CAO Hunting
The CAO Hunting service collection provides operations for accessing intelligence queries and hunting guides. Aggregate intelligence queries or hunting guides, create archive exports, retrieve entities by ID, and search for matching records using FQL filters.
| Language | Last Update |
|---|---|
| Python | v1.5.5 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |
Table of Contents
Section titled “Table of Contents”| Operation | Description |
|---|---|
AggregateHuntingGuidesaggregate_guides | Aggregate Hunting Guides |
AggregateIntelligenceQueriesaggregate_queries | Aggregate intelligence queries. |
GetArchiveExportcreate_export_archive | Creates an Archive Export. |
GetHuntingGuidesget_guides | Retrieves a list of Hunting Guides |
GetIntelligenceQueriesget_queries | Retrieves a list of Intelligence queries. |
SearchHuntingGuidessearch_guides | Search for Hunting Guides that match the provided conditions |
SearchIntelligenceQueriessearch_queries | Search intelligence queries that match the provided conditions. |
AggregateIntelligenceQueries
Section titled “AggregateIntelligenceQueries”Aggregate intelligence queries.
POST /hunting/aggregates/intelligence-queries/v1
PEP 8
aggregate_queriesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload as a dictionary. Not required when using other keywords. |
| date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: [{“from”: “2016-05-28T09:00:31Z”,“to”: “2016-05-30T09:00:31Z”},{“from”: “2016-06-01T09:00:31Z”,“to”: “2016-06-10T09:00:31Z”}] |
| exclude | body | string | Elements to exclude. |
| extended_bounds | body | dictionary | Extended aggregate boundaries. Contains max and min values as strings. Example: {“max”: “string”,“min”: “string”} |
| field | body | string | The field on which to compute the aggregation. |
| filter | body | string | FQL syntax formatted string to use to filter the results. |
| from | body | integer | Starting position. |
| include | body | string | Elements to include. |
| interval | body | string | Time interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute |
| max_doc_count | body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | body | string | Full text search across all metadata fields. |
| ranges | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [{“From”: 0,“To”: 70},{“From”: 70,“To”: 100}] |
| size | body | integer | The max number of term buckets to be returned. |
| sub_aggregates | body | list of dictionaries | A nested aggregation, such as: [{“name”: “max_first_behavior”,“type”: “max”,“field”: “first_behavior”}]. There is a maximum of 3 nested aggregations per request. |
| sort | body | string | FQL syntax string to sort bucket results. _count - sort by document count, _term - sort by the string value alphabetically. Supports asc and desc using | format. Example: _count|desc |
| time_zone | body | string | Time zone for bucket results. |
| type | body | string | Type of aggregation. Valid values include: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles |
Code Examples
Section titled “Code Examples”from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.aggregate_queries(date_ranges="string", exclude="string", extended_bounds={}, field="string", filter="string", from=integer, include="string", interval="string", max_doc_count=integer, min_doc_count=integer, missing="string", name="string", q="string", ranges=[{"key": "value"}], size=integer, sort="string", sub_aggregates=["string"], time_zone="string", type="string")print(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.AggregateIntelligenceQueries(date_ranges="string", exclude="string", extended_bounds={}, field="string", filter="string", from=integer, include="string", interval="string", max_doc_count=integer, min_doc_count=integer, missing="string", name="string", q="string", ranges=[{"key": "value"}], size=integer, sort="string", sub_aggregates=["string"], time_zone="string", type="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
