Intel
| API Function | Description |
|---|---|
| QueryIntelActorEntities | Get info about actors that match provided FQL filters. |
| QueryIntelIndicatorEntities | Get info about indicators that match provided FQL filters. |
| QueryIntelReportEntities | Get info about reports that match provided FQL filters. |
| GetIntelActorEntities | Retrieve specific actors using their actor IDs. |
| GetIntelIndicatorEntities | Retrieve specific indicators using their indicator IDs. |
| GetIntelReportPDF | Return a Report PDF attachment |
| GetIntelReportEntities | Retrieve specific reports using their report IDs. |
| GetIntelRuleFile | Download earlier rule sets. |
| GetLatestIntelRuleFile | Download the latest rule set. |
| GetIntelRuleEntities | Retrieve details for rule sets for the specified ids. |
| QueryIntelActorIds | Get actor IDs that match provided FQL filters. |
| QueryIntelIndicatorIds | Get indicators IDs that match provided FQL filters. |
| QueryIntelReportIds | Get report IDs that match provided FQL filters. |
| QueryIntelRuleIds | Search for rule IDs that match provided filter criteria. |
Get info about actors that match provided FQL filters.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| offset | query | integer | Set the starting row number to return actors from. Defaults to 0. | |
| limit | query | integer | Set the number of actors to return. The value must be between 1 and 5000. | |
| sort | query | string | Order fields in ascending or descending order. Ex: created_date | |
| filter | query | string | Filter your query by specifying FQL filter parameters. Filter parameters include: actors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url. | |
| q | query | string | Perform a generic substring search across all fields. | |
| fields | query | array (string) | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: . Ex: slug full. Defaults to basic. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'filter': 'string',
'q': 'string',
'fields': [
'string',
'string'
]
}
response = falcon.QueryIntelActorEntities(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'filter': 'string',
'q': 'string',
'fields': [
'string',
'string'
]
}
response = falcon.command('QueryIntelActorEntities', parameters=PARAMS)
print(response)
falcon.deauthenticate()Get info about indicators that match provided FQL filters.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| offset | query | integer | Set the starting row number to return indicators from. Defaults to 0. | |
| limit | query | integer | Set the number of indicators to return. The number must be between 1 and 50000 | |
| sort | query | string | Order fields in ascending or descending order. Ex: published_date | |
| filter | query | string | Filter your query by specifying FQL filter parameters. Filter parameters include: _marker, actors, deleted, domain_types, id, indicator, ip_address_types, kill_chains, labels, labels.created_on, labels.last_valid_on, labels.name, last_updated, malicious_confidence, malware_families, published_date, reports, targets, threat_types, type, vulnerabilities. | |
| q | query | string | Perform a generic substring search across all fields. | |
| include_deleted | query | boolean | If true, include both published and deleted indicators in the response. Defaults to false. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'filter': 'string',
'q': 'string',
'include_deleted': boolean
}
response = falcon.QueryIntelIndicatorEntities(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'filter': 'string',
'q': 'string',
'include_deleted': boolean
}
response = falcon.command('QueryIntelIndicatorEntities', parameters=PARAMS)
print(response)
falcon.deauthenticate()Get info about reports that match provided FQL filters.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| offset | query | integer | Set the starting row number to return reports from. Defaults to 0. | |
| limit | query | integer | Set the number of reports to return. The value must be between 1 and 5000. | |
| sort | query | string | Order fields in ascending or descending order. Ex: created_date | |
| filter | query | string | Filter your query by specifying FQL filter parameters. Filter parameters include: actors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url. | |
| q | query | string | Perform a generic substring search across all fields. | |
| fields | query | array (string) | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: . Ex: slug full. Defaults to basic. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'filter': 'string',
'q': 'string',
'fields': [
'string',
'string'
]
}
response = falcon.QueryIntelReportEntities(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'filter': 'string',
'q': 'string',
'fields': [
'string',
'string'
]
}
response = falcon.command('QueryIntelReportEntities', parameters=PARAMS)
print(response)
falcon.deauthenticate()Retrieve specific actors using their actor IDs.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | ids | query | array (string) | The IDs of the actors you want to retrieve. |
| fields | query | array (string) | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: . Ex: slug full. Defaults to basic. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'fields': [
'string',
'string'
]
}
IDS = 'ID1,ID2,ID3'
response = falcon.GetIntelActorEntities(parameters=PARAMS, ids=IDS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'fields': [
'string',
'string'
]
}
IDS = 'ID1,ID2,ID3'
response = falcon.command('GetIntelActorEntities', parameters=PARAMS, ids=IDS)
print(response)
falcon.deauthenticate()Retrieve specific indicators using their indicator IDs.
