Using the Cao Hunting service collection
Table of Contents
| Operation ID | Description | ||||
|---|---|---|---|---|---|
| Aggregate intelligence queries. | ||||
| Creates an Archive Export. | ||||
| Retrieves a list of Intelligence queries. | ||||
| Search intelligence queries that match the provided conditions. | ||||
AggregateIntelligenceQueries
Aggregate intelligence queries.
PEP8 method name
aggregate_queries
Endpoint
| Method | Route |
|---|---|
 | /hunting/aggregates/intelligence-queries/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |  | | body | dictionary | Full body payload as a dictionary. Not required when using other keywords. |
| date_ranges | |  | body | list of dictionaries | Applies to date_range aggregations. Example: [ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ] |
| exclude | | | body | string | Elements to exclude. |
| extended_bounds | | | body | dictionary | Extended aggregate boundaries. Contains max and min values as strings.Example: { "max": "string", "min": "string" } |
| field | | | body | string | The field on which to compute the aggregation. |
| filter | | | body | string | FQL syntax formatted string to use to filter the results. |
| from | | | body | integer | Starting position. |
| include | | | body | string | Elements to include. |
| interval | | | body | string | Time interval for date histogram aggregations. Valid values include:
|
| max_doc_count | | | body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | | | body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | | | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | | | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | | | body | string | Full text search across all metadata fields. |
| ranges | | | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ] |
| size | | | body | integer | The max number of term buckets to be returned. |
| sub_aggregates | | | body | list of dictionaries | A nested aggregation, such as: [ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ] There is a maximum of 3 nested aggregations per request. |
| sort | | | body | string | FQL syntax string to sort bucket results.
asc and desc using | format. Example: _count|desc |
| time_zone | | | body | string | Time zone for bucket results. |
| type | | | body | string | Type of aggregation. Valid values include:
|
Usage
Service class example (PEP8 syntax)
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
bounds = {
"max": "string",
"min": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.aggregate_queries(date_ranges=[date_range],
exclude="string",
extended_bounds=bounds,
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
bounds = {
"max": "string",
"min": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.AggregateIntelligenceQueries(date_ranges=[date_range],
exclude="string",
extended_bounds=bounds,
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = [
{
"date_ranges": [
{
"from": "string",
"to": "string"
}
],
"exclude": "string",
"extended_bounds": {
"max": "string",
"min": "string"
}
"field": "string",
"filter": "string",
"from": integer,
"include": "string",
"interval": "string",
"max_doc_count": integer,
"min_doc_count": integer,
"missing": "string",
"name": "string",
"q": "string",
"ranges": [
{
"From": integer,
"To": integer
}
],
"size": integer,
"sort": "string",
"sub_aggregates": [
null
],
"time_zone": "string",
"type": "string"
}
]
response = falcon.command("AggregateIntelligenceQueries", body=body_payload)
print(response)
GetArchiveExport
Creates an Archive Export.
PEP8 method name
create_export_archive
Endpoint
| Method | Route |
|---|---|
 | /hunting/entities/archive-exports/v1 |
Required Scope
Content-Type
- Produces: application/octet-stream
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| archive_type | | | query | string | The Archive Type can be one of 'zip' and 'gzip'. Defaults to 'zip'. |
| filter | | | query | string | The FQL Filter. |
| language | | | query | string | The Query Language. Accepted Values:
|
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
Usage
Service class example (PEP8 syntax)
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
with open(save_file, "wb") as file_output:
file_output.write(falcon.create_export_archive(language="string",
filter="string",
archive_type="string"
))
Service class example (Operation ID syntax)
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
with open(save_file, "wb") as file_output:
file_output.write(falcon.GetArchiveExport(language="string",
filter="string",
archive_type="string"
))
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
save_file = "some_file.ext"
with open(save_file, "wb") as file_output:
file_output.write(falcon.command("GetArchiveExport",
language="string",
filter="string",
archive_type="string"
))
GetIntelligenceQueries
Retrieves a list of Intelligence queries.
PEP8 method name
get_queries
Endpoint
| Method | Route |
|---|---|
| /hunting/entities/intelligence-queries/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | array (string) | Intelligence queries IDs. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
Usage
Service class example (PEP8 syntax)
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_queries(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelligenceQueries(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelligenceQueries", ids=id_list)
print(response)
SearchIntelligenceQueries
Search intelligence queries that match the provided conditions.
PEP8 method name
search_queries
Endpoint
| Method | Route |
|---|---|
| /hunting/queries/intelligence-queries/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | FQL query specifying the filter parameters. |
| limit | | | query | integer | Number of IDs to return. |
| offset | | | query | string | Starting index of result set from which to return IDs. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
| q | | | query | string | Match phrase_prefix query criteria; included fields: _all (all filter string fields indexed). |
| sort | | | query | string | Order by fields. |
Usage
Service class example (PEP8 syntax)
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.search_queries(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.SearchIntelligenceQueries(offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("SearchIntelligenceQueries",
offset="string",
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)