Intel

Using the Intel service collection

This service collection has code examples posted to the repository.

Table of Contents

Operation ID	Description
QueryIntelActorEntities PEP 8 query_actor_entities	Get info about actors that match provided FQL filters.
QueryIntelIndicatorEntities PEP 8 query_indicator_entities	Get info about indicators that match provided FQL filters.
QueryIntelReportEntities PEP 8 query_report_entities	Get info about reports that match provided FQL filters.
GetIntelActorEntities PEP 8 get_actor_entities	Retrieve specific actors using their actor IDs.
GetIntelIndicatorEntities PEP 8 get_indicator_entities	Retrieve specific indicators using their indicator IDs.
GetIntelReportPDF PEP 8 get_report_pdf	Return a Report PDF attachment
GetIntelReportEntities PEP 8 get_report_entities	Retrieve specific reports using their report IDs.
GetIntelRuleFile PEP 8 get_rule_file	Download earlier rule sets.
GetLatestIntelRuleFile PEP 8 get_latest_rule_file	Download the latest rule set.
GetIntelRuleEntities PEP 8 get_rule_entities	Retrieve details for rule sets for the specified ids.
QueryIntelActorIds PEP 8 query_actor_ids	Get actor IDs that match provided FQL filters.
QueryIntelIndicatorIds PEP 8 query_indicator_ids	Get indicators IDs that match provided FQL filters.
QueryIntelReportIds PEP 8 query_report_ids	Get report IDs that match provided FQL filters.
QueryIntelRuleIds PEP 8 query_rule_ids	Search for rule IDs that match provided filter criteria.

Passing credentials

WARNING

client_id and client_secret are input variables that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

QueryIntelActorEntities

Get info about actors that match provided FQL filters.

PEP8 method name

query_actor_entities

Endpoint

Method	Route
	/intel/combined/actors/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
fields			query	string	The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
filter			query	string	FQL query expression that should be used to limit the results. Filter parameters include: actors sub_type.name actors.id sub_type.slug actors.name tags actors.slug tags.id actors.url tags.slug created_date tags.value description target_countries id target_countries.id last_modified_date target_countries.slug motivations target_countries.value motivations.id target_industries motivations.slug target_industries.id motivations.value target_industries.slug name target_industries.value name.raw type short_description type.id slug type.name sub_type type.slug sub_type.id url
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_actor_entities(offset=integer,
                                       limit=integer,
                                       sort="string",
                                       filter="string",
                                       q="string",
                                       fields=["string", "string"]
                                       )
print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelActorEntities(offset=integer,
                                          limit=integer,
                                          sort="string",
                                          filter="string",
                                          q="string",
                                          fields=["string", "string"]
                                          )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("QueryIntelActorEntities", 
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          fields=["string", "string"]
                          )
print(response)

QueryIntelIndicatorEntities

Get info about indicators that match provided FQL filters.

PEP8 method name

query_indicator_entities

Endpoint

Method	Route
	/intel/combined/indicators/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
fields			query	string	The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
filter			query	string	FQL query expression that should be used to limit the results. Filter parameters include: _marker labels.name actors last_updated deleted malicious_confidence domain_types malware_families id published_date indicator reports ip_address_types targets kill_chains threat_types labels type labels.created_on vulnerabilities labels.last_valid_on
include_deleted			query	boolean	Flag indicating if both published and deleted indicators should be returned.
include_relations			query	boolean	Flag indicating if related indicators should be returned.
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_indicator_entities(offset=integer,
                                           limit=integer,
                                           sort="string",
                                           filter="string",
                                           q="string",
                                           include_deleted=boolean
                                           )
print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelIndicatorEntities(offset=integer,
                                              limit=integer,
                                              sort="string",
                                              filter="string",
                                              q="string",
                                              include_deleted=boolean
                                              )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("QueryIntelIndicatorEntities",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          include_deleted=boolean
                          )
print(response)

QueryIntelReportEntities

Get info about reports that match provided FQL filters.

PEP8 method name

query_report_entities

Endpoint

Method	Route
	/intel/combined/reports/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
fields			query	string	The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
filter			query	string	FQL query expression that should be used to limit the results. Filter parameters include: actors sub_type.name actors.id sub_type.slug actors.name tags actors.slug tags.id actors.url tags.slug created_date tags.value description target_countries id target_countries.id last_modified_date target_countries.slug motivations target_countries.value motivations.id target_industries motivations.slug target_industries.id motivations.value target_industries.slug name target_industries.value name.raw type short_description type.id slug type.name sub_type type.slug sub_type.id url
include_deleted			query	boolean	Flag indicating if both published and deleted indicators should be returned.
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_report_entities(offset=integer,
                                        limit=integer,
                                        sort="string",
                                        filter="string",
                                        q="string",
                                        fields=["string", "string"]
                                        )
print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelReportEntities(offset=integer,
                                           limit=integer,
                                           sort="string",
                                           filter="string",
                                           q="string",
                                           fields=["string", "string"]
                                           )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("QueryIntelReportEntities",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          fields=["string", "string"]
                          )
print(response)

GetIntelActorEntities

Retrieve specific actors using their actor IDs.