- Consumes: application/json
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.GetIntelIndicatorEntities(body=BODY)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
BODY = {
'Body Payload': 'See body description above'
}
response = falcon.command('GetIntelIndicatorEntities', body=BODY)
print(response)
falcon.deauthenticate()Return a Report PDF attachment
- Produces: application/octet-stream
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | id | query | string | The ID of the report you want to download as a PDF. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'id': 'string'
}
response = falcon.GetIntelReportPDF(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'id': 'string'
}
response = falcon.command('GetIntelReportPDF', parameters=PARAMS)
print(response)
falcon.deauthenticate()Retrieve specific reports using their report IDs.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | ids | query | array (string) | The IDs of the reports you want to retrieve. |
| fields | query | array (string) | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: . Ex: slug full. Defaults to basic. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'fields': [
'string',
'string'
]
}
IDS = 'ID1,ID2,ID3'
response = falcon.GetIntelReportEntities(parameters=PARAMS, ids=IDS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'fields': [
'string',
'string'
]
}
IDS = 'ID1,ID2,ID3'
response = falcon.command('GetIntelReportEntities', parameters=PARAMS, ids=IDS)
print(response)
falcon.deauthenticate()Download earlier rule sets.
- Produces: application/zip
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| Accept | header | string | Choose the format you want the rule set in. | |
| ✅ | id | query | integer | The ID of the rule set. |
| format | query | string | Choose the format you want the rule set in. Valid formats are zip and gzip. Defaults to zip. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'id': integer,
'format': 'string'
}
HEADERS = {
'Accept': 'string'
}
response = falcon.GetIntelRuleFile(parameters=PARAMS, headers=HEADERS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'id': integer,
'format': 'string'
}
HEADERS = {
'Accept': 'string'
}
response = falcon.command('GetIntelRuleFile', parameters=PARAMS, headers=HEADERS)
print(response)
falcon.deauthenticate()Download the latest rule set.
- Produces: application/zip
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| Accept | header | string | Choose the format you want the rule set in. | |
| ✅ | type | query | string | The rule news report type. Accepted values: snort-suricata-master snort-suricata-update snort-suricata-changelog yara-master yara-update yara-changelog common-event-format netwitness |
| format | query | string | Choose the format you want the rule set in. Valid formats are zip and gzip. Defaults to zip. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'type': 'string',
'format': 'string'
}
HEADERS = {
'Accept': 'string'
}
response = falcon.GetLatestIntelRuleFile(parameters=PARAMS, headers=HEADERS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'type': 'string',
'format': 'string'
}
HEADERS = {
'Accept': 'string'
}
response = falcon.command('GetLatestIntelRuleFile', parameters=PARAMS, headers=HEADERS)
print(response)
falcon.deauthenticate()Retrieve details for rule sets for the specified ids.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | ids | query | array (string) | The ids of rules to return. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
IDS = 'ID1,ID2,ID3'
response = falcon.GetIntelRuleEntities(ids=IDS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
IDS = 'ID1,ID2,ID3'
response = falcon.command('GetIntelRuleEntities', ids=IDS)
print(response)
falcon.deauthenticate()Get actor IDs that match provided FQL filters.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| offset | query | integer | Set the starting row number to return actors IDs from. Defaults to 0. | |
| limit | query | integer | Set the number of actor IDs to return. The value must be between 1 and 5000. | |
| sort | query | string | Order fields in ascending or descending order. Ex: created_date | |
| filter | query | string | Filter your query by specifying FQL filter parameters. Filter parameters include: actors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url. | |
| q | query | string | Perform a generic substring search across all fields. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'filter': 'string',
'q': 'string'
}
response = falcon.QueryIntelActorIds(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'filter': 'string',
'q': 'string'
}
response = falcon.command('QueryIntelActorIds', parameters=PARAMS)
print(response)
falcon.deauthenticate()Get indicators IDs that match provided FQL filters.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| offset | query | integer | Set the starting row number to return indicator IDs from. Defaults to 0. | |
| limit | query | integer | Set the number of indicator IDs to return. The number must be between 1 and 50000 | |
| sort | query | string | Order fields in ascending or descending order. Ex: published_date | |
| filter | query | string | Filter your query by specifying FQL filter parameters. Filter parameters include: _marker, actors, deleted, domain_types, id, indicator, ip_address_types, kill_chains, labels, labels.created_on, labels.last_valid_on, labels.name, last_updated, malicious_confidence, malware_families, published_date, reports, targets, threat_types, type, vulnerabilities. | |
