
ThreatGraph

Joshua Hiller edited this page Dec 10, 2024 · 3 revisions


Using the ThreatGraph service collection


Table of Contents

Operation ID              PEP8 method name   Description
combined_edges_get        get_edges          Retrieve edges for a given vertex ID. One edge type must be specified.
combined_ran_on_get       get_ran_on         Look up instances of indicators such as hashes, domain names, and IP addresses that have been seen on devices in your environment.
combined_summary_get      get_summary        Retrieve summary for a given vertex ID.
entities_vertices_get     get_vertices_v1    Retrieve metadata for a given vertex ID.
entities_vertices_getv2   get_vertices       Retrieve metadata for a given vertex ID.
queries_edgetypes_get     get_edge_types     Show all available edge types.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that none of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

combined_edges_get

Retrieve edges for a given vertex ID. One edge type must be specified.

PEP8 method name

get_edges

Endpoint

Method Route
GET /threatgraph/combined/edges/v1

Required Scope

threatgraph:read

Content-Type

  • Produces: application/json

Keyword Arguments

All keywords below are supported by both the Service class and the Uber class.

Name        Type    Data type   Description
ids         query   string      Vertex ID to get details for. Only one value is supported.
limit       query   integer     How many edges to return in a single request [1-100].
offset      query   string      The offset to use to retrieve the next page of results.
edge_type   query   string      The type of edges that you would like to retrieve.
direction   query   string      The direction of edges that you would like to retrieve.
scope       query   string      Scope of the request.
nano        query   boolean     Return nano-precision entity timestamps.

Usage

Service class example (PEP8 syntax)

from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_edges(limit=integer,
                            offset="string",
                            edge_type="string",
                            direction="string",
                            scope="string",
                            nano=boolean,
                            ids=id_list
                            )
print(response)

Service class example (Operation ID syntax)

from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.combined_edges_get(limit=integer,
                                     offset="string",
                                     edge_type="string",
                                     direction="string",
                                     scope="string",
                                     nano=boolean,
                                     ids=id_list
                                     )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("combined_edges_get",
                          limit=integer,
                          offset="string",
                          edge_type="string",
                          direction="string",
                          scope="string",
                          nano=boolean,
                          ids=id_list
                          )
print(response)

Back to Table of Contents

combined_ran_on_get

Look up instances of indicators such as hashes, domain names, and IP addresses that have been seen on devices in your environment.

PEP8 method name

get_ran_on

Endpoint

Method Route
GET /threatgraph/combined/ran-on/v1

Required Scope

threatgraph:read

Content-Type

  • Produces: application/json

Keyword Arguments

All keywords below are supported by both the Service class and the Uber class.

Name     Type    Data type   Description
value    query   string      The value of the indicator to search by.
type     query   string      The type of indicator that you would like to retrieve.
limit    query   integer     How many edges to return in a single request [1-100].
offset   query   string      The offset to use to retrieve the next page of results.
nano     query   boolean     Return nano-precision entity timestamps.

Usage

Service class example (PEP8 syntax)

from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

response = falcon.get_ran_on(value="string",
                             type="string",
                             limit=integer,
                             offset="string",
                             nano=boolean
                             )
print(response)

Service class example (Operation ID syntax)

from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

response = falcon.combined_ran_on_get(value="string",
                                      type="string",
                                      limit=integer,
                                      offset="string",
                                      nano=boolean
                                      )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_ran_on_get",
                          value="string",
                          type="string",
                          limit=integer,
                          offset="string",
                          nano=boolean
                          )
print(response)
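
The two operations above share the same cursor-style paging (limit in [1-100], offset for the next page), and get_edges additionally takes a single vertex ID and a mandatory edge_type. The helper below is an added example, not FalconPy's own code or part of this wiki page: it enforces those documented constraints, walks every page, and uses a constructed FakeThreatGraph stand-in (returning the falconpy-style dict of "status_code" and "body") so it runs offline; the exact location of the next-page offset in the response body is an assumption and is marked as such in the code.

```python
from typing import Any, Callable, Dict, List

# Assumed response layout (not stated on this page): falconpy returns a dict with
# "status_code" and "body"; items are read from body["resources"] and the next page
# offset, when the service supplies one, from body["meta"]["pagination"]["offset"].
def _next_offset(body: Dict[str, Any]) -> str:
    return str(body.get("meta", {}).get("pagination", {}).get("offset") or "")


def paginate(call: Callable[..., Dict[str, Any]], limit: int = 100, **kwargs) -> List[Any]:
    """Follow the offset cursor until a page is short or no next offset is returned."""
    if not 1 <= limit <= 100:  # the documented bound for limit is [1-100]
        raise ValueError("limit must be within 1-100")
    results: List[Any] = []
    offset = ""
    while True:
        response = call(limit=limit, offset=offset, **kwargs)
        if response["status_code"] != 200:
            raise RuntimeError(f"request failed: {response['body'].get('errors')}")
        page = response["body"].get("resources") or []
        results.extend(page)
        offset = _next_offset(response["body"])
        if len(page) < limit or not offset:
            return results


def all_edges(client, vertex_id: str, edge_type: str, **extra) -> List[Any]:
    """get_edges takes a single vertex ID, and an edge type must be specified."""
    if not edge_type:
        raise ValueError("edge_type must be specified")
    if "," in vertex_id:
        raise ValueError("get_edges supports only one vertex ID per request")
    return paginate(client.get_edges, ids=vertex_id, edge_type=edge_type, **extra)


def ran_on(client, value: str, indicator_type: str) -> List[Any]:
    """Devices on which an indicator (hash, domain name, IP address) was seen."""
    return paginate(client.get_ran_on, value=value, type=indicator_type)


class FakeThreatGraph:
    """Constructed stand-in for falconpy.ThreatGraph so this example runs offline."""
    def __init__(self, pages: List[List[str]]):
        self.pages, self.calls = pages, []

    def _serve(self, kw: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append(kw)
        index = int(kw["offset"] or 0)
        body: Dict[str, Any] = {"resources": self.pages[index], "meta": {"pagination": {}}}
        if index + 1 < len(self.pages):
            body["meta"]["pagination"]["offset"] = str(index + 1)
        return {"status_code": 200, "body": body}

    def get_edges(self, **kw): return self._serve(kw)
    def get_ran_on(self, **kw): return self._serve(kw)
```

With a real client, replace FakeThreatGraph with falconpy.ThreatGraph and take edge_type values from get_edge_types().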

Back to Table of Contents

combined_summary_get

Retrieve summary for a given vertex ID

PEP8 method name

get_summary

Endpoint

Method Route
GET /threatgraph/combined/{vertex-type}/summary/v1

Required Scope

threatgraph:read

Content-Type

  • Produces: application/json

Keyword Arguments

All keywords below are supported by both the Service class and the Uber class.

Name          Type    Data type        Description
vertex_type   path    string           Type of vertex to get properties for. Available values:
                                       accessory, accessories, actor, ad_computer, ad-computers, adfs_application, adfs-applications, ad_group, ad-groups, aggregate_indicator, aggregate-indicators, sensor, devices, mobile_app, mobile-apps, azure_application, azure-applications, azure_ad_user, azure-ad-users, containerized_app, containerized-apps, certificate, certificates, command_line, command-lines, control_graph, control-graphs, detection, detections, domain, domains, extracted_file, extracted-files, firmware, firmwares, mobile_fs_volume, mobile-fs-volumes, firewall, firewalls, firewall_rule_match, firewall_rule_matches, host_name, host-names, detection_index, detection-indices, idp_indicator, idp-indicators, idp_session, idp-sessions, incident, incidents, indicator, indicators, ipv4, ipv6, k8s_cluster, k8s_clusters, legacy_detection, legacy-detections, mobile_os_forensics_report, mobile_os_forensics_reports, mobile_indicator, mobile-indicators, module, modules, macro_script, macro_scripts, okta_application, okta-applications, okta_user, okta-users, process, processes, ping_fed_application, ping-fed-applications, quarantined_file, quarantined-files, script, scripts, shield, shields, sensor_self_diagnostic, sensor-self-diagnostics, kerberos_ticket, kerberos-tickets, user_id, users, user_session, user-sessions, wifi_access_point, wifi-access-points, xdr, any-vertex
ids           query   array (string)   Vertex ID to get details for.
scope         query   string           Scope of the request.
nano          query   boolean          Return nano-precision entity timestamps.

Usage

Service class example (PEP8 syntax)

from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_summary(scope="string", nano=boolean, ids=id_list, vertex_type="string")

print(response)

Service class example (Operation ID syntax)

from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.combined_summary_get(scope="string",
                                       nano=boolean,
                                       ids=id_list,
                                       vertex_type="string"
                                       )

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("combined_summary_get",
                          scope="string",
                          nano=boolean,
                          ids=id_list,
                          vertex_type="string"
                          )

print(response)

Back to Table of Contents

entities_vertices_get

Retrieve metadata for a given vertex ID

PEP8 method name

get_vertices_v1

Endpoint

Method Route
GET /threatgraph/entities/{vertex-type}/v1

Required Scope

threatgraph:read

Content-Type

  • Produces: application/json

Keyword Arguments

All keywords below are supported by both the Service class and the Uber class.

Name          Type    Data type        Description
vertex_type   path    string           Type of vertex to get properties for. Available values:
                                       accessory, accessories, actor, ad_computer, ad-computers, adfs_application, adfs-applications, ad_group, ad-groups, aggregate_indicator, aggregate-indicators, sensor, devices, mobile_app, mobile-apps, azure_application, azure-applications, azure_ad_user, azure-ad-users, containerized_app, containerized-apps, certificate, certificates, command_line, command-lines, control_graph, control-graphs, detection, detections, domain, domains, extracted_file, extracted-files, firmware, firmwares, mobile_fs_volume, mobile-fs-volumes, firewall, firewalls, firewall_rule_match, firewall_rule_matches, host_name, host-names, detection_index, detection-indices, idp_indicator, idp-indicators, idp_session, idp-sessions, incident, incidents, indicator, indicators, ipv4, ipv6, k8s_cluster, k8s_clusters, legacy_detection, legacy-detections, mobile_os_forensics_report, mobile_os_forensics_reports, mobile_indicator, mobile-indicators, module, modules, macro_script, macro_scripts, okta_application, okta-applications, okta_user, okta-users, process, processes, ping_fed_application, ping-fed-applications, quarantined_file, quarantined-files, script, scripts, shield, shields, sensor_self_diagnostic, sensor-self-diagnostics, kerberos_ticket, kerberos-tickets, user_id, users, user_session, user-sessions, wifi_access_point, wifi-access-points, xdr, any-vertex
ids           query   array (string)   Vertex ID to get details for.
scope         query   string           Scope of the request.
nano          query   boolean          Return nano-precision entity timestamps.

Usage

Service class example (PEP8 syntax)

from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_vertices_v1(scope="string", nano=boolean, ids=id_list, vertex_type="string")

print(response)

Service class example (Operation ID syntax)

from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_vertices_get(scope="string",
                                        nano=boolean,
                                        ids=id_list,
                                        vertex_type="string"
                                        )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_vertices_get",
                          scope="string",
                          nano=boolean,  # nano is a boolean, not a string
                          ids=id_list,
                          vertex_type="string"
                          )
print(response)

Back to Table of Contents

entities_vertices_getv2

Retrieve metadata for a given vertex ID

PEP8 method name

get_vertices

Endpoint

Method Route
GET /threatgraph/entities/{vertex-type}/v2

Required Scope

threatgraph:read

Content-Type

  • Produces: application/json

Keyword Arguments

All keywords below are supported by both the Service class and the Uber class.

Name          Type    Data type        Description
vertex_type   path    string           Type of vertex to get properties for. Available values:
                                       accessory, accessories, actor, ad_computer, ad-computers, adfs_application, adfs-applications, ad_group, ad-groups, aggregate_indicator, aggregate-indicators, sensor, devices, mobile_app, mobile-apps, azure_application, azure-applications, azure_ad_user, azure-ad-users, containerized_app, containerized-apps, certificate, certificates, command_line, command-lines, control_graph, control-graphs, detection, detections, domain, domains, extracted_file, extracted-files, firmware, firmwares, mobile_fs_volume, mobile-fs-volumes, firewall, firewalls, firewall_rule_match, firewall_rule_matches, host_name, host-names, detection_index, detection-indices, idp_indicator, idp-indicators, idp_session, idp-sessions, incident, incidents, indicator, indicators, ipv4, ipv6, k8s_cluster, k8s_clusters, legacy_detection, legacy-detections, mobile_os_forensics_report, mobile_os_forensics_reports, mobile_indicator, mobile-indicators, module, modules, macro_script, macro_scripts, okta_application, okta-applications, okta_user, okta-users, process, processes, ping_fed_application, ping-fed-applications, quarantined_file, quarantined-files, script, scripts, shield, shields, sensor_self_diagnostic, sensor-self-diagnostics, kerberos_ticket, kerberos-tickets, user_id, users, user_session, user-sessions, wifi_access_point, wifi-access-points, xdr, any-vertex
ids           query   array (string)   Vertex ID to get details for.
scope         query   string           Scope of the request.
nano          query   boolean          Return nano-precision entity timestamps.

Usage

Service class example (PEP8 syntax)

from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_vertices(scope="string", nano=boolean, ids=id_list, vertex_type="string")

print(response)

Service class example (Operation ID syntax)

from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_vertices_getv2(scope="string",
                                          nano=boolean,
                                          ids=id_list,
                                          vertex_type="string"
                                          )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_vertices_getv2",
                          scope="string",
                          nano=boolean,
                          ids=id_list,
                          vertex_type="string"
                          )
print(response)

Back to Table of Contents

queries_edgetypes_get

Show all available edge types

PEP8 method name

get_edge_types

Endpoint

Method Route
GET /threatgraph/queries/edge-types/v1

Required Scope

threatgraph:read

Content-Type

  • Produces: application/json

Keyword Arguments

No keywords or arguments accepted

Usage

Service class example (PEP8 syntax)

from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

response = falcon.get_edge_types()

print(response)

Service class example (Operation ID syntax)

from falconpy import ThreatGraph

falcon = ThreatGraph(client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET
                     )

response = falcon.queries_edgetypes_get()

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queries_edgetypes_get")

print(response)

Back to Table of Contents
