Joshua Hiller edited this page Aug 30, 2021 · 30 revisions

Using the IOC service collection

Table of Contents

| Operation ID | PEP8 method name | Description |
| --- | --- | --- |
| indicator_combined_v1 | indicator_combined | Get Combined for Indicators. |
| indicator_get_v1 | indicator_get | Get Indicators by ids. |
| indicator_create_v1 | indicator_create | Create Indicators. |
| indicator_delete_v1 | indicator_delete | Delete Indicators by ids. |
| indicator_update_v1 | indicator_update | Update Indicators. |
| indicator_search_v1 | indicator_search | Search for Indicators. |
| DevicesCount | devices_count | Number of hosts in your customer account that have observed a given custom IOC. |
| DevicesRanOn | devices_ran_on | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1. |
| ProcessesRanOn | processes_ran_on | Search for processes associated with a custom IOC. |
| entities_processes | entities_processes | For the provided ProcessID, retrieve the process details. |

indicator_combined_v1

Get Combined for Indicators.

PEP8 method name

indicator_combined

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Name | Type | Datatype | Description |
| --- | --- | --- | --- |
| filter | query | string | The filter expression that should be used to limit the results. |
| offset | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k IOCs, use the 'after' parameter instead of 'offset'. |
| limit | query | integer | The maximum records to return. |
| sort | query | string | The sort expression that should be used to sort the results. |
| after | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an 'after' token. On subsequent requests, provide the 'after' token from the previous response to continue from that place in the results. To access more than 10k indicators, use the 'after' parameter instead of 'offset'. |
| from_parent | query | boolean | The filter for returning either only indicators for the requesting customer or its MSSP parents. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

response = falcon.indicator_combined(filter="string",
                                     offset=integer,
                                     limit=integer,
                                     sort="string",
                                     after="string",
                                     from_parent=boolean
                                     )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

response = falcon.indicator_combined_v1(filter="string",
                                        offset=integer,
                                        limit=integer,
                                        sort="string",
                                        after="string",
                                        from_parent=boolean
                                        )
print(response)
```

Uber class example

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

PARAMS = {
    "filter": "string",
    "offset": integer,
    "limit": integer,
    "sort": "string",
    "after": "string",
    "from_parent": boolean
}

response = falcon.command("indicator_combined_v1", parameters=PARAMS)
print(response)
```

indicator_get_v1

Get Indicators by ids.

PEP8 method name

indicator_get

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Name | Type | Datatype | Description |
| --- | --- | --- | --- |
| ids | query | array (string) | The ids of the Indicators to retrieve. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_get(ids=id_list)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_get_v1(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("indicator_get_v1", ids=id_list)
print(response)
```

indicator_create_v1

Create Indicators.

PEP8 method name

indicator_create

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Name | Type | Datatype | Description |
| --- | --- | --- | --- |
| retrodetects | query | bool | Whether to submit to retrodetects. |
| ignore_warnings | query | bool | Set to true to ignore warnings and add all IOCs. |
| body | body | string | |

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

BODY = {
    "Body Payload": "See body description above"
}

# retrodetects and ignore_warnings are booleans (see the parameter table)
response = falcon.indicator_create(retrodetects=boolean, ignore_warnings=boolean, body=BODY)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

BODY = {
    "Body Payload": "See body description above"
}

response = falcon.indicator_create_v1(retrodetects=boolean, ignore_warnings=boolean, body=BODY)
print(response)
```

Uber class example

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

PARAMS = {
    "retrodetects": boolean,
    "ignore_warnings": boolean
}

BODY = {
    "Body Payload": "See body description above"
}

response = falcon.command("indicator_create_v1", parameters=PARAMS, body=BODY)
print(response)
```

indicator_delete_v1

Delete Indicators by ids.

PEP8 method name

indicator_delete

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Name | Type | Datatype | Description |
| --- | --- | --- | --- |
| filter | query | string | The FQL expression to delete Indicators in bulk. If both 'filter' and 'ids' are provided, then filter takes precedence and ignores ids. |
| ids | query | array (string) | The ids of the Indicators to delete. If both 'filter' and 'ids' are provided, then filter takes precedence and ignores ids. |
| comment | query | string | The comment explaining why these indicators were deleted. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_delete(filter="string", comment="string", ids=id_list)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_delete_v1(filter="string", comment="string", ids=id_list)
print(response)
```

Uber class example

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

PARAMS = {
    "filter": "string",
    "comment": "string"
}

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("indicator_delete_v1", parameters=PARAMS, ids=id_list)
print(response)
```
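The parameter table states that a 'filter' silently takes precedence over 'ids', so a call that passes both (as the usage snippets above do with placeholders) can delete far more than intended. The wrapper below is an added example, not FalconPy code: it accepts exactly one of filter/ids, requires an audit comment, and for a filter-based delete first counts matches with indicator_search and refuses above a cap. It assumes a client exposing indicator_search and indicator_delete with the falconpy response shape ({"status_code", "body"}) and that body["meta"]["pagination"]["total"] holds the match count; the FakeIOC stand-in is constructed so the code runs offline.

```python
from typing import Dict, List, Optional, Union


def guarded_indicator_delete(client, comment: str,
                             filter_expr: Optional[str] = None,
                             ids: Union[None, str, List[str]] = None,
                             max_matches: int = 100) -> Dict:
    """Delete by ids OR by filter, never both; count before a bulk delete."""
    if not comment or not comment.strip():
        raise ValueError("a comment explaining the deletion is required")
    if bool(filter_expr) == bool(ids):
        raise ValueError("pass exactly one of filter_expr or ids")
    if ids:
        # falconpy accepts a comma-joined string or a list; normalise to a list
        id_list = ids.split(",") if isinstance(ids, str) else list(ids)
        id_list = [i.strip() for i in id_list if i.strip()]
        if not id_list:
            raise ValueError("ids is empty")
        return client.indicator_delete(ids=id_list, comment=comment)
    # Filter path: probe with limit=1 and read the total (assumed location).
    probe = client.indicator_search(filter=filter_expr, limit=1)
    if probe.get("status_code") != 200:
        raise RuntimeError(f"search failed with status {probe.get('status_code')}")
    total = probe["body"].get("meta", {}).get("pagination", {}).get("total", 0)
    if total == 0:
        raise ValueError(f"filter {filter_expr!r} matches nothing; refusing to delete")
    if total > max_matches:
        raise ValueError(f"filter {filter_expr!r} matches {total} indicators, cap is {max_matches}")
    return client.indicator_delete(filter=filter_expr, comment=comment)


class FakeIOC:
    """Constructed stand-in for falconpy.ioc.IOC backed by an in-memory dict."""

    def __init__(self, store: Dict[str, Dict]):
        self.store = store                 # indicator id -> record
        self.deleted: List[str] = []

    def _match(self, fql: str) -> List[str]:
        # toy FQL: only the form type:'<value>' is understood here
        want = fql.split("'")[1]
        return [i for i, r in self.store.items() if r["type"] == want]

    def indicator_search(self, **kw) -> Dict:
        hits = self._match(kw["filter"])
        return {"status_code": 200,
                "body": {"meta": {"pagination": {"total": len(hits)}},
                         "resources": hits[:kw["limit"]]}}

    def indicator_delete(self, **kw) -> Dict:
        victims = self._match(kw["filter"]) if kw.get("filter") \
            else [i for i in kw["ids"] if i in self.store]
        for i in victims:
            self.deleted.append(i)
            del self.store[i]
        return {"status_code": 200, "body": {"resources": victims}}
```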

indicator_update_v1

Update Indicators.

PEP8 method name

indicator_update

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Name | Type | Datatype | Description |
| --- | --- | --- | --- |
| retrodetects | query | bool | Whether to submit to retrodetects. |
| ignore_warnings | query | bool | Set to true to ignore warnings and add all IOCs. |
| body | body | string | |

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

BODY = {
    "Body Payload": "See body description above"
}

# retrodetects and ignore_warnings are booleans (see the parameter table)
response = falcon.indicator_update(retrodetects=boolean, ignore_warnings=boolean, body=BODY)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

BODY = {
    "Body Payload": "See body description above"
}

response = falcon.indicator_update_v1(retrodetects=boolean, ignore_warnings=boolean, body=BODY)
print(response)
```

Uber class example

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

PARAMS = {
    "retrodetects": boolean,
    "ignore_warnings": boolean
}

BODY = {
    "Body Payload": "See body description above"
}

response = falcon.command("indicator_update_v1", parameters=PARAMS, body=BODY)
print(response)
```

indicator_search_v1

Search for Indicators.

PEP8 method name

indicator_search

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Name | Type | Datatype | Description |
| --- | --- | --- | --- |
| filter | query | string | The filter expression that should be used to limit the results. |
| offset | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k IOCs, use the 'after' parameter instead of 'offset'. |
| limit | query | integer | The maximum records to return. |
| sort | query | string | The sort expression that should be used to sort the results. |
| after | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an 'after' token. On subsequent requests, provide the 'after' token from the previous response to continue from that place in the results. To access more than 10k indicators, use the 'after' parameter instead of 'offset'. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

response = falcon.indicator_search(filter="string",
                                   offset=integer,
                                   limit=integer,
                                   sort="string",
                                   after="string"
                                   )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

response = falcon.indicator_search_v1(filter="string",
                                      offset=integer,
                                      limit=integer,
                                      sort="string",
                                      after="string"
                                      )
print(response)
```

Uber class example

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

PARAMS = {
    "filter": "string",
    "offset": integer,
    "limit": integer,
    "sort": "string",
    "after": "string"
}

response = falcon.command("indicator_search_v1", parameters=PARAMS)
print(response)
```
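Both indicator_combined_v1 and indicator_search_v1 document the same rule: 'offset' cannot reach past 10k records, 'offset' and 'after' are mutually exclusive, and the 'after' token from each response drives the next request. The walker below is an added example, not code from the FalconPy wiki or project; it assumes the falconpy response dict ({"status_code", "headers", "body"}) with body["meta"]["pagination"]["after"] carrying the next token and body["resources"] the page, and uses a constructed FakeIOC in place of IOC(...).indicator_combined so it runs offline.

```python
from typing import Callable, Dict, Iterator, List, Optional


def iterate_indicators(fetch: Callable[..., Dict], filter_expr: str,
                       limit: int = 500) -> Iterator[Dict]:
    """Yield every resource matching filter_expr, page by page.

    Uses the token cursor only (never 'offset' alongside it): no token on the
    first call, then the token from each previous response until none comes
    back. fetch is e.g. IOC(...).indicator_combined or indicator_search.
    """
    after: Optional[str] = None
    seen_tokens = set()
    while True:
        kwargs = {"filter": filter_expr, "limit": limit}
        if after:
            kwargs["after"] = after
        response = fetch(**kwargs)
        if response.get("status_code") != 200:
            raise RuntimeError(f"Falcon API returned {response.get('status_code')}: "
                               f"{response.get('body', {}).get('errors')}")
        body = response["body"]
        for resource in body.get("resources", []):
            yield resource
        after = body.get("meta", {}).get("pagination", {}).get("after")
        # stop on a missing token, or on one already used (guards against a loop)
        if not after or after in seen_tokens:
            break
        seen_tokens.add(after)


class FakeIOC:
    """Constructed stand-in for falconpy.ioc.IOC: pages a fixed indicator list."""

    def __init__(self, resources: List[Dict]):
        self._resources = resources
        self.calls: List[Dict] = []        # every kwargs dict received, for inspection

    def indicator_combined(self, **kwargs) -> Dict:
        self.calls.append(dict(kwargs))
        start = int(kwargs["after"]) if kwargs.get("after") else 0
        end = start + kwargs["limit"]
        next_token = str(end) if end < len(self._resources) else None
        return {"status_code": 200, "headers": {},
                "body": {"meta": {"pagination": {"after": next_token,
                                                 "total": len(self._resources)}},
                         "resources": self._resources[start:end], "errors": []}}


def collect_values(fetch: Callable[..., Dict], filter_expr: str, limit: int) -> List[str]:
    """Drain iterate_indicators and return just the indicator values."""
    return [r["value"] for r in iterate_indicators(fetch, filter_expr, limit)]


if __name__ == "__main__":
    sample = [{"id": f"ioc-{i}", "type": "domain", "value": f"host{i}.example.test"}
              for i in range(7)]                      # constructed sample data
    client = FakeIOC(sample)
    print(collect_values(client.indicator_combined, "type:'domain'", limit=3))
```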

DevicesCount

Number of hosts in your customer account that have observed a given custom IOC

PEP8 method name

devices_count

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Name | Type | Datatype | Description |
| --- | --- | --- | --- |
| type | query | string | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min: 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. |
| value | query | string | The string representation of the indicator. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

response = falcon.devices_count(type="string", value="string")
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

response = falcon.DevicesCount(type="string", value="string")
print(response)
```

Uber class example

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

PARAMS = {
    "type": "string",
    "value": "string"
}

response = falcon.command("DevicesCount", parameters=PARAMS)
print(response)
```

DevicesRanOn

Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1

PEP8 method name

devices_ran_on

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Name | Type | Datatype | Description |
| --- | --- | --- | --- |
| type | query | string | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min: 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. |
| value | query | string | The string representation of the indicator. |
| limit | query | string | The first process to return, where 0 is the latest offset. Use with the offset parameter to manage pagination of results. |
| offset | query | string | The first process to return, where 0 is the latest offset. Use with the limit parameter to manage pagination of results. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

response = falcon.devices_ran_on(type="string",
                                 value="string",
                                 limit="string",
                                 offset="string"
                                 )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

response = falcon.DevicesRanOn(type="string",
                               value="string",
                               limit="string",
                               offset="string"
                               )
print(response)
```

Uber class example

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

PARAMS = {
    "type": "string",
    "value": "string",
    "limit": "string",
    "offset": "string"
}

response = falcon.command("DevicesRanOn", parameters=PARAMS)
print(response)
```

ProcessesRanOn

Search for processes associated with a custom IOC

PEP8 method name

processes_ran_on

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Name | Type | Datatype | Description |
| --- | --- | --- | --- |
| type | query | string | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min: 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. |
| value | query | string | The string representation of the indicator. |
| device_id | query | string | Specify a host's ID to return only processes from that host. Get a host's ID from GET /devices/queries/devices/v1, the Falcon console, or the Streaming API. |
| limit | query | string | The first process to return, where 0 is the latest offset. Use with the offset parameter to manage pagination of results. |
| offset | query | string | The first process to return, where 0 is the latest offset. Use with the limit parameter to manage pagination of results. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

response = falcon.processes_ran_on(type="string",
                                   value="string",
                                   device_id="string",
                                   limit="string",
                                   offset="string"
                                   )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

response = falcon.ProcessesRanOn(type="string",
                                 value="string",
                                 device_id="string",
                                 limit="string",
                                 offset="string"
                                 )
print(response)
```

Uber class example

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

PARAMS = {
    "type": "string",
    "value": "string",
    "device_id": "string",
    "limit": "string",
    "offset": "string"
}

response = falcon.command("ProcessesRanOn", parameters=PARAMS)
print(response)
```
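DevicesCount, DevicesRanOn and ProcessesRanOn all take the same (type, value) pair, and their parameter tables spell out exactly what each type must look like (64 or 32 hex characters for sha256/md5, 1..200 characters for a domain, a parseable address for ipv4/ipv6). The checker below is an added example, not FalconPy code: it validates an indicator against those stated constraints before an API call is spent on it. The length and type rules are the page's own; the extra domain character check and the PARAMS-building helper are assumptions of this example.

```python
import ipaddress
import re
from typing import Dict, Tuple

VALID_TYPES = ("sha256", "md5", "domain", "ipv4", "ipv6")
_HEX = re.compile(r"^[0-9a-fA-F]+$")
# The page only constrains domain length; this character check is an added
# assumption (letters, digits, dot, hyphen) that catches pasted junk early.
_DOMAIN_CHARS = re.compile(r"^[A-Za-z0-9.-]+$")


def validate_indicator(ioc_type: str, value: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a (type, value) pair per the parameter table."""
    if ioc_type not in VALID_TYPES:
        return False, f"unknown type {ioc_type!r}; valid: {', '.join(VALID_TYPES)}"
    value = value.strip()
    if ioc_type in ("sha256", "md5"):
        want = 64 if ioc_type == "sha256" else 32      # min == max in the table
        if len(value) != want:
            return False, f"{ioc_type} must be exactly {want} hex characters, got {len(value)}"
        if not _HEX.match(value):
            return False, f"{ioc_type} must be hex-encoded"
        return True, ""
    if ioc_type == "domain":
        if not 1 <= len(value) <= 200:
            return False, f"domain length must be 1..200, got {len(value)}"
        if not _DOMAIN_CHARS.match(value):
            return False, "domain contains characters outside [A-Za-z0-9.-]"
        return True, ""
    # ipv4 / ipv6: must parse, and the address family must match the declared type
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False, f"{value!r} is not a valid IP address"
    if (ioc_type == "ipv4") != (addr.version == 4):
        return False, f"{value!r} is IPv{addr.version}, not {ioc_type}"
    return True, ""


def build_lookup_params(ioc_type: str, value: str) -> Dict[str, str]:
    """PARAMS dict for falcon.command("DevicesCount" / "DevicesRanOn" /
    "ProcessesRanOn", parameters=...); raises instead of sending a bad IOC."""
    ok, reason = validate_indicator(ioc_type, value)
    if not ok:
        raise ValueError(reason)
    return {"type": ioc_type, "value": value.strip()}
```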

entities_processes

For the provided ProcessID retrieve the process details

PEP8 method name

entities_processes

Content-Type

  • Produces: application/json

Parameters

| Name | Type | Datatype | Description |
| --- | --- | --- | --- |
| ids | query | array (string) | ProcessID for the running process you want to look up. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id="API_CLIENT_ID_HERE",
             client_secret="API_CLIENT_SECRET_HERE"
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy.api_complete import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_processes", ids=id_list)
print(response)
```
