Intel

Using the Intel service collection

This service collection has code examples posted to the repository.

Table of Contents

Operation ID	Description
QueryIntelActorEntities PEP 8 query_actor_entities	Get info about actors that match provided FQL filters.
QueryIntelIndicatorEntities PEP 8 query_indicator_entities	Get info about indicators that match provided FQL filters.
QueryIntelReportEntities PEP 8 query_report_entities	Get info about reports that match provided FQL filters.
GetIntelActorEntities PEP 8 get_actor_entities	Retrieve specific actors using their actor IDs.
GetIntelIndicatorEntities PEP 8 get_indicator_entities	Retrieve specific indicators using their indicator IDs.
GetMalwareEntities PEP 8 get_malware_entities	Get malware entities for specified IDs.
GetMitreReport PEP 8 get_mitre_report	Export Mitre ATT&CK information for a given actor.
PostMitreAttacks PEP 8 mitre_attacks	Retrieve report and observable IDs associated with the given actor and attacks.
GetIntelReportPDF PEP 8 get_report_pdf	Return a Report PDF attachment
GetIntelReportEntities PEP 8 get_report_entities	Retrieve specific reports using their report IDs.
GetIntelRuleFile PEP 8 get_rule_file	Download earlier rule sets.
GetLatestIntelRuleFile PEP 8 get_latest_rule_file	Download the latest rule set.
GetIntelRuleEntities PEP 8 get_rule_entities	Retrieve details for rule sets for the specified ids.
GetVulnerabilities PEP8 get_vulnerabilities	Get vulnerabilities
QueryIntelActorIds PEP 8 query_actor_ids	Get actor IDs that match provided FQL filters.
QueryIntelIndicatorIds PEP 8 query_indicator_ids	Get indicators IDs that match provided FQL filters.
QueryMalware PEP 8 query_malware	Get malware family names that match provided FQL filters.
QueryMitreAttacksForMalware PEP 8 query_mitre_attacks_for_malware	Gets MITRE tactics and techniques for the given malware.
QueryMitreAttacks PEP 8 query_mitre_attacks	Gets MITRE tactics and techniques for the given actor.
QueryIntelReportIds PEP 8 query_report_ids	Get report IDs that match provided FQL filters.
QueryIntelRuleIds PEP 8 query_rule_ids	Search for rule IDs that match provided filter criteria.
QueryVulnerabilities PEP8 query_vulnerabilities	Get vulnerabilities IDs

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

QueryIntelActorEntities

Get info about actors that match provided FQL filters.

PEP8 method name

query_actor_entities

Endpoint

Method	Route
	/intel/combined/actors/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
fields			query	string	The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
filter			query	string	FQL query expression that should be used to limit the results. Filter parameters include: actors sub_type.name actors.id sub_type.slug actors.name tags actors.slug tags.id actors.url tags.slug created_date tags.value description target_countries id target_countries.id last_modified_date target_countries.slug motivations target_countries.value motivations.id target_industries motivations.slug target_industries.id motivations.value target_industries.slug name target_industries.value name.raw type short_description type.id slug type.name sub_type type.slug sub_type.id url
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_actor_entities(offset=integer,
                                       limit=integer,
                                       sort="string",
                                       filter="string",
                                       q="string",
                                       fields=["string", "string"]
                                       )

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelActorEntities(offset=integer,
                                          limit=integer,
                                          sort="string",
                                          filter="string",
                                          q="string",
                                          fields=["string", "string"]
                                          )

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelActorEntities", 
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          fields=["string", "string"]
                          )

print(response)

Back to Table of Contents

QueryIntelIndicatorEntities

Get info about indicators that match provided FQL filters.

PEP8 method name

query_indicator_entities

Endpoint

Method	Route
	/intel/combined/indicators/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
fields			query	string	The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
filter			query	string	FQL query expression that should be used to limit the results. Filter parameters include: _marker labels.name actors last_updated deleted malicious_confidence domain_types malware_families id published_date indicator reports ip_address_types targets kill_chains threat_types labels type labels.created_on vulnerabilities labels.last_valid_on
include_deleted			query	boolean	Flag indicating if both published and deleted indicators should be returned.
include_relations			query	boolean	Flag indicating if related indicators should be returned.
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_indicator_entities(offset=integer,
                                           limit=integer,
                                           sort="string",
                                           filter="string",
                                           q="string",
                                           include_deleted=boolean
                                           )

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelIndicatorEntities(offset=integer,
                                              limit=integer,
                                              sort="string",
                                              filter="string",
                                              q="string",
                                              include_deleted=boolean
                                              )

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelIndicatorEntities",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          include_deleted=boolean
                          )

print(response)

Back to Table of Contents

QueryIntelReportEntities

Get info about reports that match provided FQL filters.

