Tailored Intelligence
The Tailored Intelligence service collection provides operations for accessing events and rules data. Retrieve event body content, fetch event and rule entities by ID, and query events or rules using FQL-formatted filter criteria.
| Language | Last Update |
|---|---|
| Python | v1.4.6 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |
Table of Contents
Section titled “Table of Contents”| Operation | Description |
|---|---|
GetEventsBodyget_event_body | Get event body for the provided event ID |
GetEventsEntitiesget_event_entities | Get events entities for specified ids. |
QueryEventsquery_events | Get events ids that match the provided filter criteria. |
GetRulesEntitiesget_rule_entities | Get rules entities for specified ids. |
QueryRulesquery_rules | Get rules ids that match the provided filter criteria. |
GetEventsBody
Section titled “GetEventsBody”Get event body for the provided event ID.
GET /ti/events/entities/events-full-body/v2
PEP 8
get_event_bodyParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| id | query | string or list of strings | Return the event body for event ID. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Code Examples
Section titled “Code Examples”from falconpy import TailoredIntelligence
falcon = TailoredIntelligence(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
with open("output_file", "wb") as save_file: response = falcon.get_event_body(id="string", stream=boolean) save_file.write(response)from falconpy import TailoredIntelligence
falcon = TailoredIntelligence(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
with open("output_file", "wb") as save_file: response = falcon.GetEventsBody(id="string", stream=boolean) save_file.write(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
with open("output_file", "wb") as save_file: response = falcon.command("GetEventsBody", id="string") save_file.write(response)Examples coming soon.
Examples coming soon.
import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.tailoredIntelligence.getEventsBody("string"); // id
console.log(response);use rusty_falcon::apis::tailored_intelligence_api::get_events_body;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = get_events_body( &falcon.cfg, // configuration "string", // id ).await.expect("API call failed");
println!("{:?}", response);}Examples coming soon.
GetEventsEntities
Section titled “GetEventsEntities”Get events entities for specified ids.
POST /ti/events/entities/events/GET/v2
PEP 8
get_event_entitiesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| ids | body | string or list of strings | Return the event entities for specified ID. |
| body | body | dictionary | Full body payload in JSON format. Not required when using the ids keyword. |
Code Examples
Section titled “Code Examples”from falconpy import TailoredIntelligence
falcon = TailoredIntelligence(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_event_entities(ids=id_list)print(response)from falconpy import TailoredIntelligence
falcon = TailoredIntelligence(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetEventsEntities(ids=id_list)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
body_payload = { "ids": ["string"]}
response = falcon.command("GetEventsEntities", body=body_payload)print(response)Get-FalconTailoredEvent -Id @("ID1", "ID2")Examples coming soon.
import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.tailoredIntelligence.getEventsEntities( { ids: []} // body);
console.log(response);use rusty_falcon::apis::tailored_intelligence_api::get_events_entities;use rusty_falcon::easy::client::FalconHandle;use rusty_falcon::models::MsaIdsRequest;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let body = MsaIdsRequest { ids: vec!["string".to_string()], ..Default::default() };
let response = get_events_entities( &falcon.cfg, // configuration body, // body ).await.expect("API call failed");
println!("{:?}", response);}Examples coming soon.
QueryEvents
Section titled “QueryEvents”Get events ids that match the provided filter criteria.
GET /ti/events/queries/events/v2
PEP 8
query_eventsParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL query specifying the filter parameters. Wildcard character ’*’ means to not filter on anything. |
| limit | query | integer | The maximum number of IDs to return in this response. Use with the offset parameter to manage pagination of results. |
| offset | query | integer | Starting index of overall result set from which to return IDs. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| q | query | string | Match phrase_prefix query criteria |
| sort | query | string | Sort results using a FQL formatted string. Available options: source_type, created_date, updated_date |
Code Examples
Section titled “Code Examples”from falconpy import FirewallManagement
falcon = FirewallManagement(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.query_events(after="string", filter="string", limit=integer, offset=integer, q="string", sort="string")print(response)from falconpy import FirewallManagement
falcon = FirewallManagement(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.QueryEvents(after="string", filter="string", limit=integer, offset=integer, q="string", sort="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("QueryEvents", sort="string", filter="string", q="string", offset="string", after="string", limit=integer)print(response)Get-FalconFirewallEvent -Filter "string" ` -Query "string" ` -Sort "string" ` -Limit integer ` -Offset integerpackage main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/firewall_management")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
sort := "string" filter := "string" q := "string" offset := "string" after := "string" limit := int64(0)
response, err := client.FirewallManagement.QueryEvents( &firewall_management.QueryEventsParams{ Sort: &sort, Filter: &filter, Q: &q, Offset: &offset, After: &after, Limit: &limit, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.firewallManagement.queryEvents( "string", // sort "string", // filter "string", // q "string", // offset "string", // after integer // limit);
console.log(response);use rusty_falcon::apis::tailored_intelligence_api::query_events;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = query_events( &falcon.cfg, // configuration Some("string"), // offset Some(integer), // limit Some("string"), // sort Some("string"), // filter Some("string"), // q ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::FirewallManagement.new
response = api.query_events(sort: 'string', filter: 'string', q: 'string', offset: 'string', after: 'string', limit: integer)
puts responseGetRulesEntities
Section titled “GetRulesEntities”Get rules entities for specified ids.