body_payload = [ { "date_ranges": [ { "from": "string", "to": "string" } ], "exclude": "string", "extended_bounds": { "max": "string", "min": "string" }, "field": "string", "filter": "string", "filters_spec": { "filters": {}, "other_bucket": boolean, "other_bucket_key": "string" }, "from": integer, "include": "string", "interval": "string", "max_doc_count": integer, "min_doc_count": integer, "missing": "string", "name": "string", "percents": ["string"], "q": "string", "ranges": [ { "from": integer, "to": integer } ], "size": integer, "sort": "string", "sub_aggregates": [ { "date_ranges": ["string"], "exclude": "string", "extended_bounds": {}, "field": "string", "filter": "string", "filters_spec": {}, "from": integer, "include": "string", "interval": "string", "max_doc_count": integer, "min_doc_count": integer, "missing": "string", "name": "string", "percents": ["string"], "q": "string", "ranges": ["string"], "size": integer, "sort": "string", "sub_aggregates": ["string"], "time_zone": "string", "type": "string" } ], "time_zone": "string", "type": "string" }]
response = falcon.command("AggregateIntelligenceQueries", body=body_payload)print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cao_hunting" "github.com/crowdstrike/gofalcon/falcon/models")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
from := "string" to := "string" exclude := "string" field := "string" filter := "string" from := integer include := "string" interval := "string" max_doc_count := integer min_doc_count := integer missing := "string" name := "string" q := "string" From := integer To := integer size := integer sort := "string" time_zone := "string" type := "string"
response, err := client.CaoHunting.AggregateIntelligenceQueries( &cao_hunting.AggregateIntelligenceQueriesParams{ Body: []*models.MsaAggregateQueryRequest{ { DateRanges: []interface{}{ { From: &from, To: &to, }, }, Exclude: &exclude, ExtendedBounds: &struct{}{}, Field: &field, Filter: &filter, FiltersSpec: &struct{}{}, From: &from, Include: &include, Interval: &interval, MaxDocCount: &max_doc_count, MinDocCount: &min_doc_count, Missing: &missing, Name: &name, Percents: []interface{}{}, Q: &q, Ranges: []interface{}{ { From: &From, To: &To, }, }, Size: &size, Sort: &sort, SubAggregates: []interface{}{ { DateRanges: []interface{}{ { From: &from, To: &to, }, }, Exclude: &exclude, ExtendedBounds: &struct{}{}, Field: &field, Filter: &filter, FiltersSpec: &struct{}{}, From: &from, Include: &include, Interval: &interval, MaxDocCount: &max_doc_count, MinDocCount: &min_doc_count, Missing: &missing, Name: &name, Percents: []interface{}{}, Q: &q, Ranges: []interface{}{ { From: &From, To: &To, }, }, Size: &size, Sort: &sort, SubAggregates: []interface{}{ { DateRanges: []interface{}{}, Exclude: &exclude, ExtendedBounds: &struct{}{}, Field: &field, Filter: &filter, FiltersSpec: &struct{}{}, From: &from, Include: &include, Interval: &interval, MaxDocCount: &max_doc_count, MinDocCount: &min_doc_count, Missing: &missing, Name: &name, Percents: []interface{}{}, Q: &q, Ranges: []interface{}{}, Size: &size, Sort: &sort, SubAggregates: []interface{}{}, TimeZone: &time_zone, Type: &type, }, }, TimeZone: &time_zone, Type: &type, }, }, TimeZone: &time_zone, Type: &type, }, }, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.caoHunting.aggregateIntelligenceQueries( [{ dateRanges: [{ from: "string", to: "string" }], exclude: "string", extendedBounds: { max: "string", min: "string" }, field: "string", filter: "string", filtersSpec: { filters: {}, otherBucket: boolean, otherBucketKey: "string" }, from: integer, include: "string", interval: "string", maxDocCount: integer, minDocCount: integer, missing: "string", name: "string", percents: [], q: "string", ranges: [{ From: integer, To: integer }], size: integer, sort: "string", subAggregates: [{ dateRanges: [{ from: "string", to: "string" }], exclude: "string", extendedBounds: { max: "string", min: "string" }, field: "string", filter: "string", filtersSpec: { filters: {}, otherBucket: boolean, otherBucketKey: "string" }, from: integer, include: "string", interval: "string", maxDocCount: integer, minDocCount: integer, missing: "string", name: "string", percents: [], q: "string", ranges: [{ From: integer, To: integer }], size: integer, sort: "string", subAggregates: [{ dateRanges: [], exclude: "string", extendedBounds: {}, field: "string", filter: "string", filtersSpec: {}, from: integer, include: "string", interval: "string", maxDocCount: integer, minDocCount: integer, missing: "string", name: "string", percents: [], q: "string", ranges: [], size: integer, sort: "string", subAggregates: [], timeZone: "string", type: "string" }], timeZone: "string", type: "string" }], timeZone: "string", type: "string"}] // body);
