Intel examples

The examples within this folder focus on leveraging the CrowdStrike Falcon Intel service collection.

Get MITRE ATT&CK Reports

Retrieves MITRE ATT&CK reports for specified adversaries.

Running the program

In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:

Service Collection            Scope
Intel                         READ

Execution syntax

This sample leverages simple command-line arguments to implement functionality.

Basic usage

Retrieve all available MITRE ATT&CK reports.

python3 get_mitre_reports.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET

Execute the routine for GovCloud customers.

Only retrieve available kitten reports.

Retrieve all available reports for bears, jackals, spiders and also grab Stardust Chollima.

Command-line help

Command-line help is available via the -h argument.

Example source code

The source code for this example can be found here.

Quickly search CrowdStrike Falcon Intelligence data for string matches. Displays lists of matches and extended details for individual records when only one result is returned. When a value for output prefix (-o) is provided, results will also be written to individual files in CSV format.

Running the program

In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:

Service Collection                  Scope
Actors (Falcon Intelligence)        READ
Indicators (Falcon Intelligence)    READ
Reports (Falcon Intelligence)       READ

Required Python libraries

In addition to FalconPy (crowdstrike-falconpy), this application requires the following Python packages:

  • pyfiglet

  • tabulate

  • termcolor

Execution syntax

This sample leverages simple command-line arguments to implement functionality.

Basic usage

Search for all actors, indicators and reports containing the string spider.

Providing a file prefix with the -o argument will also output the results in CSV format to individual files.

Search for a specific actor. (Any time only one result is returned, the application defaults to a detailed display.)

Search for all CrowdStrike annual reports.

Review the details for a single CrowdStrike report.

Note: you do not have to limit results to the reports category for this example.

Search for a specific indicator.

Note: you do not have to limit results to the indicators category for this example.

Show the debug output.

Command-line help

Command-line help is available via the -h argument.

Example source code

The source code for this example can be found here.
