ThreatGraph

The ThreatGraph service collection provides operations for exploring threat intelligence relationships. Retrieve edges and vertex summaries for threat entities, look up indicators observed on devices in your environment, and explore available edge types.

| Language | Last Update |
| --- | --- |
| Python | v1.4.6 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |

| Operation | Description |
| --- | --- |
| combined_edges_get (PEP 8: get_edges) | Retrieve edges for a given vertex ID. One edge type must be specified. |
| combined_ran_on_get (PEP 8: get_ran_on) | Look up instances of indicators such as hashes, domain names, and IP addresses that have been seen on devices in your environment. |
| combined_summary_get (PEP 8: get_summary) | Retrieve summary for a given vertex ID. |
| entities_vertices_get (PEP 8: get_vertices_v1) | Retrieve metadata for a given vertex ID. |
| entities_vertices_getv2 (PEP 8: get_vertices) | Retrieve metadata for a given vertex ID. |
| queries_edgetypes_get (PEP 8: get_edge_types) | Show all available edge types. |

Retrieve edges for a given vertex ID. One edge type must be specified.

GET /threatgraph/combined/edges/v1
Scope ThreatGraph: READ Consumes · Produces application/json
PEP 8 get_edges
| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| ids | query | string | Vertex ID to get details for. Only one value is supported. |
| limit | query | integer | How many edges to return in a single request [1-100]. |
| offset | query | string | The offset to use to retrieve the next page of results. |
| edge_type | query | string | The type of edges that you would like to retrieve. |
| direction | query | string | The direction of edges that you would like to retrieve. |
| scope | query | string | Scope of the request. |
| nano | query | boolean | Return nano-precision entity timestamps. |

```python
import os
from falconpy import ThreatGraph

# Credentials come from the environment; the variable names are an assumption
CLIENT_ID = os.environ["FALCON_CLIENT_ID"]
CLIENT_SECRET = os.environ["FALCON_CLIENT_SECRET"]

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

vertex_id = 'ID1'  # Only one value is supported

response = falcon.get_edges(direction="string",
                            edge_type="string",  # one edge type must be specified
                            ids=vertex_id,
                            limit=100,           # integer, 1-100
                            nano=False,          # boolean
                            offset="string",
                            scope="string")
print(response)
```

Look up instances of indicators such as hashes, domain names, and IP addresses that have been seen on devices in your environment.

GET /threatgraph/combined/ran-on/v1
Scope ThreatGraph: READ Consumes · Produces application/json
PEP 8 get_ran_on
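| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| value | query | string | The value of the indicator to search by. |
| type | query | string | The type of indicator that you would like to retrieve. |
| limit | query | integer | How many edges to return in a single request [1-100]. |
| offset | query | string | The offset to use to retrieve the next page of results. |
| nano | query | boolean | Return nano-precision entity timestamps. |

```python
import os
from falconpy import ThreatGraph

# Credentials come from the environment; the variable names are an assumption
CLIENT_ID = os.environ["FALCON_CLIENT_ID"]
CLIENT_SECRET = os.environ["FALCON_CLIENT_SECRET"]

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

response = falcon.get_ran_on(limit=100,      # integer, 1-100
                             nano=False,     # boolean
                             offset="string",
                             type="string",
                             value="string")
print(response)
```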
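
An added example, not taken from the FalconPy documentation: collecting every `get_ran_on` result for one indicator by following the `limit` and `offset` parameters described above. `FakeThreatGraph`, `ran_on_all`, the sample data, the `"domain"` type value and the response layout (`status_code`, `body.resources`, `body.meta.pagination.offset`) are assumptions made for the illustration.

```python
class FakeThreatGraph:
    """Constructed stand-in for falconpy.ThreatGraph so this runs offline."""

    def __init__(self, pages):
        self.pages = pages          # constructed sample pages of resources
        self.calls = []             # keyword arguments of every call made

    def get_ran_on(self, **kwargs):
        self.calls.append(kwargs)
        index = int(kwargs.get("offset", "0"))
        more = index + 1 < len(self.pages)
        # Assumed envelope: status_code/body, next offset in meta.pagination
        pagination = {"offset": str(index + 1)} if more else {}
        return {"status_code": 200,
                "body": {"resources": self.pages[index], "errors": [],
                         "meta": {"pagination": pagination}}}


def ran_on_all(client, value, indicator_type, page_size=100, max_pages=50):
    """Collect every get_ran_on resource for one indicator, page by page."""
    if not 1 <= page_size <= 100:
        raise ValueError("limit must be between 1 and 100")
    found, offset = [], None
    for _ in range(max_pages):              # hard stop if offsets never end
        params = {"value": value, "type": indicator_type, "limit": page_size}
        if offset is not None:
            params["offset"] = offset       # offset is passed back as a string
        response = client.get_ran_on(**params)
        body = response.get("body") or {}
        if response.get("status_code") != 200:
            raise RuntimeError(f"get_ran_on failed: {body.get('errors')}")
        resources = body.get("resources") or []
        found.extend(resources)
        meta = body.get("meta") or {}
        next_offset = (meta.get("pagination") or {}).get("offset")
        if not resources or not next_offset or next_offset == offset:
            break                           # last page, or offset did not move
        offset = next_offset
    return found


# Constructed sample data: three sightings of one indicator across two pages.
SAMPLE_PAGES = [[{"id": "vertex-a"}, {"id": "vertex-b"}], [{"id": "vertex-c"}]]
client = FakeThreatGraph(SAMPLE_PAGES)
sightings = ran_on_all(client, "malicious.example", "domain", page_size=2)
print([s["id"] for s in sightings])
```

With real credentials, pass a `falconpy` `ThreatGraph` instance in place of the stand-in and confirm the pagination field names against an actual response first.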

Retrieve summary for a given vertex ID.

GET /threatgraph/combined/{vertex-type}/summary/v1
Scope ThreatGraph: READ Consumes · Produces application/json
PEP 8 get_summary
| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| vertex_type | path | string | Type of vertex to get properties for. Available values: accessory, accessories, actor, ad_computer, ad-computers, adfs_application, adfs-applications, ad_group, ad-groups, aggregate_indicator, aggregate-indicators, sensor, devices, mobile_app, mobile-apps, azure_application, azure-applications, azure_ad_user, azure-ad-users, containerized_app, containerized-apps, certificate, certificates, command_line, command-lines, control_graph, control-graphs, detection, detections, domain, domains, extracted_file, extracted-files, firmware, firmwares, mobile_fs_volume, mobile-fs-volumes, firewall, firewalls, firewall_rule_match, firewall_rule_matches, host_name, host-names, detection_index, detection-indices, idp_indicator, idp-indicators, idp_session, idp-sessions, incident, incidents, indicator, indicators, custom_ioa, custom_ioas, ipv4, ipv6, k8s_cluster, k8s_clusters, legacy_detection, legacy-detections, mobile_os_forensics_report, mobile_os_forensics_reports, mobile_indicator, mobile-indicators, module, modules, macro_script, macro_scripts, okta_application, okta-applications, okta_user, okta-users, process, processes, ping_fed_application, ping-fed-applications, quarantined_file, quarantined-files, script, scripts, shield, shields, sensor_self_diagnostic, sensor-self-diagnostics, kerberos_ticket, kerberos-tickets, user_id, users, user_session, user-sessions, wifi_access_point, wifi-access-points, xdr, any-vertex. |
| ids | query | array (string) | Vertex ID to get details for. |
| scope | query | string | Scope of the request. |
| nano | query | boolean | Return nano-precision entity timestamps. |

```python
import os
from falconpy import ThreatGraph

# Credentials come from the environment; the variable names are an assumption
CLIENT_ID = os.environ["FALCON_CLIENT_ID"]
CLIENT_SECRET = os.environ["FALCON_CLIENT_SECRET"]

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_summary(ids=id_list,
                              scope="string",
                              nano=False,     # boolean
                              vertex_type="string")
print(response)
```

Retrieve metadata for a given vertex ID.

GET /threatgraph/entities/{vertex-type}/v1
Scope ThreatGraph: READ Consumes · Produces application/json
PEP 8 get_vertices_v1
| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| vertex_type | path | string | Type of vertex to get properties for. Available values: accessory, accessories, actor, ad_computer, ad-computers, adfs_application, adfs-applications, ad_group, ad-groups, aggregate_indicator, aggregate-indicators, sensor, devices, mobile_app, mobile-apps, azure_application, azure-applications, azure_ad_user, azure-ad-users, containerized_app, containerized-apps, certificate, certificates, command_line, command-lines, control_graph, control-graphs, detection, detections, domain, domains, extracted_file, extracted-files, firmware, firmwares, mobile_fs_volume, mobile-fs-volumes, firewall, firewalls, firewall_rule_match, firewall_rule_matches, host_name, host-names, detection_index, detection-indices, idp_indicator, idp-indicators, idp_session, idp-sessions, incident, incidents, indicator, indicators, custom_ioa, custom_ioas, ipv4, ipv6, k8s_cluster, k8s_clusters, legacy_detection, legacy-detections, mobile_os_forensics_report, mobile_os_forensics_reports, mobile_indicator, mobile-indicators, module, modules, macro_script, macro_scripts, okta_application, okta-applications, okta_user, okta-users, process, processes, ping_fed_application, ping-fed-applications, quarantined_file, quarantined-files, script, scripts, shield, shields, sensor_self_diagnostic, sensor-self-diagnostics, kerberos_ticket, kerberos-tickets, user_id, users, user_session, user-sessions, wifi_access_point, wifi-access-points, xdr, any-vertex. |
| ids | query | array (string) | Vertex ID to get details for. |
| scope | query | string | Scope of the request. |
| nano | query | boolean | Return nano-precision entity timestamps. |

```python
import os
from falconpy import ThreatGraph

# Credentials come from the environment; the variable names are an assumption
CLIENT_ID = os.environ["FALCON_CLIENT_ID"]
CLIENT_SECRET = os.environ["FALCON_CLIENT_SECRET"]

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_vertices_v1(ids=id_list,
                                  scope="string",
                                  nano=False,     # boolean
                                  vertex_type="string")
print(response)
```

Retrieve metadata for a given vertex ID.

GET /threatgraph/entities/{vertex-type}/v2
Scope ThreatGraph: READ Consumes · Produces application/json
PEP 8 get_vertices
| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| vertex_type | path | string | Type of vertex to get properties for. Available values: accessory, accessories, actor, ad_computer, ad-computers, adfs_application, adfs-applications, ad_group, ad-groups, aggregate_indicator, aggregate-indicators, sensor, devices, mobile_app, mobile-apps, azure_application, azure-applications, azure_ad_user, azure-ad-users, containerized_app, containerized-apps, certificate, certificates, command_line, command-lines, control_graph, control-graphs, detection, detections, domain, domains, extracted_file, extracted-files, firmware, firmwares, mobile_fs_volume, mobile-fs-volumes, firewall, firewalls, firewall_rule_match, firewall_rule_matches, host_name, host-names, detection_index, detection-indices, idp_indicator, idp-indicators, idp_session, idp-sessions, incident, incidents, indicator, indicators, custom_ioa, custom_ioas, ipv4, ipv6, k8s_cluster, k8s_clusters, legacy_detection, legacy-detections, mobile_os_forensics_report, mobile_os_forensics_reports, mobile_indicator, mobile-indicators, module, modules, macro_script, macro_scripts, okta_application, okta-applications, okta_user, okta-users, process, processes, ping_fed_application, ping-fed-applications, quarantined_file, quarantined-files, script, scripts, shield, shields, sensor_self_diagnostic, sensor-self-diagnostics, kerberos_ticket, kerberos-tickets, user_id, users, user_session, user-sessions, wifi_access_point, wifi-access-points, xdr, any-vertex. |
| ids | query | array (string) | Vertex ID to get details for. |
| scope | query | string | Scope of the request. |
| nano | query | boolean | Return nano-precision entity timestamps. |

```python
import os
from falconpy import ThreatGraph

# Credentials come from the environment; the variable names are an assumption
CLIENT_ID = os.environ["FALCON_CLIENT_ID"]
CLIENT_SECRET = os.environ["FALCON_CLIENT_SECRET"]

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_vertices(ids=id_list,
                               scope="string",
                               nano=False,     # boolean
                               vertex_type="string")
print(response)
```

Show all available edge types.

GET /threatgraph/queries/edge-types/v1
Scope ThreatGraph: READ Consumes · Produces application/json
PEP 8 get_edge_types

No keywords or arguments accepted.

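```python
import os
from falconpy import ThreatGraph

# Credentials come from the environment; the variable names are an assumption
CLIENT_ID = os.environ["FALCON_CLIENT_ID"]
CLIENT_SECRET = os.environ["FALCON_CLIENT_SECRET"]
falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )
response = falcon.get_edge_types()
print(response)
```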