| q | query | string | Perform a generic substring search across all fields. | |
| include_deleted | query | boolean | If true, include both published and deleted indicators in the response. Defaults to false. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'filter': 'string',
'q': 'string',
'include_deleted': boolean
}
response = falcon.QueryIntelIndicatorIds(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'filter': 'string',
'q': 'string',
'include_deleted': boolean
}
response = falcon.command('QueryIntelIndicatorIds', parameters=PARAMS)
print(response)
falcon.deauthenticate()Get report IDs that match provided FQL filters.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| offset | query | integer | Set the starting row number to return report IDs from. Defaults to 0. | |
| limit | query | integer | Set the number of report IDs to return. The value must be between 1 and 5000. | |
| sort | query | string | Order fields in ascending or descending order. Ex: created_date | |
| filter | query | string | Filter your query by specifying FQL filter parameters. Filter parameters include: actors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url. | |
| q | query | string | Perform a generic substring search across all fields. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'filter': 'string',
'q': 'string'
}
response = falcon.QueryIntelReportIds(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'filter': 'string',
'q': 'string'
}
response = falcon.command('QueryIntelReportIds', parameters=PARAMS)
print(response)
falcon.deauthenticate()Search for rule IDs that match provided filter criteria.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| offset | query | integer | Set the starting row number to return reports from. Defaults to 0. | |
| limit | query | integer | The number of rule IDs to return. Defaults to 10. | |
| sort | query | string | Order fields in ascending or descending order. Ex: created_date | |
| name | query | array (string) | Search by rule title. | |
| ✅ | type | query | string | The rule news report type. Accepted values: snort-suricata-master snort-suricata-update snort-suricata-changelog yara-master yara-update yara-changelog common-event-format netwitness |
| description | query | array (string) | Substring match on description field. | |
| tags | query | array (string) | Search for rule tags. | |
| min_created_date | query | integer | Filter results to those created on or after a certain date. | |
| max_created_date | query | string | Filter results to those created on or before a certain date. | |
| q | query | string | Perform a generic substring search across all fields. |
from falconpy import intel as FalconIntel
falcon = FalconIntel.Intel(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
})
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'name': [
'string',
'string'
],
'type': 'string',
'description': [
'string',
'string'
],
'tags': [
'string',
'string'
],
'min_created_date': integer,
'max_created_date': 'string',
'q': 'string'
}
response = falcon.QueryIntelRuleIds(parameters=PARAMS)
print(response)from falconpy import api_complete as FalconSDK
falcon = FalconSDK.APIHarness(creds={
'client_id': falcon_client_id,
'client_secret': falcon_client_secret
}
)
PARAMS = {
'offset': integer,
'limit': integer,
'sort': 'string',
'name': [
'string',
'string'
],
'type': 'string',
'description': [
'string',
'string'
],
'tags': [
'string',
'string'
],
'min_created_date': integer,
'max_created_date': 'string',
'q': 'string'
}
response = falcon.command('QueryIntelRuleIds', parameters=PARAMS)
print(response)
falcon.deauthenticate()
- Home
- Discussions Board
- Glossary of Terms
- Installation, Upgrades and Removal
- Samples Collection
- Using FalconPy
- API Operations
-
Service Collections
- Alerts
- API Integrations
- ASPM
- Certificate Based Exclusions
- Cloud Connect AWS (deprecated)
- Cloud Snapshots
- Compliance Assessments
- Configuration Assessment
- Configuration Assessment Evaluation Logic
- Container Alerts
- Container Detections
- Container Images
- Container Packages
- Container Vulnerabilities
- CSPM Registration
- Custom IOAs
- Custom Storage
- D4C Registration (deprecated)
- DataScanner
- Delivery Settings
- Detects
- Device Control Policies
- Discover
- Downloads
- Drift Indicators
- Event Streams
- Exposure Management
- Falcon Complete Dashboard
- Falcon Container
- Falcon Intelligence Sandbox
- FDR
- FileVantage
- Firewall Management
- Firewall Policies
- Foundry LogScale
- Host Group
- Host Migration
- Hosts
- Identity Protection
- Image Assessment Policies
- Incidents
- Installation Tokens
- Intel
- IOA Exclusions
- IOC
- IOCs (deprecated)
- Kubernetes Protection
- MalQuery
- Message Center
- ML Exclusions
- Mobile Enrollment
- MSSP (Flight Control)
- OAuth2
- ODS (On Demand Scan)
- Overwatch Dashboard
- Prevention Policy
- Quarantine
- Quick Scan
- Quick Scan Pro
- Real Time Response
- Real Time Response Admin
- Real Time Response Audit
- Recon
- Report Executions
- Response Policies
- Sample Uploads
- Scheduled Reports
- Sensor Download
- Sensor Update Policy
- Sensor Usage
- Sensor Visibility Exclusions
- Spotlight Evaluation Logic
- Spotlight Vulnerabilities
- Tailored Intelligence
- ThreatGraph
- Unidentified Containers
- User Management
- Workflows
- Zero Trust Assessment
- Documentation Support
-
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust
