IOC
Joshua Hiller edited this page May 3, 2022
This service collection has code examples posted to the repository.
Operation ID | Description
---|---
indicator_combined_v1 | Get Combined for Indicators.
indicator_get_v1 | Get Indicators by ids.
indicator_create_v1 | Create Indicators.
indicator_delete_v1 | Delete Indicators by ids or a filter.
indicator_update_v1 | Update Indicators.
indicator_search_v1 | Search for Indicators.
DevicesCount | Number of hosts in your customer account that have observed a given custom IOC.
DevicesRanOn | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1.
ProcessesRanOn | Search for processes associated with a custom IOC.
entities_processes | For the provided ProcessID retrieve the process details.
Get Combined for Indicators.
indicator_combined
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
after | ✓ | ✓ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filter | ✓ | ✓ | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters:
from_parent | ✓ | ✓ | query | boolean | Return only indicators belonging to the requesting customer, or only those inherited from its MSSP parents.
limit | ✓ | ✓ | query | integer | Maximum number of results to return.
offset | ✓ | ✓ | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k IOCs, use the after parameter instead of offset.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
sort | ✓ | ✓ | query | string | FQL Syntax formatted sort filter.
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.indicator_combined(filter="string",
offset=integer,
limit=integer,
sort="string",
after="string",
from_parent=boolean
)
print(response)
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.indicator_combined_v1(filter="string",
offset=integer,
limit=integer,
sort="string",
after="string",
from_parent=boolean
)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.command("indicator_combined_v1",
filter="string",
offset=integer,
limit=integer,
sort="string",
after="string",
from_parent=boolean
)
print(response)
Get Indicators by ids.
indicator_get
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
ids | ✓ | ✓ | query | string or list of strings | The ids of the Indicators to retrieve.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.indicator_get(ids=id_list)
print(response)
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.indicator_get_v1(ids=id_list)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("indicator_get_v1", ids=id_list)
print(response)
Create Indicators.
indicator_create
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
action | ✓ | | body | string | Default action for IOC.
applied_globally | ✓ | | body | boolean | Flag indicating this IOC is applied globally.
body | ✓ | ✓ | body | dictionary | Full body payload in JSON format.
comment | ✓ | | body | string | IOC comment.
description | ✓ | | body | string | IOC description.
expiration | ✓ | | body | string | UTC formatted date string.
filename | ✓ | | body | string | Filename to use for the metadata dictionary.
host_groups | ✓ | | body | string or list of strings | List of host groups this IOC applies to.
ignore_warnings | ✓ | ✓ | query | boolean | Flag to indicate that warnings are ignored.
indicators | ✓ | | body | list of dictionaries | List of indicators to create. Overrides other keywords excluding body. Allows for the creation of multiple indicators at once.
metadata | ✓ | | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
platforms | ✓ | | body | string or list of strings | Platforms this IOC impacts.
retrodetects | ✓ | ✓ | query | boolean | Flag to indicate whether to submit retrodetects.
severity | ✓ | | body | string | IOC severity.
source | ✓ | | body | string | IOC source.
tags | ✓ | | body | string or list of strings | IOC tags.
type | ✓ | | body | string | IOC type.
value | ✓ | | body | string | String representation of the IOC.
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
host_group_list = 'HG1,HG2,HG3' # Can also pass a list here: ['HG1', 'HG2', 'HG3']
platform_list = 'OS1,OS2,OS3' # Can also pass a list here: ['OS1', 'OS2', 'OS3']
tag_list = 'TAG1,TAG2,TAG3' # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']
response = falcon.indicator_create(action="string",
applied_globally=boolean,
comment="string",
description="string",
expiration="string",
filename="string",
host_groups=host_group_list,
ignore_warnings=boolean,
platforms=platform_list,
retrodetects=boolean,
severity="string",
source="string",
tags=tag_list,
type="string",
value="string"
)
print(response)
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
host_group_list = 'HG1,HG2,HG3' # Can also pass a list here: ['HG1', 'HG2', 'HG3']
platform_list = 'OS1,OS2,OS3' # Can also pass a list here: ['OS1', 'OS2', 'OS3']
tag_list = 'TAG1,TAG2,TAG3' # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']
response = falcon.indicator_create_v1(action="string",
applied_globally=boolean,
comment="string",
description="string",
expiration="string",
filename="string",
host_groups=host_group_list,
ignore_warnings=boolean,
platforms=platform_list,
retrodetects=boolean,
severity="string",
source="string",
tags=tag_list,
type="string",
value="string"
)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
host_group_list = ['HG1', 'HG2', 'HG3']
platform_list = ['OS1', 'OS2', 'OS3']
tag_list = ['TAG1', 'TAG2', 'TAG3']
BODY = {
"comment": "string",
"indicators": [
{
"action": "string",
"applied_globally": True,
"description": "string",
"expiration": "2021-10-22T10:40:39.372Z",
"host_groups": host_group_list,
"metadata": {
"filename": "string"
},
"mobile_action": "string",
"platforms": platform_list,
"severity": "string",
"source": "string",
"tags": tag_list,
"type": "string",
"value": "string"
}
]
}
response = falcon.command("indicator_create_v1",
retrodetects=boolean,
ignore_warnings=boolean,
body=BODY
)
print(response)
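The create call above takes the same keywords the table lists, and the Uber example shows the raw body shape (`{"comment": ..., "indicators": [...]}`). Because a malformed or over-scoped IOC is accepted by the sensor fleet as-is (a typo'd hash never fires; a `prevent` rule on the wrong scope blocks the wrong hosts), it is worth validating rows before they are submitted. The following Python is an added example, not FalconPy or CrowdStrike code: it normalises values by type, enforces two scoping rules, and assembles the body you would pass as `body=` to `indicator_create` or to the Uber `command`. The action, platform and severity enumerations and the two rules (global XOR host_groups; prevent actions only for hashes) are assumptions taken from the IOC API's published documentation, not from this page.

```python
"""Validate indicators client-side and assemble an indicator_create body.

Added example; not FalconPy or CrowdStrike code. Enumerations and scoping rules
below are assumptions from the IOC API documentation, not from this wiki page.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Iterable, List, Optional

VALID_ACTIONS = {"no_action", "allow", "prevent_no_ui", "prevent", "detect"}  # assumed
VALID_PLATFORMS = {"windows", "mac", "linux"}                                  # assumed
VALID_SEVERITIES = {"informational", "low", "medium", "high", "critical"}      # assumed
HASH_LENGTH = {"md5": 32, "sha256": 64}
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def normalise_value(ioc_type: str, value: str) -> str:
    """Return the canonical form of `value` for `ioc_type`, or raise ValueError."""
    v = value.strip()
    if ioc_type in HASH_LENGTH:
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LENGTH[ioc_type], v):
            raise ValueError(f"{ioc_type} needs {HASH_LENGTH[ioc_type]} hex characters: {value!r}")
        return v.lower()
    if ioc_type in ("ipv4", "ipv6"):
        addr = ipaddress.ip_address(v)                    # raises ValueError on garbage
        if addr.version != int(ioc_type[-1]):
            raise ValueError(f"{value!r} is not an {ioc_type} address")
        return str(addr)
    if ioc_type == "domain":
        v = v.lower().rstrip(".")
        if not DOMAIN_RE.match(v):                        # rejects URLs, ports, paths
            raise ValueError(f"not a bare domain name: {value!r}")
        return v
    raise ValueError(f"unsupported indicator type {ioc_type!r}")


def build_indicator(ioc_type: str, value: str, action: str, platforms: Iterable[str], *,
                    severity: str = "medium", applied_globally: bool = False,
                    host_groups: Iterable[str] = (), description: str = "", source: str = "",
                    tags: Iterable[str] = (), expires_in_days: Optional[int] = None,
                    filename: Optional[str] = None) -> Dict[str, Any]:
    """Return one entry for the `indicators` list, refusing inconsistent input."""
    plats, groups = sorted(set(platforms)), sorted(set(host_groups))
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not plats or not set(plats) <= VALID_PLATFORMS:
        raise ValueError(f"platforms must be a non-empty subset of {sorted(VALID_PLATFORMS)}")
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    # Scope is exactly one of: whole tenant, or a non-empty host-group list (assumed API rule).
    if applied_globally == bool(groups):
        raise ValueError("set applied_globally=True or give host_groups, not both and not neither")
    # Blocking only applies to file hashes; domain/IP IOCs can only detect (assumed API rule).
    if action.startswith("prevent") and ioc_type not in HASH_LENGTH:
        raise ValueError(f"action {action!r} is only valid for md5/sha256 indicators")
    indicator: Dict[str, Any] = {
        "type": ioc_type, "value": normalise_value(ioc_type, value), "action": action,
        "platforms": plats, "severity": severity, "applied_globally": applied_globally,
        "description": description, "source": source, "tags": sorted(set(tags)),
    }
    if groups:
        indicator["host_groups"] = groups
    if expires_in_days is not None:
        # "UTC formatted date string", same shape as the page's 2021-10-22T10:40:39.372Z
        expires = datetime.now(timezone.utc) + timedelta(days=expires_in_days)
        indicator["expiration"] = expires.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    if filename and ioc_type in HASH_LENGTH:
        indicator["metadata"] = {"filename": filename}
    return indicator


def preflight(rows: Iterable[Dict[str, Any]]) -> List[str]:
    """Validate every row of a bulk import and return all problems, not just the first."""
    problems = []
    for n, row in enumerate(rows, 1):
        try:
            build_indicator(**row)
        except (ValueError, TypeError) as err:
            problems.append(f"row {n}: {err}")
    return problems


def build_create_body(indicators: List[Dict[str, Any]], comment: str) -> Dict[str, Any]:
    """Assemble the payload for indicator_create(body=...) or the Uber `body` keyword."""
    if not indicators:
        raise ValueError("nothing to create")
    if not comment.strip():
        raise ValueError("an audit comment is required")   # local policy, not an API rule
    return {"comment": comment, "indicators": indicators}
```

Run `preflight` over the whole import first so every bad row is reported in one pass, then hand the result of `build_create_body` to `falcon.indicator_create(body=..., retrodetects=..., ignore_warnings=...)`. Leave `ignore_warnings` off for the first submission: the warnings are usually about duplicates or conflicts you want to see.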
Delete Indicators by ids or a filter.
indicator_delete
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
comment | ✓ | ✓ | query | string | Comment to record with the delete operation.
filter | ✓ | ✓ | query | string | FQL Syntax formatted filter that should be used to delete indicators in bulk. If both filter and ids are provided, then filter takes precedence and ids is ignored.
ids | ✓ | ✓ | query | string or list of strings | The ids of the Indicators to delete. If both filter and ids are provided, then filter takes precedence and ids is ignored.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.indicator_delete(filter="string", comment="string", ids=id_list)
print(response)
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.indicator_delete_v1(filter="string", comment="string", ids=id_list)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("indicator_delete_v1",
filter="string",
comment="string",
ids=id_list
)
print(response)
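The precedence rule in the delete table deserves a guard: if a caller passes `ids` and a `filter` together, the API deletes everything the filter matches and silently ignores the ids. The following Python is an added example, not FalconPy or CrowdStrike code. `safe_delete` refuses the ambiguous combination, resolves a filter to concrete ids through `indicator_search` before anything is removed, enforces a bulk cap, defaults to a dry run, and then deletes by the resolved ids rather than re-sending the filter so the set cannot grow between the check and the delete. `DeletableIOCStub` and `SAMPLE_RECORDS` are constructed stand-ins for `falconpy.IOC` and its data (the stub understands only a single `field:'value'` FQL term); the real client is passed in their place.

```python
"""Guard rails for indicator_delete (added example, not FalconPy or CrowdStrike code)."""
from typing import Any, Dict, Iterable, List, Optional, Union

Response = Dict[str, Any]


def safe_delete(ioc: Any, *, comment: str, ids: Union[None, str, Iterable[str]] = None,
                filter: Optional[str] = None, max_bulk: int = 50,
                dry_run: bool = True) -> Dict[str, Any]:
    """Plan (and optionally perform) a deletion by ids or by filter, never both."""
    if isinstance(ids, str):                      # accept the page's 'ID1,ID2,ID3' convention
        ids = [i.strip() for i in ids.split(",") if i.strip()]
    if bool(ids) == bool(filter):
        raise ValueError("pass exactly one of ids or filter")
    if not comment.strip():
        raise ValueError("a comment explaining the deletion is required")   # local policy
    plan: Dict[str, Any]
    if ids:
        plan = {"mode": "ids", "ids": sorted(set(ids))}
    else:
        # Resolve the filter to ids first: the count is reviewable, and deleting by those
        # ids (not by re-sending the filter) pins the set even if new IOCs appear meanwhile.
        probe = ioc.indicator_search(filter=filter, limit=max_bulk + 1)
        if probe["status_code"] != 200:
            raise RuntimeError(f"search failed: {probe['body'].get('errors')}")
        matched: List[str] = probe["body"]["resources"]
        total = probe["body"]["meta"]["pagination"].get("total", len(matched))
        if total > max_bulk:
            raise RuntimeError(f"filter {filter!r} matches {total} indicators, above the cap "
                               f"of {max_bulk}; narrow the filter or raise max_bulk deliberately")
        plan = {"mode": "filter", "filter": filter, "ids": matched}
    plan["count"] = len(plan["ids"])
    plan["deleted"] = False
    if dry_run or not plan["ids"]:
        return plan
    resp = ioc.indicator_delete(ids=plan["ids"], comment=comment)   # ids only, never filter
    plan["deleted"] = resp["status_code"] == 200
    plan["response"] = resp["body"]
    return plan


class DeletableIOCStub:
    """Constructed in-memory stand-in for falconpy.IOC (search and delete only).

    indicator_delete reproduces the documented precedence: with `filter` present,
    `ids` is ignored.
    """

    def __init__(self, records: Iterable[Dict[str, Any]]):
        self.store = {r["id"]: dict(r) for r in records}

    @staticmethod
    def _match(filter: str, rec: Dict[str, Any]) -> bool:
        # Toy FQL: a single field:'value' term is all this stub understands.
        field, _, wanted = filter.partition(":")
        wanted = wanted.strip().strip("'")
        have = rec.get(field.strip())
        return wanted in have if isinstance(have, list) else have == wanted

    def indicator_search(self, filter: str, limit: int = 100, offset: int = 0,
                         **_: Any) -> Response:
        hits = [i for i, r in self.store.items() if self._match(filter, r)]
        meta = {"pagination": {"total": len(hits), "limit": limit, "offset": offset}}
        return {"status_code": 200,
                "body": {"meta": meta, "resources": hits[offset:offset + limit], "errors": []}}

    def indicator_delete(self, comment: str, ids: Optional[Iterable[str]] = None,
                         filter: Optional[str] = None) -> Response:
        if filter:                      # filter wins; ids silently ignored, as documented
            victims = [i for i, r in self.store.items() if self._match(filter, r)]
        else:
            victims = [i for i in (ids or []) if i in self.store]
        for i in victims:
            del self.store[i]
        return {"status_code": 200, "body": {"resources": victims, "errors": []}}


# Constructed sample data: three indicators from one campaign plus an allow-list entry.
SAMPLE_RECORDS = [
    {"id": "ioc-1", "type": "sha256", "value": "a" * 64, "tags": ["campaign-x"]},
    {"id": "ioc-2", "type": "domain", "value": "evil.example", "tags": ["campaign-x"]},
    {"id": "ioc-3", "type": "ipv4", "value": "203.0.113.9", "tags": ["campaign-x"]},
    {"id": "ioc-4", "type": "domain", "value": "partner.example", "tags": ["allowlist"]},
]
```

With a real client the call is `safe_delete(falcon, comment="ticket-123", filter="tags:'campaign-x'")` to see the plan, then the same call with `dry_run=False` once the count looks right.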
Update Indicators.
indicator_update
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
action | ✓ | | body | string | Default action for IOC.
applied_globally | ✓ | | body | boolean | Flag indicating this IOC is applied globally.
body | ✓ | ✓ | body | dictionary | Full body payload in JSON format.
bulk_update | ✓ | | body | dictionary | Dictionary containing the indicator update in JSON format. Not necessary when using other keywords.
comment | ✓ | | body | string | IOC comment.
description | ✓ | | body | string | IOC description.
expiration | ✓ | | body | string | UTC formatted date string.
filename | ✓ | | body | string | Filename to use for the metadata dictionary.
host_groups | ✓ | | body | string or list of strings | List of host groups this IOC applies to.
id | ✓ | | body | string | The Indicator ID to be updated. At least one ID must be specified using this keyword, or as part of the indicators list using the indicators keyword.
ignore_warnings | ✓ | ✓ | query | boolean | Flag to indicate that warnings are ignored.
indicators | ✓ | | body | list of dictionaries | List of indicators to update. Overrides other keywords excluding body. Allows for the update of multiple indicators at once.
metadata | ✓ | | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used.
mobile_action | ✓ | | body | string | Mobile action to perform.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
platforms | ✓ | | body | string or list of strings | Platforms this IOC impacts.
retrodetects | ✓ | ✓ | query | boolean | Flag to indicate whether to submit retrodetects.
severity | ✓ | | body | string | IOC severity.
source | ✓ | | body | string | IOC source.
tags | ✓ | | body | string or list of strings | IOC tags.
type | ✓ | | body | string | IOC type.
value | ✓ | | body | string | String representation of the IOC.
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
host_group_list = 'HG1,HG2,HG3' # Can also pass a list here: ['HG1', 'HG2', 'HG3']
platform_list = 'OS1,OS2,OS3' # Can also pass a list here: ['OS1', 'OS2', 'OS3']
tag_list = 'TAG1,TAG2,TAG3' # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']
response = falcon.indicator_update(action="string",
applied_globally=boolean,
comment="string",
description="string",
expiration="string",
filename="string",
host_groups=host_group_list,
ignore_warnings=boolean,
mobile_action="string",
platforms=platform_list,
retrodetects=boolean,
severity="string",
source="string",
tags=tag_list,
type="string",
value="string"
)
print(response)
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
host_group_list = 'HG1,HG2,HG3' # Can also pass a list here: ['HG1', 'HG2', 'HG3']
platform_list = 'OS1,OS2,OS3' # Can also pass a list here: ['OS1', 'OS2', 'OS3']
tag_list = 'TAG1,TAG2,TAG3' # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']
response = falcon.indicator_update_v1(action="string",
applied_globally=boolean,
comment="string",
description="string",
expiration="string",
filename="string",
host_groups=host_group_list,
ignore_warnings=boolean,
mobile_action="string",
platforms=platform_list,
retrodetects=boolean,
severity="string",
source="string",
tags=tag_list,
type="string",
value="string"
)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
host_group_list = ['HG1', 'HG2', 'HG3']
platform_list = ['OS1', 'OS2', 'OS3']
tag_list = ['TAG1', 'TAG2', 'TAG3']
BODY = {
"bulk_update": {
"action": "string",
"applied_globally": True,
"description": "string",
"expiration": "2021-10-22T11:03:16.123Z",
"filter": "string",
"host_groups": host_group_list,
"mobile_action": "string",
"platforms": platform_list,
"severity": "string",
"source": "string",
"tags": tag_list
},
"comment": "string",
"indicators": [
{
"action": "string",
"applied_globally": True,
"description": "string",
"expiration": "2021-10-22T11:03:16.123Z",
"host_groups": host_group_list,
"id": "string",
"metadata": {
"filename": "string"
},
"mobile_action": "string",
"platforms": platform_list,
"severity": "string",
"source": "string",
"tags": tag_list
}
]
}
response = falcon.command("indicator_update_v1",
ignore_warnings=boolean,
retrodetects=boolean,
body=BODY
)
print(response)
Search for Indicators.
indicator_search
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
after | ✓ | ✓ | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filter | ✓ | ✓ | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters:
limit | ✓ | ✓ | query | integer | Maximum number of results to return.
offset | ✓ | ✓ | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k IOCs, use the after parameter instead of offset.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
sort | ✓ | ✓ | query | string | FQL Syntax formatted sort filter.
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.indicator_search(filter="string",
offset=integer,
limit=integer,
sort="string",
after="string"
)
print(response)
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.indicator_search_v1(filter="string",
offset=integer,
limit=integer,
sort="string",
after="string"
)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.command("indicator_search_v1",
filter="string",
offset=integer,
limit=integer,
sort="string",
after="string"
)
print(response)
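Both the indicator_combined and indicator_search tables say the same thing about paging: `offset` and `after` are mutually exclusive, and only the `after` cursor reaches past 10k records. The following Python is an added example, not FalconPy or CrowdStrike code. `iter_indicators` is the cursor loop you would wrap around `falcon.indicator_search` (or `falcon.indicator_combined`); it never sends `offset` once it holds a token and it stops if a cursor fails to advance. `PagedIOCStub` is a constructed stand-in for the client that enforces the documented 10k ceiling on offset paging, so the two strategies can be compared offline; the response layout it returns (`body.meta.pagination.after`, `body.resources`) is the one FalconPy returns for these operations.

```python
"""Scroll an IOC search with the `after` cursor instead of `offset`.

Added example; not FalconPy or CrowdStrike code. `search` is any callable with
the keyword contract of IOC.indicator_search / IOC.indicator_combined
(filter, limit, offset, after) returning a FalconPy-style response dict.
"""
from typing import Any, Callable, Dict, Iterator, Optional

Response = Dict[str, Any]


def iter_indicators(search: Callable[..., Response], filter: str,
                    limit: int = 1000) -> Iterator[Any]:
    """Yield every resource matching `filter`, following the `after` token.

    The first request carries no `after`; each later request sends the token from
    the previous response and never an `offset` (the two are mutually exclusive).
    """
    after: Optional[str] = None
    seen_cursors = set()
    while True:
        kwargs: Dict[str, Any] = {"filter": filter, "limit": limit}
        if after:
            kwargs["after"] = after
        resp = search(**kwargs)
        body = resp["body"]
        if resp["status_code"] != 200:
            raise RuntimeError(f"search failed: {body.get('errors')}")
        resources = body.get("resources") or []
        yield from resources
        after = body.get("meta", {}).get("pagination", {}).get("after")
        if not after or len(resources) < limit:
            return
        if after in seen_cursors:        # a cursor that stops advancing would loop forever
            raise RuntimeError("pagination cursor did not advance")
        seen_cursors.add(after)


def count_with_offset(search: Callable[..., Response], filter: str,
                      limit: int = 1000) -> int:
    """Offset paging for comparison: returns how many ids it managed to fetch."""
    offset = count = 0
    while True:
        resp = search(filter=filter, limit=limit, offset=offset)
        if resp["status_code"] != 200:
            return count                 # the 10k ceiling stops this loop early
        ids = resp["body"]["resources"]
        if not ids:
            return count
        count += len(ids)
        offset += len(ids)


class PagedIOCStub:
    """Constructed stand-in for falconpy.IOC holding `total` fake indicator ids.

    Like the real service it rejects offset+after together and refuses offset
    paging past 10,000 records; the `after` token here is simply the next index.
    """
    OFFSET_CEILING = 10_000

    def __init__(self, total: int):
        self._ids = [f"ioc-{n:05d}" for n in range(total)]

    def indicator_search(self, filter: str, limit: int = 100, offset: int = 0,
                         after: Optional[str] = None, sort: str = "") -> Response:
        if after is not None and offset:
            return self._error("offset and after are mutually exclusive")
        start = int(after) if after is not None else offset
        if after is None and start + limit > self.OFFSET_CEILING:
            return self._error("offset paging cannot exceed 10000 records; use after")
        page = self._ids[start:start + limit]
        end = start + len(page)
        next_after = str(end) if end < len(self._ids) else None
        pagination = {"total": len(self._ids), "limit": limit, "after": next_after}
        return {"status_code": 200,
                "body": {"meta": {"pagination": pagination}, "resources": page, "errors": []}}

    @staticmethod
    def _error(message: str) -> Response:
        return {"status_code": 400,
                "body": {"meta": {}, "resources": [], "errors": [{"code": 400, "message": message}]}}


if __name__ == "__main__":
    stub = PagedIOCStub(10_050)
    print("offset paging reached:", count_with_offset(stub.indicator_search, "type:'sha256'"))
    print("cursor paging reached:", sum(1 for _ in iter_indicators(stub.indicator_search, "type:'sha256'")))
```

Against a real tenant, `for ioc_id in iter_indicators(falcon.indicator_search, "type:'sha256'")` streams ids; substitute `falcon.indicator_combined` to stream full indicator objects instead.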
Number of hosts in your customer account that have observed a given custom IOC
devices_count
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
type | ✓ | ✓ | query | string | The type of the indicator. Valid types include:
value | ✓ | ✓ | query | string | The string representation of the indicator.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.devices_count(type="string", value="string")
print(response)
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.DevicesCount(type="string", value="string")
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.command("DevicesCount", type="string", value="string")
print(response)
Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1
devices_ran_on
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
type | ✓ | ✓ | query | string | The type of the indicator. Valid types include:
value | ✓ | ✓ | query | string | The string representation of the indicator.
limit | ✓ | ✓ | query | integer | Maximum number of results to return.
offset | ✓ | ✓ | query | integer | Starting offset to begin returning results.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.devices_ran_on(type="string",
value="string",
limit=integer,
offset=integer
)
print(response)
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.DevicesRanOn(type="string",
value="string",
limit=integer,
offset=integer
)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.command("DevicesRanOn",
type="string",
value="string",
limit=integer,
offset=integer
)
print(response)
Search for processes associated with a custom IOC
processes_ran_on
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
type | ✓ | ✓ | query | string | The type of the indicator. Valid types include:
value | ✓ | ✓ | query | string | The string representation of the indicator.
device_id | ✓ | ✓ | query | string | Specify a Host AID to return only processes from that host.
limit | ✓ | ✓ | query | integer | Maximum number of results to return.
offset | ✓ | ✓ | query | integer | Starting offset to begin returning results.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.processes_ran_on(type="string",
value="string",
device_id="string",
limit=integer,
offset=integer
)
print(response)
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.ProcessesRanOn(type="string",
value="string",
device_id="string",
limit=integer,
offset=integer
)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.command("ProcessesRanOn",
type="string",
value="string",
device_id="string",
limit=integer,
offset=integer
)
print(response)
For the provided ProcessID retrieve the process details
entities_processes
- Produces: application/json
Name | Service | Uber | Type | Data type | Description
---|---|---|---|---|---
ids | ✓ | ✓ | query | string or list of strings | ProcessID for the running process you want to look up.
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC
falcon = IOC(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.entities_processes(ids=id_list)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("entities_processes", ids=id_list)
print(response)