
Tailored Intelligence

Joshua Hiller edited this page Sep 16, 2023 · 6 revisions


Using the Tailored Intelligence service collection


Table of Contents

Operation ID        PEP8 method name      Description
GetEventsBody       get_event_body        Get event body for the provided event ID.
GetEventsEntities   get_event_entities    Get events entities for specified ids.
QueryEvents         query_events          Get events ids that match the provided filter criteria.
GetRulesEntities    get_rule_entities     Get rules entities for specified ids.
QueryRules          query_rules           Get rules ids that match the provided filter criteria.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

GetEventsBody

Get event body for the provided event ID.

PEP8 method name

get_event_body

Endpoint

Method Route
GET /ti/events/entities/events-full-body/v2

Content-Type

  • Produces: application/octet-stream

Keyword Arguments

Name        Service  Uber  Type   Data type                   Description
id          Yes      Yes   query  string or list of strings   Return the event body for event ID.
parameters  Yes      Yes   query  dictionary                  Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import TailoredIntelligence

falcon = TailoredIntelligence(client_id=CLIENT_ID,
                              client_secret=CLIENT_SECRET
                              )

save_file = "some_file.ext"

response = falcon.get_event_body(id="string")
if isinstance(response, dict):  # a non-200 result comes back as a dict, not as the raw event body
    print(response)
else:
    with open(save_file, "wb") as save_fh:  # the body is application/octet-stream, so write bytes
        save_fh.write(response)
Service class example (Operation ID syntax)
from falconpy import TailoredIntelligence

falcon = TailoredIntelligence(client_id=CLIENT_ID,
                              client_secret=CLIENT_SECRET
                              )

save_file = "some_file.ext"

response = falcon.GetEventsBody(id="string")
if isinstance(response, dict):  # a non-200 result comes back as a dict, not as the raw event body
    print(response)
else:
    with open(save_file, "wb") as save_fh:  # the body is application/octet-stream, so write bytes
        save_fh.write(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

save_file = "some_file.ext"

response = falcon.command("GetEventsBody", id="string")
if isinstance(response, dict):  # a non-200 result comes back as a dict, not as the raw event body
    print(response)
else:
    with open(save_file, "wb") as save_fh:  # the body is application/octet-stream, so write bytes
        save_fh.write(response)

Back to Table of Contents

GetEventsEntities

Get events entities for specified ids.

PEP8 method name

get_event_entities

Endpoint

Method Route
POST /ti/events/entities/events/GET/v2

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name  Service  Uber  Type  Data type                   Description
ids   Yes      Yes   body  string or list of strings   Return the event entities for specified ID.
body  Yes      Yes   body  dictionary                  Full body payload in JSON format. Not required when using the ids keyword.

Usage

Service class example (PEP8 syntax)
from falconpy import TailoredIntelligence

falcon = TailoredIntelligence(client_id=CLIENT_ID,
                              client_secret=CLIENT_SECRET
                              )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_event_entities(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import TailoredIntelligence

falcon = TailoredIntelligence(client_id=CLIENT_ID,
                              client_secret=CLIENT_SECRET
                              )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetEventsEntities(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetEventsEntities", ids=id_list)
print(response)

Back to Table of Contents

QueryEvents

Get events ids that match the provided filter criteria.

PEP8 method name

query_events

Endpoint

Method Route
GET /ti/events/queries/events/v2

Content-Type

  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type   Description
filter      Yes      Yes   query  string      FQL query specifying the filter parameters. Wildcard character '*' means to not filter on anything.
limit       Yes      Yes   query  integer     The maximum number of IDs to return in this response. Use with the offset parameter to manage pagination of results.
offset      Yes      Yes   query  integer     Starting index of overall result set from which to return IDs.
parameters  Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.
q           Yes      Yes   query  string      Match phrase_prefix query criteria.
sort        Yes      Yes   query  string      Sort results using a FQL formatted string.
                                              Available options:
                                                • source_type
                                                • created_date
                                                • updated_date

Usage

Service class example (PEP8 syntax)
from falconpy import TailoredIntelligence

falcon = TailoredIntelligence(client_id=CLIENT_ID,
                              client_secret=CLIENT_SECRET
                              )

response = falcon.query_events(offset=0,  # integer, see the keyword table above
                               limit=100,  # integer
                               sort="string",
                               filter="string",
                               q="string"
                               )
print(response)
Service class example (Operation ID syntax)
from falconpy import TailoredIntelligence

falcon = TailoredIntelligence(client_id=CLIENT_ID,
                              client_secret=CLIENT_SECRET
                              )

response = falcon.QueryEvents(offset=0,  # integer, see the keyword table above
                              limit=100,  # integer
                              sort="string",
                              filter="string",
                              q="string"
                              )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryEvents",
                          offset=0,  # integer, see the keyword table above
                          limit=100,  # integer
                          sort="string",
                          filter="string",
                          q="string"
                          )
print(response)
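Added example, not part of this wiki page or of the FalconPy project: the usual workflow with these operations is to page through QueryEvents with offset and limit until the reported total is reached, then resolve the collected IDs with GetEventsEntities in batches rather than in one oversized request. The helpers take the client methods as callables, so the same code serves QueryRules/GetRulesEntities by passing falcon.query_rules and falcon.get_rule_entities. The response layout it relies on (status_code, body.resources, body.meta.pagination.total) and the FakeTailoredIntelligence stand-in are assumptions made so the example runs offline.

```python
from typing import Callable, Dict, List

def collect_ids(query: Callable[..., Dict], filter_str: str = "*", limit: int = 100) -> List[str]:
    """Page through a query operation with offset/limit until every matching ID is collected."""
    ids: List[str] = []
    offset = 0
    while True:
        response = query(filter=filter_str, offset=offset, limit=limit)
        if response["status_code"] != 200:
            raise RuntimeError(f"query failed: {response['body'].get('errors')}")
        page = response["body"].get("resources") or []
        ids.extend(page)
        # Assumed layout: body.meta.pagination.total reports the size of the full result set.
        total = response["body"].get("meta", {}).get("pagination", {}).get("total", 0)
        offset += len(page)
        if not page or offset >= total:  # an empty page also stops the loop if total is missing
            return ids

def fetch_entities(get_entities: Callable[..., Dict], ids: List[str], batch: int = 500) -> List[Dict]:
    """Resolve IDs to full entities one batch at a time, checking each status code."""
    entities: List[Dict] = []
    for start in range(0, len(ids), batch):
        response = get_entities(ids=ids[start:start + batch])
        if response["status_code"] != 200:
            raise RuntimeError(f"entity lookup failed: {response['body'].get('errors')}")
        entities.extend(response["body"].get("resources") or [])
    return entities

class FakeTailoredIntelligence:
    """Constructed stand-in for the service class so the demo runs offline; it mimics the
    status_code / body.resources / body.meta.pagination layout the helpers above assume."""
    def __init__(self, events: Dict[str, Dict]):
        self._events = events

    def query_events(self, filter: str = "*", offset: int = 0, limit: int = 100, **_) -> Dict:
        ids = sorted(self._events)  # this fake ignores the FQL filter
        page = ids[offset:offset + limit]
        meta = {"pagination": {"offset": offset, "limit": limit, "total": len(ids)}}
        return {"status_code": 200, "body": {"resources": page, "meta": meta}}

    def get_event_entities(self, ids: List[str]) -> Dict:
        found = [self._events[i] for i in ids if i in self._events]
        return {"status_code": 200, "body": {"resources": found}}

def demo(limit: int = 3, batch: int = 5) -> List[Dict]:
    """Seven constructed events: three query pages (3, 3, 1), then two entity batches (5, 2)."""
    sample = {f"evt-{n:03d}": {"id": f"evt-{n:03d}", "source_type": "report"} for n in range(7)}
    client = FakeTailoredIntelligence(sample)  # real use: TailoredIntelligence(client_id=..., client_secret=...)
    return fetch_entities(client.get_event_entities, collect_ids(client.query_events, "*", limit), batch)
```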

Back to Table of Contents

GetRulesEntities

Get rules entities for specified ids.

PEP8 method name

get_rule_entities

Endpoint

Method Route
POST /ti/rules/entities/rules/GET/v2

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name  Service  Uber  Type  Data type                   Description
ids   Yes      Yes   body  string or list of strings   Return the rule entities for specified ID.
body  Yes      Yes   body  dictionary                  Full body payload in JSON format. Not required when using the ids keyword.

Usage

Service class example (PEP8 syntax)
from falconpy import TailoredIntelligence

falcon = TailoredIntelligence(client_id=CLIENT_ID,
                              client_secret=CLIENT_SECRET
                              )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_entities(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import TailoredIntelligence

falcon = TailoredIntelligence(client_id=CLIENT_ID,
                              client_secret=CLIENT_SECRET
                              )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetRulesEntities(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetRulesEntities", ids=id_list)
print(response)

Back to Table of Contents

QueryRules

Get rules ids that match the provided filter criteria.

PEP8 method name

query_rules

Endpoint

Method Route
GET /ti/rules/queries/rules/v2

Content-Type

  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type   Description
filter      Yes      Yes   query  string      FQL query specifying the filter parameters. Wildcard character '*' means to not filter on anything.
limit       Yes      Yes   query  integer     The maximum number of IDs to return in this response. Use with the offset parameter to manage pagination of results.
offset      Yes      Yes   query  integer     Starting index of overall result set from which to return IDs.
parameters  Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.
q           Yes      Yes   query  string      Match phrase_prefix query criteria.
sort        Yes      Yes   query  string      Sort results using a FQL formatted string.
                                              Available options:
                                                • name
                                                • value
                                                • rule_type
                                                • customer_id
                                                • created_date
                                                • updated_date

Usage

Service class example (PEP8 syntax)
from falconpy import TailoredIntelligence

falcon = TailoredIntelligence(client_id=CLIENT_ID,
                              client_secret=CLIENT_SECRET
                              )

response = falcon.query_rules(offset=0,  # integer, see the keyword table above
                              limit=100,  # integer
                              sort="string",
                              filter="string",
                              q="string"
                              )
print(response)
Service class example (Operation ID syntax)
from falconpy import TailoredIntelligence

falcon = TailoredIntelligence(client_id=CLIENT_ID,
                              client_secret=CLIENT_SECRET
                              )

response = falcon.QueryRules(offset=0,  # integer, see the keyword table above
                             limit=100,  # integer
                             sort="string",
                             filter="string",
                             q="string"
                             )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryRules",
                          offset=0,  # integer, see the keyword table above
                          limit=100,  # integer
                          sort="string",
                          filter="string",
                          q="string"
                          )
print(response)

Back to Table of Contents
