It appears that the following paths are off, so they are not returning data:
GET /intel/combined/indicators/v1?filter=_marker%3A%3E%221234567890%22&limit=10000&offset=0&sort=_marker.asc
GET /iocs/combined/indicator/v1?limit=10
We currently make requests like the following:
GET /intel/combined/indicators/v1?sort=_marker.asc&limit=xxx&offset=...&filter=_marker:>"xxx"
GET /iocs/combined/indicator/v1?sort=modified_on&limit=xxx&offset=...&filter=modified_on:>"xxx"
The `ti_crowdstrike` integration README says:

> API documentation is available to admins at https://developer.crowdstrike.com/.
> Both the endpoints are related to the threat intelligence.
> Intel Indicators provide information about a hash, particularly related to malware and threat types, while
> IOC provides information about the detection of an IPv4 address, including severity, platforms, and global application status.
Looking at the documentation for CrowdStrike's Falcon SDK for Python, https://github.com/CrowdStrike/falconpy, which is a Python library for accessing that API, I can see a few things:
The IOC-related paths differ from ours (`/iocs/combined/indicator/v1`), which matches neither the deprecated endpoint `/indicators/queries/iocs/v1` nor its replacement `/iocs/queries/indicators/v1`.
There is an intel endpoint `/intel/combined/indicators/v1` that does match what we're using. The Python SDK says it has a maximum `limit` value of 5k, whereas we use a default limit of 10k, which does match CrowdStrike documentation.
We set the sort parameter as `sort=_marker.asc`, but the documentation says to use a pipe to join the sort field and direction: `sort=_marker|asc`.
Our use of Falcon Query Language for the `filter` parameter, e.g. `_marker:>"1234567890"`, may be incorrect. Perhaps it should use single quotes. More importantly, `_marker` may be a parameter of its own for pagination, not a field to filter on.
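As an added example (not code from the `ti_crowdstrike` integration or from falconpy), this is what a marker-driven pagination loop over `/intel/combined/indicators/v1` looks like when it follows the documentation wording quoted above: a pipe-joined `sort`, a single-quoted FQL filter on the last `_marker` seen, and the 5k `limit` cap the SDK documents. The exact parameter forms and the sample indicator rows are assumptions, not verified against the live API.

```python
# Added example, not the integration's or falconpy's code. Parameter forms
# (sort=_marker|asc, filter=_marker:>'<marker>') are assumptions taken from the
# documentation wording quoted in the issue; MAX_LIMIT is the SDK-documented cap.
from urllib.parse import parse_qs, urlencode, urlparse

INTEL_INDICATORS_PATH = "/intel/combined/indicators/v1"
MAX_LIMIT = 5000  # maximum limit per request according to the Python SDK


def build_query(last_marker="", limit=MAX_LIMIT):
    """Build the path + query string for the page following `last_marker`."""
    if limit > MAX_LIMIT:
        raise ValueError(f"limit {limit} exceeds API maximum of {MAX_LIMIT}")
    params = {"sort": "_marker|asc", "limit": limit}
    if last_marker:  # first page has no filter; later pages start after the last marker
        params["filter"] = f"_marker:>'{last_marker}'"
    return f"{INTEL_INDICATORS_PATH}?{urlencode(params)}"


def fetch_all(fetch_page, limit=MAX_LIMIT, start_marker=""):
    """Collect every indicator; fetch_page(url) returns one page as a list of dicts."""
    resources, marker = [], start_marker
    while True:
        page = fetch_page(build_query(marker, limit))
        resources.extend(page)
        if len(page) < limit:  # a short (or empty) page means we are done
            return resources
        next_marker = page[-1]["_marker"]
        if next_marker == marker:  # guard against looping on a stuck marker
            return resources
        marker = next_marker


# Constructed sample data: seven indicators with ascending, equal-length markers.
FAKE_INDICATORS = [
    {"indicator": f"hash{i}", "_marker": f"17000000{i:02d}"} for i in range(1, 8)
]


def fake_fetch(url):
    """Offline stand-in for the API: apply the _marker filter and the limit."""
    q = parse_qs(urlparse(url).query)
    limit = int(q["limit"][0])
    after = q["filter"][0].split("'")[1] if "filter" in q else ""
    rows = [r for r in FAKE_INDICATORS if r["_marker"] > after]
    return rows[:limit]


if __name__ == "__main__":
    print(build_query("1700000003", 3))
    print(len(fetch_all(fake_fetch, limit=3)), "indicators fetched")
```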
CrowdStrike documentation from 2024-04-04 for "Falcon Intelligence APIs" covers the following (note the absence of `/iocs/` endpoints):

| Section | API Paths |
|---|---|
| About CrowdStrike APIs | |
| Using Intel APIs | |
| Search for data about actors | `GET /intel/queries/actors/v1`<br>`GET /intel/entities/actors/v1`<br>`GET /intel/combined/actors/v1` |
| Query for various types of indicators (Relations, Filtering, Deep pagination) | `GET /intel/queries/indicators/v1`<br>`POST /intel/entities/indicators/GET/v1`<br>`GET /intel/combined/indicators/v1` |
| Query CrowdStrike intelligence publications | `GET /intel/queries/reports/v1`<br>`GET /intel/entities/reports/v1`<br>`GET /intel/combined/reports/v1` |
| Download rules to use in other tools | `GET /intel/entities/rules-latest-files/v1`<br>`GET /intel/queries/rules/v1`<br>`GET /intel/entities/rules/v1`<br>`GET /intel/entities/rules-files/v1` |
| Advanced: Conditional GET requests | |
It looks like the `/queries/` endpoints are for listing, the `/entities/` endpoints are for fetching, and the `/combined/` endpoints do both together.

Questions:

- [ ] Do `GET /iocs/combined/indicator/v1` endpoints still exist? Is there separate documentation for them?
- [ ] What are the errors in our request paths or other details of our API use?