PEP8 method name

get_actor_entities

Endpoint

Method	Route
	/intel/entities/actors/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Actor IDs to retrieve.
fields			query	array (string)	The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_actor_entities(fields=["string", "string"], ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelActorEntities(fields=["string", "string"], ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetIntelActorEntities", fields=["string", "string"], ids=id_list)
print(response)

GetIntelIndicatorEntities

Retrieve specific indicators using their indicator IDs.

PEP8 method name

get_indicator_entities

Endpoint

Method	Route
	/intel/entities/indicators/GET/v1

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			body	string or list of strings	Indicator IDs to retrieve.
body			body	dictionary	Full body payload in JSON format.

Usage

You must use either the body or the ids keywords in order to use this method.

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_indicator_entities(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelIndicatorEntities(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
  "ids": id_list
}

response = falcon.command("GetIntelIndicatorEntities", body=BODY)
print(response)

GetIntelReportPDF

Return a Report PDF attachment

PEP8 method name

get_report_pdf

Endpoint

Method	Route
	/intel/entities/report-files/v1

Content-Type

• Produces: application/octet-stream

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
id			query	string	Report ID to download as a PDF.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

The id parameter must be passed to the Uber class as part of the parameters dictionary.

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.ext"

response = falcon.get_report_pdf(id="string")
open(save_file, 'wb').write(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.ext"

response = falcon.GetIntelReportPDF(id="string")
open(save_file, 'wb').write(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

save_file = "some_file.ext"

response = falcon.command("GetIntelReportPDF", id="string")
open(save_file, 'wb').write(response)

GetIntelReportEntities

Retrieve specific reports using their report IDs.

PEP8 method name

get_report_entities

Endpoint

Method	Route
	/intel/entities/reports/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Report IDs to retrieve.
fields			query	array (string)	The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_report_entities(fields=["string", "string"], ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelReportEntities(fields=["string", "string"], ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetIntelReportEntities", fields=["string", "string"], ids=id_list)
print(response)

GetIntelRuleFile

Download earlier rule sets.

PEP8 method name

get_rule_file

Endpoint

Method	Route
	/intel/entities/rules-files/v1

Content-Type

• Produces: application/zip

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
id			query	string	Rule set ID to retrieve.
format			query	string	Choose the format you want the ruleset in. Valid formats are zip and gzip. Defaults to zip.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.get_rule_file(id=integer, format="string")
open(save_file, 'wb').write(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.GetIntelRuleFile(id=integer, format="string")
open(save_file, 'wb').write(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

save_file = "some_file.zip"

response = falcon.command("GetIntelRuleFile", format="string", id=integer)
open(save_file, 'wb').write(response)

GetLatestIntelRuleFile

Download the latest rule set.

PEP8 method name

get_latest_rule_file

Endpoint

Method	Route
	/intel/entities/rules-latest-files/v1

Content-Type

• Produces: application/zip

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
type			query	string	The rule news report type. Accepted values: snort-suricata-master snort-suricata-update snort-suricata-changelog yara-master yara-update yara-changelog common-event-format netwitness
format			query	string	Choose the format you want the rule set in. Valid formats are zip and gzip. Defaults to zip.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.get_latest_rule_file(type="string", format="string")
open(save_file, 'wb').write(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

save_file = "some_file.zip"

response = falcon.GetLatestIntelRuleFile(type="string", format="string")
open(save_file, 'wb').write(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

save_file = "some_file.zip"

response = falcon.command("GetLatestIntelRuleFile", type="string", format="string")
open(save_file, 'wb').write(response)

GetIntelRuleEntities

Retrieve details for rule sets for the specified ids.

PEP8 method name

get_rule_entities

Endpoint

Method	Route
	/intel/entities/rules/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	Rule IDs to retrieve.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_entities(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIntelRuleEntities(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetIntelRuleEntities", ids=id_list)
print(response)

QueryIntelActorIds

Get actor IDs that match provided FQL filters.

