Using the Intelligence Indicator Graph service collection

Table of Contents

| Operation ID | PEP 8 method | Description |
| --- | --- | --- |
| LookupIndicators | lookup_indicators | Get indicators based on their value. |
| SearchIndicators | search | Search indicators based on FQL filter. |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. None of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

LookupIndicators

Get indicators based on their value.

PEP8 method name

lookup

Endpoint

| Method | Route |
| --- | --- |
| POST | /intelligence/combined/indicators/v1 |

Required Scope

indicator-graph:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Supported | Supported | body | dictionary | Full body payload as a dictionary. Not required when using other keywords. |
| values | Supported | Supported | body | list of strings | List of indicator values to look up. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy import IntelligenceIndicatorGraph

# Do not hardcode API credentials!
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

response = falcon.lookup_indicators(values=["string"])
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import IntelligenceIndicatorGraph

# Do not hardcode API credentials!
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

response = falcon.LookupIndicators(values=["string"])
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "values": ["string"]
}

response = falcon.command("LookupIndicators", body=body_payload)
print(response)
```
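
An added example, not part of the FalconPy documentation, covering both the credential guidance above and a batched LookupIndicators call: it reads credentials from the environment, de-duplicates the indicator values, and keeps failed batches separate from results. The environment variable names, the batch size of 100 and the sample values are assumptions; `falcon` is any object exposing the `LookupIndicators` method shown above.

```python
import os


def credentials_from_env(env=os.environ):
    """Return client_id/client_secret keyword arguments read from the environment."""
    # Assumed variable names; use whatever your secret store exports.
    creds = {"client_id": env.get("FALCON_CLIENT_ID", ""),
             "client_secret": env.get("FALCON_CLIENT_SECRET", "")}
    missing = [name for name, value in creds.items() if not value.strip()]
    if missing:
        # Name the missing keys only; never echo credential values.
        raise RuntimeError("missing API credentials: " + ", ".join(missing))
    return creds


def lookup_in_batches(falcon, values, batch_size=100):
    """Look up indicator values in batches; return (resources, failures)."""
    # Normalise: strip whitespace, drop blanks, de-duplicate while keeping order.
    unique = list(dict.fromkeys(v.strip() for v in values if v and v.strip()))
    resources, failures = [], []
    for start in range(0, len(unique), batch_size):
        batch = unique[start:start + batch_size]
        response = falcon.LookupIndicators(values=batch)
        body = response.get("body") or {}
        if response.get("status_code") != 200:
            # Keep the batch and the API errors so the caller can retry or alert.
            failures.append({"values": batch,
                             "status_code": response.get("status_code"),
                             "errors": body.get("errors") or []})
            continue
        resources.extend(body.get("resources") or [])
    return resources, failures


if __name__ == "__main__":
    from falconpy import IntelligenceIndicatorGraph
    falcon = IntelligenceIndicatorGraph(**credentials_from_env())
    # Constructed sample values from documentation-reserved ranges.
    found, failed = lookup_in_batches(falcon, ["example.com", "198.51.100.7"])
    print(len(found), "results;", len(failed), "failed batches")
```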

SearchIndicators

Search indicators based on FQL filter.

PEP8 method name

search

Endpoint

| Method | Route |
| --- | --- |
| POST | /intelligence/combined/indicators/v1 |

Required Scope

indicator-graph:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Supported | Supported | body | dictionary | Full body payload as JSON formatted dictionary. |
| filter | Supported | Supported | body | string | FQL formatted filter. Filter parameters include: Type, LastUpdated, KillChain, MaliciousConfidence, MaliciousConfidenceValidatedTime, FirstSeen, LastSeen, Adversaries.Name, Adversaries.Slug, Reports.Title, Reports.Slug, Threats.FamilyName, Vulnerabilities.CVE, Sectors.Name, FileDetails.SHA256, FileDetails.SHA1, FileDetails.MD5, DomainDetails.Detail, IPv4Details.IPv4, IPv6Details.IPv6, URLDetails.URL and others. |
| limit | Supported | Supported | query | integer | Limit |
| offset | Supported | Supported | query | string | Offset |
| parameters | Supported | Supported | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
| sort | Supported | Supported | body | dictionary or list of dictionaries | List of sort operations to perform on the resultset. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy import IntelligenceIndicatorGraph

# Do not hardcode API credentials!
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

sort_order = {
    "field": "string",
    "order": "string"
}

response = falcon.search(limit=integer, offset="string", filter="string", sort=sort_order)

print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import IntelligenceIndicatorGraph

# Do not hardcode API credentials!
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

sort_order = {
    "field": "string",
    "order": "string"
}

response = falcon.SearchIndicators(limit=integer,
                                   offset="string",
                                   filter="string",
                                   sort=sort_order
                                   )
print(response)
```
Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "filter": "string",
    "sort": [
        {
            "field": "string",
            "order": "string"
        }
    ]
}

# limit is an integer and offset is a string, as listed under Keyword Arguments.
response = falcon.command("SearchIndicators", limit=integer, offset="string", body=body_payload)

print(response)
```
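
An added example, not part of the FalconPy documentation, that builds the `filter` string from field names listed above and refuses any value that could break out of the quoted FQL term before calling `SearchIndicators`. The allowed-character pattern, the sample values and the `LastUpdated`/`desc` sort are assumptions; `falcon` is any object exposing the `SearchIndicators` method shown above.

```python
import re

# Filter fields copied from the list on this page; extend as needed.
ALLOWED_FIELDS = {"Type", "LastUpdated", "KillChain", "MaliciousConfidence",
                  "FirstSeen", "LastSeen", "Adversaries.Name", "Adversaries.Slug",
                  "Threats.FamilyName", "Vulnerabilities.CVE", "Sectors.Name",
                  "FileDetails.SHA256", "DomainDetails.Detail", "IPv4Details.IPv4"}
# Assumption: accept only characters that cannot close a quoted FQL value
# or add an operator ('+' is AND and ',' is OR in FQL).
SAFE_VALUE = re.compile(r"[A-Za-z0-9 ._:/@-]+")


def build_filter(conditions):
    """Join {field: value} pairs with FQL AND after validating both sides."""
    clauses = []
    for field, value in conditions.items():
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unsupported filter field: {field!r}")
        if not SAFE_VALUE.fullmatch(str(value)):
            raise ValueError(f"unsafe value for {field}: {value!r}")
        clauses.append(f"{field}:'{value}'")
    return "+".join(clauses)


def search_indicators(falcon, conditions, sort_field="LastUpdated",
                      order="desc", limit=50):
    """Run SearchIndicators with a validated filter; return the resources list."""
    response = falcon.SearchIndicators(
        filter=build_filter(conditions),
        sort=[{"field": sort_field, "order": order}],
        limit=limit,
    )
    body = response.get("body") or {}
    if response.get("status_code") != 200:
        raise RuntimeError(
            f"SearchIndicators failed: {response.get('status_code')} {body.get('errors')}")
    return body.get("resources") or []


if __name__ == "__main__":
    # Constructed sample values; check the API for the values each field accepts.
    print(build_filter({"Type": "domain", "MaliciousConfidence": "high"}))
```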
