Using the Custom IOA service collection

Uber class support Service class support Documentation Version Page Updated

This service collection has code examples posted to the repository.

Operation ID Description

get_patterns
PEP 8	get_patterns

Get pattern severities by ID.

get_platformsMixin0
PEP 8	get_platforms

Get platforms by ID.

get_rule_groupsMixin0
PEP 8	get_rule_groups

Get rule groups by ID.

create_rule_groupMixin0
PEP 8	create_rule_group

Create a rule group for a platform with a name and an optional description. Returns the rule group.

delete_rule_groupsMixin0
PEP 8	delete_rule_groups

Delete rule groups by ID.

update_rule_groupMixin0
PEP 8	update_rule_group

Update a rule group. The following properties can be modified: name, description, enabled.

get_rule_types
PEP 8	get_rule_types

Get rule types by ID.

get_rules_get
PEP 8	get_rules_get

Get rules by ID and optionally version in the following format: ID[:version].

get_rulesMixin0
PEP 8	get_rules

Get rules by ID and optionally version in the following format: ID[:version]. The max number of IDs is constrained by URL size.

create_rule
PEP 8	create_rule

Create a rule within a rule group. Returns the rule.

delete_rules
PEP 8	delete_rules

Delete rules from a rule group by ID.

update_rules
PEP 8	update_rules

Update rules within a rule group. Return the updated rules.

update_rules_v2
PEP 8	update_rules_v2

Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state for all the rules in the rule group, instead the v2 flavor will accept the subset of rules in the rule group and apply the attribute updates to the subset of rules in the rule group. Returns the updated rules.

validate
PEP 8	validate

Validates field values and checks for matches if a test string is provided.

query_patterns
PEP 8	query_patterns

Get all pattern severity IDs.

query_platformsMixin0
PEP 8	query_platforms

Get all platform IDs.

query_rule_groups_full
PEP 8	query_rule_groups_full

Find all rule groups matching the query with optional filter.

query_rule_groupsMixin0
PEP 8	query_rule_groups

Finds all rule group IDs matching the query with optional filter.

query_rule_types
PEP 8	query_rule_types

Get all rule type IDs.

query_rulesMixin0
PEP 8	query_rules

Finds all rule IDs matching the query with optional filter.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

get_patterns

Get pattern severities by ID.

PEP8 method name

get_patterns

Endpoint

Method	Route
	`/ioarules/entities/pattern-severities/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The ID(s) of the entities to return.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_patterns(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_patterns(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_patterns", ids=id_list)
print(response)

get_platformsMixin0

Get platforms by ID.

PEP8 method name

get_platforms

Endpoint

Method	Route
	`/ioarules/entities/platforms/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The ID(s) of the entities to return.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_platforms(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_platformsMixin0(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_platformsMixin0", ids=id_list)
print(response)

get_rule_groupsMixin0

Get rule groups by ID.

PEP8 method name

get_rule_groups

Endpoint

Method	Route
	`/ioarules/entities/rule-groups/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The ID(s) of the entities to return.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_groups(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_groupsMixin0(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rule_groupsMixin0", ids=id_list)
print(response)

create_rule_groupMixin0

Create a rule group for a platform with a name and an optional description. Returns the rule group.

PEP8 method name

create_rule_group

Endpoint

Method	Route
	`/ioarules/entities/rule-groups/v1`

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
body	body	dictionary	Full body payload in JSON format.
description	body	string	Rule group description.
comment	body	string	Comment to associate with this rule group.
name	body	string	Rule group name.
platform	body	string	Rule group platform.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.create_rule_group(description="string",
                                    comment="string",
                                    name="string",
                                    platform="string"
                                    )
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.create_rule_groupMixin0(description="string",
                                          comment="string",
                                          name="string",
                                          platform="string"
                                          )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
  "comment": "string",
  "description": "string",
  "name": "string",
  "platform": "string"
}

response = falcon.command("create_rule_groupMixin0", body=BODY)
print(response)

delete_rule_groupsMixin0

Delete rule groups by ID.

PEP8 method name

delete_rule_groups

Endpoint

Method	Route
	`/ioarules/entities/rule-groups/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
comment	query	string	Audit log comment for this operation.
ids	query	string or list of strings	The ID(s) of the entities to return.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_groups(comment="string", ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_groupsMixin0(comment="string", ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_rule_groupsMixin0", comment="string", ids=id_list)
print(response)

update_rule_groupMixin0

Update a rule group. The following properties can be modified: name, description, enabled.

