Intelligence Feeds

The Intelligence Feeds service collection provides operations for downloading and querying intelligence feed archives. Download feed file contents as a zip archive, list accessible feeds for a customer, and query feeds by name, interval, and time range.

Language	Last Update
Python	v1.5.0
PowerShell	v2.2.9
Go	v0.20.0
TypeScript	v0.6.0
Rust	v0.7.0
Ruby	v1.2.0

Operation	Description
DownloadFeedArchive `download_feed`	Download feed file contents as a zip archive.
ListFeedTypes `list_feeds`	List the accessible feeds for a given customer.
QueryFeedArchives `query_feeds`	Query the accessible feeds for a customer.

DownloadFeedArchive

Download feed file contents as a zip archive.

GET /indicator-feed/entities/feed-download/v1

Scope Falcon Indicator Graph: READ Consumes · Produces application/json

PEP 8 download_feed

Parameters

Name	Type	Data type	Description
feed_item_id	query	string	Feed object reference ID.
stream	query	boolean	Enable streaming download of the returned file.
parameters	query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Code Examples

from falconpy import IntelligenceFeeds

falcon = IntelligenceFeeds(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.download_feed(feed_item_id="string", stream=boolean)
print(response)

from falconpy import IntelligenceFeeds

falcon = IntelligenceFeeds(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.DownloadFeedArchive(feed_item_id="string", stream=boolean)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DownloadFeedArchive",
                          feed_item_id="string")
print(response)

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/intelligence_feeds"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.IntelligenceFeeds.DownloadFeedArchive(
    &intelligence_feeds.DownloadFeedArchiveParams{
      FeedItemID: "string",
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.intelligenceFeeds.downloadFeedArchive("string");  // feedItemId

console.log(response);

use rusty_falcon::apis::intelligence_feeds_api::download_feed_archive;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = download_feed_archive(
        &falcon.cfg,  // configuration
        "string",  // feed_item_id
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::IntelligenceFeeds.new

response = api.download_feed_archive('string')

puts response

ListFeedTypes

List the accessible feeds for a given customer.

GET /indicator-feed/entities/feed/v1

Scope Falcon Indicator Graph: READ Consumes · Produces application/json

PEP 8 list_feeds

No keywords or arguments accepted.

Code Examples

from falconpy import IntelligenceFeeds

falcon = IntelligenceFeeds(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.list_feeds()
print(response)

from falconpy import IntelligenceFeeds

falcon = IntelligenceFeeds(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.ListFeedTypes()
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ListFeedTypes")
print(response)

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/intelligence_feeds"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.IntelligenceFeeds.ListFeedTypes(
    &intelligence_feeds.ListFeedTypesParams{
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.intelligenceFeeds.listFeedTypes();

console.log(response);

use rusty_falcon::apis::intelligence_feeds_api::list_feed_types;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = list_feed_types(&falcon.cfg).await.expect("API call failed");  // configuration

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::IntelligenceFeeds.new

response = api.list_feed_types

puts response

QueryFeedArchives

Query the accessible feeds for a customer.

GET /indicator-feed/queries/feed/v1

Scope Falcon Indicator Graph: READ Consumes · Produces application/json

PEP 8 query_feeds

Parameters

Name	Type	Data type	Description
feed_name	query	string	Feed name.
feed_interval	query	string	Feed interval. Allowed values: `dump`, `daily`, `hourly`, `minutely`.
since	query	string	Valid timestamp in RFC3399 format. Restrictions: Minutely: `now()-2h`; Hourly: `now()-2d`; Daily: `now()-5d`; Dump: `now()-7d`.
parameters	query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Code Examples

from falconpy import IntelligenceFeeds

falcon = IntelligenceFeeds(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.query_feeds(feed_name="string",
                              feed_interval="string",
                              since="string")
print(response)

from falconpy import IntelligenceFeeds

falcon = IntelligenceFeeds(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET
                           )

response = falcon.QueryFeedArchives(feed_name="string",
                                    feed_interval="string",
                                    since="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryFeedArchives",
                          feed_name="string",
                          feed_interval="string",
                          since="string")
print(response)

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/intelligence_feeds"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  feedInterval := "string"
  since := "string"

  response, err := client.IntelligenceFeeds.QueryFeedArchives(
    &intelligence_feeds.QueryFeedArchivesParams{
      FeedName: "string",
      FeedInterval: &feedInterval,
      Since: &since,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.intelligenceFeeds.queryFeedArchives(
  "string",  // feedName
  "string",  // feedInterval
  "string"  // since
);

console.log(response);

use rusty_falcon::apis::intelligence_feeds_api::query_feed_archives;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = query_feed_archives(
        &falcon.cfg,  // configuration
        "string",  // feed_name
        Some("string"),  // feed_interval
        Some("string"),  // since
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::IntelligenceFeeds.new

response = api.query_feed_archives('string')

puts response

Intelligence Feeds

Table of Contents

DownloadFeedArchive

Parameters

Code Examples

ListFeedTypes

Code Examples

QueryFeedArchives

Parameters

Code Examples