console.log(response);use rusty_falcon::apis::cao_hunting_api::aggregate_intelligence_queries;use rusty_falcon::easy::client::FalconHandle;use rusty_falcon::models::MsaAggregateQueryRequest;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let body = vec![MsaAggregateQueryRequest { date_ranges: vec![DateRangeSpec { from: Some("string".to_string()), to: Some("string".to_string()), ..Default::default() }], exclude: Some("string".to_string()), field: Some("string".to_string()), filter: Some("string".to_string()), filters_spec: Default::default(), from: Some(integer), include: Some("string".to_string()), interval: Some("string".to_string()), missing: Some("string".to_string()), name: Some("string".to_string()), percents: vec![], q: Some("string".to_string()), ranges: vec![RangeSpec { from: Some(integer), to: Some(integer), ..Default::default() }], size: Some(integer), sort: Some("string".to_string()), sub_aggregates: vec![AggregateQueryRequest { date_ranges: vec![DateRangeSpec { from: Some("string".to_string()), to: Some("string".to_string()), ..Default::default() }], exclude: Some("string".to_string()), field: Some("string".to_string()), filter: Some("string".to_string()), filters_spec: Default::default(), from: Some(integer), include: Some("string".to_string()), interval: Some("string".to_string()), missing: Some("string".to_string()), name: Some("string".to_string()), percents: vec![], q: Some("string".to_string()), ranges: vec![RangeSpec { from: Some(integer), to: Some(integer), ..Default::default() }], size: Some(integer), sort: Some("string".to_string()), sub_aggregates: vec![AggregateQueryRequest { date_ranges: vec![], exclude: Some("string".to_string()), field: Some("string".to_string()), filter: Some("string".to_string()), filters_spec: Default::default(), from: Some(integer), include: Some("string".to_string()), interval: Some("string".to_string()), missing: Some("string".to_string()), name: Some("string".to_string()), percents: vec![], q: Some("string".to_string()), ranges: vec![], size: Some(integer), sort: Some("string".to_string()), sub_aggregates: vec![], time_zone: Some("string".to_string()), type: Some("string".to_string()), ..Default::default() }], time_zone: Some("string".to_string()), type: Some("string".to_string()), ..Default::default() }], time_zone: Some("string".to_string()), type: Some("string".to_string()), ..Default::default() }];
let response = aggregate_intelligence_queries( &falcon.cfg, // configuration body, // body ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CaoHunting.new
body = [Falcon::MsaAggregateQueryRequest.new( date_ranges: [{ from: 'string', to: 'string' }], exclude: 'string', extended_bounds: { max: 'string', min: 'string' }, field: 'string', filter: 'string', filters_spec: { filters: {}, other_bucket: boolean, other_bucket_key: 'string' }, from: integer, include: 'string', interval: 'string', max_doc_count: integer, min_doc_count: integer, missing: 'string', name: 'string', percents: [], q: 'string', ranges: [{ From: integer, To: integer }], size: integer, sort: 'string', sub_aggregates: [{ date_ranges: [{ from: 'string', to: 'string' }], exclude: 'string', extended_bounds: { max: 'string', min: 'string' }, field: 'string', filter: 'string', filters_spec: { filters: {}, other_bucket: boolean, other_bucket_key: 'string' }, from: integer, include: 'string', interval: 'string', max_doc_count: integer, min_doc_count: integer, missing: 'string', name: 'string', percents: [], q: 'string', ranges: [{ From: integer, To: integer }], size: integer, sort: 'string', sub_aggregates: [{ date_ranges: [], exclude: 'string', extended_bounds: {}, field: 'string', filter: 'string', filters_spec: {}, from: integer, include: 'string', interval: 'string', max_doc_count: integer, min_doc_count: integer, missing: 'string', name: 'string', percents: [], q: 'string', ranges: [], size: integer, sort: 'string', sub_aggregates: [], time_zone: 'string', type: 'string' }], time_zone: 'string', type: 'string' }], time_zone: 'string', type: 'string')]
response = api.aggregate_intelligence_queries(body)
puts responseGetArchiveExport
Section titled “GetArchiveExport”Creates an Archive Export.
