Skip to content

Intelligence Indicator Graph

Jump to bottom
Joshua Hiller edited this page Mar 21, 2026 · 5 revisions

CrowdStrike Falcon CrowdStrike Subreddit

Using the Intelligence Indicator Graph service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation ID Description
LookupIndicators
PEP 8 lookup_indicators
Get indicators based on their value.
SearchIndicators
PEP 8 search
Search indicators based on FQL filter.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

LookupIndicators

Get indicators based on their value.

PEP8 method name

lookup

Endpoint

Method Route
POST /intelligence/combined/indicators/v1

Required Scope

indicator-graph:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body Service Class Support Uber Class Support body dictionary Full body payload as a dictionary. Not required when using other keywords.
values Service Class Support Uber Class Support body list of strings List of indicator values to look up.

Usage

Service class example (PEP8 syntax)
from falconpy import IntelligenceIndicatorGraph

# Do not hardcode API credentials!
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                   )

response = falcon.lookup_indicators(values=["string"])
print(response)
Service class example (Operation ID syntax)
from falconpy import IntelligenceIndicatorGraph

# Do not hardcode API credentials!
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                   )

response = falcon.LookupIndicators(values=["string"])
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "values": ["string"]
}

response = falcon.command("LookupIndicators", body=body_payload)
print(response)

Back to Table of Contents

SearchIndicators

Search indicators based on FQL filter.

PEP8 method name

search

Endpoint

Method Route
POST /intelligence/combined/indicators/v1

Required Scope

indicator-graph:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body Service Class Support Uber Class Support body dictionary Full body payload as JSON formatted dictionary.
filter Service Class Support Uber Class Support body string FQL formatted filter.

Filter parameters include: Type, LastUpdated, KillChain, MaliciousConfidence, MaliciousConfidenceValidatedTime, FirstSeen, LastSeen, Adversaries.Name, Adversaries.Slug, Reports.Title, Reports.Slug, Threats.FamilyName, Vulnerabilities.CVE, Sectors.Name, FileDetails.SHA256, FileDetails.SHA1, FileDetails.MD5, DomainDetails.Detail, IPv4Details.IPv4, IPv6Details.IPv6, URLDetails.URL and others.
limit Service Class Support Uber Class Support query integer Limit
offset Service Class Support Uber Class Support query string Offset
parameters Service Class Support Uber Class Support query dictionary Full query parameters payload as a dictionary, not required when using other keywords.
sort Service Class Support Uber Class Support body dictionary or list of dictionaries List of sort operations to perform on the resultset.

Usage

Service class example (PEP8 syntax)
from falconpy import IntelligenceIndicatorGraph

# Do not hardcode API credentials!
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

sort_order = {
    "field": "string",
    "order": "string"
}

response = falcon.search(limit=integer, offset="string", filter="string", sort=sort_order)

print(response)
Service class example (Operation ID syntax)
from falconpy import IntelligenceIndicatorGraph

# Do not hardcode API credentials!
falcon = IntelligenceIndicatorGraph(client_id=CLIENT_ID,
                                    client_secret=CLIENT_SECRET
                                    )

sort_order = {
    "field": "string",
    "order": "string"
}

response = falcon.SearchIndicators(limit=integer,
                                   offset="string",
                                   filter="string",
                                   sort=sort_order
                                   )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
  "filter": "string",
  "sort": [
    {
      "field": "string",
      "order": "string"
    }
  ]
}

response = falcon.command("SearchIndicators", limit="string", offset="string", body=body_payload)

print(response)

Back to Table of Contents

CrowdStrike Falcon

Clone this wiki locally