# IOCs

Joshua Hiller edited this page Apr 12, 2021 · 18 revisions

This is the legacy IOCs service collection, marked as deprecated in the FalconPy service collection index (a separate IOC collection is listed alongside it).
API Function | Description |
---|---|
DevicesCount | Number of hosts in your customer account that have observed a given custom IOC |
GetIOC | Get an IOC by providing a type and value |
CreateIOC | Create a new IOC |
DeleteIOC | Delete an IOC by providing a type and value |
UpdateIOC | Update an IOC by providing a type and value |
DevicesRanOn | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1 |
QueryIOCs | Search the custom IOCs in your customer account |
ProcessesRanOn | Search for processes associated with a custom IOC |
entities_processes | For the provided ProcessID retrieve the process details |
### DevicesCount

Number of hosts in your customer account that have observed a given custom IOC
- Consumes: application/json
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | type | query | string | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. |
✅ | value | query | string | The string representation of the indicator |
```python
from falconpy import iocs as FalconIOCs

# Service class. falcon_client_id / falcon_client_secret are your OAuth2 API client credentials.
falcon = FalconIOCs.Iocs(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'type': 'string',   # sha256, md5, domain, ipv4 or ipv6
    'value': 'string'   # the indicator in that type's string form
}

response = falcon.DevicesCount(parameters=PARAMS)
print(response)
```

```python
from falconpy import api_complete as FalconSDK

# Uber class: one APIHarness instance can call any operation by name.
falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'type': 'string',   # sha256, md5, domain, ipv4 or ipv6
    'value': 'string'   # the indicator in that type's string form
}

response = falcon.command('DevicesCount', parameters=PARAMS)
print(response)

falcon.deauthenticate()   # revoke the OAuth2 token when done
```
### GetIOC

Get an IOC by providing a type and value
- Consumes: application/json
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | type | query | string | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. |
✅ | value | query | string | The string representation of the indicator |
```python
from falconpy import iocs as FalconIOCs

# Service class. falcon_client_id / falcon_client_secret are your OAuth2 API client credentials.
falcon = FalconIOCs.Iocs(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'type': 'string',   # sha256, md5, domain, ipv4 or ipv6
    'value': 'string'   # the indicator in that type's string form
}

response = falcon.GetIOC(parameters=PARAMS)
print(response)
```

```python
from falconpy import api_complete as FalconSDK

# Uber class: one APIHarness instance can call any operation by name.
falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'type': 'string',   # sha256, md5, domain, ipv4 or ipv6
    'value': 'string'   # the indicator in that type's string form
}

response = falcon.command('GetIOC', parameters=PARAMS)
print(response)

falcon.deauthenticate()   # revoke the OAuth2 token when done
```
### CreateIOC

Create a new IOC
- Consumes: application/json
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | body | body | string | Create a new IOC by providing a JSON object that includes these key/value pairs. type (required): The type of the indicator. Valid values: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min: 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. value (required): The string representation of the indicator. policy (required): Action to take when a host observes the custom IOC. Values: detect: Enable detections for this custom IOC. none: Disable detections for this custom IOC. share_level (optional): Visibility of this custom IOC. All custom IOCs are visible only within your customer account, so only one value is valid: red. expiration_days (optional): Number of days this custom IOC is active. Only applies to the types domain, ipv4, and ipv6. source (optional): The source where this indicator originated. This can be used for tracking where this indicator was defined. Limit 200 characters. description (optional): Descriptive label for this custom IOC |
```python
from falconpy import iocs as FalconIOCs

# Service class. falcon_client_id / falcon_client_secret are your OAuth2 API client credentials.
falcon = FalconIOCs.Iocs(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

# JSON object with the key/value pairs from the body description above
BODY = {
    'type': 'string',           # required: sha256, md5, domain, ipv4 or ipv6
    'value': 'string',          # required: the indicator itself
    'policy': 'detect',         # required: detect or none
    'share_level': 'red',       # optional: red is the only valid value
    'expiration_days': 30,      # optional: domain, ipv4 and ipv6 only
    'source': 'string',         # optional: where the indicator came from, max 200 characters
    'description': 'string'     # optional: descriptive label
}

response = falcon.CreateIOC(body=BODY)
print(response)
```

```python
from falconpy import api_complete as FalconSDK

# Uber class: one APIHarness instance can call any operation by name.
falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

# JSON object with the key/value pairs from the body description above
BODY = {
    'type': 'string',           # required: sha256, md5, domain, ipv4 or ipv6
    'value': 'string',          # required: the indicator itself
    'policy': 'detect',         # required: detect or none
    'share_level': 'red',       # optional: red is the only valid value
    'expiration_days': 30,      # optional: domain, ipv4 and ipv6 only
    'source': 'string',         # optional: where the indicator came from, max 200 characters
    'description': 'string'     # optional: descriptive label
}

response = falcon.command('CreateIOC', body=BODY)
print(response)

falcon.deauthenticate()   # revoke the OAuth2 token when done
```
### DeleteIOC

Delete an IOC by providing a type and value
- Consumes: application/json
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | type | query | string | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. |
✅ | value | query | string | The string representation of the indicator |
```python
from falconpy import iocs as FalconIOCs

# Service class. falcon_client_id / falcon_client_secret are your OAuth2 API client credentials.
falcon = FalconIOCs.Iocs(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'type': 'string',   # sha256, md5, domain, ipv4 or ipv6
    'value': 'string'   # the indicator in that type's string form
}

response = falcon.DeleteIOC(parameters=PARAMS)
print(response)
```

```python
from falconpy import api_complete as FalconSDK

# Uber class: one APIHarness instance can call any operation by name.
falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'type': 'string',   # sha256, md5, domain, ipv4 or ipv6
    'value': 'string'   # the indicator in that type's string form
}

response = falcon.command('DeleteIOC', parameters=PARAMS)
print(response)

falcon.deauthenticate()   # revoke the OAuth2 token when done
```
### UpdateIOC

Update an IOC by providing a type and value
- Consumes: application/json
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | body | body | string | |
✅ | type | query | string | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. |
✅ | value | query | string | The string representation of the indicator |
```python
from falconpy import iocs as FalconIOCs

# Service class. falcon_client_id / falcon_client_secret are your OAuth2 API client credentials.
falcon = FalconIOCs.Iocs(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

# type and value identify the existing IOC to update
PARAMS = {
    'type': 'string',   # sha256, md5, domain, ipv4 or ipv6
    'value': 'string'   # the indicator in that type's string form
}

# JSON object carrying the IOC fields to change
BODY = {
    'Body Payload': 'See body description above'
}

response = falcon.UpdateIOC(parameters=PARAMS, body=BODY)
print(response)
```

```python
from falconpy import api_complete as FalconSDK

# Uber class: one APIHarness instance can call any operation by name.
falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

# type and value identify the existing IOC to update
PARAMS = {
    'type': 'string',   # sha256, md5, domain, ipv4 or ipv6
    'value': 'string'   # the indicator in that type's string form
}

# JSON object carrying the IOC fields to change
BODY = {
    'Body Payload': 'See body description above'
}

response = falcon.command('UpdateIOC', parameters=PARAMS, body=BODY)
print(response)

falcon.deauthenticate()   # revoke the OAuth2 token when done
```
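Every operation on this page takes the same `type`/`value` pair, and CreateIOC adds the policy, share level, expiration and source rules listed in its body description. The helper below is an added example, not FalconPy's own code: it enforces those rules locally (hash length and hex alphabet, domain length, IP address family via the standard library, `expiration_days` only for domain/ipv4/ipv6, `source` length, `policy` and `share_level` values) and returns the validated query parameters or CreateIOC body, so a malformed indicator is rejected before any request is sent. The normalisation choices (lower-casing hashes and domains, canonical IP text) are this example's, not stated by the API; the sample indicator is constructed and no network call is made.

```python
"""Validate an indicator locally before sending it to the IOC endpoints.

Added example, not FalconPy's own code. It implements the type/value rules
stated in the parameter tables on this page and the CreateIOC body fields,
so a malformed indicator fails here instead of as a 4xx from the API.
No network call is made.
"""
import ipaddress
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HASH_LENGTHS = {"sha256": 64, "md5": 32}
VALID_TYPES = ("sha256", "md5", "domain", "ipv4", "ipv6")
VALID_POLICIES = ("detect", "none")
EXPIRING_TYPES = ("domain", "ipv4", "ipv6")   # expiration_days applies to these only
MAX_SOURCE_LEN = 200


def normalize_indicator(ioc_type: str, value: str) -> str:
    """Return the canonical form of `value` for `ioc_type`, or raise ValueError."""
    if ioc_type not in VALID_TYPES:
        raise ValueError(f"unknown IOC type {ioc_type!r}; expected one of {VALID_TYPES}")
    value = value.strip()
    if ioc_type in HASH_LENGTHS:
        # sha256: exactly 64 hex chars, md5: exactly 32. Lower-cased (this
        # example's choice) so the same hash is never stored twice in two cases.
        expected = HASH_LENGTHS[ioc_type]
        if len(value) != expected or not HEX_RE.match(value):
            raise ValueError(f"{ioc_type} must be exactly {expected} hex characters")
        return value.lower()
    if ioc_type == "domain":
        if not 1 <= len(value) <= 200:
            raise ValueError("domain must be 1 to 200 characters")
        return value.lower()   # DNS names are case-insensitive
    # ipv4 / ipv6: the standard library decides validity and address family
    try:
        addr = ipaddress.ip_address(value)
    except ValueError as exc:
        raise ValueError(f"{value!r} is not a valid IP address") from exc
    if addr.version != (4 if ioc_type == "ipv4" else 6):
        raise ValueError(f"{value!r} is not an {ioc_type} address")
    return str(addr)   # canonical text form, e.g. compressed IPv6


def ioc_query_params(ioc_type: str, value: str) -> dict:
    """The validated `type`/`value` query parameters used by GetIOC, DeleteIOC,
    UpdateIOC, DevicesCount, DevicesRanOn and ProcessesRanOn."""
    return {"type": ioc_type, "value": normalize_indicator(ioc_type, value)}


def build_create_ioc_body(ioc_type, value, policy="detect", share_level="red",
                          expiration_days=None, source=None, description=None):
    """Build the JSON object described for the CreateIOC body, or raise ValueError."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"policy must be one of {VALID_POLICIES}")
    if share_level != "red":
        raise ValueError("share_level: 'red' is the only valid value")
    body = dict(ioc_query_params(ioc_type, value), policy=policy, share_level=share_level)
    if expiration_days is not None:
        if ioc_type not in EXPIRING_TYPES:
            raise ValueError("expiration_days only applies to domain, ipv4 and ipv6")
        if not isinstance(expiration_days, int) or expiration_days < 1:
            raise ValueError("expiration_days must be a positive integer")
        body["expiration_days"] = expiration_days
    if source is not None:
        if len(source) > MAX_SOURCE_LEN:
            raise ValueError(f"source is limited to {MAX_SOURCE_LEN} characters")
        body["source"] = source
    if description is not None:
        body["description"] = description
    return body


if __name__ == "__main__":
    # Constructed sample indicator, not a real one.
    body = build_create_ioc_body("domain", "Malicious.Example.test",
                                 expiration_days=30, source="added-example")
    print(body)
    # Live use with the Iocs service class shown above:
    #   falcon.CreateIOC(body=body)
```

Validating before the call also protects the account from the failure mode the API cannot catch: a hash pasted with a trailing newline or an IPv6 address passed as `ipv4` would otherwise either be rejected late or create an indicator that never matches.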
### DevicesRanOn

Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1
- Consumes: application/json
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | type | query | string | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. |
✅ | value | query | string | The string representation of the indicator |
| | limit | query | string | Maximum number of results to return. Use with the offset parameter to manage pagination of results. |
| | offset | query | string | The first result to return, where 0 is the latest offset. Use with the limit parameter to manage pagination of results. |
```python
from falconpy import iocs as FalconIOCs

# Service class. falcon_client_id / falcon_client_secret are your OAuth2 API client credentials.
falcon = FalconIOCs.Iocs(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'type': 'string',    # sha256, md5, domain, ipv4 or ipv6
    'value': 'string',   # the indicator in that type's string form
    'limit': 'string',   # results per page
    'offset': 'string'   # first result to return; advance by limit to page through
}

response = falcon.DevicesRanOn(parameters=PARAMS)
print(response)
```

```python
from falconpy import api_complete as FalconSDK

# Uber class: one APIHarness instance can call any operation by name.
falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'type': 'string',    # sha256, md5, domain, ipv4 or ipv6
    'value': 'string',   # the indicator in that type's string form
    'limit': 'string',   # results per page
    'offset': 'string'   # first result to return; advance by limit to page through
}

response = falcon.command('DevicesRanOn', parameters=PARAMS)
print(response)

falcon.deauthenticate()   # revoke the OAuth2 token when done
```
### QueryIOCs

Search the custom IOCs in your customer account
- Consumes: application/json
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
| | types | query | string | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min: 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. |
| | values | query | string | The string representation of the indicator |
| | from.expiration_timestamp | query | string | Find custom IOCs that expire after this time (RFC-3339 timestamp) |
| | to.expiration_timestamp | query | string | Find custom IOCs that expire before this time (RFC-3339 timestamp) |
| | policies | query | string | detect: Find custom IOCs that produce notifications. none: Find custom IOCs whose detections are disabled, which is equivalent to the indicator being turned off. |
| | sources | query | string | The source where this indicator originated. This can be used for tracking where this indicator was defined. Limit 200 characters. |
| | share_levels | query | string | The level at which the indicator will be shared. Currently only the red share level (not shared) is supported, indicating that the IOC isn't shared with other Falcon Host (FH) customers. |
| | created_by | query | string | The user or API client who created the custom IOC |
| | deleted_by | query | string | The user or API client who deleted the custom IOC |
| | include_deleted | query | string | true: include deleted IOCs. false: don't include deleted IOCs (default) |
```python
from falconpy import iocs as FalconIOCs

# Service class. falcon_client_id / falcon_client_secret are your OAuth2 API client credentials.
falcon = FalconIOCs.Iocs(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

# All filters are optional; omit the keys you do not need.
PARAMS = {
    'types': 'string',                      # sha256, md5, domain, ipv4 or ipv6
    'values': 'string',                     # indicator value(s)
    'from.expiration_timestamp': 'string',  # RFC-3339 timestamp
    'to.expiration_timestamp': 'string',    # RFC-3339 timestamp
    'policies': 'string',                   # detect or none
    'sources': 'string',
    'share_levels': 'string',               # red is the only supported level
    'created_by': 'string',
    'deleted_by': 'string',
    'include_deleted': 'string'             # true or false (default)
}

response = falcon.QueryIOCs(parameters=PARAMS)
print(response)
```

```python
from falconpy import api_complete as FalconSDK

# Uber class: one APIHarness instance can call any operation by name.
falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

# All filters are optional; omit the keys you do not need.
PARAMS = {
    'types': 'string',                      # sha256, md5, domain, ipv4 or ipv6
    'values': 'string',                     # indicator value(s)
    'from.expiration_timestamp': 'string',  # RFC-3339 timestamp
    'to.expiration_timestamp': 'string',    # RFC-3339 timestamp
    'policies': 'string',                   # detect or none
    'sources': 'string',
    'share_levels': 'string',               # red is the only supported level
    'created_by': 'string',
    'deleted_by': 'string',
    'include_deleted': 'string'             # true or false (default)
}

response = falcon.command('QueryIOCs', parameters=PARAMS)
print(response)

falcon.deauthenticate()   # revoke the OAuth2 token when done
```
### ProcessesRanOn

Search for processes associated with a custom IOC
- Consumes: application/json
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | type | query | string | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. |
✅ | value | query | string | The string representation of the indicator |
✅ | device_id | query | string | Specify a host's ID to return only processes from that host. Get a host's ID from GET /devices/queries/devices/v1, the Falcon console, or the Streaming API. |
| | limit | query | string | Maximum number of processes to return. Use with the offset parameter to manage pagination of results. |
| | offset | query | string | The first process to return, where 0 is the latest offset. Use with the limit parameter to manage pagination of results. |
```python
from falconpy import iocs as FalconIOCs

# Service class. falcon_client_id / falcon_client_secret are your OAuth2 API client credentials.
falcon = FalconIOCs.Iocs(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'type': 'string',       # sha256, md5, domain, ipv4 or ipv6
    'value': 'string',      # the indicator in that type's string form
    'device_id': 'string',  # host ID (from GET /devices/queries/devices/v1, the console or the Streaming API)
    'limit': 'string',      # processes per page
    'offset': 'string'      # first process to return; advance by limit to page through
}

response = falcon.ProcessesRanOn(parameters=PARAMS)
print(response)
```

```python
from falconpy import api_complete as FalconSDK

# Uber class: one APIHarness instance can call any operation by name.
falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'type': 'string',       # sha256, md5, domain, ipv4 or ipv6
    'value': 'string',      # the indicator in that type's string form
    'device_id': 'string',  # host ID (from GET /devices/queries/devices/v1, the console or the Streaming API)
    'limit': 'string',      # processes per page
    'offset': 'string'      # first process to return; advance by limit to page through
}

response = falcon.command('ProcessesRanOn', parameters=PARAMS)
print(response)

falcon.deauthenticate()   # revoke the OAuth2 token when done
```
### entities_processes

For the provided ProcessID retrieve the process details
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | ids | query | array (string) | ProcessID for the running process you want to lookup |
```python
from falconpy import iocs as FalconIOCs

# Service class. falcon_client_id / falcon_client_secret are your OAuth2 API client credentials.
falcon = FalconIOCs.Iocs(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

IDS = 'ID1,ID2,ID3'   # comma-delimited ProcessIDs, e.g. returned by ProcessesRanOn

response = falcon.entities_processes(ids=IDS)
print(response)
```

```python
from falconpy import api_complete as FalconSDK

# Uber class: one APIHarness instance can call any operation by name.
falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

IDS = 'ID1,ID2,ID3'   # comma-delimited ProcessIDs, e.g. returned by ProcessesRanOn

response = falcon.command('entities.processes', ids=IDS)
print(response)

falcon.deauthenticate()   # revoke the OAuth2 token when done
```
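DevicesRanOn and ProcessesRanOn both page with `limit`/`offset`, and entities_processes takes the resulting ProcessIDs as a comma-delimited `ids` string, so the three operations form one investigative pivot: indicator, then the hosts that observed it, then the processes on each host, then the process details. The block below is an added example, not FalconPy's own code. `fetch` is any callable accepting `parameters=` and returning a FalconPy-style response envelope (`{"status_code": ..., "body": {"resources": [...], "errors": [...]}}`), so a bound service-class method such as `falcon.DevicesRanOn` or the offline fakes included here can be passed in; the fake hosts and process IDs are constructed. Treating a page shorter than `limit` as the last page, and failing loudly on a non-2xx status instead of reading an error body as "no more results", are this example's rules; the page documents only the two parameters.

```python
"""Page through DevicesRanOn / ProcessesRanOn and batch process IDs for
entities_processes.

Added example, not FalconPy's own code. `fetch` is any callable accepting
`parameters=` and returning a FalconPy-style response envelope
({"status_code": int, "body": {"resources": [...], "errors": [...]}}),
so a bound SDK method such as falcon.DevicesRanOn or an offline fake can be
passed in. Stopping on a page shorter than `limit` is this example's rule.
"""
from typing import Callable, Dict, Iterator, List

Fetch = Callable[..., Dict]


def paginate(fetch: Fetch, params: Dict[str, str], page_size: int = 100) -> Iterator[str]:
    """Yield every resource across all limit/offset pages.

    Raises RuntimeError (carrying the body's `errors`) on a non-2xx status
    rather than silently treating an error page as the end of the data.
    """
    offset = 0
    while True:
        page_params = dict(params, limit=str(page_size), offset=str(offset))
        resp = fetch(parameters=page_params)
        if resp.get("status_code", 0) // 100 != 2:
            errors = resp.get("body", {}).get("errors", [])
            raise RuntimeError(f"request failed with status {resp.get('status_code')}: {errors}")
        resources = resp.get("body", {}).get("resources") or []
        yield from resources
        if len(resources) < page_size:   # short or empty page: nothing further
            return
        offset += page_size


def chunked(ids: List[str], size: int) -> Iterator[str]:
    """Join IDs into comma-separated strings of at most `size` each, the
    `ids` format the entities_processes examples above use."""
    for i in range(0, len(ids), size):
        yield ",".join(ids[i:i + size])


def hosts_and_process_batches(ioc_type: str, value: str,
                              devices_ran_on: Fetch, processes_ran_on: Fetch,
                              page_size: int = 100, batch_size: int = 50) -> Dict[str, List[str]]:
    """Pivot from an IOC to the hosts that observed it and, per host, the
    comma-joined ProcessID batches to hand to entities_processes."""
    base = {"type": ioc_type, "value": value}
    result: Dict[str, List[str]] = {}
    for device_id in paginate(devices_ran_on, base, page_size):
        pids = list(paginate(processes_ran_on, dict(base, device_id=device_id), page_size))
        result[device_id] = list(chunked(pids, batch_size))
    return result


# --- constructed offline stand-ins for the two SDK calls; all IDs are made up ---
FAKE_HOSTS = [f"host{i:02d}" for i in range(7)]
FAKE_PROCS = {h: [f"{h}-pid{j}" for j in range(5)] for h in FAKE_HOSTS}


def _page(items: List[str], parameters: Dict[str, str]) -> Dict:
    off, lim = int(parameters["offset"]), int(parameters["limit"])
    return {"status_code": 200, "body": {"resources": items[off:off + lim], "errors": []}}


def fake_devices_ran_on(parameters: Dict[str, str]) -> Dict:
    return _page(FAKE_HOSTS, parameters)


def fake_processes_ran_on(parameters: Dict[str, str]) -> Dict:
    return _page(FAKE_PROCS[parameters["device_id"]], parameters)


if __name__ == "__main__":
    pivot = hosts_and_process_batches("sha256", "a" * 64,
                                      fake_devices_ran_on, fake_processes_ran_on,
                                      page_size=3, batch_size=2)
    for host, batches in pivot.items():
        print(host, batches)
    # Live use with the Iocs service class from the examples above:
    #   pivot = hosts_and_process_batches("sha256", sha, falcon.DevicesRanOn, falcon.ProcessesRanOn)
    #   for batches in pivot.values():
    #       for ids in batches:
    #           falcon.entities_processes(ids=ids)
```

Keeping the SDK call injectable is what makes the pagination and batching logic testable without credentials; swapping the fakes for `falcon.DevicesRanOn` and `falcon.ProcessesRanOn` changes nothing else.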