table of Contents

QueryMitreAttacksForMalware

Gets MITRE tactics and techniques for the given malware.

PEP8 method name

query_mitre_attacks_for_malware

Endpoint

MethodRoute
GET/intel/queries/mitre-malware/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
ids
Service Class Support

Uber Class Support
querystring or list of stringsMalware family name in lower case with spaces replaced with dashes.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.query_mitre_attacks_for_malware(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.QueryMitreAttacksForMalware(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.command("QueryMitreAttacksForMalware", ids=id_list)

print(response)

Back to Table of Contents

QueryMitreAttacks

Gets MITRE tactics and techniques for the given actor.

PEP8 method name

query_mitre_attacks

Endpoint

MethodRoute
GET/intel/queries/mitre/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
id
Service Class Support

Uber Class Support
querystringActor ID for which to retrieve a list of attacks.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_mitre_attacks(id="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryMitreAttacks(id="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryMitreAttacks", id="string")

print(response)

Back to Table of Contents

QueryIntelReportIds

Get report IDs that match provided FQL filters.

PEP8 method name

query_report_ids

Endpoint

MethodRoute
GET/intel/queries/reports/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFQL query expression that should be used to limit the results.

Filter parameters include:
actorssub_type.name
actors.idsub_type.slug
actors.nametags
actors.slugtags.id
actors.urltags.slug
created_datetags.value
descriptiontarget_countries
idtarget_countries.id
last_modified_datetarget_countries.slug
motivationstarget_countries.value
motivations.idtarget_industries
motivations.slugtarget_industries.id
motivations.valuetarget_industries.slug
nametarget_industries.value
name.rawtype
short_descriptiontype.id
slugtype.name
sub_typetype.slug
sub_type.idurl
include_deleted
Service Class Support

Uber Class Support
querybooleanFlag indicating if both published and deleted indicators should be returned.
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
querystringStarting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_report_ids(offset=integer,
                                   limit=integer,
                                   sort="string",
                                   filter="string",
                                   q="string"
                                   )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelReportIds(offset=integer,
                                      limit=integer,
                                      sort="string",
                                      filter="string",
                                      q="string"
                                      )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelReportIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

QueryIntelRuleIds

Search for rule IDs that match provided filter criteria.

PEP8 method name

query_rule_ids

Endpoint

MethodRoute
GET/intel/queries/rules/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return. (Max: 5000)
name
Service Class Support

Uber Class Support
querystring or list of stringsSearch by rule title.
description
Service Class Support

Uber Class Support
querystring or list of stringsSubstring match on description field.
offset
Service Class Support

Uber Class Support
querystringStarting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by. (Ex: created_date|desc)
type
Service Class Support

Uber Class Support
querystringThe rule news report type.

Accept values:
  • snort-suricata-master
  • snort-suricata-update
  • snort-suricata-changelog
  • yara-master
  • yara-update
  • yara-changelog
  • common-event-format
  • netwitness
  • cql-master
  • cql-update
  • cql-changelog
tags
Service Class Support

Uber Class Support
querystring or list of stringsSearch for rules by tag.
min_created_date
Service Class Support

Uber Class Support
querystringFilter results to those created on or after a certain date.
max_created_date
Service Class Support

Uber Class Support
querystringFilter results to those created on or before a certain date.
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_rule_ids(offset=integer,
                                 limit=integer,
                                 sort="string",
                                 name=["string", "string"],
                                 type="string",
                                 description=["string", "string"],
                                 tags=["string", "string"],
                                 min_created_date=integer,
                                 max_created_date="string",
                                 q="string"
                                 )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelRuleIds(offset=integer,
                                    limit=integer,
                                    sort="string",
                                    name=["string", "string"],
                                    type="string",
                                    description=["string", "string"],
                                    tags=["string", "string"],
                                    min_created_date=integer,
                                    max_created_date="string",
                                    q="string"
                                    )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelRuleIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          name=["string", "string"],
                          type="string",
                          description=["string", "string"],
                          tags=["string", "string"],
                          min_created_date=integer,
                          max_created_date="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

QueryVulnerabilities

Query for vulnerabilities IDs.

PEP8 method name

query_vulnerabilities

Endpoint

MethodRoute
GET/intel/queries/vulnerabilities/v1

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
filter
Service Class Support

Uber Class Support
querystringFQL query expression that should be used to limit the results.
limit
Service Class Support

Uber Class Support
queryintegerMaximum number of records to return. (Max: 5000)
offset
Service Class Support

Uber Class Support
querystringStarting index of overall result set from which to return ids.
q
Service Class Support

Uber Class Support
querystringFree text search across all indexed fields.
sort
Service Class Support

Uber Class Support
querystringThe property to sort by. (Ex: created_date|desc)
parameters
Service Class Support

Uber Class Support
querydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.intel import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_vulnerabilities(offset="string",
                                        limit=integer,
                                        sort="string",
                                        filter="string",
                                        q="string"
                                        )

print(response)
Service class example (Operation ID syntax)
from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryVulnerabilities(offset="string",
                                       limit=integer,
                                       sort="string",
                                       filter="string",
                                       q="string"
                                       )

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryVulnerabilities",
                          offset="string",
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents