Intelligence Indicator Graph
The Intelligence Indicator Graph service collection provides operations for looking up and searching threat intelligence indicators. Retrieve indicators based on their value or search using FQL filters across a broad set of indicator properties.
| Language | Last Update |
|---|---|
| Python | v1.5.4 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |
Table of Contents
| Operation | Description |
|---|---|
| LookupIndicators (lookup_indicators) | Get indicators based on their value. |
| SearchIndicators (search) | Search indicators based on FQL filter. |
LookupIndicators
Get indicators based on their value.
POST /intelligence/combined/indicators/v1
PEP 8 method name: lookup_indicators

Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload as a dictionary. Not required when using other keywords. |
| values | body | list of strings | List of indicator values to look up. |
Code Examples
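from falconpy import IntelligenceIndicatorGraph

# CLIENT_ID / CLIENT_SECRET are placeholders: read them from an environment
# variable or a secret store rather than embedding literals in source.
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# Indicator values to look up. A comma-delimited string or a Python list
# (['ID1', 'ID2', 'ID3']) are both accepted here.
id_list = 'ID1,ID2,ID3'

# NOTE(review): the Parameters heading on this page documents the PEP 8 name
# as lookup_indicators while this sample calls lookup — confirm which name
# the installed FalconPy version exposes.
response = falcon.lookup(values=id_list)
print(response)


from falconpy import IntelligenceIndicatorGraph

falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

# Operation-ID style call; behaves the same as the PEP 8 method above.
response = falcon.LookupIndicators(values=id_list)
print(response)


from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# The Uber class takes the raw body. `values` is a list of strings (see the
# Parameters table); the list defined here is what is sent, instead of the
# unused id_list / literal "string" pairing in the generated sample.
id_list = ['ID1', 'ID2', 'ID3']
body_payload = {"values": id_list}

response = falcon.command("LookupIndicators", body=body_payload)
print(response)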
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/intelligence_indicator_graph"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

// Looks up indicators by value, authenticating with the credentials exported
// as FALCON_CLIENT_ID / FALCON_CLIENT_SECRET. Any failure panics.
func main() {
	ctx := context.Background()

	// Credentials come from the environment, never from source.
	cfg := &falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      ctx,
	}
	client, err := falcon.NewClient(cfg)
	if err != nil {
		panic(err)
	}

	// "string" is a placeholder for the real indicator values to look up.
	params := &intelligence_indicator_graph.LookupIndicatorsParams{
		Body:    &models.RestapiIndicatorsLookupRequest{Values: []string{"string"}},
		Context: ctx,
	}
	response, err := client.IntelligenceIndicatorGraph.LookupIndicators(params)
	if err != nil {
		// ErrorExplain turns the SDK error into a readable message.
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
import { FalconClient } from "crowdstrike-falcon";
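// Fails fast with a clear message when a required variable is unset, instead
// of letting the non-null assertion pass `undefined` into the client config.
function requireEnv(name: string): string {
  const value = process.env[name];
  if (!value) {
    throw new Error(`Missing required environment variable: ${name}`);
  }
  return value;
}

const client = new FalconClient({
  cloud: requireEnv("FALCON_CLOUD"),
  clientId: requireEnv("FALCON_CLIENT_ID"),
  clientSecret: requireEnv("FALCON_CLIENT_SECRET"),
});

// `values` is the list of indicator values to look up (empty placeholder here).
const response = await client.intelligenceIndicatorGraph.lookupIndicators(
  { values: [] }, // body
);

console.log(response);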
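require "crimson-falcon"

# ENV.fetch raises KeyError when a variable is unset, instead of silently
# configuring the client with nil credentials.
Falcon.configure do |config|
  config.client_id = ENV.fetch("FALCON_CLIENT_ID")
  config.client_secret = ENV.fetch("FALCON_CLIENT_SECRET")
  config.cloud = ENV.fetch("FALCON_CLOUD")
end

api = Falcon::IntelligenceIndicatorGraph.new

# values: the indicator values to look up (empty placeholder in this sample).
body = Falcon::RestapiIndicatorsLookupRequest.new(values: [])

response = api.lookup_indicators(body)

puts response

SearchIndicators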
Search indicators based on FQL filter.
POST /intelligence/combined/indicators/v1
PEP 8 method name: search

Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload as JSON formatted dictionary. |
| filter | body | string | FQL formatted filter. Filter parameters include: Type, LastUpdated, KillChain, MaliciousConfidence, MaliciousConfidenceValidatedTime, FirstSeen, LastSeen, Adversaries.Name, Adversaries.Slug, Reports.Title, Reports.Slug, Threats.FamilyName, Vulnerabilities.CVE, Sectors.Name, FileDetails.SHA256, FileDetails.SHA1, FileDetails.MD5, DomainDetails.Detail, IPv4Details.IPv4, IPv6Details.IPv6, URLDetails.URL and others. |
| limit | query | integer | Limit |
| offset | query | string | Offset |
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
| sort | body | dictionary or list of dictionaries | List of sort operations to perform on the resultset. |
Code Examples
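from falconpy import IntelligenceIndicatorGraph

# CLIENT_ID / CLIENT_SECRET are placeholders: read them from an environment
# variable or a secret store rather than embedding literals in source.
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# filter is an FQL string; if any part of it is built from user input,
# validate that input before interpolating it.
# Per the Parameters table: limit is an integer, offset a string, and sort a
# list of sort dictionaries. Sample values replace the generated sample's
# undefined `integer` and its bare `["string"]` sort.
response = falcon.search(
    filter="string",
    limit=100,
    offset="string",
    sort=[{"field": "string", "missing": {}, "order": "string"}],
)
print(response)


from falconpy import IntelligenceIndicatorGraph

falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# Operation-ID style call; same arguments as the PEP 8 method above.
response = falcon.SearchIndicators(
    filter="string",
    limit=100,
    offset="string",
    sort=[{"field": "string", "missing": {}, "order": "string"}],
)
print(response)


from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# filter and sort are body parameters, so they are carried here once and not
# repeated as keyword arguments; limit and offset are query parameters and go
# in `parameters`.
body_payload = {
    "filter": "string",
    "sort": [{"field": "string", "missing": {}, "order": "string"}],
}
query_params = {"limit": 100, "offset": "string"}

response = falcon.command("SearchIndicators", body=body_payload, parameters=query_params)
print(response)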
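package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/intelligence_indicator_graph"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

// Searches indicators with an FQL filter. Two compile errors in the generated
// sample are fixed here: `filter` was declared twice with :=, and the sort
// entry was a type-less composite literal inside []interface{}, which Go
// does not allow.
func main() {
	ctx := context.Background()

	// Credentials come from the environment, never from source.
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      ctx,
	})
	if err != nil {
		panic(err)
	}

	// Placeholders; replace with a real FQL expression, sort field and order.
	filter := "string"
	field := "string"
	order := "string"
	sort := "string"
	limit := int64(0)
	offset := "string"

	// Sort is []interface{} in the request model, so each entry must carry
	// its own type. A map mirrors the {field, missing, order} object used by
	// the other SDK samples on this page.
	sortEntry := map[string]interface{}{
		"field":   field,
		"missing": map[string]interface{}{},
		"order":   order,
	}

	params := &intelligence_indicator_graph.SearchIndicatorsParams{
		Body: &models.RestapiIndicatorsQueryRequest{
			Filter: &filter,
			Sort:   []interface{}{sortEntry},
		},
		Sort:    &sort,
		Filter:  &filter,
		Limit:   &limit,
		Offset:  &offset,
		Context: ctx,
	}
	response, err := client.IntelligenceIndicatorGraph.SearchIndicators(params)
	if err != nil {
		// ErrorExplain turns the SDK error into a readable message.
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
import { FalconClient } from "crowdstrike-falcon";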
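// Fails fast with a clear message when a required variable is unset, instead
// of letting the non-null assertion pass `undefined` into the client config.
function requireEnv(name: string): string {
  const value = process.env[name];
  if (!value) {
    throw new Error(`Missing required environment variable: ${name}`);
  }
  return value;
}

const client = new FalconClient({
  cloud: requireEnv("FALCON_CLOUD"),
  clientId: requireEnv("FALCON_CLIENT_ID"),
  clientSecret: requireEnv("FALCON_CLIENT_SECRET"),
});

// Positional arguments after the body: sort, filter, limit, offset.
// `limit` uses a sample value; the generated sample passed an undefined
// identifier `integer`.
const response = await client.intelligenceIndicatorGraph.searchIndicators(
  {
    // body
    filter: "string",
    sort: [{ field: "string", missing: {}, order: "string" }],
  },
  "string", // sort
  "string", // filter
  100, // limit
  "string", // offset
);

console.log(response);
use rusty_falcon::apis::intelligence_indicator_graph_api::search_indicators;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::RestapiIndicatorsQueryRequest;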
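// NOTE(review): `IndicatorsQuerySortRequest` is used below but is not among
// the `use` lines above; it presumably lives in `rusty_falcon::models` next to
// `RestapiIndicatorsQueryRequest` — confirm and add the import.
#[tokio::main]
async fn main() {
    // `from_env` presumably reads the API credentials from the environment;
    // the process aborts with the message below if authentication fails.
    let falcon = FalconHandle::from_env()
        .await
        .expect("Could not authenticate");

    // "string" values are placeholders for a real FQL filter, sort field and
    // order.
    let body = RestapiIndicatorsQueryRequest {
        filter: Some("string".to_string()),
        sort: vec![IndicatorsQuerySortRequest {
            field: Some("string".to_string()),
            missing: Default::default(),
            order: Some("string".to_string()),
            ..Default::default()
        }],
        ..Default::default()
    };

    // Positional arguments: configuration, body, sort, filter, limit, offset.
    // `limit` is a sample value; the generated sample passed an undefined
    // identifier `integer`.
    let response = search_indicators(
        &falcon.cfg,
        body,
        Some("string"), // sort
        Some("string"), // filter
        Some(100),      // limit
        Some("string"), // offset
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
require "crimson-falcon"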
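# ENV.fetch raises KeyError when a variable is unset, instead of silently
# configuring the client with nil credentials.
Falcon.configure do |config|
  config.client_id = ENV.fetch("FALCON_CLIENT_ID")
  config.client_secret = ENV.fetch("FALCON_CLIENT_SECRET")
  config.cloud = ENV.fetch("FALCON_CLOUD")
end

api = Falcon::IntelligenceIndicatorGraph.new

# filter is an FQL string; sort is a list of {field, missing, order} hashes.
# The 'string' values are placeholders.
body = {
  filter: 'string',
  sort: [{ field: 'string', missing: {}, order: 'string' }]
}

response = api.search_indicators(body)

puts response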