PEP8 method name

query_report_entities

Endpoint

Method	Route
	/intel/combined/reports/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
fields			query	string	The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
filter			query	string	FQL query expression that should be used to limit the results. Filter parameters include: actors sub_type.name actors.id sub_type.slug actors.name tags actors.slug tags.id actors.url tags.slug created_date tags.value description target_countries id target_countries.id last_modified_date target_countries.slug motivations target_countries.value motivations.id target_industries motivations.slug target_industries.id motivations.value target_industries.slug name target_industries.value name.raw type short_description type.id slug type.name sub_type type.slug sub_type.id url
include_deleted			query	boolean	Flag indicating if both published and deleted indicators should be returned.
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_report_entities(offset=integer,
                                        limit=integer,
                                        sort="string",
                                        filter="string",
                                        q="string",
                                        fields=["string", "string"]
                                        )

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelReportEntities(offset=integer,
                                           limit=integer,
                                           sort="string",
                                           filter="string",
                                           q="string",
                                           fields=["string", "string"]
                                           )

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelReportEntities",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          fields=["string", "string"]
                          )

print(response)

Back to Table of Contents

GetIntelActorEntities

Retrieve specific actors using their actor IDs.

PEP8 method name

get_actor_entities

Endpoint

Method	Route
	/intel/entities/actors/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Actor IDs to retrieve.
fields			query	array (string)	The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_actor_entities(fields=["string", "string"], ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelActorEntities(fields=["string", "string"], ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetIntelActorEntities", fields=["string", "string"], ids=id_list)

print(response)

Back to Table of Contents

GetIntelIndicatorEntities

Retrieve specific indicators using their indicator IDs.

PEP8 method name

get_indicator_entities

Endpoint

Method	Route
	/intel/entities/indicators/GET/v1

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			body	string or list of strings	Indicator IDs to retrieve.
body			body	dictionary	Full body payload in JSON format.

Usage

You must use either the body or the ids keywords in order to use this method.

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_indicator_entities(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelIndicatorEntities(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
  "ids": id_list
}

response = falcon.command("GetIntelIndicatorEntities", body=BODY)

print(response)

Back to Table of Contents

GetMalwareEntities

Get malware entities for specified IDs.

PEP8 method name

get_malware_entities

Endpoint

Method	Route
	/intel/entities/malware/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Malware family name in lower case with spaces replaced with dashes.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.get_malware_entities(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.GetMalwareEntities(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.command("GetMalwareEntities", ids=id_list)

print(response)

Back to Table of Contents

GetMitreReport

Export Mitre ATT&CK information for a given actor.

PEP8 method name

get_mitre_report

Endpoint

Method	Route
	/intel/entities/mitre-reports/v1

Content-Type

• Produces: application/octet-stream

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
actor_id			query	string	Actor IDs (derived from actor name).
format			query	string	Report format (json or csv).
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

with open("filename.ext", "wb") as output_file:
    output_file.write(falcon.get_mitre_report(actor_id="string", format="string"))

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

with open("filename.ext", "wb") as output_file:
    output_file.write(falcon.GetMitreReport(actor_id="string", format="string"))

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("filename.ext", "wb") as output_file:
    output_file.write(falcon.command("GetMitreReport", actor_id="string", format="string"))

print(response)

Back to Table of Contents

PostMitreAttacks

Retrieves report and observable IDs associated with the given actor and attacks.

PEP8 method name

mitre_attacks

Endpoint

Method	Route
	/intel/entities/mitre/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload in JSON format.
ids			body	string or list of strings	The actor / attack IDs to retrieve.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.mitre_attacks(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.PostMitreAttacks(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("PostMitreAttacks", ids=id_list)

print(response)

Back to Table of Contents

GetIntelReportPDF

Return a Report PDF attachment

PEP8 method name

get_report_pdf

Endpoint

Method	Route
	/intel/entities/report-files/v1

Content-Type

• Produces: application/octet-stream

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
id			query	string	Report ID to download as a PDF.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

The id parameter must be passed to the Uber class as part of the parameters dictionary.

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.ext"

response = falcon.get_report_pdf(id="string")
open(save_file, 'wb').write(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.ext"

response = falcon.GetIntelReportPDF(id="string")
open(save_file, 'wb').write(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

save_file = "some_file.ext"

response = falcon.command("GetIntelReportPDF", id="string")
open(save_file, 'wb').write(response)

Back to Table of Contents

GetIntelReportEntities

Retrieve specific reports using their report IDs.