PEP8 method name

update_rule_group

Endpoint

Method	Route
	`/ioarules/entities/rule-groups/v1`

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
body	body	dictionary	Full body payload in JSON format.
description	body	string	Rule group description.
comment	body	string	Comment to associate with this rule group.
enabled	body	boolean	Flag indicating if this rule group is enabled.
id	body	string	ID of the rule group to be updated.
name	body	string	Rule group name.
rulegroup_version	body	integer	Rule group version to update.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.update_rule_group(comment="string",
                                    description="string",
                                    enabled=boolean,
                                    id="string",
                                    name="string",
                                    rulegroup_version=integer
                                    )
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.update_rule_groupMixin0(comment="string",
                                          description="string",
                                          enabled=boolean,
                                          id="string",
                                          name="string",
                                          rulegroup_version=integer
                                          )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
  "comment": "string",
  "description": "string",
  "enabled": boolean,
  "id": "string",
  "name": "string",
  "rulegroup_version": integer
}


response = falcon.command("update_rule_groupMixin0", body=BODY)
print(response)

get_rule_types

Get rule types by ID.

PEP8 method name

get_rule_types

Endpoint

Method	Route
	`/ioarules/entities/rule-types/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The ID(s) of the entities to return.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_types(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_types(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rule_types", ids=id_list)
print(response)

get_rules_get

Get rules by ID and optionally version in the following format: ID[:version].

PEP8 method name

get_rules_get

Endpoint

Method	Route
	`/ioarules/entities/rules/GET/v1`

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload in JSON format.
ids			body	string or list of strings	Rule ID(s) to retrieve.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules_get(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules_get(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

BODY = {
  "ids": id_list
}

response = falcon.command("get_rules_get", body=BODY)
print(response)

get_rulesMixin0

Get rules by ID and optionally version in the following format: ID[:version]. The max number of IDs is constrained by URL size.

PEP8 method name

get_rules

Endpoint

Method	Route
	`/ioarules/entities/rules/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The ID(s) of the entities to return.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rulesMixin0(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rulesMixin0", ids=id_list)
print(response)

create_rule

Create a rule within a rule group. Returns the rule.

PEP8 method name

create_rule

Endpoint

Method	Route
	`/ioarules/entities/rules/v1`

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
body	body	dictionary	Full body payload in JSON format.
description	body	string	Rule description.
disposition_id	body	integer	Disposition ID of the rule.
comment	body	string	Comment to associate with this rule.
field_values	body	dictionary	Dictionary representing the rule field values.
pattern_severity	body	string	Severity.
name	body	string	Rule name.
rulegroup_id	body	string	ID of the Rule group to associate this rule to.
ruletype_id	body	string	Rule Type ID for this rule.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

field_val = {
    "final_value": "string",
    "label": "string",
    "name": "string",
    "type": "string",
    "value": "string",
    "values": [
        {
            "label": "string",
            "value": "string"
        }
    ]
}

response = falcon.create_rule(comment="string",
                              description="string",
                              disposition_id=integer,
                              field_values=field_val,
                              pattern_severity="string",
                              name="string",
                              rulegroup_id="string",
                              ruletype_id="string"
                              )
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

field_val = {
    "final_value": "string",
    "label": "string",
    "name": "string",
    "type": "string",
    "value": "string",
    "values": [
        {
            "label": "string",
            "value": "string"
        }
    ]
}

response = falcon.create_rule(comment="string",
                              description="string",
                              disposition_id=integer,
                              field_values=field_val,
                              pattern_severity="string",
                              name="string",
                              rulegroup_id="string",
                              ruletype_id="string"
                              )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
  "comment": "string",
  "description": "string",
  "disposition_id": integer,
  "field_values": [
    {
      "final_value": "string",
      "label": "string",
      "name": "string",
      "type": "string",
      "value": "string",
      "values": [
        {
          "label": "string",
          "value": "string"
        }
      ]
    }
  ],
  "name": "string",
  "pattern_severity": "string",
  "rulegroup_id": "string",
  "ruletype_id": "string"
}

response = falcon.command("create_rule", body=BODY)
print(response)

delete_rules

Delete rules from a rule group by ID.

