Joshua Hiller edited this page Aug 20, 2021 · 30 revisions


Using the IOC service collection

Uber class support

Table of Contents

| API Function | Description |
| :--- | :--- |
| indicator_combined_v1 | Get Combined for Indicators. |
| indicator_get_v1 | Get Indicators by ids. |
| indicator_create_v1 | Create Indicators. |
| indicator_delete_v1 | Delete Indicators by ids. |
| indicator_update_v1 | Update Indicators. |
| indicator_search_v1 | Search for Indicators. |

indicator_combined_v1

Get Combined for Indicators.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Required | Name | Type | Datatype | Description |
| :--- | :--- | :--- | :--- | :--- |
| | filter | query | string | The filter expression that should be used to limit the results. |
| | offset | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. |
| | limit | query | integer | The maximum records to return. |
| | sort | query | string | The sort expression that should be used to sort the results. |

Usage

Service class example
from falconpy import ioc as FalconIOC

falcon = FalconIOC.IOC(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
})

PARAMS = {
    'filter': 'string',
    'offset': 0,      # integer
    'limit': 100,     # integer
    'sort': 'string'
}

response = falcon.indicator_combined_v1(parameters=PARAMS)
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'filter': 'string',
    'offset': 0,      # integer
    'limit': 100,     # integer
    'sort': 'string'
}

response = falcon.command('indicator.combined.v1', parameters=PARAMS)
print(response)
falcon.deauthenticate()
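
Added example, not part of the FalconPy documentation: walking a large indicator set with the `offset` and `limit` parameters described above instead of relying on a single call. The names `iter_indicators`, `make_fake_fetch` and `SAMPLE` are hypothetical, the sample records are constructed, and the response shape (`status_code`, `body.resources`, `body.errors`) is an assumption about what the client returns.

```python
from typing import Any, Callable, Dict, Iterator, List


def iter_indicators(fetch: Callable[..., Dict[str, Any]], fql_filter: str = "",
                    page_size: int = 100, max_pages: int = 1000) -> Iterator[dict]:
    """Yield every indicator matching fql_filter, walking offset/limit pages.

    fetch is a bound method such as falcon.indicator_combined_v1.
    Assumption: it returns {"status_code": int, "body": {"resources": [...]}}.
    """
    offset = 0
    for _ in range(max_pages):  # hard stop so a misbehaving endpoint cannot loop forever
        params: Dict[str, Any] = {"offset": offset, "limit": page_size}
        if fql_filter:
            params["filter"] = fql_filter
        response = fetch(parameters=params)
        body = response.get("body") or {}
        if response.get("status_code") != 200:
            raise RuntimeError(f"query failed: {response.get('status_code')} {body.get('errors')}")
        page: List[dict] = body.get("resources") or []
        yield from page
        if len(page) < page_size:  # short or empty page: no more records
            return
        offset += len(page)
    raise RuntimeError("max_pages reached before the result set was exhausted")


# Constructed sample data and an offline stand-in for the API call.
SAMPLE = [{"id": f"constructed-id-{n}", "type": "domain", "value": f"host{n}.example"}
          for n in range(7)]


def make_fake_fetch(records: List[dict]) -> Callable[..., Dict[str, Any]]:
    calls = []

    def fetch(parameters: Dict[str, Any]) -> Dict[str, Any]:
        calls.append(dict(parameters))
        start = parameters["offset"]
        page = records[start:start + parameters["limit"]]
        return {"status_code": 200, "body": {"resources": page, "errors": []}}

    fetch.calls = calls  # exposed so the paging sequence can be inspected
    return fetch


if __name__ == "__main__":
    for ioc in iter_indicators(make_fake_fetch(SAMPLE), page_size=3):
        print(ioc["id"], ioc["value"])
```

With a real client, pass `falcon.indicator_combined_v1` as `fetch`; a non-200 status raises instead of yielding a silently truncated list.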

indicator_get_v1

Get Indicators by ids.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Required | Name | Type | Datatype | Description |
| :--- | :--- | :--- | :--- | :--- |
| | ids | query | array (string) | The ids of the Indicators to retrieve |

Usage

Service class example
from falconpy import ioc as FalconIOC

falcon = FalconIOC.IOC(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
})

IDS = 'ID1,ID2,ID3'

response = falcon.indicator_get_v1(ids=IDS)
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

IDS = 'ID1,ID2,ID3'

response = falcon.command('indicator.get.v1', ids=IDS)
print(response)
falcon.deauthenticate()

indicator_create_v1

Create Indicators.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Required | Name | Type | Datatype | Description |
| :--- | :--- | :--- | :--- | :--- |
| | X-CS-USERNAME | header | string | The username |
| | retrodetects | query | bool | Whether to submit to retrodetects |
| | ignore_warnings | query | bool | Set to true to ignore warnings and add all IOCs |
| | body | body | string | |

Usage

Service class example
from falconpy import ioc as FalconIOC

falcon = FalconIOC.IOC(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
})

PARAMS = {
    'retrodetects': False,     # bool
    'ignore_warnings': False   # bool
}

BODY = {
    'Body Payload': 'See body description above'
}

HEADERS = {
    'X-CS-USERNAME': 'string'
}

response = falcon.indicator_create_v1(parameters=PARAMS, body=BODY, headers=HEADERS)
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'retrodetects': False,     # bool
    'ignore_warnings': False   # bool
}

BODY = {
    'Body Payload': 'See body description above'
}

HEADERS = {
    'X-CS-USERNAME': 'string'
}

response = falcon.command('indicator.create.v1', parameters=PARAMS, body=BODY, headers=HEADERS)
print(response)
falcon.deauthenticate()

indicator_delete_v1

Delete Indicators by ids.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Required | Name | Type | Datatype | Description |
| :--- | :--- | :--- | :--- | :--- |
| | filter | query | string | The FQL expression to delete Indicators in bulk. If both 'filter' and 'ids' are provided, then filter takes precedence and ignores ids. |
| | ids | query | array (string) | The ids of the Indicators to delete. If both 'filter' and 'ids' are provided, then filter takes precedence and ignores ids. |
| | comment | query | string | The comment why these indicators were deleted |

Usage

Service class example
from falconpy import ioc as FalconIOC

falcon = FalconIOC.IOC(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
})

# If both 'filter' and 'ids' are supplied, filter takes precedence and ids are ignored.
PARAMS = {
    'filter': 'string',
    'comment': 'string'
}

IDS = 'ID1,ID2,ID3'

response = falcon.indicator_delete_v1(parameters=PARAMS, ids=IDS)
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

# If both 'filter' and 'ids' are supplied, filter takes precedence and ids are ignored.
PARAMS = {
    'filter': 'string',
    'comment': 'string'
}

IDS = 'ID1,ID2,ID3'

response = falcon.command('indicator.delete.v1', parameters=PARAMS, ids=IDS)
print(response)
falcon.deauthenticate()
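
Added example, not part of the FalconPy documentation: because `filter` takes precedence over `ids`, a call that carries both deletes by filter and can remove far more indicators than the caller listed, so this guard builds the arguments for `indicator_delete_v1` and refuses ambiguous or oversized requests. The names `plan_delete`, `fake_search` and `max_bulk` are hypothetical; the mandatory comment and the size cap are local policy choices rather than API rules, and the response shape of `indicator_search_v1` (`status_code`, `body.resources`) is an assumption.

```python
from typing import Any, Callable, Dict, List, Optional


def plan_delete(comment: str, ids: Optional[List[str]] = None, fql_filter: str = "",
                search: Optional[Callable[..., Dict[str, Any]]] = None,
                max_bulk: int = 50) -> Dict[str, Any]:
    """Return keyword arguments for indicator_delete_v1, or raise ValueError."""
    ids = [i.strip() for i in (ids or []) if i.strip()]
    fql_filter = fql_filter.strip()
    if ids and fql_filter:
        # Sent together, the API deletes by filter and silently ignores ids.
        raise ValueError("pass ids or filter, not both")
    if not ids and not fql_filter:
        raise ValueError("nothing selected for deletion")
    if not comment.strip():
        raise ValueError("a deletion comment is required")  # local policy, not an API rule
    params = {"comment": comment.strip()}
    if ids:
        return {"parameters": params, "ids": ",".join(ids)}
    if search is None:
        raise ValueError("a bulk delete needs a search callable for the preview")
    # Preview with the same filter; ask for one more than the cap to detect overflow.
    found = search(parameters={"filter": fql_filter, "limit": max_bulk + 1})
    matched = (found.get("body") or {}).get("resources") or []
    if found.get("status_code") != 200:
        raise ValueError("preview query failed; refusing bulk delete")
    if len(matched) > max_bulk:
        raise ValueError(f"filter matches more than {max_bulk} indicators")
    params["filter"] = fql_filter
    return {"parameters": params}


def fake_search(parameters: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for indicator_search_v1: every filter matches 120 ids."""
    hits = [f"constructed-id-{n}" for n in range(120)]
    return {"status_code": 200, "body": {"resources": hits[:parameters["limit"]]}}


if __name__ == "__main__":
    print(plan_delete("retired feed", ids=["ID1", "ID2", "ID3"]))
    # With a real client: falcon.indicator_delete_v1(**plan_delete(...))
```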

indicator_update_v1

Update Indicators.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Required | Name | Type | Datatype | Description |
| :--- | :--- | :--- | :--- | :--- |
| | X-CS-USERNAME | header | string | The username |
| | retrodetects | query | bool | Whether to submit to retrodetects |
| | ignore_warnings | query | bool | Set to true to ignore warnings and add all IOCs |
| | body | body | string | |

Usage

Service class example
from falconpy import ioc as FalconIOC

falcon = FalconIOC.IOC(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
})

PARAMS = {
    'retrodetects': False,     # bool
    'ignore_warnings': False   # bool
}

BODY = {
    'Body Payload': 'See body description above'
}

HEADERS = {
    'X-CS-USERNAME': 'string'
}

response = falcon.indicator_update_v1(parameters=PARAMS, body=BODY, headers=HEADERS)
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'retrodetects': False,     # bool
    'ignore_warnings': False   # bool
}

BODY = {
    'Body Payload': 'See body description above'
}

HEADERS = {
    'X-CS-USERNAME': 'string'
}

response = falcon.command('indicator.update.v1', parameters=PARAMS, body=BODY, headers=HEADERS)
print(response)
falcon.deauthenticate()

indicator_search_v1

Search for Indicators.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Required | Name | Type | Datatype | Description |
| :--- | :--- | :--- | :--- | :--- |
| | filter | query | string | The filter expression that should be used to limit the results. |
| | offset | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. |
| | limit | query | integer | The maximum records to return. |
| | sort | query | string | The sort expression that should be used to sort the results. |

Usage

Service class example
from falconpy import ioc as FalconIOC

falcon = FalconIOC.IOC(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
})

PARAMS = {
    'filter': 'string',
    'offset': 0,      # integer
    'limit': 100,     # integer
    'sort': 'string'
}

response = falcon.indicator_search_v1(parameters=PARAMS)
print(response)
Uber class example
from falconpy.api_complete import APIHarness

falcon = APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'filter': 'string',
    'offset': 0,      # integer
    'limit': 100,     # integer
    'sort': 'string'
}

response = falcon.command('indicator.search.v1', parameters=PARAMS)
print(response)
falcon.deauthenticate()