GET /hunting/entities/archive-exports/v1
PEP 8
create_export_archiveParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| archive_type | query | string | The Archive Type can be one of ‘zip’ and ‘gzip’. Defaults to ‘zip’. |
| filter | query | string | The FQL Filter. |
| language | query | string | The Query Language. Accepted Values: cql, snort, suricata, yara, SPL AI translated (Beta), all returns a single archive with queries in all the languages |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
Code Examples
Section titled “Code Examples”from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
with open("output_file", "wb") as save_file: response = falcon.create_export_archive(archive_type="string", filter="string", language="string", stream=boolean) save_file.write(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
with open("output_file", "wb") as save_file: response = falcon.GetArchiveExport(archive_type="string", filter="string", language="string", stream=boolean) save_file.write(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
with open("output_file", "wb") as save_file: response = falcon.command("GetArchiveExport", language="string", filter="string", archive_type="string") save_file.write(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cao_hunting")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
filter := "string" archiveType := "string"
response, err := client.CaoHunting.GetArchiveExport( &cao_hunting.GetArchiveExportParams{ Language: "string", Filter: &filter, ArchiveType: &archiveType, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.caoHunting.getArchiveExport( "string", // language "string", // filter "string" // archiveType);
console.log(response);use rusty_falcon::apis::cao_hunting_api::get_archive_export;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = get_archive_export( &falcon.cfg, // configuration "string", // language Some("string"), // filter Some("string"), // archive_type ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CaoHunting.new
response = api.get_archive_export('string')
puts responseGetIntelligenceQueries
Section titled “GetIntelligenceQueries”Retrieves a list of Intelligence queries.
GET /hunting/entities/intelligence-queries/v1
PEP 8
get_queriesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | Intelligence queries IDs. |
| include_translated_content | query | string or list of strings | The AI translated language that should be returned if it exists. Accepted values are: SPL, all. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
Code Examples
Section titled “Code Examples”from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_queries(ids=id_list, include_translated_content="string")print(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIntelligenceQueries(ids=id_list, include_translated_content="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetIntelligenceQueries", ids=id_list, include_translated_content=id_list)print(response)Get-FalconCaoQuery -Id @("ID1", "ID2")package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cao_hunting")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
response, err := client.CaoHunting.GetIntelligenceQueries( &cao_hunting.GetIntelligenceQueriesParams{ Ids: []string{"ID1", "ID2", "ID3"}, IncludeTranslatedContent: []string{"ID1", "ID2", "ID3"}, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.caoHunting.getIntelligenceQueries( ["ID1", "ID2", "ID3"], // ids ["ID1", "ID2", "ID3"] // includeTranslatedContent);
console.log(response);use rusty_falcon::apis::cao_hunting_api::get_intelligence_queries;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = get_intelligence_queries( &falcon.cfg, // configuration vec!["string".to_string()], // ids Some(vec!["string".to_string()]), // include_translated_content ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CaoHunting.new
response = api.get_intelligence_queries(['ID1', 'ID2', 'ID3'])
puts responseSearchIntelligenceQueries
Section titled “SearchIntelligenceQueries”Search intelligence queries that match the provided conditions.