PEP8 method name

delete_rules

Endpoint

Method	Route
	`/ioarules/entities/rules/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
comment	query	string	Audit log comment for this operation.
ids	query	string or list of strings	The ID(s) of the entities to return.
parameters	query	dictionary	Full query string parameters payload in JSON format.
rule_group_id	query	string	The parent rule group ID.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rules(rule_group_id="string", comment="string", ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rules(rule_group_id="string", comment="string", ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_rules",
                          comment="string",
                          ids=id_list,
                          rule_group_id="string"
                          )
print(response)

update_rules

Update rules within a rule group. Return the updated rules.

PEP8 method name

update_rules

Endpoint

Method	Route
	`/ioarules/entities/rules/v1`

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
body	body	dictionary	Full body payload in JSON format.
comment	body	string	Comment to associate with this rule.
rule_updates	body	dictionary	Dictionary representing the rule updates to perfrom.
rulegroup_id	body	string	ID of the Rule group to associate this rule to.
rulegroup_version	body	integer	Rule group version.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

rule_update = {
    "description": "string",
    "disposition_id": integer,
    "enabled": boolean,
    "field_values": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ],
    "instance_id": "string",
    "name": "string",
    "pattern_severity": "string",
    "rulegroup_version": integer
}

response = falcon.update_rules(comment="string",
                               rule_updates=rule_update,
                               rulegroup_id="string",
                               rulegroup_version=integer
                               )
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

rule_update = {
    "description": "string",
    "disposition_id": integer,
    "enabled": boolean,
    "field_values": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ],
    "instance_id": "string",
    "name": "string",
    "pattern_severity": "string",
    "rulegroup_version": integer
}

response = falcon.update_rules(comment="string",
                               rule_updates=rule_update,
                               rulegroup_id="string",
                               rulegroup_version=integer
                               )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "comment": "string",
    "rule_updates": [
        {
            "description": "string",
            "disposition_id": 0,
            "enabled": true,
            "field_values": [
                {
                    "final_value": "string",
                    "label": "string",
                    "name": "string",
                    "type": "string",
                    "value": "string",
                    "values": [
                        {
                            "label": "string",
                            "value": "string"
                        }
                    ]
                }
            ],
            "instance_id": "string",
            "name": "string",
            "pattern_severity": "string",
            "rulegroup_version": 0
        }
    ],
    "rulegroup_id": "string",
    "rulegroup_version": 0
}

response = falcon.command("update_rules", body=BODY)
print(response)

update_rules_v2

PEP8 method name

update_rules_v2

Endpoint

Method	Route
	`/ioarules/entities/rules/v2`

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
body	body	dictionary	Full body payload in JSON format.
comment	body	string	Comment to associate with this rule.
rule_updates	body	dictionary	Dictionary representing the rule updates to perfrom.
rulegroup_id	body	string	ID of the Rule group to associate this rule to.
rulegroup_version	body	integer	Rule group version.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

rule_update = {
    "description": "string",
    "disposition_id": integer,
    "enabled": boolean,
    "field_values": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ],
    "instance_id": "string",
    "name": "string",
    "pattern_severity": "string",
    "rulegroup_version": integer
}

response = falcon.update_rules(comment="string",
                               rule_updates=rule_update,
                               rulegroup_id="string",
                               rulegroup_version=integer
                               )
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

rule_update = {
    "description": "string",
    "disposition_id": integer,
    "enabled": boolean,
    "field_values": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ],
    "instance_id": "string",
    "name": "string",
    "pattern_severity": "string",
    "rulegroup_version": integer
}

response = falcon.update_rules(comment="string",
                               rule_updates=rule_update,
                               rulegroup_id="string",
                               rulegroup_version=integer
                               )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "comment": "string",
    "rule_updates": [
        {
            "description": "string",
            "disposition_id": integer,
            "enabled": boolean,
            "field_values": [
                {
                    "final_value": "string",
                    "label": "string",
                    "name": "string",
                    "type": "string",
                    "value": "string",
                    "values": [
                        {
                            "label": "string",
                            "value": "string"
                        }
                    ]
                }
            ],
            "instance_id": "string",
            "name": "string",
            "pattern_severity": "string",
            "rulegroup_version": integer
        }
    ],
    "rulegroup_id": "string",
    "rulegroup_version": integer
}

response = falcon.command("update_rules", body=BODY)

print(response)

validate

Validates field values and checks for matches if a test string is provided.

