CrowdStrike Falcon CrowdStrike Subreddit

Using the Intelligence Indicator Graph service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation IDDescription
GetIndicatorAggregates
PEP8aggregate_indicators
Get indicator aggregates as specified via json in request body.
SearchIndicators
PEP8search
Search indicators based on FQL filter.

GetIndicatorAggregates

Get indicator aggregates as specified via json in request body.

PEP8 method name

aggregate_indicators

Endpoint

MethodRoute
POST/intelligence/aggregates/indicators/v1

Required Scope

indicator-graph:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
bodyService Class SupportUber Class SupportbodydictionaryFull body payload as a dictionary. Not required when using other keywords.
date_rangesService Class SupportNo Uber Class Supportbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    "from": "2016-05-28T09:00:31Z",
    "to": "2016-05-30T09:00:31Z"
  },
  {
    "from": "2016-06-01T09:00:31Z",
    "to": "2016-06-10T09:00:31Z"
  }
]
excludeService Class SupportNo Uber Class SupportbodystringElements to exclude.
extended_boundsService Class SupportNo Uber Class SupportbodydictionaryExtended aggregate boundaries. Contains max and min values as strings.

Example:
  {
    "max": "string",
    "min": "string"
  }
fieldService Class SupportNo Uber Class SupportbodystringThe field on which to compute the aggregation.
filterService Class SupportNo Uber Class SupportbodystringFQL syntax formatted string to use to filter the results.
fromService Class SupportNo Uber Class SupportbodyintegerStarting position.
includeService Class SupportNo Uber Class SupportbodystringElements to include.
intervalService Class SupportNo Uber Class SupportbodystringTime interval for date histogram aggregations. Valid values include:
  • year
  • month
  • week
  • day
  • hour
  • minute
max_doc_countService Class SupportNo Uber Class SupportbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countService Class SupportNo Uber Class SupportbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingService Class SupportNo Uber Class SupportbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
nameService Class SupportNo Uber Class SupportbodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qService Class SupportNo Uber Class SupportbodystringFull text search across all metadata fields.
rangesService Class SupportNo Uber Class Supportbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    "From": 0,
    "To": 70
  },
  {
    "From": 70,
    "To": 100
  }
]
sizeService Class SupportNo Uber Class SupportbodyintegerThe max number of term buckets to be returned.
sub_aggregatesService Class SupportNo Uber Class Supportbodylist of dictionariesA nested aggregation, such as:
[
  {
    "name": "max_first_behavior",
    "type": "max",
    "field": "first_behavior"
  }
]

There is a maximum of 3 nested aggregations per request.
sortService Class SupportNo Uber Class SupportbodystringFQL syntax string to sort bucket results.
  • _count - sort by document count
  • _term - sort by the string value alphabetically
Supports asc and desc using | format.

Example: _count|desc
time_zoneService Class SupportNo Uber Class SupportbodystringTime zone for bucket results.
typeService Class SupportNo Uber Class SupportbodystringType of aggregation. Valid values include:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)
from falconpy import IntelligenceIndicatorGraph

falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

date_range = {
    "from": "string",
    "to": "string"
}
bounds = {
    "max": "string",
    "min": "string"
}
search_range = {
    "From": integer,
    "To": integer
}

response = falcon.aggregate_indicators(date_ranges=[date_range],
                                       exclude="string",
                                       extended_bounds=bounds,
                                       field="string",
                                       filter="string",
                                       from=integer,
                                       include="string",
                                       interval="string",
                                       max_doc_count=integer,
                                       min_doc_count=integer,
                                       missing="string",
                                       name="string",
                                       q="string",
                                       ranges=[search_range],
                                       size=integer,
                                       sort="string",
                                       time_zone="string",
                                       type="string"
                                       )
print(response)
Service class example (Operation ID syntax)
from falconpy import IntelligenceIndicatorGraph

falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

date_range = {
    "from": "string",
    "to": "string"
}
bounds = {
    "max": "string",
    "min": "string"
}
search_range = {
    "From": integer,
    "To": integer
}

response = falcon.GetIndicatorAggregates(date_ranges=[date_range],
                                         exclude="string",
                                         extended_bounds=bounds,
                                         field="string",
                                         filter="string",
                                         from=integer,
                                         include="string",
                                         interval="string",
                                         max_doc_count=integer,
                                         min_doc_count=integer,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=[search_range],
                                         size=integer,
                                         sort="string",
                                         time_zone="string",
                                         type="string"
                                         )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = [
    {
        "date_ranges": [
            {
                "from": "string",
                "to": "string"
            }
        ],
        "exclude": "string",
        "extended_bounds": {
            "max": "string",
            "min": "string"
        }
        "field": "string",
        "filter": "string",
        "from": integer,
        "include": "string",
        "interval": "string",
        "max_doc_count": integer,
        "min_doc_count": integer,
        "missing": "string",
        "name": "string",
        "q": "string",
        "ranges": [
            {
                "From": integer,
                "To": integer
            }
        ],
        "size": integer,
        "sort": "string",
        "sub_aggregates": [
            null
        ],
        "time_zone": "string",
        "type": "string"
    }
]

response = falcon.command("GetIndicatorAggregates", body=body_payload)

print(response)

SearchIndicators

Search indicators based on FQL filter.

PEP8 method name

search

Endpoint

MethodRoute
POST/intelligence/combined/indicators/v1

Required Scope

indicator-graph:read

Content-Type

  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
bodyService Class SupportUber Class SupportbodydictionaryFull body payload as JSON formatted dictionary.
filterService Class SupportUber Class SupportbodystringFQL formatted filter.
limitService Class SupportUber Class SupportqueryintegerLimit
offsetService Class SupportUber Class SupportquerystringOffset
parametersService Class SupportUber Class SupportquerydictionaryFull query parameters payload as a dictionary, not required when using other keywords.
sortService Class SupportUber Class Supportbodydictionary or list of dictionariesList of sort operations to perform on the resultset.

Usage

Service class example (PEP8 syntax)
from falconpy import IntelligenceIndicatorGraph

falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

sort_order = {
    "field": "string",
    "order": "string"
}

response = falcon.search(limit=integer, offset="string", filter="string", sort=sort_order)

print(response)
Service class example (Operation ID syntax)
from falconpy import IntelligenceIndicatorGraph

falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

sort_order = {
    "field": "string",
    "order": "string"
}

response = falcon.SearchIndicators(limit=integer,
                                   offset="string",
                                   filter="string",
                                   sort=sort_order
                                   )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
  "filter": "string",
  "sort": [
    {
      "field": "string",
      "order": "string"
    }
  ]
}

response = falcon.command("SearchIndicators", limit="string", offset="string", body=body_payload)

print(response)