GET /hunting/queries/intelligence-queries/v1
PEP 8
search_queriesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL query specifying the filter parameters. |
| limit | query | integer | Number of IDs to return. |
| offset | query | string | Starting index of result set from which to return IDs. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
| q | query | string | Match phrase_prefix query criteria; included fields: _all (all filter string fields indexed). |
| sort | query | string | Order by fields. |
Code Examples
Section titled “Code Examples”from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.search_queries(filter="string", limit=integer, sort="string", offset="string", q="string")print(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.SearchIntelligenceQueries(filter="string", limit=integer, sort="string", offset="string", q="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("SearchIntelligenceQueries", offset="string", limit=integer, sort="string", filter="string", q="string")print(response)Get-FalconCaoQuery -Filter "string" ` -Query "string" ` -Sort "string" ` -Limit integer ` -Offset "string"package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cao_hunting")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
offset := "string" limit := int64(0) sort := "string" filter := "string" q := "string"
response, err := client.CaoHunting.SearchIntelligenceQueries( &cao_hunting.SearchIntelligenceQueriesParams{ Offset: &offset, Limit: &limit, Sort: &sort, Filter: &filter, Q: &q, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.caoHunting.searchIntelligenceQueries( "string", // offset integer, // limit "string", // sort "string", // filter "string" // q);
console.log(response);use rusty_falcon::apis::cao_hunting_api::search_intelligence_queries;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = search_intelligence_queries( &falcon.cfg, // configuration Some("string"), // offset Some(integer), // limit Some("string"), // sort Some("string"), // filter Some("string"), // q ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CaoHunting.new
response = api.search_intelligence_queries(offset: 'string', limit: integer, sort: 'string', filter: 'string', q: 'string')
puts responseAggregateHuntingGuides
Section titled “AggregateHuntingGuides”Aggregate Hunting Guides
POST /hunting/aggregates/hunting-guides/v1
PEP 8
aggregate_guidesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | list of dictionaries | Full body payload as a list of dictionaries. Not required when using other keywords. |
| date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: [{“from”: “2016-05-28T09:00:31Z”,“to”: “2016-05-30T09:00:31Z”},{“from”: “2016-06-01T09:00:31Z”,“to”: “2016-06-10T09:00:31Z”}] |
| exclude | body | string | Elements to exclude. |
| extended_bounds | body | dictionary | Extended aggregate boundaries. Contains max and min values as strings. Example: {“max”: “string”,“min”: “string”} |
| field | body | string | The field on which to compute the aggregation. |
| filter | body | string | FQL syntax formatted string to use to filter the results. |
| filters_spec | body | dictionary | Filters specification containing filters, other_bucket, and other_bucket_key. Example: {“filters”: {“additionalProp1”: “string”,“additionalProp2”: “string”},“other_bucket”: boolean,“other_bucket_key”: “string”} |
| from | body | integer | Starting position. |
| include | body | string | Elements to include. |
| interval | body | string | Time interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute |
| max_doc_count | body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| percents | body | list of integers | Percentile values for percentile aggregations. |
| q | body | string | Full text search across all metadata fields. |
| ranges | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [{“From”: 0,“To”: 70},{“From”: 70,“To”: 100}] |
| size | body | integer | The max number of term buckets to be returned. |
| sort | body | string | FQL syntax string to sort bucket results. _count - sort by document count, _term - sort by the string value alphabetically. Supports asc and desc using | format. Example: _count|desc |
| sub_aggregates | body | list of dictionaries | A nested aggregation, such as: [{“name”: “max_first_behavior”,“type”: “max”,“field”: “first_behavior”}]. There is a maximum of 3 nested aggregations per request. |