POST /ti/rules/entities/rules/GET/v2
PEP 8
get_rule_entitiesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| ids | body | string or list of strings | Return the rule entities for specified ID. |
| body | body | dictionary | Full body payload in JSON format. Not required when using the ids keyword. |
Code Examples
Section titled “Code Examples”from falconpy import TailoredIntelligence
falcon = TailoredIntelligence(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rule_entities(ids=id_list)print(response)from falconpy import TailoredIntelligence
falcon = TailoredIntelligence(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetRulesEntities(ids=id_list)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
body_payload = { "ids": ["string"]}
response = falcon.command("GetRulesEntities", body=body_payload)print(response)Get-FalconTailoredRule -Id @("ID1", "ID2")Examples coming soon.
import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.tailoredIntelligence.getRulesEntities( { ids: []} // body);
console.log(response);use rusty_falcon::apis::tailored_intelligence_api::get_rules_entities;use rusty_falcon::easy::client::FalconHandle;use rusty_falcon::models::MsaIdsRequest;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let body = MsaIdsRequest { ids: vec!["string".to_string()], ..Default::default() };
let response = get_rules_entities( &falcon.cfg, // configuration body, // body ).await.expect("API call failed");
println!("{:?}", response);}Examples coming soon.
QueryRules
Section titled “QueryRules”Get rules ids that match the provided filter criteria.
GET /ti/rules/queries/rules/v2
PEP 8
query_rulesParameters
Section titled “Parameters”| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL query specifying the filter parameters. Wildcard character ’*’ means to not filter on anything. |
| limit | query | integer | The maximum number of IDs to return in this response. Use with the offset parameter to manage pagination of results. |
| offset | query | integer | Starting index of overall result set from which to return IDs. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| q | query | string | Match phrase_prefix query criteria |
| sort | query | string | Sort results using a FQL formatted string. Available options: name, value, rule_type, customer_id, created_date, updated_date |
Code Examples
Section titled “Code Examples”from falconpy import FirewallManagement
falcon = FirewallManagement(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.query_rules(after="string", filter="string", limit=integer, offset=integer, q="string", sort="string")print(response)from falconpy import FirewallManagement
falcon = FirewallManagement(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.QueryRules(after="string", filter="string", limit=integer, offset=integer, q="string", sort="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("QueryRules", sort="string", filter="string", q="string", offset="string", after="string", limit=integer)print(response)Get-FalconFirewallRule -Filter "string" ` -Query "string" ` -Sort "string" ` -Limit integer ` -Offset integerpackage main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/firewall_management")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
sort := "string" filter := "string" q := "string" offset := "string" after := "string" limit := int64(0)
response, err := client.FirewallManagement.QueryRules( &firewall_management.QueryRulesParams{ Sort: &sort, Filter: &filter, Q: &q, Offset: &offset, After: &after, Limit: &limit, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.firewallManagement.queryRules( "string", // sort "string", // filter "string", // q "string", // offset "string", // after integer // limit);
console.log(response);use rusty_falcon::apis::tailored_intelligence_api::query_rules;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = query_rules( &falcon.cfg, // configuration Some("string"), // offset Some(integer), // limit Some("string"), // sort Some("string"), // filter Some("string"), // q ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::FirewallManagement.new
response = api.query_rules(sort: 'string', filter: 'string', q: 'string', offset: 'string', after: 'string', limit: integer)
puts response