PEP8 method name

get_report_entities

Endpoint

Method	Route
	/intel/entities/reports/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Report IDs to retrieve.
fields			query	array (string)	The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_report_entities(fields=["string", "string"], ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelReportEntities(fields=["string", "string"], ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetIntelReportEntities", fields=["string", "string"], ids=id_list)

print(response)

Back to Table of Contents

GetIntelRuleFile

Download earlier rule sets.

PEP8 method name

get_rule_file

Endpoint

Method	Route
	/intel/entities/rules-files/v1

Content-Type

• Produces: application/zip

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
id			query	string	Rule set ID to retrieve.
format			query	string	Choose the format you want the ruleset in. Valid formats are zip and gzip. Defaults to zip.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.get_rule_file(id=integer, format="string")
open(save_file, 'wb').write(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.GetIntelRuleFile(id=integer, format="string")
open(save_file, 'wb').write(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

save_file = "some_file.zip"

response = falcon.command("GetIntelRuleFile", format="string", id=integer)
open(save_file, 'wb').write(response)

Back to Table of Contents

GetLatestIntelRuleFile

Download the latest rule set.

PEP8 method name

get_latest_rule_file

Endpoint

Method	Route
	/intel/entities/rules-latest-files/v1

Content-Type

• Produces: application/zip

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
type			query	string	The rule news report type. Accepted values: snort-suricata-master snort-suricata-update snort-suricata-changelog yara-master yara-update yara-changelog common-event-format netwitness cql-master cql-update cql-changelog
format			query	string	Choose the format you want the rule set in. Valid formats are zip and gzip. Defaults to zip.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.get_latest_rule_file(type="string", format="string")
open(save_file, 'wb').write(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.GetLatestIntelRuleFile(type="string", format="string")
open(save_file, 'wb').write(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

save_file = "some_file.zip"

response = falcon.command("GetLatestIntelRuleFile", type="string", format="string")
open(save_file, 'wb').write(response)

Back to Table of Contents

GetIntelRuleEntities

Retrieve details for rule sets for the specified ids.

PEP8 method name

get_rule_entities

Endpoint

Method	Route
	/intel/entities/rules/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Rule IDs to retrieve.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_entities(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelRuleEntities(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetIntelRuleEntities", ids=id_list)

print(response)

Back to Table of Contents

GetVulnerabilities

Get vulnerabilities by ID(s).

PEP8 method name

get_vulnerabilities

Endpoint

Method	Route
	/intel/entities/vulnerabilities/GET/v1

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload in JSON format.
ids			body	string or list of strings	Vulnerability IDs to retrieve.

Usage

Service class example (PEP8 syntax)

from falconpy.intel import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_vulnerabilities(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetVulnerabilities(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetVulnerabilities", ids=id_list)

print(response)

Back to Table of Contents

QueryIntelActorIds

Get actor IDs that match provided FQL filters.

PEP8 method name

query_actor_ids

Endpoint

Method	Route
	/intel/queries/actors/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query expression that should be used to limit the results. Filter parameters include: actors sub_type.name actors.id sub_type.slug actors.name tags actors.slug tags.id actors.url tags.slug created_date tags.value description target_countries id target_countries.id last_modified_date target_countries.slug motivations target_countries.value motivations.id target_industries motivations.slug target_industries.id motivations.value target_industries.slug name target_industries.value name.raw type short_description type.id slug type.name sub_type type.slug sub_type.id url
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_actor_ids(offset=integer,
                                  limit=integer,
                                  sort="string",
                                  filter="string",
                                  q="string"
                                  )

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelActorIds(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string",
                                     q="string"
                                     )

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelActorIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

QueryIntelIndicatorIds

Get indicators IDs that match provided FQL filters.

PEP8 method name

query_indicator_ids

Endpoint

Method	Route
	/intel/queries/indicators/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query expression that should be used to limit the results. Filter parameters include: _marker labels.name actors last_updated deleted malicious_confidence domain_types malware_families id published_date indicator reports ip_address_types targets kill_chains threat_types labels type labels.created_on vulnerabilities labels.last_valid_on
include_deleted			query	boolean	Flag indicating if both published and deleted indicators should be returned.
include_relations			query	boolean	Flag indicating if related indicators should be returned.
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_indicator_ids(offset=integer,
                                      limit=integer,
                                      sort="string",
                                      filter="string",
                                      q="string",
                                      include_deleted=boolean
                                      )

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelIndicatorIds(offset=integer,
                                         limit=integer,
                                         sort="string",
                                         filter="string",
                                         q="string",
                                         include_deleted=boolean
                                         )

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelIndicatorIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          include_deleted=boolean
                          )

print(response)

Back to Table of Contents

QueryMalware

Get malware family names that match provided FQL filters.