| time_zone | body | string | Time zone for bucket results. |
| type | body | string | Type of aggregation. Valid values include: date_histogram, date_range, terms, cardinality, max, min, avg, sum, percentiles |
Code Examples
Section titled “Code Examples”from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
date_ranges = [ { "from": "string", "to": "string" }]
extended_bounds = { "max": "string", "min": "string"}
filters_spec = { "filters": {}, "other_bucket": boolean, "other_bucket_key": "string"}
ranges = [ { "from": integer, "to": integer }]
sub_aggregates = [ { "date_ranges": [ { "from": "string", "to": "string" } ], "exclude": "string", "extended_bounds": { "max": "string", "min": "string" }, "field": "string", "filter": "string", "filters_spec": { "filters": {}, "other_bucket": boolean, "other_bucket_key": "string" }, "from": integer, "include": "string", "interval": "string", "max_doc_count": integer, "min_doc_count": integer, "missing": "string", "name": "string", "percents": ["string"], "q": "string", "ranges": [ { "from": integer, "to": integer } ], "size": integer, "sort": "string", "sub_aggregates": [ { "date_ranges": ["string"], "exclude": "string", "extended_bounds": {}, "field": "string", "filter": "string", "filters_spec": {}, "from": integer, "include": "string", "interval": "string", "max_doc_count": integer, "min_doc_count": integer, "missing": "string", "name": "string", "percents": ["string"], "q": "string", "ranges": ["string"], "size": integer, "sort": "string", "sub_aggregates": ["string"], "time_zone": "string", "type": "string" } ], "time_zone": "string", "type": "string" }]
response = falcon.aggregate_guides(date_ranges=date_ranges, exclude="string", extended_bounds=extended_bounds, field="string", filter="string", filters_spec=filters_spec, from=integer, include="string", interval="string", max_doc_count=integer, min_doc_count=integer, missing="string", name="string", percents=["string"], q="string", ranges=ranges, size=integer, sort="string", sub_aggregates=sub_aggregates, time_zone="string", type="string")print(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
date_ranges = [ { "from": "string", "to": "string" }]
extended_bounds = { "max": "string", "min": "string"}
filters_spec = { "filters": {}, "other_bucket": boolean, "other_bucket_key": "string"}
ranges = [ { "from": integer, "to": integer }]
sub_aggregates = [ { "date_ranges": [ { "from": "string", "to": "string" } ], "exclude": "string", "extended_bounds": { "max": "string", "min": "string" }, "field": "string", "filter": "string", "filters_spec": { "filters": {}, "other_bucket": boolean, "other_bucket_key": "string" }, "from": integer, "include": "string", "interval": "string", "max_doc_count": integer, "min_doc_count": integer, "missing": "string", "name": "string", "percents": ["string"], "q": "string", "ranges": [ { "from": integer, "to": integer } ], "size": integer, "sort": "string", "sub_aggregates": [ { "date_ranges": ["string"], "exclude": "string", "extended_bounds": {}, "field": "string", "filter": "string", "filters_spec": {}, "from": integer, "include": "string", "interval": "string", "max_doc_count": integer, "min_doc_count": integer, "missing": "string", "name": "string", "percents": ["string"], "q": "string", "ranges": ["string"], "size": integer, "sort": "string", "sub_aggregates": ["string"], "time_zone": "string", "type": "string" } ], "time_zone": "string", "type": "string" }]
response = falcon.AggregateHuntingGuides(date_ranges=date_ranges, exclude="string", extended_bounds=extended_bounds, field="string", filter="string", filters_spec=filters_spec, from=integer, include="string", interval="string", max_doc_count=integer, min_doc_count=integer, missing="string", name="string", percents=["string"], q="string", ranges=ranges, size=integer, sort="string", sub_aggregates=sub_aggregates, time_zone="string", type="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
