hunting_rule_download

Downloads CrowdStrike Falcon Hunting rule archives with advanced filtering capabilities. Supports downloading hunting rules for multiple languages including CQL, Snort, Suricata, and YARA. Provides FQL (Falcon Query Language) filtering for precise rule selection. Downloads rule collections as ZIP or GZIP archives.

Added in version 4.10.0

Parameters

Parameter	Type	Required	Default	Description
`archive_type`	str	No	zip	The compression format for the downloaded archive. zip gzip
`dest`	path	No		The directory path to save the hunting rule archive. If not specified, a temporary directory will be created using
`filter`	str	No		FQL (Falcon Query Language) filter to apply for precise rule selection. Allows filtering rules by adversary, reports, metadata, or other criteria. If not specified, all rules for the specified language will be downloaded.
`language`	str	Yes		The language of the hunting rules to download. Supported languages include CQL, Snort, Suricata, and YARA. cql snort suricata yara
`name`	str	No		The filename to save the hunting rule archive as. If not specified, it will generate a name based on language and timestamp.

Examples

- name: Download all YARA hunting rules
  crowdstrike.falcon.hunting_rule_download:
    language: "yara"
    dest: "/tmp/hunting_rules"

- name: Download CQL hunting rules with FQL filter
  crowdstrike.falcon.hunting_rule_download:
    language: "cql"
    filter: "adversaries:'FANCY BEAR'"
    dest: "/tmp/hunting_rules"
    name: "spider_cql_rules.zip"

- name: Download Snort rules in GZIP format
  crowdstrike.falcon.hunting_rule_download:
    language: "snort"
    archive_type: "gzip"
    dest: "/tmp/hunting_rules"

- name: Download Suricata rules filtered by report
  crowdstrike.falcon.hunting_rule_download:
    language: "suricata"
    filter: "reports:'APT1'"
    dest: "/tmp/hunting_rules"

Return Values

Key	Type	Description
`path`		T
`language`		T
`archive_type`		T
`filter`		T