crowdstrike.falcon.intel_rule_info module – Get information about CrowdStrike Falcon Intel rules
Note

This module is part of the crowdstrike.falcon collection (version 4.8.0).

To install it, use: ansible-galaxy collection install crowdstrike.falcon.

You need further requirements to be able to use this module; see Requirements for details.

To use it in a playbook, specify: crowdstrike.falcon.intel_rule_info.
Synopsis
Search for and retrieve details about Intel rules in the CrowdStrike Falcon platform.
Requirements

The below requirements are needed on the host that executes this module.

- Rules (Falcon Intelligence) [READ] API scope
- crowdstrike-falconpy >= 1.3.0
- python >= 3.6
Parameters

Parameter | Comments
---|---
auth | The registered result of the crowdstrike.falcon.auth module, or a dictionary containing the access_token and cloud keys. If provided, the client_id, client_secret, member_cid, and cloud options are ignored. Useful when needing to make multiple API calls to avoid rate limiting issues.
auth / access_token | The OAuth2 access token to use for authentication.
auth / cloud | The CrowdStrike cloud region to use. This can differ from the module's cloud argument due to autodiscovery.
client_id | The CrowdStrike API client ID to use. See the Falcon documentation for more information about API clients. The
client_secret | The CrowdStrike API secret that corresponds to the client ID. See the Falcon documentation for more information about API clients. The
cloud | The CrowdStrike cloud region to use. All clouds are automatically discovered if not specified, except for the The Choices:
description | Substring match on the description field.
ext_headers | Extended headers that are prepended to the default headers dictionary.
limit | The maximum number of rule IDs to return. [integer, 1-5000]
member_cid | The CrowdStrike member CID for MSSP authentication. See the Falcon documentation for more information about API clients. The
name | Search by rule title.
q | Perform a generic substring search across all fields.
sort | The property to sort by in FQL (Falcon Query Language) syntax (e.g. created_date|asc). See the FalconPy documentation for more information about sorting with FQL.
tags | Search for rule tags.
type | The rule news report type. Choices:
user_agent | Custom User-Agent string to use for requests to the API. The user agent string is prepended to the default user agent string ( See RFC 7231 for more information. The
Notes

Note: For large sets of rule IDs (when no limit is set) there may be a delay in processing, because the current API endpoint for retrieving rule details can only process 10 IDs at a time, so the module issues one details request per batch of 10.
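The batching behaviour behind that note, as an added example that is not code from the crowdstrike.falcon collection: query the matching rule IDs (respecting the module's 1-5000 limit), then fetch details 10 IDs per request and concatenate the results. It assumes, as an assumption about FalconPy rather than something this page states, that the `falconpy.Intel` service class exposes `query_rule_ids(...)` and `get_rule_entities(ids=[...])` and returns dicts shaped like `{"status_code": int, "body": {"resources": [...]}}`; a constructed in-memory `StubIntel` with the same shape stands in for a live client so the script runs offline, and the rule records are constructed sample data, not real Falcon rule IDs.

```python
"""Batch retrieval of Falcon Intel rule details, 10 IDs per details call.
Added example; not part of the crowdstrike.falcon collection."""
from typing import Any, Dict, Iterator, List

DETAILS_BATCH_SIZE = 10  # the details endpoint processes at most 10 rule IDs per call


def chunked(items: List[str], size: int) -> Iterator[List[str]]:
    """Yield consecutive slices of at most `size` items."""
    if size < 1:
        raise ValueError("batch size must be >= 1")
    for start in range(0, len(items), size):
        yield items[start:start + size]


def query_rule_ids(client, rule_type: str, limit: int = 5000, **filters) -> List[str]:
    """Collect matching rule IDs, paging by offset until `limit` IDs are gathered
    or the API returns an empty page. `filters` mirrors the module's search
    options (description, tags, name, q, sort)."""
    if not 1 <= limit <= 5000:
        raise ValueError("limit must be between 1 and 5000")  # same bound as the module
    ids: List[str] = []
    offset = 0
    while len(ids) < limit:
        page = min(500, limit - len(ids))  # assumed per-page maximum for the query endpoint
        resp = client.query_rule_ids(type=rule_type, offset=offset, limit=page, **filters)
        if resp["status_code"] != 200:
            raise RuntimeError(f"query_rule_ids failed: HTTP {resp['status_code']}")
        batch = resp["body"].get("resources", [])
        if not batch:
            break
        ids.extend(batch)
        offset += len(batch)
    return ids[:limit]


def get_rule_details(client, rule_ids: List[str]) -> List[Dict[str, Any]]:
    """Fetch details DETAILS_BATCH_SIZE IDs at a time and concatenate the results;
    a failed batch aborts rather than silently returning a partial list."""
    details: List[Dict[str, Any]] = []
    for batch in chunked(rule_ids, DETAILS_BATCH_SIZE):
        resp = client.get_rule_entities(ids=batch)
        if resp["status_code"] != 200:
            raise RuntimeError(f"get_rule_entities failed: HTTP {resp['status_code']}")
        details.extend(resp["body"].get("resources", []))
    return details


def fetch_rules(client, rule_type: str, limit: int = 5000, **filters) -> List[Dict[str, Any]]:
    """End-to-end flow of the module: query IDs, then batch the detail lookups."""
    return get_rule_details(client, query_rule_ids(client, rule_type, limit, **filters))


class StubIntel:
    """Constructed offline stand-in for falconpy.Intel (assumed method names and
    response shape). Rejects oversized batches and records each batch size so the
    batching can be verified."""

    def __init__(self, rules: List[Dict[str, Any]]):
        self.rules = rules
        self.detail_call_sizes: List[int] = []

    def query_rule_ids(self, type, offset=0, limit=500, **filters):
        matching = [r["id"] for r in self.rules if r["type"] == type]
        return {"status_code": 200, "body": {"resources": matching[offset:offset + limit]}}

    def get_rule_entities(self, ids):
        if len(ids) > DETAILS_BATCH_SIZE:
            return {"status_code": 400, "body": {"errors": [{"message": "too many ids"}]}}
        self.detail_call_sizes.append(len(ids))
        wanted = set(ids)
        return {"status_code": 200,
                "body": {"resources": [r for r in self.rules if r["id"] in wanted]}}


# Constructed sample data (not real Falcon rule IDs): 23 YARA rules and 2 Snort/Suricata rules.
SAMPLE_RULES = [{"id": f"yara-{i:03d}", "type": "yara-master", "name": f"rule_{i}"} for i in range(23)]
SAMPLE_RULES += [{"id": f"snort-{i}", "type": "snort-suricata-master", "name": f"sid_{i}"} for i in range(2)]


if __name__ == "__main__":
    intel = StubIntel(SAMPLE_RULES)
    rules = fetch_rules(intel, "yara-master", limit=50)
    print(f"{len(rules)} rules fetched in {len(intel.detail_call_sizes)} detail calls: {intel.detail_call_sizes}")
```

With 23 matching rules the stub records three detail calls of sizes 10, 10 and 3, which is why a query that matches thousands of rules takes noticeably longer than the ID query itself; setting `limit` caps both the number of IDs and the number of detail round-trips.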
Examples

```yaml
- name: Get details on the latest 50 YARA rules
  crowdstrike.falcon.intel_rule_info:
    type: "yara-master"
    limit: 50
    sort: "created_date|desc"

- name: Get Snort/Suricata rules with a specific description pattern
  crowdstrike.falcon.intel_rule_info:
    type: "snort-suricata-master"
    description:
      - "FANCY BEAR"

- name: Search for rules with specific tags
  crowdstrike.falcon.intel_rule_info:
    type: "yara-master"
    tags:
      - "intel_feed"
      - "yara"
```
Return Values

Common return values are documented here; the following are the fields unique to this module:

Key | Description | Returned
---|---|---
intel_rules | List of intel rules and their details | always
intel_rules / created_date | Unix timestamp when the rule was created | always
intel_rules / description | Full description of the rule | always
intel_rules / id | The ID of the rule | always
intel_rules / last_modified_date | Unix timestamp when the rule was last modified | always
intel_rules / name | The name of the rule | always
intel_rules / rich_text_description | HTML-formatted description of the rule | when available
intel_rules / short_description | Abbreviated description of the rule | always
intel_rules / tags | List of tags associated with the rule | when available
intel_rules / type | Type of rule (yara-master, snort-suricata-master, etc.) | always