body_payload = [ { "date_ranges": [ { "from": "string", "to": "string" } ], "exclude": "string", "extended_bounds": { "max": "string", "min": "string" }, "field": "string", "filter": "string", "filters_spec": { "filters": {}, "other_bucket": boolean, "other_bucket_key": "string" }, "from": integer, "include": "string", "interval": "string", "max_doc_count": integer, "min_doc_count": integer, "missing": "string", "name": "string", "percents": ["string"], "q": "string", "ranges": [ { "from": integer, "to": integer } ], "size": integer, "sort": "string", "sub_aggregates": [ { "date_ranges": ["string"], "exclude": "string", "extended_bounds": {}, "field": "string", "filter": "string", "filters_spec": {}, "from": integer, "include": "string", "interval": "string", "max_doc_count": integer, "min_doc_count": integer, "missing": "string", "name": "string", "percents": ["string"], "q": "string", "ranges": ["string"], "size": integer, "sort": "string", "sub_aggregates": ["string"], "time_zone": "string", "type": "string" } ], "time_zone": "string", "type": "string" }]
response = falcon.command("AggregateHuntingGuides", body=body_payload)print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cao_hunting" "github.com/crowdstrike/gofalcon/falcon/models")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
from := "string" to := "string" exclude := "string" field := "string" filter := "string" from := integer include := "string" interval := "string" max_doc_count := integer min_doc_count := integer missing := "string" name := "string" q := "string" From := integer To := integer size := integer sort := "string" time_zone := "string" type := "string"
response, err := client.CaoHunting.AggregateHuntingGuides( &cao_hunting.AggregateHuntingGuidesParams{ Body: []*models.MsaAggregateQueryRequest{ { DateRanges: []interface{}{ { From: &from, To: &to, }, }, Exclude: &exclude, ExtendedBounds: &struct{}{}, Field: &field, Filter: &filter, FiltersSpec: &struct{}{}, From: &from, Include: &include, Interval: &interval, MaxDocCount: &max_doc_count, MinDocCount: &min_doc_count, Missing: &missing, Name: &name, Percents: []interface{}{}, Q: &q, Ranges: []interface{}{ { From: &From, To: &To, }, }, Size: &size, Sort: &sort, SubAggregates: []interface{}{ { DateRanges: []interface{}{ { From: &from, To: &to, }, }, Exclude: &exclude, ExtendedBounds: &struct{}{}, Field: &field, Filter: &filter, FiltersSpec: &struct{}{}, From: &from, Include: &include, Interval: &interval, MaxDocCount: &max_doc_count, MinDocCount: &min_doc_count, Missing: &missing, Name: &name, Percents: []interface{}{}, Q: &q, Ranges: []interface{}{ { From: &From, To: &To, }, }, Size: &size, Sort: &sort, SubAggregates: []interface{}{ { DateRanges: []interface{}{}, Exclude: &exclude, ExtendedBounds: &struct{}{}, Field: &field, Filter: &filter, FiltersSpec: &struct{}{}, From: &from, Include: &include, Interval: &interval, MaxDocCount: &max_doc_count, MinDocCount: &min_doc_count, Missing: &missing, Name: &name, Percents: []interface{}{}, Q: &q, Ranges: []interface{}{}, Size: &size, Sort: &sort, SubAggregates: []interface{}{}, TimeZone: &time_zone, Type: &type, }, }, TimeZone: &time_zone, Type: &type, }, }, TimeZone: &time_zone, Type: &type, }, }, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.caoHunting.aggregateHuntingGuides( [{ dateRanges: [{ from: "string", to: "string" }], exclude: "string", extendedBounds: { max: "string", min: "string" }, field: "string", filter: "string", filtersSpec: { filters: {}, otherBucket: boolean, otherBucketKey: "string" }, from: integer, include: "string", interval: "string", maxDocCount: integer, minDocCount: integer, missing: "string", name: "string", percents: [], q: "string", ranges: [{ From: integer, To: integer }], size: integer, sort: "string", subAggregates: [{ dateRanges: [{ from: "string", to: "string" }], exclude: "string", extendedBounds: { max: "string", min: "string" }, field: "string", filter: "string", filtersSpec: { filters: {}, otherBucket: boolean, otherBucketKey: "string" }, from: integer, include: "string", interval: "string", maxDocCount: integer, minDocCount: integer, missing: "string", name: "string", percents: [], q: "string", ranges: [{ From: integer, To: integer }], size: integer, sort: "string", subAggregates: [{ dateRanges: [], exclude: "string", extendedBounds: {}, field: "string", filter: "string", filtersSpec: {}, from: integer, include: "string", interval: "string", maxDocCount: integer, minDocCount: integer, missing: "string", name: "string", percents: [], q: "string", ranges: [], size: integer, sort: "string", subAggregates: [], timeZone: "string", type: "string" }], timeZone: "string", type: "string" }], timeZone: "string", type: "string"}] // body);
console.log(response);Examples coming soon.