PEP8 method name

query_malware

Endpoint

Method	Route
	/intel/queries/malware/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query expression that should be used to limit the results.
limit			query	integer	Set the number of malware IDs to return. (Max: 5000)
offset			query	string	Set the starting row number to return malware IDs from. Defaults to 0.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_malware(offset=integer,
                                limit=integer,
                                sort="string",
                                filter="string",
                                q="string"
                                )
print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryMalware(offset=integer,
                               limit=integer,
                               sort="string",
                               filter="string",
                               q="string"
                               )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryMalware", 
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )
print(response)

Back to Table of Contents

QueryMitreAttacksForMalware

Gets MITRE tactics and techniques for the given malware.

PEP8 method name

query_mitre_attacks_for_malware

Endpoint

Method	Route
	/intel/queries/mitre-malware/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Malware family name in lower case with spaces replaced with dashes.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.query_mitre_attacks_for_malware(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.QueryMitreAttacksForMalware(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

# Can also pass a list here: ['ID1', 'ID2', 'ID3']
id_list = 'name1-branch1,name2-branch2,name3-branch3'

response = falcon.command("QueryMitreAttacksForMalware", ids=id_list)

print(response)

Back to Table of Contents

QueryMitreAttacks

Gets MITRE tactics and techniques for the given actor.

PEP8 method name

query_mitre_attacks

Endpoint

Method	Route
	/intel/queries/mitre/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
id			query	string	Actor ID for which to retrieve a list of attacks.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_mitre_attacks(id="string")

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryMitreAttacks(id="string")

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryMitreAttacks", id="string")

print(response)

Back to Table of Contents

QueryIntelReportIds

Get report IDs that match provided FQL filters.

PEP8 method name

query_report_ids

Endpoint

Method	Route
	/intel/queries/reports/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query expression that should be used to limit the results. Filter parameters include: actors sub_type.name actors.id sub_type.slug actors.name tags actors.slug tags.id actors.url tags.slug created_date tags.value description target_countries id target_countries.id last_modified_date target_countries.slug motivations target_countries.value motivations.id target_industries motivations.slug target_industries.id motivations.value target_industries.slug name target_industries.value name.raw type short_description type.id slug type.name sub_type type.slug sub_type.id url
include_deleted			query	boolean	Flag indicating if both published and deleted indicators should be returned.
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_report_ids(offset=integer,
                                   limit=integer,
                                   sort="string",
                                   filter="string",
                                   q="string"
                                   )

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelReportIds(offset=integer,
                                      limit=integer,
                                      sort="string",
                                      filter="string",
                                      q="string"
                                      )

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelReportIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

QueryIntelRuleIds

Search for rule IDs that match provided filter criteria.

PEP8 method name

query_rule_ids

Endpoint

Method	Route
	/intel/queries/rules/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
limit			query	integer	Maximum number of records to return. (Max: 5000)
name			query	string or list of strings	Search by rule title.
description			query	string or list of strings	Substring match on description field.
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
type			query	string	The rule news report type. Accept values: snort-suricata-master snort-suricata-update snort-suricata-changelog yara-master yara-update yara-changelog common-event-format netwitness cql-master cql-update cql-changelog
tags			query	string or list of strings	Search for rules by tag.
min_created_date			query	string	Filter results to those created on or after a certain date.
max_created_date			query	string	Filter results to those created on or before a certain date.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_rule_ids(offset=integer,
                                 limit=integer,
                                 sort="string",
                                 name=["string", "string"],
                                 type="string",
                                 description=["string", "string"],
                                 tags=["string", "string"],
                                 min_created_date=integer,
                                 max_created_date="string",
                                 q="string"
                                 )

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelRuleIds(offset=integer,
                                    limit=integer,
                                    sort="string",
                                    name=["string", "string"],
                                    type="string",
                                    description=["string", "string"],
                                    tags=["string", "string"],
                                    min_created_date=integer,
                                    max_created_date="string",
                                    q="string"
                                    )

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIntelRuleIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          name=["string", "string"],
                          type="string",
                          description=["string", "string"],
                          tags=["string", "string"],
                          min_created_date=integer,
                          max_created_date="string",
                          q="string"
                          )

print(response)

Back to Table of Contents

QueryVulnerabilities

Query for vulnerabilities IDs.

PEP8 method name

query_vulnerabilities

Endpoint

Method	Route
	/intel/queries/vulnerabilities/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query expression that should be used to limit the results.
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy.intel import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_vulnerabilities(offset="string",
                                        limit=integer,
                                        sort="string",
                                        filter="string",
                                        q="string"
                                        )

print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryVulnerabilities(offset="string",
                                       limit=integer,
                                       sort="string",
                                       filter="string",
                                       q="string"
                                       )

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryVulnerabilities",
                          offset="string",
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )

print(response)

Back to Table of Contents