Joshua Hiller edited this page Dec 13, 2021 · 18 revisions


Using the IOCs service collection


This class has been superseded by the new IOC service class.

Table of Contents

| Operation ID | Description |
| :--- | :--- |
| DevicesCount (PEP 8: devices_count) | Number of hosts in your customer account that have observed a given custom IOC |
| GetIOC (PEP 8: get_ioc) | Deprecated. This operation has been superseded by the IOC.indicator_get_v1 operation and is no longer used. |
| CreateIOC (PEP 8: create_ioc) | Deprecated. This operation has been superseded by the IOC.indicator_create_v1 operation and is no longer used. |
| DeleteIOC (PEP 8: delete_ioc) | Deprecated. This operation has been superseded by the IOC.indicator_delete_v1 operation and is no longer used. |
| UpdateIOC (PEP 8: update_ioc) | Deprecated. This operation has been superseded by the IOC.indicator_update_v1 operation and is no longer used. |
| DevicesRanOn (PEP 8: devices_ran_on) | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1 |
| QueryIOCs (PEP 8: query_iocs) | Deprecated. This operation has been superseded by the IOC.indicator_search_v1 operation and is no longer used. |
| ProcessesRanOn (PEP 8: processes_ran_on) | Search for processes associated with a custom IOC |
| entities_processes (PEP 8: entities_processes) | For the provided ProcessID, retrieve the process details |

DevicesCount

Number of hosts in your customer account that have observed a given custom IOC

PEP8 method name

devices_count

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| type | Yes | Yes | query | string | The type of the indicator. Valid types are listed after this table. |
| value | Yes | Yes | query | string | The string representation of the indicator. |
| parameters | Yes | Yes | query | string | Full query string parameters payload in JSON format. |

Valid types include:
  • sha256: A hex-encoded sha256 hash string.
    Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string.
    Length - min: 32, max: 32.
  • domain: A domain name.
    Length - min: 1, max: 200.
  • ipv4: An IPv4 address.
    Must be a valid IP address.
  • ipv6: An IPv6 address.
    Must be a valid IP address.

Usage

Service class example (PEP8 syntax)
from falconpy import Iocs

falcon = Iocs(client_id="API_CLIENT_ID_HERE",
              client_secret="API_CLIENT_SECRET_HERE"
              )

response = falcon.devices_count(type="string", value="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import Iocs

falcon = Iocs(client_id="API_CLIENT_ID_HERE",
              client_secret="API_CLIENT_SECRET_HERE"
              )

response = falcon.DevicesCount(type="string", value="string")
print(response)
Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("DevicesCount", type="string", value="string")
print(response)

GetIOC

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_get_v1 operation and is no longer used.

PEP8 method name

get_ioc

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

CreateIOC

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_create_v1 operation and is no longer used.

PEP8 method name

create_ioc

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

DeleteIOC

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_delete_v1 operation and is no longer used.

PEP8 method name

delete_ioc

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

UpdateIOC

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_update_v1 operation and is no longer used.

PEP8 method name

update_ioc

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

DevicesRanOn

Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1

PEP8 method name

devices_ran_on

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| type | Yes | Yes | query | string | The type of the indicator. Valid types are listed after this table. |
| value | Yes | Yes | query | string | The string representation of the indicator. |
| limit | Yes | Yes | query | integer | Maximum number of results to return. |
| offset | Yes | Yes | query | integer | Starting offset to begin returning results. |
| parameters | Yes | Yes | query | string | Full query string parameters payload in JSON format. |

Valid types include:
  • sha256: A hex-encoded sha256 hash string.
    Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string.
    Length - min: 32, max: 32.
  • domain: A domain name.
    Length - min: 1, max: 200.
  • ipv4: An IPv4 address.
    Must be a valid IP address.
  • ipv6: An IPv6 address.
    Must be a valid IP address.

Usage

Service class example (PEP8 syntax)
from falconpy import Iocs

falcon = Iocs(client_id="API_CLIENT_ID_HERE",
              client_secret="API_CLIENT_SECRET_HERE"
              )

response = falcon.devices_ran_on(type="string",
                                 value="string",
                                 limit=100,  # integer (sample value)
                                 offset=0    # integer (sample value)
                                 )
print(response)
Service class example (Operation ID syntax)
from falconpy import Iocs

falcon = Iocs(client_id="API_CLIENT_ID_HERE",
              client_secret="API_CLIENT_SECRET_HERE"
              )

response = falcon.DevicesRanOn(type="string",
                               value="string",
                               limit=100,  # integer (sample value)
                               offset=0    # integer (sample value)
                               )
print(response)
Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("DevicesRanOn",
                          type="string",
                          value="string",
                          limit=100,  # integer (sample value)
                          offset=0    # integer (sample value)
                          )
print(response)

QueryIOCs

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_search_v1 operation and is no longer used.

PEP8 method name

query_iocs

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

ProcessesRanOn

Search for processes associated with a custom IOC

PEP8 method name

processes_ran_on

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| type | Yes | Yes | query | string | The type of the indicator. Valid types are listed after this table. |
| value | Yes | Yes | query | string | The string representation of the indicator. |
| device_id | Yes | Yes | query | string | Specify a Host AID to return only processes from that host. |
| limit | Yes | Yes | query | integer | Maximum number of results to return. |
| offset | Yes | Yes | query | integer | Starting offset to begin returning results. |
| parameters | Yes | Yes | query | string | Full query string parameters payload in JSON format. |

Valid types include:
  • sha256: A hex-encoded sha256 hash string.
    Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string.
    Length - min: 32, max: 32.
  • domain: A domain name.
    Length - min: 1, max: 200.
  • ipv4: An IPv4 address.
    Must be a valid IP address.
  • ipv6: An IPv6 address.
    Must be a valid IP address.

Usage

Service class example (PEP8 syntax)
from falconpy import Iocs

falcon = Iocs(client_id="API_CLIENT_ID_HERE",
              client_secret="API_CLIENT_SECRET_HERE"
              )

response = falcon.processes_ran_on(type="string",
                                   value="string",
                                   device_id="string",
                                   limit=100,  # integer (sample value)
                                   offset=0    # integer (sample value)
                                   )
print(response)
Service class example (Operation ID syntax)
from falconpy import Iocs

falcon = Iocs(client_id="API_CLIENT_ID_HERE",
              client_secret="API_CLIENT_SECRET_HERE"
              )

response = falcon.ProcessesRanOn(type="string",
                                 value="string",
                                 device_id="string",
                                 limit=100,  # integer (sample value)
                                 offset=0    # integer (sample value)
                                 )
print(response)
Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("ProcessesRanOn",
                          type="string",
                          value="string",
                          device_id="string",
                          limit=100,  # integer (sample value)
                          offset=0    # integer (sample value)
                          )
print(response)
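
The type and value constraints listed for DevicesCount, DevicesRanOn and ProcessesRanOn can be checked locally before a lookup is sent. The following is an added example, not part of the original page or of FalconPy; `validate_indicator` is a hypothetical helper name, and it enforces only the rules stated in the "Valid types" lists above.

```python
import ipaddress
import re

# Hex lengths taken from the "Valid types" lists on this page.
_HEX_LENGTHS = {"sha256": 64, "md5": 32}


def validate_indicator(ioc_type, value):
    """Return (type, value) ready for the type= and value= keywords.

    Raises ValueError when the pair breaks a rule from the "Valid types" list.
    """
    ioc_type = ioc_type.strip().lower()
    value = value.strip()
    if ioc_type in _HEX_LENGTHS:
        length = _HEX_LENGTHS[ioc_type]
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % length, value):
            raise ValueError(f"{ioc_type} must be exactly {length} hex characters")
    elif ioc_type == "domain":
        if not 1 <= len(value) <= 200:
            raise ValueError("domain length must be between 1 and 200")
    elif ioc_type in ("ipv4", "ipv6"):
        try:
            address = ipaddress.ip_address(value)
        except ValueError as exc:
            raise ValueError(f"not a valid IP address: {value!r}") from exc
        # Reject an IPv6 literal submitted as ipv4 and the reverse.
        if address.version != int(ioc_type[-1]):
            raise ValueError(f"{value!r} is not an {ioc_type} address")
    else:
        raise ValueError(f"unsupported indicator type: {ioc_type!r}")
    return ioc_type, value


if __name__ == "__main__":
    # Constructed sample indicator (64 hex characters).
    print(validate_indicator("SHA256", "ab" * 32))
```

The returned pair can be passed directly as `type=` and `value=` to `devices_count`, `devices_ran_on` or `processes_ran_on`.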

entities_processes

For the provided ProcessID, retrieve the process details.

PEP8 method name

entities_processes

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :--- | :--- | :--- | :--- | :--- |
| ids | Yes | Yes | query | string or list of strings | ProcessID for the running process you want to look up. |
| parameters | Yes | Yes | query | string | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import Iocs

falcon = Iocs(client_id="API_CLIENT_ID_HERE",
              client_secret="API_CLIENT_SECRET_HERE"
              )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Iocs

falcon = Iocs(client_id="API_CLIENT_ID_HERE",
              client_secret="API_CLIENT_SECRET_HERE"
              )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_processes", ids=id_list)
print(response)
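
The three non-deprecated lookups chain naturally during triage: DevicesRanOn gives the hosts, ProcessesRanOn gives the process IDs on each host, and entities_processes gives the details. The following is an added example, not code from the original page or from FalconPy; the helper names and `FakeIocs` are hypothetical, the IDs are constructed, and it assumes responses carry `status_code` and `body.resources` / `body.errors` and that `offset` is a numeric index as the keyword tables describe. Only the first page of processes per host is fetched.

```python
def falcon_resources(response):
    """Return body.resources; raise on a non-200 status or reported errors."""
    body = response.get("body") or {}
    if response.get("status_code") != 200 or body.get("errors"):
        raise RuntimeError(f"API error {response.get('status_code')}: {body.get('errors')}")
    return body.get("resources") or []

def hosts_for_ioc(falcon, ioc_type, value, page_size=100):
    """Page through devices_ran_on with limit/offset until a short page."""
    hosts, offset = [], 0
    while True:
        page = falcon_resources(falcon.devices_ran_on(
            type=ioc_type, value=value, limit=page_size, offset=offset))
        hosts.extend(page)
        if len(page) < page_size:
            return hosts
        offset += len(page)

def processes_for_ioc(falcon, ioc_type, value, page_size=100):
    """Map each host AID to the process detail records tied to the IOC."""
    findings = {}
    for aid in hosts_for_ioc(falcon, ioc_type, value, page_size):
        pids = falcon_resources(falcon.processes_ran_on(
            type=ioc_type, value=value, device_id=aid, limit=page_size))
        findings[aid] = (falcon_resources(falcon.entities_processes(ids=pids))
                         if pids else [])
    return findings

class FakeIocs:
    """Constructed stand-in for falconpy.Iocs so the example runs offline."""
    hosts = ["aid-0001", "aid-0002", "aid-0003"]            # constructed AIDs
    procs = {"aid-0001": ["pid:aid-0001:100"],              # constructed IDs
             "aid-0003": ["pid:aid-0003:7", "pid:aid-0003:9"]}

    @staticmethod
    def _ok(resources):
        return {"status_code": 200, "body": {"resources": resources, "errors": []}}

    def devices_ran_on(self, type, value, limit, offset):
        return self._ok(self.hosts[offset:offset + limit])

    def processes_ran_on(self, type, value, device_id, limit):
        return self._ok(self.procs.get(device_id, [])[:limit])

    def entities_processes(self, ids):
        return self._ok([{"process_id": p} for p in ids])

if __name__ == "__main__":
    print(processes_for_ioc(FakeIocs(), "sha256", "ab" * 32, page_size=2))
```

Against a live tenant, pass an authenticated `Iocs` instance in place of `FakeIocs()`.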