require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CaoHunting.new
body = [Falcon::MsaAggregateQueryRequest.new( date_ranges: [{ from: 'string', to: 'string' }], exclude: 'string', extended_bounds: { max: 'string', min: 'string' }, field: 'string', filter: 'string', filters_spec: { filters: {}, other_bucket: boolean, other_bucket_key: 'string' }, from: integer, include: 'string', interval: 'string', max_doc_count: integer, min_doc_count: integer, missing: 'string', name: 'string', percents: [], q: 'string', ranges: [{ From: integer, To: integer }], size: integer, sort: 'string', sub_aggregates: [{ date_ranges: [{ from: 'string', to: 'string' }], exclude: 'string', extended_bounds: { max: 'string', min: 'string' }, field: 'string', filter: 'string', filters_spec: { filters: {}, other_bucket: boolean, other_bucket_key: 'string' }, from: integer, include: 'string', interval: 'string', max_doc_count: integer, min_doc_count: integer, missing: 'string', name: 'string', percents: [], q: 'string', ranges: [{ From: integer, To: integer }], size: integer, sort: 'string', sub_aggregates: [{ date_ranges: [], exclude: 'string', extended_bounds: {}, field: 'string', filter: 'string', filters_spec: {}, from: integer, include: 'string', interval: 'string', max_doc_count: integer, min_doc_count: integer, missing: 'string', name: 'string', percents: [], q: 'string', ranges: [], size: integer, sort: 'string', sub_aggregates: [], time_zone: 'string', type: 'string' }], time_zone: 'string', type: 'string' }], time_zone: 'string', type: 'string')]
response = api.aggregate_hunting_guides(body)
puts responseGetHuntingGuides
Section titled “GetHuntingGuides”Retrieves a list of Hunting Guides
GET /hunting/entities/hunting-guides/v1
PEP 8
get_guidesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | Hunting Guides IDs. Required parameter. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
Code Examples
Section titled “Code Examples”from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_guides(ids=id_list)print(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetHuntingGuides(ids=id_list)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetHuntingGuides", ids=id_list)print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cao_hunting")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
response, err := client.CaoHunting.GetHuntingGuides( &cao_hunting.GetHuntingGuidesParams{ Ids: []string{"ID1", "ID2", "ID3"}, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.caoHunting.getHuntingGuides(["ID1", "ID2", "ID3"]); // ids
console.log(response);Examples coming soon.
require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CaoHunting.new
response = api.get_hunting_guides(['ID1', 'ID2', 'ID3'])
puts responseSearchHuntingGuides
Section titled “SearchHuntingGuides”Search for Hunting Guides that match the provided conditions
GET /hunting/queries/hunting-guides/v1
PEP 8
search_guidesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL query specifying the filter parameters. |
| limit | query | integer | Number of IDs to return. |
| offset | query | string | Starting index of result set from which to return IDs. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. Not required when using other keywords. |
| sort | query | string | Order by fields. |
| q | query | string | Match phrase_prefix query criteria; included fields: _all (all filter string fields indexed). |
Code Examples
Section titled “Code Examples”from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.search_guides(offset=integer, limit=integer, sort="string", filter="string", q="string")print(response)from falconpy import CAOHunting
falcon = CAOHunting(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.SearchHuntingGuides(offset=integer, limit=integer, sort="string", filter="string", q="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("SearchHuntingGuides", offset="string", limit=integer, sort="string", filter="string", q="string")print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/cao_hunting")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
offset := "string" limit := int64(0) sort := "string" filter := "string" q := "string"
response, err := client.CaoHunting.SearchHuntingGuides( &cao_hunting.SearchHuntingGuidesParams{ Offset: &offset, Limit: &limit, Sort: &sort, Filter: &filter, Q: &q, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.caoHunting.searchHuntingGuides( "string", // offset integer, // limit "string", // sort "string", // filter "string" // q);
console.log(response);Examples coming soon.
require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::CaoHunting.new
response = api.search_hunting_guides(offset: 'string', limit: integer, sort: 'string', filter: 'string', q: 'string')
puts response