PEP8 method name

query_actor_ids

Endpoint

Method	Route
	/intel/queries/actors/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query expression that should be used to limit the results. Filter parameters include: actors sub_type.name actors.id sub_type.slug actors.name tags actors.slug tags.id actors.url tags.slug created_date tags.value description target_countries id target_countries.id last_modified_date target_countries.slug motivations target_countries.value motivations.id target_industries motivations.slug target_industries.id motivations.value target_industries.slug name target_industries.value name.raw type short_description type.id slug type.name sub_type type.slug sub_type.id url
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_actor_ids(offset=integer,
                                  limit=integer,
                                  sort="string",
                                  filter="string",
                                  q="string"
                                  )
print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelActorIds(offset=integer,
                                     limit=integer,
                                     sort="string",
                                     filter="string",
                                     q="string"
                                     )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("QueryIntelActorIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )
print(response)

QueryIntelIndicatorIds

Get indicators IDs that match provided FQL filters.

PEP8 method name

query_indicator_ids

Endpoint

Method	Route
	/intel/queries/indicators/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query expression that should be used to limit the results. Filter parameters include: _marker labels.name actors last_updated deleted malicious_confidence domain_types malware_families id published_date indicator reports ip_address_types targets kill_chains threat_types labels type labels.created_on vulnerabilities labels.last_valid_on
include_deleted			query	boolean	Flag indicating if both published and deleted indicators should be returned.
include_relations			query	boolean	Flag indicating if related indicators should be returned.
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_indicator_ids(offset=integer,
                                      limit=integer,
                                      sort="string",
                                      filter="string",
                                      q="string",
                                      include_deleted=boolean
                                      )
print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelIndicatorIds(offset=integer,
                                         limit=integer,
                                         sort="string",
                                         filter="string",
                                         q="string",
                                         include_deleted=boolean
                                         )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("QueryIntelIndicatorIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string",
                          include_deleted=boolean
                          )
print(response)

QueryIntelReportIds

Get report IDs that match provided FQL filters.

PEP8 method name

query_report_ids

Endpoint

Method	Route
	/intel/queries/reports/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query expression that should be used to limit the results. Filter parameters include: actors sub_type.name actors.id sub_type.slug actors.name tags actors.slug tags.id actors.url tags.slug created_date tags.value description target_countries id target_countries.id last_modified_date target_countries.slug motivations target_countries.value motivations.id target_industries motivations.slug target_industries.id motivations.value target_industries.slug name target_industries.value name.raw type short_description type.id slug type.name sub_type type.slug sub_type.id url
include_deleted			query	boolean	Flag indicating if both published and deleted indicators should be returned.
limit			query	integer	Maximum number of records to return. (Max: 5000)
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_report_ids(offset=integer,
                                   limit=integer,
                                   sort="string",
                                   filter="string",
                                   q="string"
                                   )
print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelReportIds(offset=integer,
                                      limit=integer,
                                      sort="string",
                                      filter="string",
                                      q="string"
                                      )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("QueryIntelReportIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          filter="string",
                          q="string"
                          )
print(response)

QueryIntelRuleIds

Search for rule IDs that match provided filter criteria.

PEP8 method name

query_rule_ids

Endpoint

Method	Route
	/intel/queries/rules/v1

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
limit			query	integer	Maximum number of records to return. (Max: 5000)
name			query	string or list of strings	Search by rule title.
description			query	string or list of strings	Substring match on description field.
offset			query	string	Starting index of overall result set from which to return ids.
q			query	string	Free text search across all indexed fields.
sort			query	string	The property to sort by. (Ex: created_date|desc)
type			query	string	The rule news report type. Accept values: snort-suricata-master snort-suricata-update snort-suricata-changelog yara-master yara-update yara-changelog common-event-format netwitness
tags			query	string or list of strings	Search for rules by tag.
min_created_date			query	string	Filter results to those created on or after a certain date.
max_created_date			query	string	Filter results to those created on or before a certain date.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_rule_ids(offset=integer,
                                 limit=integer,
                                 sort="string",
                                 name=["string", "string"],
                                 type="string",
                                 description=["string", "string"],
                                 tags=["string", "string"],
                                 min_created_date=integer,
                                 max_created_date="string",
                                 q="string"
                                 )
print(response)

Service class example (Operation ID syntax)

from falconpy import Intel

# Do not hardcode API credentials!
falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.QueryIntelRuleIds(offset=integer,
                                    limit=integer,
                                    sort="string",
                                    name=["string", "string"],
                                    type="string",
                                    description=["string", "string"],
                                    tags=["string", "string"],
                                    min_created_date=integer,
                                    max_created_date="string",
                                    q="string"
                                    )
print(response)

Uber class example

from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("QueryIntelRuleIds",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          name=["string", "string"],
                          type="string",
                          description=["string", "string"],
                          tags=["string", "string"],
                          min_created_date=integer,
                          max_created_date="string",
                          q="string"
                          )
print(response)