Joshua Hiller edited this page Jan 17, 2024 · 30 revisions


Using the IOC service collection


This service collection has code examples posted to the repository.

Table of Contents

| Operation ID | PEP8 method name | Description |
| :--- | :--- | :--- |
| indicator_aggregate_v1 | indicator_aggregate | Get Indicators aggregates as specified via json in the request body. |
| indicator_combined_v1 | indicator_combined | Get Combined for Indicators. |
| action_get_v1 | action_get | Get Actions by ids. |
| GetIndicatorsReport | get_indicators_report | Launch an indicators report creation job. |
| indicator_get_v1 | indicator_get | Get Indicators by ids. |
| indicator_create_v1 | indicator_create | Create Indicators. |
| indicator_delete_v1 | indicator_delete | Delete Indicators by ids. |
| indicator_update_v1 | indicator_update | Update Indicators. |
| action_query_v1 | action_query | Query Actions. |
| indicator_search_v1 | indicator_search | Search for Indicators. |
| ioc_type_query_v1 | ioc_type_query | Query IOC Types. |
| platform_query_v1 | platform_query | Query Platforms. |
| severity_query_v1 | severity_query | Query Severities. |
| DevicesCount | devices_count_legacy | Number of hosts in your customer account that have observed a given custom IOC. |
| indicator_get_device_count_v1 | devices_count | Number of hosts in your customer account that have observed a given custom IOC. |
| DevicesRanOn | devices_ran_on_legacy | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1. |
| indicator_get_devices_ran_on_v1 | devices_ran_on | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1. |
| ProcessesRanOn | processes_ran_on_legacy | Search for processes associated with a custom IOC (Deprecated). |
| indicator_get_processes_ran_on_v1 | processes_ran_on | Search for processes associated with a custom IOC. |
| entities_processes | entities_processes | For the provided ProcessID retrieve the process details. |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

indicator_aggregate_v1

Get Indicators aggregates as specified via json in the request body.

PEP8 method name

indicator_aggregate

Endpoint

| Method | Route |
| :--- | :--- |
| POST | /iocs/aggregates/indicators/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| body | Yes | Yes | body | list of dictionaries | Full body payload in JSON format. |
| date_ranges | Yes | No | body | list of dictionaries | Applies to date_range aggregations. Example: `[{"from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z"}, {"from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z"}]` |
| exclude | Yes | No | body | string | Elements to exclude. |
| field | Yes | No | body | string | The field on which to compute the aggregation. |
| filter | Yes | No | body | string | FQL syntax formatted string to use to filter the results. |
| from | Yes | No | body | integer | Starting position. |
| include | Yes | No | body | string | Elements to include. |
| interval | Yes | No | body | string | Time interval for date histogram aggregations. Valid values: year, month, week, day, hour, minute. |
| max_doc_count | Yes | No | body | integer | Only return buckets whose values are less than or equal to this value. |
| min_doc_count | Yes | No | body | integer | Only return buckets whose values are greater than or equal to this value. |
| missing | Yes | No | body | string | The value to use when the aggregation field is missing from the object; in other words, it defines how documents that lack a value are treated. By default they are ignored, but they can instead be treated as if they had this value. |
| name | Yes | No | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | Yes | No | body | string | Full text search across all metadata fields. |
| ranges | Yes | No | body | list of dictionaries | Applies to range aggregations. Range values depend on the field. For example, if max_severity is used, ranges might look like: `[{"From": 0, "To": 70}, {"From": 70, "To": 100}]` |
| size | Yes | No | body | integer | The maximum number of term buckets to be returned. |
| sub_aggregates | Yes | No | body | list of dictionaries | A nested aggregation, such as: `[{"name": "max_first_behavior", "type": "max", "field": "first_behavior"}]`. There is a maximum of 3 nested aggregations per request. |
| sort | Yes | No | body | string | FQL syntax string to sort bucket results: `_count` (sort by document count) or `_term` (sort by the string value alphabetically). Supports asc and desc using the `\|` format. Example: `_count\|desc` |
| time_zone | Yes | No | body | string | Time zone for bucket results. |
| type | Yes | No | body | string | Type of aggregation. Valid values are listed below. |

Valid values for type:
  • date_histogram - Aggregates counts on a specified time interval. Requires use of the interval field.
  • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to a time series, but the bucket sizes are variable.) Date formats follow ISO 8601.
  • terms - Buckets alerts by the value of a specified field. For example, if the field used is scenario, then alerts will be bucketed by the various alert scenario names.
  • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
  • cardinality - Returns the count of distinct values in a specified field.
  • max - Returns the maximum value of a specified field.
  • min - Returns the minimum value of a specified field.
  • avg - Returns the average value of the specified field.
  • sum - Returns the total sum of all values for the specified field.
  • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

date_range = {
    "from": "string",
    "to": "string"
}
search_range = {
    "From": integer,
    "To": integer
}

# "from" is a reserved word in Python and cannot be written as a bare keyword
# argument, so it is unpacked from a dictionary instead.
response = falcon.indicator_aggregate(date_ranges=[date_range],
                                      exclude="string",
                                      field="string",
                                      filter="string",
                                      include="string",
                                      interval="string",
                                      max_doc_count=integer,
                                      min_doc_count=integer,
                                      missing="string",
                                      name="string",
                                      q="string",
                                      ranges=[search_range],
                                      size=integer,
                                      sort="string",
                                      time_zone="string",
                                      type="string",
                                      **{"from": integer}
                                      )

print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

date_range = {
    "from": "string",
    "to": "string"
}
search_range = {
    "From": integer,
    "To": integer
}

# "from" is a reserved word in Python and cannot be written as a bare keyword
# argument, so it is unpacked from a dictionary instead.
response = falcon.indicator_aggregate_v1(date_ranges=[date_range],
                                         exclude="string",
                                         field="string",
                                         filter="string",
                                         include="string",
                                         interval="string",
                                         max_doc_count=integer,
                                         min_doc_count=integer,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=[search_range],
                                         size=integer,
                                         sort="string",
                                         time_zone="string",
                                         type="string",
                                         **{"from": integer}
                                         )

print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "date_ranges": [
        {
            "from": "string",
            "to": "string"
        }
    ],
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": [
        {
            "From": integer,
            "To": integer
        }
    ],
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        None
    ],
    "time_zone": "string",
    "type": "string"
}

response = falcon.command("indicator_aggregate_v1",
                          filter="string",
                          from_parent=boolean,
                          body=BODY
                          )

print(response)
```
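As an added example (not code from the FalconPy project or this wiki), the helper below assembles an aggregate body and enforces the constraints stated in the keyword table: date_histogram needs an interval, range and date_range need their bucket lists, sort is `_count` or `_term` with `asc`/`desc`, at most three sub_aggregates, and unique query names. The sample filter `expired:false` and the field choices are assumptions.

```python
"""Build an indicator_aggregate request body and check it against the table's rules."""
from typing import Any, Dict, List, Optional

# Aggregation types and date_histogram intervals listed on this page.
AGGREGATE_TYPES = {"date_histogram", "date_range", "terms", "range",
                   "cardinality", "max", "min", "avg", "sum", "percentiles"}
INTERVALS = {"year", "month", "week", "day", "hour", "minute"}
SORT_KEYS = {"_count", "_term"}
MAX_SUB_AGGREGATES = 3  # page: "maximum of 3 nested aggregations per request"


def build_aggregate(name: str, agg_type: str, field: str, *,
                    filter_fql: Optional[str] = None,
                    interval: Optional[str] = None,
                    ranges: Optional[List[Dict[str, int]]] = None,
                    date_ranges: Optional[List[Dict[str, str]]] = None,
                    size: Optional[int] = None,
                    sort: Optional[str] = None,
                    sub_aggregates: Optional[List[Dict[str, str]]] = None) -> Dict[str, Any]:
    """Return one aggregate query dictionary, or raise ValueError if it cannot be valid."""
    if agg_type not in AGGREGATE_TYPES:
        raise ValueError(f"unknown aggregation type {agg_type!r}")
    if agg_type == "date_histogram" and interval not in INTERVALS:
        raise ValueError("date_histogram requires interval = year|month|week|day|hour|minute")
    if agg_type == "range" and not ranges:
        raise ValueError("range aggregation needs at least one {'From': n, 'To': m} bucket")
    if agg_type == "date_range" and not date_ranges:
        raise ValueError("date_range aggregation needs at least one {'from': iso, 'to': iso} bucket")
    if sort is not None:
        key, sep, direction = sort.partition("|")
        if key not in SORT_KEYS or sep != "|" or direction not in {"asc", "desc"}:
            raise ValueError("sort must be _count|asc, _count|desc, _term|asc or _term|desc")
    if sub_aggregates and len(sub_aggregates) > MAX_SUB_AGGREGATES:
        raise ValueError(f"at most {MAX_SUB_AGGREGATES} nested aggregations per request")
    for sub in sub_aggregates or []:
        if not {"name", "type", "field"} <= set(sub):
            raise ValueError("each sub_aggregate needs name, type and field")

    query: Dict[str, Any] = {"name": name, "type": agg_type, "field": field}
    optional = {"filter": filter_fql, "interval": interval, "ranges": ranges,
                "date_ranges": date_ranges, "size": size, "sort": sort,
                "sub_aggregates": sub_aggregates}
    # Emit only the keys that were set so the JSON stays minimal and unambiguous.
    query.update({k: v for k, v in optional.items() if v is not None})
    return query


def aggregate_body(*queries: Dict[str, Any]) -> List[Dict[str, Any]]:
    """The body is a list of queries; names must be unique so results can be matched back."""
    names = [q["name"] for q in queries]
    if len(names) != len(set(names)):
        raise ValueError("aggregate names must be unique within one request")
    return list(queries)


# Constructed sample: count non-expired custom IOCs per type, most common first, plus a
# per-day histogram of IOC creation. Field names follow the filter list for
# indicator_combined on this page; the FQL value "expired:false" is an assumption.
SAMPLE_BODY = aggregate_body(
    build_aggregate("iocs_by_type", "terms", "type",
                    filter_fql="expired:false", size=10, sort="_count|desc"),
    build_aggregate("iocs_created_per_day", "date_histogram", "created_on",
                    filter_fql="expired:false", interval="day"),
)

if __name__ == "__main__":
    import json
    # With real credentials this body is sent as falcon.indicator_aggregate(body=SAMPLE_BODY).
    print(json.dumps(SAMPLE_BODY, indent=2))
```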

Back to Table of Contents

indicator_combined_v1

Get Combined for Indicators.

PEP8 method name

indicator_combined

Endpoint

| Method | Route |
| :--- | :--- |
| GET | /iocs/combined/indicator/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| after | Yes | Yes | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | Yes | Yes | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters: type, value, action, severity, platforms, tags, expiration, expired, applied_globally, host_groups, created_on, created_by, modified_on, modified_by, source. |
| from_parent | Yes | Yes | query | boolean | The filter for returning either only indicators for the request customer or its MSSP parents. |
| limit | Yes | Yes | query | integer | Maximum number of results to return. |
| offset | Yes | Yes | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |
| sort | Yes | Yes | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_combined(filter="string",
                                     offset=integer,
                                     limit=integer,
                                     sort="string",
                                     after="string",
                                     from_parent=boolean
                                     )

print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_combined_v1(filter="string",
                                        offset=integer,
                                        limit=integer,
                                        sort="string",
                                        after="string",
                                        from_parent=boolean
                                        )

print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_combined_v1",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          after="string",
                          from_parent=boolean
                          )

print(response)
```
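The keyword table says offset paging stops at 10k indicators and that `after` must be omitted on the first request and echoed back from each response afterwards. This added example (not part of FalconPy or this wiki) walks a filtered set with the `after` token; it assumes the FalconPy response shape `body["resources"]` and `body["meta"]["pagination"]["after"]`, and `FakeIOCClient` is a constructed stand-in for the real `IOC` client so the walk can be exercised offline.

```python
"""Walk a filtered IOC set page by page with the 'after' token instead of 'offset'."""
from typing import Any, Dict, Iterator, List, Optional, Set

PAGE_SIZE = 500  # assumption for illustration; check the documented maximum for limit


def iter_indicators(client: Any, filter_fql: Optional[str] = None,
                    limit: int = PAGE_SIZE) -> Iterator[Dict[str, Any]]:
    """Yield every indicator record matching filter_fql.

    Assumes the FalconPy response shape: body["resources"] holds the records and
    body["meta"]["pagination"]["after"] the token for the next page. The first request
    sends no 'after'; each later request sends the token from the previous response,
    which is what lets the walk continue past the 10k-record limit of offset paging.
    """
    after: Optional[str] = None
    seen_tokens: Set[str] = set()
    while True:
        kwargs: Dict[str, Any] = {"limit": limit}
        if filter_fql:
            kwargs["filter"] = filter_fql
        if after:
            kwargs["after"] = after
        response = client.indicator_combined(**kwargs)
        if response["status_code"] != 200:
            errors = response.get("body", {}).get("errors")
            raise RuntimeError(f"indicator_combined returned {response['status_code']}: {errors}")
        body = response["body"]
        resources = body.get("resources") or []
        for record in resources:
            yield record
        after = (body.get("meta") or {}).get("pagination", {}).get("after")
        # Stop on the last page, on an empty page, or if the API ever repeats a token
        # (a repeated token would otherwise loop forever).
        if not resources or not after or after in seen_tokens:
            return
        seen_tokens.add(after)


def expired_ids(client: Any, filter_fql: str) -> List[str]:
    """Collect the ids of records flagged expired; a typical pre-cleanup review step."""
    return [rec["id"] for rec in iter_indicators(client, filter_fql) if rec.get("expired")]


class FakeIOCClient:
    """Constructed stand-in for falconpy.IOC that serves canned pages; not the real client."""

    def __init__(self, records: List[Dict[str, Any]]) -> None:
        self._records = records
        self.calls: List[Dict[str, Any]] = []

    def indicator_combined(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(dict(kwargs))
        start = int(kwargs.get("after", "0"))  # fake token: next start index as a string
        stop = start + kwargs["limit"]
        page = self._records[start:stop]
        next_token = str(stop) if stop < len(self._records) else None
        return {"status_code": 200, "headers": {},
                "body": {"meta": {"pagination": {"after": next_token,
                                                 "total": len(self._records)}},
                         "resources": page}}


# Constructed sample data: seven domain IOCs, the even-numbered ones already expired.
SAMPLE_RECORDS = [{"id": f"ioc-{i}", "type": "domain", "value": f"host{i}.example",
                   "expired": i % 2 == 0} for i in range(7)]

if __name__ == "__main__":
    fake = FakeIOCClient(SAMPLE_RECORDS)
    print(expired_ids(fake, "type:'domain'"))
    print(f"{len(fake.calls)} request(s) made")
```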

Back to Table of Contents

action_get_v1

Get Actions by ids.

PEP8 method name

action_get

Endpoint

| Method | Route |
| :--- | :--- |
| GET | /iocs/entities/actions/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| ids | Yes | Yes | query | string or list of strings | The ids of the actions to retrieve. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.action_get(ids=id_list)

print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.action_get_v1(ids=id_list)

print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("action_get_v1", ids=id_list)

print(response)
```

Back to Table of Contents

GetIndicatorsReport

Launch an indicators report creation job

PEP8 method name

get_indicators_report

Endpoint

| Method | Route |
| :--- | :--- |
| POST | /iocs/entities/indicators-reports/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| body | Yes | Yes | body | dictionary | Full body payload in JSON format. |
| filter | Yes | Yes | body | string | FQL formatted string specifying the search filter. Overridden if the search keyword is provided. |
| from_parent | Yes | Yes | body | boolean | Return results for the parent only. |
| query | Yes | Yes | body | string | FQL formatted string specifying the search query. Overridden if the search keyword is provided. |
| report_format | Yes | Yes | body | string | Format of the report. |
| search | Yes | Yes | body | dictionary | Search parameters provided as a dictionary. Overrides values provided in the filter, query and sort keywords. |
| sort | Yes | Yes | body | string | FQL formatted string specifying the sort. Overridden if the search keyword is provided. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.get_indicators_report(filter="string",
                                        query="string",
                                        from_parent=boolean,
                                        report_format="string",
                                        sort="string"
                                        )

print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.GetIndicatorsReport(filter="string",
                                      query="string",
                                      from_parent=boolean,
                                      report_format="string",
                                      sort="string"
                                      )

print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
  "from_parent": boolean,
  "report_format": "string",
  "search": {
    "filter": "string",
    "query": "string",
    "sort": "string"
  }
}

response = falcon.command("GetIndicatorsReport", body=BODY)

print(response)
```

Back to Table of Contents

indicator_get_v1

Get Indicators by ids.

PEP8 method name

indicator_get

Endpoint

| Method | Route |
| :--- | :--- |
| GET | /iocs/entities/indicators/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| ids | Yes | Yes | query | string or list of strings | The ids of the Indicators to retrieve. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_get(ids=id_list)

print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_get_v1(ids=id_list)

print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("indicator_get_v1", ids=id_list)

print(response)
```

Back to Table of Contents

indicator_create_v1

Create Indicators.

PEP8 method name

indicator_create

Endpoint

| Method | Route |
| :--- | :--- |
| POST | /iocs/entities/indicators/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| action | Yes | Yes | body | string | Default action for IOC. |
| applied_globally | Yes | Yes | body | boolean | Flag indicating this IOC is applied globally. |
| body | Yes | Yes | body | dictionary | Full body payload in JSON format. |
| comment | Yes | Yes | body | string | IOC comment. |
| description | Yes | Yes | body | string | IOC description. |
| expiration | Yes | Yes | body | string | UTC formatted date string. |
| filename | Yes | Yes | body | string | Filename to use for the metadata dictionary. |
| host_groups | Yes | Yes | body | string or list of strings | List of host groups this IOC applies to. |
| ignore_warnings | Yes | Yes | query | boolean | Flag to indicate that warnings are ignored. |
| indicators | Yes | Yes | body | list of dictionaries | List of indicators to create. Overrides other keywords excluding body. Allows for the creation of multiple indicators at once. |
| metadata | Yes | Yes | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |
| platforms | Yes | Yes | body | string or list of strings | Platforms this IOC impacts. |
| retrodetects | Yes | Yes | query | boolean | Flag to indicate whether to submit retrodetects. |
| severity | Yes | Yes | body | string | IOC severity. |
| source | Yes | Yes | body | string | IOC source. |
| tags | Yes | Yes | body | string or list of strings | IOC tags. |
| type | Yes | Yes | body | string | IOC type. |
| value | Yes | Yes | body | string | String representation of the IOC. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_create(action="string",
                                   applied_globally=boolean,
                                   comment="string",
                                   description="string",
                                   expiration="string",
                                   filename="string",
                                   host_groups=host_group_list,
                                   ignore_warnings=boolean,
                                   platforms=platform_list,
                                   retrodetects=boolean,
                                   severity="string",
                                   source="string",
                                   tags=tag_list,
                                   type="string",
                                   value="string"
                                   )

print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_create_v1(action="string",
                                      applied_globally=boolean,
                                      comment="string",
                                      description="string",
                                      expiration="string",
                                      filename="string",
                                      host_groups=host_group_list,
                                      ignore_warnings=boolean,
                                      platforms=platform_list,
                                      retrodetects=boolean,
                                      severity="string",
                                      source="string",
                                      tags=tag_list,
                                      type="string",
                                      value="string"
                                      )

print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

host_group_list = ['HG1', 'HG2', 'HG3']

platform_list = ['OS1', 'OS2', 'OS3']

tag_list = ['TAG1', 'TAG2', 'TAG3']

BODY = {
  "comment": "string",
  "indicators": [
    {
      "action": "string",
      "applied_globally": True,
      "description": "string",
      "expiration": "2021-10-22T10:40:39.372Z",
      "host_groups": host_group_list,
      "metadata": {
        "filename": "string"
      },
      "mobile_action": "string",
      "platforms": platform_list,
      "severity": "string",
      "source": "string",
      "tags": tag_list,
      "type": "string",
      "value": "string"
    }
  ]
}

response = falcon.command("indicator_create_v1",
                          retrodetects=boolean,
                          ignore_warnings=boolean,
                          body=BODY
                          )

print(response)
```

Back to Table of Contents

indicator_delete_v1

Delete Indicators by ids or a filter.

PEP8 method name

indicator_delete

Endpoint

| Method | Route |
| :--- | :--- |
| DELETE | /iocs/entities/indicators/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| filter | Yes | Yes | query | string | FQL Syntax formatted filter that should be used to delete indicators in bulk. If both filter and ids are provided, then filter takes precedence and ids is ignored. |
| from_parent | Yes | Yes | query | boolean | Limit action to IOCs originating from the MSSP parent. |
| ids | Yes | Yes | query | string or list of strings | The ids of the Indicators to delete. If both filter and ids are provided, then filter takes precedence and ids is ignored. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_delete(filter="string",
                                   from_parent=boolean,
                                   comment="string",
                                   ids=id_list
                                   )

print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_delete_v1(filter="string",
                                      from_parent=boolean,
                                      comment="string",
                                      ids=id_list
                                      )

print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("indicator_delete_v1",
                          filter="string",
                          from_parent=boolean,
                          comment="string",
                          ids=id_list
                          )

print(response)
```
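The keyword table states that when both filter and ids are sent, filter wins and ids is silently ignored, so a caller that sets both deletes a different set than it listed. This added wrapper (not part of FalconPy or this wiki) refuses that combination, requires a non-empty comment and a non-empty filter, and normalises the comma-separated string or list form of ids; `RecordingClient` is a constructed stand-in for the real `IOC` client that records the call instead of deleting anything.

```python
"""Guard around indicator_delete so an ids list is never silently ignored."""
from typing import Any, Dict, List, Optional, Sequence, Union


def normalize_ids(ids: Union[str, Sequence[str]]) -> List[str]:
    """Accept the comma-separated string or list form this page allows; drop blanks and duplicates."""
    parts = ids.split(",") if isinstance(ids, str) else list(ids)
    out: List[str] = []
    for part in parts:
        part = part.strip()
        if part and part not in out:
            out.append(part)
    return out


def delete_indicators(client: Any, *,
                      ids: Union[str, Sequence[str], None] = None,
                      filter_fql: Optional[str] = None,
                      comment: str,
                      from_parent: bool = False) -> Dict[str, Any]:
    """Call client.indicator_delete with exactly one selector.

    The API gives filter precedence and ignores ids when both are sent, so a caller
    that passes both almost certainly has a bug; refuse instead of deleting the wrong set.
    Requiring a comment is a local policy choice for the audit trail, not an API rule.
    """
    if (ids is None) == (filter_fql is None):
        raise ValueError("pass exactly one of ids= or filter_fql=")
    if not comment.strip():
        raise ValueError("a non-empty comment is required for the audit trail")
    kwargs: Dict[str, Any] = {"comment": comment, "from_parent": from_parent}
    if ids is not None:
        id_list = normalize_ids(ids)
        if not id_list:
            raise ValueError("ids resolved to an empty list; nothing to delete")
        kwargs["ids"] = id_list
    else:
        if not filter_fql.strip():
            raise ValueError("an empty filter is not a deliberate bulk delete")
        kwargs["filter"] = filter_fql
    return client.indicator_delete(**kwargs)


class RecordingClient:
    """Constructed stand-in for falconpy.IOC: records the call and deletes nothing."""

    def __init__(self) -> None:
        self.last_call: Optional[Dict[str, Any]] = None

    def indicator_delete(self, **kwargs: Any) -> Dict[str, Any]:
        self.last_call = dict(kwargs)
        return {"status_code": 200, "headers": {},
                "body": {"resources": kwargs.get("ids", [])}}


if __name__ == "__main__":
    rc = RecordingClient()
    # Duplicate and blank entries in the constructed id string are dropped before the call.
    print(delete_indicators(rc, ids="ID1, ID2,ID1,", comment="cleanup of test IOCs"))
    print(rc.last_call)
```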

Back to Table of Contents

indicator_update_v1

Update Indicators.

PEP8 method name

indicator_update

Endpoint

| Method | Route |
| :--- | :--- |
| PATCH | /iocs/entities/indicators/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| action | Yes | Yes | body | string | Default action for IOC. |
| applied_globally | Yes | Yes | body | boolean | Flag indicating this IOC is applied globally. |
| body | Yes | Yes | body | dictionary | Full body payload in JSON format. |
| bulk_update | Yes | Yes | body | dictionary | Dictionary containing the indicator update in JSON format. Not necessary when using other keywords. |
| comment | Yes | Yes | body | string | IOC comment. |
| description | Yes | Yes | body | string | IOC description. |
| expiration | Yes | Yes | body | string | UTC formatted date string. |
| filename | Yes | Yes | body | string | Filename to use for the metadata dictionary. |
| from_parent | Yes | Yes | body | boolean | Return results for the parent only. |
| host_groups | Yes | Yes | body | string or list of strings | List of host groups this IOC applies to. |
| id | Yes | Yes | body | string | The Indicator ID to be updated. At least one ID must be specified using this keyword, or as part of the indicators list using the indicators keyword. |
| ignore_warnings | Yes | Yes | query | boolean | Flag to indicate that warnings are ignored. |
| indicators | Yes | Yes | body | list of dictionaries | List of indicators to update. Overrides other keywords excluding body. Allows for the update of multiple indicators at once. |
| metadata | Yes | Yes | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used. |
| mobile_action | Yes | Yes | body | string | Mobile action to perform. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |
| platforms | Yes | Yes | body | string or list of strings | Platforms this IOC impacts. |
| retrodetects | Yes | Yes | query | boolean | Flag to indicate whether to submit retrodetects. |
| severity | Yes | Yes | body | string | IOC severity. |
| source | Yes | Yes | body | string | IOC source. |
| tags | Yes | Yes | body | string or list of strings | IOC tags. |
| type | Yes | Yes | body | string | IOC type. |
| value | Yes | Yes | body | string | String representation of the IOC. |

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_update(action="string",
                                   applied_globally=boolean,
                                   comment="string",
                                   description="string",
                                   expiration="string",
                                   filename="string",
                                   from_parent=boolean,
                                   host_groups=host_group_list,
                                   ignore_warnings=boolean,
                                   mobile_action="string",
                                   platforms=platform_list,
                                   retrodetects=boolean,
                                   severity="string",
                                   source="string",
                                   tags=tag_list,
                                   type="string",
                                   value="string"
                                   )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_update_v1(action="string",
                                      applied_globally=boolean,
                                      comment="string",
                                      description="string",
                                      expiration="string",
                                      filename="string",
                                      from_parent=boolean,
                                      host_groups=host_group_list,
                                      ignore_warnings=boolean,
                                      mobile_action="string",
                                      platforms=platform_list,
                                      retrodetects=boolean,
                                      severity="string",
                                      source="string",
                                      tags=tag_list,
                                      type="string",
                                      value="string"
                                      )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

host_group_list = ['HG1', 'HG2', 'HG3']

platform_list = ['OS1', 'OS2', 'OS3']

tag_list = ['TAG1', 'TAG2', 'TAG3']

BODY = {
    "bulk_update": {
        "action": "string",
        "applied_globally": boolean,
        "description": "string",
        "expiration": "2021-10-22T11:03:16.123Z",
        "filter": "string",
        "from_parent": boolean,
        "host_groups": host_group_list,
        "mobile_action": "string",
        "platforms": platform_list,
        "severity": "string",
        "source": "string",
        "tags": tag_list
    },
    "comment": "string",
    "indicators": [
        {
            "action": "string",
            "applied_globally": boolean,
            "description": "string",
            "expiration": "2021-10-22T11:03:16.123Z",
            "host_groups": host_group_list,
            "id": "string",
            "metadata": {
                "filename": "string"
            },
            "mobile_action": "string",
            "platforms": platform_list,
            "severity": "string",
            "source": "string",
            "tags": tag_list
        }
    ]
}

response = falcon.command("indicator_update_v1",
                          ignore_warnings=boolean,
                          retrodetects=boolean,
                          body=BODY
                          )

print(response)

Back to Table of Contents

action_query_v1

Query Actions.

PEP8 method name

action_query

Endpoint

Method Route
GET /iocs/queries/actions/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Name Service Uber Type Data type Description
limit
Service Class Support

Uber Class Support
query integer Maximum number of results to return.
offset
Service Class Support

Uber Class Support
query string The offset to start retrieving records from.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.action_query(offset="string", limit=integer)

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.action_query_v1(offset="string", limit=integer)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("action_query_v1", offset="string", limit=integer)

print(response)

Back to Table of Contents

indicator_search_v1

Search for Indicators.

PEP8 method name

indicator_search

Endpoint

Method Route
GET /iocs/queries/indicators/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
after
Service Class Support

Uber Class Support
query string A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filter
Service Class Support

Uber Class Support
query string FQL Syntax formatted filter that should be used to limit the results.

Available filters:
  • type
  • value
  • action
  • severity
  • platforms
  • tags
  • expiration
  • expired
  • applied_globally
  • host_groups
  • created_on
  • created_by
  • modified_on
  • modified_by
  • source
from_parent
Service Class Support

Uber Class Support
query boolean Return results for the parent only.
limit
Service Class Support

Uber Class Support
query integer Maximum number of results to return.
offset
Service Class Support

Uber Class Support
query integer The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sort
Service Class Support

Uber Class Support
query string FQL Syntax formatted sort filter.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_search(filter="string",
                                   from_parent=boolean,
                                   offset=integer,
                                   limit=integer,
                                   sort="string",
                                   after="string"
                                   )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_search_v1(filter="string",
                                      from_parent=boolean,
                                      offset=integer,
                                      limit=integer,
                                      sort="string",
                                      after="string"
                                      )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_search_v1",
                          filter="string",
                          from_parent=boolean,
                          offset=integer,
                          limit=integer,
                          sort="string",
                          after="string"
                          )

print(response)
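Walking every indicator with the after token, as the after and offset keyword descriptions above recommend for result sets beyond 10k, as an added example that is not FalconPy's own code. It assumes FalconPy's documented result layout (status_code, headers, body) with the next token at body.meta.pagination.after and the IDs in body.resources; FakeIOCClient and deny_search are constructed stand-ins with indicator_search's keyword interface so the block runs offline.

```python
"""Walk every custom IOC ID with the `after` token rather than `offset`.

Added example, not FalconPy's own code. It assumes the documented FalconPy
result layout ({"status_code": ..., "headers": ..., "body": ...}) with the
next token at body.meta.pagination.after and the IDs in body.resources.
"""
from typing import Callable, Dict, Iterator, List, Optional

Response = Dict


def iter_indicator_ids(search: Callable[..., Response], limit: int = 500,
                       **query) -> Iterator[str]:
    """Yield IOC IDs page by page.

    `search` is any callable with indicator_search's keyword interface, such as
    falcon.indicator_search or falcon.indicator_search_v1. The first request
    carries no `after`; each later request carries the token returned by the
    previous response. `offset` is never sent, so the walk is not capped at
    10k indicators and offset/after (mutually exclusive) are never mixed.
    """
    after: Optional[str] = None
    while True:
        kwargs = dict(query, limit=limit)
        if after:
            kwargs["after"] = after
        resp = search(**kwargs)
        if resp.get("status_code") != 200:
            errors = resp.get("body", {}).get("errors", [])
            raise RuntimeError(f"indicator_search returned {resp.get('status_code')}: {errors}")
        body = resp.get("body", {})
        page = body.get("resources") or []
        if not page:
            return  # empty page: nothing left
        yield from page
        nxt = body.get("meta", {}).get("pagination", {}).get("after")
        if not nxt or nxt == after:
            return  # no token, or a token that did not advance: stop, never spin
        after = nxt


def collect_ids(search: Callable[..., Response], limit: int = 500, **query) -> List[str]:
    """Convenience wrapper returning the full ID list."""
    return list(iter_indicator_ids(search, limit=limit, **query))


class FakeIOCClient:
    """Constructed stand-in for falconpy.IOC that serves IDs in fixed-size pages.

    The real `after` token is opaque; here it is simply the next start index.
    """

    def __init__(self, ids: List[str], page_size: int):
        self.ids = ids
        self.page_size = page_size
        self.calls: List[dict] = []  # every kwargs dict received, for inspection

    def indicator_search(self, **kwargs) -> Response:
        self.calls.append(dict(kwargs))
        start = int(kwargs.get("after") or 0)
        end = start + self.page_size
        nxt = str(end) if end < len(self.ids) else None
        return {"status_code": 200, "headers": {},
                "body": {"meta": {"pagination": {"limit": self.page_size,
                                                 "total": len(self.ids),
                                                 "after": nxt}},
                         "resources": self.ids[start:end], "errors": []}}


def deny_search(**kwargs) -> Response:
    """Constructed response for a client whose API key lacks the IOC read scope."""
    return {"status_code": 403, "headers": {},
            "body": {"errors": [{"code": 403, "message": "access denied"}], "resources": []}}


def demo() -> List[str]:
    """Seven constructed IDs served three per page: three requests, seven IDs."""
    fake = FakeIOCClient([f"ioc-{n}" for n in range(7)], page_size=3)
    return collect_ids(fake.indicator_search, limit=3, filter="type:'domain'")


if __name__ == "__main__":
    print(demo())
```

Against a live tenant, pass falcon.indicator_search in place of fake.indicator_search; the filter and sort keywords go through unchanged.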

Back to Table of Contents

ioc_type_query_v1

Query IOC Types.

PEP8 method name

ioc_type_query

Endpoint

Method Route
GET /iocs/queries/ioc-types/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Name Service Uber Type Data type Description
limit
Service Class Support

Uber Class Support
query integer Maximum number of results to return.
offset
Service Class Support

Uber Class Support
query string The offset to start retrieving records from.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.ioc_type_query(offset="string", limit=integer)

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.ioc_type_query_v1(offset="string", limit=integer)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ioc_type_query_v1", offset="string", limit=integer)

print(response)

Back to Table of Contents

platform_query_v1

Query Platforms.

PEP8 method name

platform_query

Endpoint

Method Route
GET /iocs/queries/platforms/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Name Service Uber Type Data type Description
limit
Service Class Support

Uber Class Support
query integer Maximum number of results to return.
offset
Service Class Support

Uber Class Support
query string The offset to start retrieving records from.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.platform_query(offset="string", limit=integer)

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.platform_query_v1(offset="string", limit=integer)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("platform_query_v1", offset="string", limit=integer)

print(response)

Back to Table of Contents

severity_query_v1

Query Severities.

PEP8 method name

severity_query

Endpoint

Method Route
GET /iocs/queries/severities/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Name Service Uber Type Data type Description
limit
Service Class Support

Uber Class Support
query integer Maximum number of results to return.
offset
Service Class Support

Uber Class Support
query string The offset to start retrieving records from.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.severity_query(offset="string", limit=integer)

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.severity_query_v1(offset="string", limit=integer)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("severity_query_v1", offset="string", limit=integer)

print(response)

Back to Table of Contents

DevicesCountLegacy

Number of hosts in your customer account that have observed a given custom IOC

Deprecated operation

This operation has been superseded by the indicator_get_device_count_v1 operation.

PEP8 method name

devices_count_legacy

Endpoint

Method Route
GET /indicators/aggregates/devices-count/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
type
Service Class Support

Uber Class Support
query string The type of the indicator.

Valid types include:
  • sha256: A hex-encoded sha256 hash string.
    Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string.
    Length - min: 32, max: 32.
  • domain: A domain name.
    Length - min: 1, max: 200.
  • ipv4: An IPv4 address.
    Must be a valid IP address.
  • ipv6: An IPv6 address.
    Must be a valid IP address.
value
Service Class Support

Uber Class Support
query string The string representation of the indicator.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_count_legacy(type="string", value="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.DevicesCount(type="string", value="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DevicesCount", type="string", value="string")

print(response)

Back to Table of Contents

indicator_get_device_count_v1

Number of hosts in your customer account that have observed a given custom IOC

PEP8 method name

devices_count (or indicator_get_device_count_v1)

Endpoint

Method Route
GET /iocs/aggregates/indicators/device-count/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
type
Service Class Support

Uber Class Support
query string The type of the indicator.

Valid types include:
  • sha256: A hex-encoded sha256 hash string.
    Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string.
    Length - min: 32, max: 32.
  • domain: A domain name.
    Length - min: 1, max: 200.
  • ipv4: An IPv4 address.
    Must be a valid IP address.
  • ipv6: An IPv6 address.
    Must be a valid IP address.
value
Service Class Support

Uber Class Support
query string The string representation of the indicator.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_count(type="string", value="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_get_device_count_v1(type="string", value="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_get_device_count_v1", type="string", value="string")

print(response)

Back to Table of Contents

DevicesRanOnLegacy

Find hosts that have observed a given custom IOC.

Deprecated operation

This operation has been superseded by the indicator_get_devices_ran_on_v1 operation.

PEP8 method name

devices_ran_on_legacy

Endpoint

Method Route
GET /indicators/queries/devices/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
type
Service Class Support

Uber Class Support
query string The type of the indicator.

Valid types include:
  • sha256: A hex-encoded sha256 hash string.
    Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string.
    Length - min: 32, max: 32.
  • domain: A domain name.
    Length - min: 1, max: 200.
  • ipv4: An IPv4 address.
    Must be a valid IP address.
  • ipv6: An IPv6 address.
    Must be a valid IP address.
value
Service Class Support

Uber Class Support
query string The string representation of the indicator.
limit
Service Class Support

Uber Class Support
query integer Maximum number of results to return.
offset
Service Class Support

Uber Class Support
query integer Starting offset to begin returning results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_ran_on_legacy(type="string",
                                        value="string",
                                        limit=integer,
                                        offset=integer
                                        )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.DevicesRanOn(type="string",
                               value="string",
                               limit=integer,
                               offset=integer
                               )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DevicesRanOn",
                          type="string",
                          value="string",
                          limit=integer,
                          offset=integer
                          )

print(response)

Back to Table of Contents

indicator_get_devices_ran_on_v1

Find hosts that have observed a given custom IOC.

PEP8 method name

devices_ran_on (or indicator_get_devices_ran_on_v1)

Endpoint

Method Route
GET /iocs/queries/indicators/devices/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
type
Service Class Support

Uber Class Support
query string The type of the indicator.

Valid types include:
  • sha256: A hex-encoded sha256 hash string.
    Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string.
    Length - min: 32, max: 32.
  • domain: A domain name.
    Length - min: 1, max: 200.
  • ipv4: An IPv4 address.
    Must be a valid IP address.
  • ipv6: An IPv6 address.
    Must be a valid IP address.
value
Service Class Support

Uber Class Support
query string The string representation of the indicator.
limit
Service Class Support

Uber Class Support
query integer Maximum number of results to return.
offset
Service Class Support

Uber Class Support
query integer Starting offset to begin returning results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_ran_on(type="string",
                                 value="string",
                                 limit=integer,
                                 offset=integer
                                 )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_get_devices_ran_on_v1(type="string",
                                                  value="string",
                                                  limit=integer,
                                                  offset=integer
                                                  )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_get_devices_ran_on_v1",
                          type="string",
                          value="string",
                          limit=integer,
                          offset=integer
                          )

print(response)

Back to Table of Contents

ProcessesRanOnLegacy

Search for processes associated with a custom IOC

Deprecated operation

This operation has been superseded by the indicator_get_processes_ran_on_v1 operation.

PEP8 method name

processes_ran_on_legacy

Endpoint

Method Route
GET /indicators/queries/processes/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
type
Service Class Support

Uber Class Support
query string The type of the indicator.

Valid types include:
  • sha256: A hex-encoded sha256 hash string.
    Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string.
    Length - min: 32, max: 32.
  • domain: A domain name.
    Length - min: 1, max: 200.
  • ipv4: An IPv4 address.
    Must be a valid IP address.
  • ipv6: An IPv6 address.
    Must be a valid IP address.
value
Service Class Support

Uber Class Support
query string The string representation of the indicator.
device_id
Service Class Support

Uber Class Support
query string Specify a Host AID to return only processes from that host.
limit
Service Class Support

Uber Class Support
query integer Maximum number of results to return.
offset
Service Class Support

Uber Class Support
query integer Starting offset to begin returning results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.processes_ran_on_legacy(type="string",
                                          value="string",
                                          device_id="string",
                                          limit=integer,
                                          offset=integer
                                          )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.ProcessesRanOn(type="string",
                                 value="string",
                                 device_id="string",
                                 limit=integer,
                                 offset=integer
                                 )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ProcessesRanOn",
                          type="string",
                          value="string",
                          device_id="string",
                          limit=integer,
                          offset=integer
                          )

print(response)

Back to Table of Contents

indicator_get_processes_ran_on_v1

Search for processes associated with a custom IOC

PEP8 method name

processes_ran_on (or indicator_get_processes_ran_on_v1)

Endpoint

Method Route
GET /iocs/queries/indicators/processes/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
type
Service Class Support

Uber Class Support
query string The type of the indicator.

Valid types include:
  • sha256: A hex-encoded sha256 hash string.
    Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string.
    Length - min: 32, max: 32.
  • domain: A domain name.
    Length - min: 1, max: 200.
  • ipv4: An IPv4 address.
    Must be a valid IP address.
  • ipv6: An IPv6 address.
    Must be a valid IP address.
value
Service Class Support

Uber Class Support
query string The string representation of the indicator.
device_id
Service Class Support

Uber Class Support
query string Specify a Host AID to return only processes from that host.
limit
Service Class Support

Uber Class Support
query integer Maximum number of results to return.
offset
Service Class Support

Uber Class Support
query integer Starting offset to begin returning results.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.processes_ran_on(type="string",
                                   value="string",
                                   device_id="string",
                                   limit=integer,
                                   offset=integer
                                   )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_get_processes_ran_on_v1(type="string",
                                                    value="string",
                                                    device_id="string",
                                                    limit=integer,
                                                    offset=integer
                                                    )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_get_processes_ran_on_v1",
                          type="string",
                          value="string",
                          device_id="string",
                          limit=integer,
                          offset=integer
                          )

print(response)
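The "Valid types include" constraints shared by the device-count, devices-ran-on and processes-ran-on operations above, checked client-side before any request, followed by an offset/limit walk that maps each host AID that observed an indicator to its process IDs, as an added example that is not FalconPy's own code. It assumes FalconPy's result layout (status_code, body) with IDs in body.resources and the total in body.meta.pagination.total; FakeIOCClient is a constructed stand-in for falconpy.IOC, and the "not a URL" domain check is an added assumption beyond the page's length bound.

```python
"""Client-side check of the 'Valid types include' rules, then an offset/limit
walk of devices_ran_on and processes_ran_on for one indicator. Added example,
not FalconPy's own code; it assumes the FalconPy result layout
({"status_code": ..., "body": {...}}) with IDs in body.resources and the total
in body.meta.pagination.total. FakeIOCClient is a constructed stand-in."""
import ipaddress
from typing import Callable, Dict, List, Tuple

HEX_LENGTHS = {"sha256": 64, "md5": 32}  # exact hex lengths listed on the page


def validate_indicator(ioc_type: str, value: str) -> Tuple[bool, str]:
    """Return (ok, reason). Length bounds are the page's; the 'not a URL' domain
    check is an added assumption that catches the most common mis-entry."""
    value = value.strip()
    if ioc_type in HEX_LENGTHS:
        n = HEX_LENGTHS[ioc_type]
        if len(value) == n and all(c in "0123456789abcdefABCDEF" for c in value):
            return True, ""
        return False, f"{ioc_type} must be exactly {n} hex characters"
    if ioc_type == "domain":
        if not 1 <= len(value) <= 200:
            return False, "domain length must be between 1 and 200"
        if "://" in value or "/" in value or any(c.isspace() for c in value):
            return False, "domain must be a bare host name, not a URL"
        return True, ""
    if ioc_type in ("ipv4", "ipv6"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False, f"{ioc_type} must be a valid IP address"
        if addr.version != (4 if ioc_type == "ipv4" else 6):
            return False, f"value is IPv{addr.version} but type is {ioc_type}"
        return True, ""
    return False, f"unsupported indicator type {ioc_type!r}"


def page_all(query: Callable[..., Dict], limit: int = 100, **kwargs) -> List[str]:
    """Drain an offset/limit query (devices_ran_on, processes_ran_on) into one list."""
    out: List[str] = []
    offset = 0
    while True:
        resp = query(limit=limit, offset=offset, **kwargs)
        if resp.get("status_code") != 200:
            errors = resp.get("body", {}).get("errors", [])
            raise RuntimeError(f"query returned {resp.get('status_code')}: {errors}")
        body = resp.get("body", {})
        page = body.get("resources") or []
        out.extend(page)
        offset += len(page)
        total = body.get("meta", {}).get("pagination", {}).get("total")
        if not page or (total is not None and offset >= total):
            return out


def hosts_and_processes(client, ioc_type: str, value: str,
                        limit: int = 100) -> Dict[str, List[str]]:
    """Validate, then map each host AID that observed the IOC to its process IDs.
    Rejecting a malformed value here avoids one failed round trip per host."""
    ok, reason = validate_indicator(ioc_type, value)
    if not ok:
        raise ValueError(reason)
    result: Dict[str, List[str]] = {}
    for aid in page_all(client.devices_ran_on, limit=limit, type=ioc_type, value=value):
        result[aid] = page_all(client.processes_ran_on, limit=limit,
                               type=ioc_type, value=value, device_id=aid)
    return result


class FakeIOCClient:
    """Constructed stand-in: two hosts observed the IOC, with three and one processes."""

    def __init__(self):
        self.hosts = ["aid-aaa", "aid-bbb"]
        self.procs = {"aid-aaa": ["pid:aaa:1", "pid:aaa:2", "pid:aaa:3"],
                      "aid-bbb": ["pid:bbb:9"]}

    @staticmethod
    def _page(items: List[str], limit: int, offset: int) -> Dict:
        return {"status_code": 200, "headers": {},
                "body": {"meta": {"pagination": {"limit": limit, "offset": offset,
                                                 "total": len(items)}},
                         "resources": items[offset:offset + limit], "errors": []}}

    def devices_ran_on(self, **kw) -> Dict:
        return self._page(self.hosts, kw["limit"], kw["offset"])

    def processes_ran_on(self, **kw) -> Dict:
        return self._page(self.procs.get(kw.get("device_id"), []), kw["limit"], kw["offset"])
```

With a real client, pass the IOC service class instance in place of FakeIOCClient(); the returned process IDs are the ones entities_processes accepts in its ids keyword.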

Back to Table of Contents

entities_processes

For the provided ProcessID retrieve the process details

PEP8 method name

entities_processes

Endpoint

Method Route
GET /processes/entities/processes/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings ProcessID for the running process you want to lookup.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_processes", ids=id_list)

print(response)

Back to Table of Contents
