Intel

The Intel service collection provides operations for querying and retrieving CrowdStrike threat intelligence. Search for actor, indicator, malware, and report entities using FQL filters. Download rule files, retrieve MITRE ATT&CK mappings, and access vulnerability intelligence.

Language | Last Update
Python | v1.5.4
PowerShell | v2.2.9
Go | v0.20.0
TypeScript | v0.6.0
Rust | v0.7.0
Ruby | v1.2.0

This service collection has code examples posted to the repository.

Operation | Description
QueryIntelActorEntities (query_actor_entities) | Get info about actors that match provided FQL filters.
QueryIntelIndicatorEntities (query_indicator_entities) | Get info about indicators that match provided FQL filters.
QueryMalwareEntities (query_malware_entities) | Get malware entities that match provided FQL filters.
QueryIntelReportEntities (query_report_entities) | Get info about reports that match provided FQL filters.
GetMalwareMitreReport (get_malware_report) | Export MITRE ATT&CK information for a given malware family.
GetIntelActorEntities (get_actor_entities) | Retrieve specific actors using their actor IDs.
GetIntelIndicatorEntities (get_indicator_entities) | Retrieve specific indicators using their indicator IDs.
GetMalwareEntities (get_malware_entities) | Get malware entities for specified IDs.
GetMitreReport (get_mitre_report) | Export MITRE ATT&CK information for a given actor.
PostMitreAttacks (mitre_attacks) | Retrieves report and observable IDs associated with the given actor and attacks.
GetIntelReportPDF (get_report_pdf) | Return a report PDF attachment.
GetIntelReportEntities (get_report_entities) | Retrieve specific reports using their report IDs.
GetIntelRuleFile (get_rule_file) | Download earlier rule sets.
GetLatestIntelRuleFile (get_latest_rule_file) | Download the latest rule set.
GetIntelRuleEntities (get_rule_entities) | Retrieve details for rule sets for the specified IDs.
GetVulnerabilities (get_vulnerabilities) | Get vulnerabilities.
QueryIntelActorIds (query_actor_ids) | Get actor IDs that match provided FQL filters.
QueryIntelIndicatorIds (query_indicator_ids) | Get indicator IDs that match provided FQL filters.
QueryMalware (query_malware) | Get malware family names that match provided FQL filters.
QueryMitreAttacksForMalware (query_mitre_attacks_for_malware) | Gets MITRE tactics and techniques for the given malware.
QueryMitreAttacks (query_mitre_attacks) | Gets MITRE tactics and techniques for the given actor.
QueryIntelReportIds (query_report_ids) | Get report IDs that match provided FQL filters.
QueryIntelRuleIds (query_rule_ids) | Search for rule IDs that match provided filter criteria.
QueryVulnerabilities (query_vulnerabilities) | Get vulnerability IDs.

Get info about actors that match provided FQL filters.

GET /intel/combined/actors/v1
Scope Actors (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 query_actor_entities
Name | Type | Data type | Description
fields | query | string | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
filter | query | string | FQL query expression that should be used to limit the results. Filter parameters include: actors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url, animal_classifier
limit | query | integer | Maximum number of records to return. (Max: 5000)
offset | query | string | Starting index of overall result set from which to return ids.
q | query | string | Free text search across all indexed fields.
sort | query | string | The property to sort by. (Ex: created_date|desc)
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_actor_entities(fields="string",
                                       filter="string",
                                       limit=integer,
                                       offset=integer,
                                       q="string",
                                       sort="string")
print(response)
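
The limit and offset parameters above cap each call at 5000 records, so a full result set has to be collected page by page. The following is an added example, not code from the FalconPy project: it builds an FQL filter from documented actor fields and pages through any limit/offset method of this collection. The helper names (build_filter, paginate, fake_query_actor_entities) are hypothetical, and the response shape (status_code plus body with resources, errors and meta.pagination.total) is an assumption; the fake query function and its data are constructed so the block runs offline.

```python
from typing import Callable, Dict, Iterator, List

MAX_LIMIT = 5000  # documented maximum for the limit parameter

# A few of the actor filter fields listed in the table above; extend as needed.
ACTOR_FILTER_FIELDS = {
    "name", "slug", "created_date", "last_modified_date",
    "motivations.slug", "target_countries.slug", "target_industries.slug",
}


def build_filter(terms: Dict[str, str]) -> str:
    """Build an FQL filter: field:'value' terms joined with '+' (logical AND)."""
    parts = []
    for field, value in terms.items():
        if field not in ACTOR_FILTER_FIELDS:
            raise ValueError(f"unsupported filter field: {field}")
        if "'" in value:
            # Refuse values that would terminate the quoted FQL string early.
            raise ValueError(f"single quote not allowed in value: {value!r}")
        parts.append(f"{field}:'{value}'")
    return "+".join(parts)


def paginate(query: Callable[..., dict], page_size: int = MAX_LIMIT,
             **kwargs) -> Iterator[dict]:
    """Yield every resource from a limit/offset method, one page at a time."""
    if not 1 <= page_size <= MAX_LIMIT:
        raise ValueError(f"page_size must be between 1 and {MAX_LIMIT}")
    offset = 0
    while True:
        response = query(limit=page_size, offset=offset, **kwargs)
        body = response.get("body") or {}
        if response.get("status_code") != 200:
            # Assumed error shape: details are listed under body["errors"].
            raise RuntimeError(
                f"API error {response.get('status_code')}: {body.get('errors')}")
        resources = body.get("resources") or []
        yield from resources
        offset += len(resources)
        total = body.get("meta", {}).get("pagination", {}).get("total", 0)
        if not resources or offset >= total:
            return


def fake_query_actor_entities(limit, offset, filter=None, sort=None):
    """Constructed offline stand-in for falcon.query_actor_entities."""
    data = [{"id": i, "slug": f"example-actor-{i}"} for i in range(7)]
    return {
        "status_code": 200,
        "body": {
            "meta": {"pagination": {"total": len(data)}},
            "resources": data[offset:offset + limit],
            "errors": [],
        },
    }


def demo() -> List[str]:
    """Collect all slugs from the constructed data, three records per page."""
    fql = build_filter({"target_countries.slug": "example-country"})
    pages = paginate(fake_query_actor_entities, page_size=3,
                     filter=fql, sort="created_date|desc")
    return [actor["slug"] for actor in pages]


if __name__ == "__main__":
    print(demo())
```

Against a live tenant, pass falcon.query_actor_entities in place of the fake function.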

Get malware entities that match provided FQL filters.

GET /intel/combined/malware/v1
Scope Intel: READ Consumes · Produces application/json
PEP 8 query_malware_entities
Name | Type | Data type | Description
offset | query | integer | Set the starting row number to return malware IDs from. Defaults to 0
limit | query | integer | Set the number of malware IDs to return. The value must be between 1 and 5000
sort | query | string | Order fields in ascending or descending order. Ex: created_date|asc
filter | query | string | Filter your query by specifying FQL filter parameters
q | query | string | Perform a generic substring search across all fields
fields | query | string/array | The fields to return
parameters | query | dictionary | Full query string parameters payload in JSON format

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.query_malware_entities(offset=integer,
                                         limit=integer,
                                         sort="string",
                                         filter="string",
                                         q="string",
                                         fields=id_list)
print(response)

Get info about indicators that match provided FQL filters.

GET /intel/combined/indicators/v1
Scope Indicators (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 query_indicator_entities
Name | Type | Data type | Description
fields | query | string | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
filter | query | string | FQL query expression that should be used to limit the results. Filter parameters include: _marker, actors, deleted, domain_types, id, indicator, ip_address_types, kill_chains, labels, labels.created_on, labels.last_valid_on, labels.name, last_updated, malicious_confidence, malware_families, published_date, reports, reports.slug, targets, threat_types, type, vulnerabilities
include_deleted | query | boolean | Flag indicating if both published and deleted indicators should be returned.
include_relations | query | boolean | Flag indicating if related indicators should be returned.
limit | query | integer | Maximum number of records to return. (Max: 5000)
offset | query | string | Starting index of overall result set from which to return ids.
q | query | string | Free text search across all indexed fields.
sort | query | string | The property to sort by. (Ex: created_date|desc)
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_indicator_entities(fields="string",
                                           filter="string",
                                           include_deleted=boolean,
                                           include_relations=boolean,
                                           limit=integer,
                                           offset=integer,
                                           q="string",
                                           sort="string")
print(response)

Get info about reports that match provided FQL filters.

GET /intel/combined/reports/v1
Scope Reports (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 query_report_entities
Name | Type | Data type | Description
fields | query | string | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
filter | query | string | FQL query expression that should be used to limit the results. Filter parameters include: actors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url, actors.animal_classifier, malware, malware.community_identifiers, malware.family_name, malware.slug, summary
include_deleted | query | boolean | Flag indicating if both published and deleted indicators should be returned.
limit | query | integer | Maximum number of records to return. (Max: 5000)
offset | query | string | Starting index of overall result set from which to return ids.
q | query | string | Free text search across all indexed fields.
sort | query | string | The property to sort by. (Ex: created_date|desc)
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_report_entities(fields="string",
                                        filter="string",
                                        limit=integer,
                                        offset=integer,
                                        q="string",
                                        sort="string")
print(response)

Export MITRE ATT&CK information for a given malware family.

GET /intel/entities/malware-mitre-reports/v1
Scope Malware Families (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 get_malware_report
Name | Type | Data type | Description
id | query | string | Malware family name in lower case with spaces replaced with dashes
format | query | string | Supported report formats: CSV, JSON or JSON_NAVIGATOR
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.get_malware_report(id="string", format="string")
print(response)

Retrieve specific actors using their actor IDs.

GET /intel/entities/actors/v1
Scope Actors (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 get_actor_entities
Name | Type | Data type | Description
ids | query | string or list of strings | Actor IDs to retrieve.
fields | query | array (string) | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_actor_entities(fields="string", ids=id_list)
print(response)

Retrieve specific indicators using their indicator IDs.

POST /intel/entities/indicators/GET/v1
Scope Indicators (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 get_indicator_entities
Name | Type | Data type | Description
ids | body | string or list of strings | Indicator IDs to retrieve.
body | body | dictionary | Full body payload in JSON format.

You must use either the body or the ids keywords in order to use this method.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_indicator_entities(ids=id_list)
print(response)

Get malware entities for specified IDs.

GET /intel/entities/malware/v1
Scope Malware Families (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 get_malware_entities
Name | Type | Data type | Description
ids | query | string or list of strings | Malware family name in lower case with spaces replaced with dashes.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_malware_entities(ids=id_list)
print(response)

Export MITRE ATT&CK information for a given actor.

GET /intel/entities/mitre-reports/v1
Scope Actors (Falcon Intelligence): READ Consumes · Produces application/octet-stream
PEP 8 get_mitre_report
Name | Type | Data type | Description
actor_id | query | string | Actor IDs (derived from actor name).
format | query | string | Report format (json or csv).
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

with open("output_file", "wb") as save_file:
    response = falcon.get_mitre_report(actor_id="string",
                                       format="string",
                                       stream=boolean)
    save_file.write(response)

Retrieves report and observable IDs associated with the given actor and attacks.

POST /intel/entities/mitre/v1
Scope Actors (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 mitre_attacks
Name | Type | Data type | Description
body | body | dictionary | Full body payload in JSON format.
ids | body | string or list of strings | The actor / attack IDs to retrieve.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.mitre_attacks(ids=id_list)
print(response)

Return a report PDF attachment.

GET /intel/entities/report-files/v1
Scope Reports (Falcon Intelligence): READ Consumes · Produces application/octet-stream
PEP 8 get_report_pdf
Name | Type | Data type | Description
id | query | string | Report ID to download as a PDF.
parameters | query | dictionary | Full query string parameters payload in JSON format.

The id parameter must be passed to the Uber class as part of the parameters dictionary.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

with open("output_file", "wb") as save_file:
    response = falcon.get_report_pdf(id=id_list, ids=id_list, stream=boolean)
    save_file.write(response)

Retrieve specific reports using their report IDs.

GET /intel/entities/reports/v1
Scope Reports (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 get_report_entities
Name | Type | Data type | Description
ids | query | string or list of strings | Report IDs to retrieve.
fields | query | array (string) | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_report_entities(fields="string", ids=id_list)
print(response)

Download earlier rule sets.

GET /intel/entities/rules-files/v1
Scope Rules (Falcon Intelligence): READ Consumes · Produces application/zip
PEP 8 get_rule_file
Name | Type | Data type | Description
id | query | string | Rule set ID to retrieve.
format | query | string | Choose the format you want the ruleset in. Valid formats are zip and gzip. Defaults to zip.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

with open("output_file", "wb") as save_file:
    response = falcon.get_rule_file(format="string", id=id_list, stream=boolean)
    save_file.write(response)

Download the latest rule set.

GET /intel/entities/rules-latest-files/v1
Scope Rules (Falcon Intelligence): READ Consumes · Produces application/zip
PEP 8 get_latest_rule_file
Name | Type | Data type | Description
type | query | string | The rule news report type. Accepted values: snort-suricata-master, snort-suricata-update, snort-suricata-changelog, yara-master, yara-update, yara-changelog, common-event-format, netwitness, cql-master, cql-update, cql-changelog
format | query | string | Choose the format you want the rule set in. Valid formats are zip and gzip. Defaults to zip.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

with open("output_file", "wb") as save_file:
    response = falcon.get_latest_rule_file(if_none_match="string",
                                           if_modified_since="string",
                                           format="string",
                                           type="string",
                                           stream=boolean)
    save_file.write(response)
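
The rule-file samples above write whatever the call returns straight to disk. The following is an added example, not code from the FalconPy project: before a downloaded rule set is handed to a scanner or IDS, it checks that the response really is a ZIP archive and extracts it without letting member paths escape the destination directory. The function names, the size ceiling and the assumption that a failed download comes back as a dictionary rather than bytes are all hypothetical; the archives in the demo are constructed in memory.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed per-file ceiling; tune to your feeds


def extract_rule_archive(response, dest_dir) -> List[str]:
    """Validate a downloaded rule-set ZIP and extract it under dest_dir."""
    if not isinstance(response, (bytes, bytearray)):
        # Assumption: a failed download returns a result dictionary, not bytes.
        raise RuntimeError(f"rule download failed: {response!r}")
    buffer = io.BytesIO(response)
    if not zipfile.is_zipfile(buffer):
        raise ValueError("response is not a ZIP archive")

    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(buffer) as archive:
        members = [m for m in archive.infolist() if not m.is_dir()]
        # First pass: reject the whole archive before anything touches disk.
        for member in members:
            target = (dest / member.filename).resolve()
            if dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.filename}")
            if member.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"member too large: {member.filename}")
        # Second pass: write the vetted members.
        for member in members:
            target = (dest / member.filename).resolve()
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(archive.read(member))
    return [m.filename for m in members]


def build_zip(entries: Dict[str, str]) -> bytes:
    """Build an in-memory ZIP from {name: text} (constructed sample data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, text in entries.items():
            archive.writestr(name, text)
    return buffer.getvalue()


def demo() -> List[str]:
    """Extract a constructed one-rule archive into a temporary directory."""
    good = build_zip({"example_rules.yar": "rule Example { condition: false }"})
    with tempfile.TemporaryDirectory() as tmp:
        return extract_rule_archive(good, tmp)


if __name__ == "__main__":
    print(demo())
    # Live use (requires credentials), with a rule type from the table above:
    #   data = falcon.get_latest_rule_file(type="yara-master", format="zip")
    #   extract_rule_archive(data, "rules")
```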

Retrieve details for rule sets for the specified IDs.

GET /intel/entities/rules/v1
Scope Rules (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 get_rule_entities
Name | Type | Data type | Description
ids | query | string or list of strings | Rule IDs to retrieve.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_entities(ids=id_list)
print(response)

Get vulnerabilities by ID(s).

POST /intel/entities/vulnerabilities/GET/v1
Scope Vulnerabilities (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 get_vulnerabilities
Name | Type | Data type | Description
body | body | dictionary | Full body payload in JSON format.
ids | body | string or list of strings | Vulnerability IDs to retrieve.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_vulnerabilities(ids=id_list)
print(response)

Get actor IDs that match provided FQL filters.

GET /intel/queries/actors/v1
Scope Actors (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 query_actor_ids
Name | Type | Data type | Description
filter | query | string | FQL query expression that should be used to limit the results. Filter parameters include: actors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url, animal_classifier
limit | query | integer | Maximum number of records to return. (Max: 5000)
offset | query | string | Starting index of overall result set from which to return ids.
q | query | string | Free text search across all indexed fields.
sort | query | string | The property to sort by. (Ex: created_date|desc)
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_actor_ids(filter="string",
                                  limit=integer,
                                  offset=integer,
                                  q="string",
                                  sort="string")
print(response)

Get indicator IDs that match provided FQL filters.

GET /intel/queries/indicators/v1
Scope Indicators (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 query_indicator_ids
Name | Type | Data type | Description
filter | query | string | FQL query expression that should be used to limit the results. Filter parameters include: _marker, actors, deleted, domain_types, id, indicator, ip_address_types, kill_chains, labels, labels.created_on, labels.last_valid_on, labels.name, last_updated, malicious_confidence, malware_families, published_date, reports, reports.slug, targets, threat_types, type, vulnerabilities
include_deleted | query | boolean | Flag indicating if both published and deleted indicators should be returned.
include_relations | query | boolean | Flag indicating if related indicators should be returned.
limit | query | integer | Maximum number of records to return. (Max: 5000)
offset | query | string | Starting index of overall result set from which to return ids.
q | query | string | Free text search across all indexed fields.
sort | query | string | The property to sort by. (Ex: created_date|desc)
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_indicator_ids(filter="string",
                                      include_deleted=boolean,
                                      include_relations=boolean,
                                      limit=integer,
                                      offset=integer,
                                      q="string",
                                      sort="string")
print(response)

Get malware family names that match provided FQL filters.

GET /intel/queries/malware/v1
Scope Malware Families (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 query_malware
Name | Type | Data type | Description
filter | query | string | FQL query expression that should be used to limit the results.
limit | query | integer | Set the number of malware IDs to return. (Max: 5000)
offset | query | string | Set the starting row number to return malware IDs from. Defaults to 0.
q | query | string | Free text search across all indexed fields.
sort | query | string | The property to sort by. (Ex: created_date|desc)
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_malware(filter="string",
                                limit=integer,
                                offset=integer,
                                q="string",
                                sort="string")
print(response)

Gets MITRE tactics and techniques for the given malware.

GET /intel/queries/mitre-malware/v1
Scope Malware Families (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 query_mitre_attacks_for_malware
Name | Type | Data type | Description
ids | query | string or list of strings | Malware family name in lower case with spaces replaced with dashes.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.query_mitre_attacks_for_malware(ids=id_list)
print(response)

Gets MITRE tactics and techniques for the given actor.

GET /intel/queries/mitre/v1
Scope Actors (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 query_mitre_attacks
Name | Type | Data type | Description
id | query | string | Actor ID for which to retrieve a list of attacks.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.query_mitre_attacks(id="string", ids=id_list)
print(response)

Get report IDs that match provided FQL filters.

GET /intel/queries/reports/v1
Scope Reports (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 query_report_ids
Name | Type | Data type | Description
filter | query | string | FQL query expression that should be used to limit the results. Filter parameters include: actors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url, actors.animal_classifier, malware, malware.community_identifiers, malware.family_name, malware.slug, summary
include_deleted | query | boolean | Flag indicating if both published and deleted indicators should be returned.
limit | query | integer | Maximum number of records to return. (Max: 5000)
offset | query | string | Starting index of overall result set from which to return ids.
q | query | string | Free text search across all indexed fields.
sort | query | string | The property to sort by. (Ex: created_date|desc)
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_report_ids(filter="string",
                                   limit=integer,
                                   offset=integer,
                                   q="string",
                                   sort="string")
print(response)

Search for rule IDs that match provided filter criteria.

GET /intel/queries/rules/v1
Scope Rules (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 query_rule_ids
Name | Type | Data type | Description
limit | query | integer | Maximum number of records to return. (Max: 5000)
name | query | string or list of strings | Search by rule title.
description | query | string or list of strings | Substring match on description field.
offset | query | string | Starting index of overall result set from which to return ids.
q | query | string | Free text search across all indexed fields.
sort | query | string | The property to sort by. (Ex: created_date|desc)
type | query | string | The rule news report type. Accepted values: snort-suricata-master, snort-suricata-update, snort-suricata-changelog, yara-master, yara-update, yara-changelog, common-event-format, netwitness, cql-master, cql-update, cql-changelog
tags | query | string or list of strings | Search for rules by tag.
min_created_date | query | string | Filter results to those created on or after a certain date.
max_created_date | query | string | Filter results to those created on or before a certain date.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_rule_ids(description=["string"],
                                 limit=integer,
                                 max_created_date="string",
                                 min_created_date="string",
                                 name=["string"],
                                 offset=integer,
                                 q="string",
                                 sort="string",
                                 tags=["string"],
                                 type="string")
print(response)

Query for vulnerability IDs.

GET /intel/queries/vulnerabilities/v1
Scope Vulnerabilities (Falcon Intelligence): READ Consumes · Produces application/json
PEP 8 query_vulnerabilities
Name | Type | Data type | Description
filter | query | string | FQL query expression that should be used to limit the results.
limit | query | integer | Maximum number of records to return. (Max: 5000)
offset | query | string | Starting index of overall result set from which to return ids.
q | query | string | Free text search across all indexed fields.
sort | query | string | The property to sort by. (Ex: created_date|desc)
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import Intel

falcon = Intel(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_vulnerabilities(filter="string",
                                        limit=integer,
                                        offset=integer,
                                        q="string",
                                        sort="string")
print(response)