PEP8 method name

validate

Endpoint

Method	Route
	`/ioarules/entities/rules/validate/v1`

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload in JSON format.
fields			body	list of dictionaries	List of dictionaries containing the fields to be validated.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

fields_to_validate = [{
    "name": "string",
    "test_data": "string",
    "type": "string",
    "values": [
        {
            "label": "string",
            "value": "string"
        }
    ]
}]

response = falcon.validate(fields=field_to_validate)
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

fields_to_validate = [{
    "name": "string",
    "test_data": "string",
    "type": "string",
    "values": [
        {
            "label": "string",
            "value": "string"
        }
    ]
}]

response = falcon.validate(fields=field_to_validate)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "fields": [
        {
            "name": "string",
            "test_data": "string",
            "type": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ]
}

response = falcon.command("validate", body=BODY)
print(response)

query_patterns

Get all pattern severity IDs.

PEP8 method name

query_patterns

Endpoint

Method	Route
	`/ioarules/queries/pattern-severities/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
limit	query	integer	Maximum number of records to return.
offset	query	integer	Starting index of overall result set from which to return ids.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_patterns(offset=integer, limit=integer)
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_patterns(offset=integer, limit=integer)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_patterns", limit=integer, offset=integer)
print(response)

query_platformsMixin0

Get all platform IDs.

PEP8 method name

query_platforms

Endpoint

Method	Route
	`/ioarules/queries/platforms/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
limit	query	integer	Maximum number of records to return.
offset	query	integer	Starting index of overall result set from which to return ids.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_platforms(offset=integer, limit=integer)
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_platformsMixin0(offset=integer, limit=integer)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_platformsMixin0", offset=integer, limit=integer)
print(response)

query_rule_groups_full

Find all rule groups matching the query with optional filter.

PEP8 method name

query_rule_groups_full

Endpoint

Method	Route
	`/ioarules/queries/rule-groups-full/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
filter	query	string	FQL Syntax formatted string used to limit the results. Available filters: enabled platform name description rules.action_label rules.name rules.description rules.pattern_severity rules.ruletype_name rules.enabled Filter range criteria: created_on modified_on You may use any common date format, such as `2010-05-15T14:55:21.892315096Z` for date format fields.
limit	query	integer	Maximum number of records to return.
offset	query	integer	Starting index of overall result set from which to return ids.
q	query	string	Match query criteria which includes all the filter string fields.
sort	query	string	The property to sort by. (Ex: modified_on.desc) Available sort fields: created_by created_on modified_by modified_on enabled name description
parameters	query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groups_full(sort="string",
                                         filter="string",
                                         q="string",
                                         offset="string",
                                         limit=integer
                                         )
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groups_full(sort="string",
                                         filter="string",
                                         q="string",
                                         offset="string",
                                         limit=integer
                                         )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_groups_full",
                          sort="string",
                          filter="string",
                          q="string",
                          offset="string",
                          limit=integer
                          )
print(response)

query_rule_groupsMixin0

Finds all rule group IDs matching the query with optional filter.

PEP8 method name

query_rule_groups

Endpoint

Method	Route
	`/ioarules/queries/rule-groups/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
filter	query	string	FQL Syntax formatted string used to limit the results. Available filters: enabled platform name description rules.action_label rules.name rules.description rules.pattern_severity rules.ruletype_name rules.enabled Filter range criteria: created_on modified_on You may use any common date format, such as `2010-05-15T14:55:21.892315096Z` for date format fields.
limit	query	integer	Maximum number of records to return.
offset	query	integer	Starting index of overall result set from which to return ids.
q	query	string	Match query criteria which includes all the filter string fields.
sort	query	string	The property to sort by. (Ex: modified_on.desc) Available sort fields: created_by created_on modified_by modified_on enabled name description
parameters	query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groups(sort="string",
                                    filter="string",
                                    q="string",
                                    offset="string",
                                    limit=integer
                                    )
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groupsMixin0(sort="string",
                                          filter="string",
                                          q="string",
                                          offset="string",
                                          limit=integer
                                          )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_groupsMixin0",
                          sort="string",
                          filter="string",
                          q="string",
                          offset="string",
                          limit=integer
                          )
print(response)

query_rule_types

Get all rule type IDs.

PEP8 method name

query_rule_types

Endpoint

Method	Route
	`/ioarules/queries/rule-types/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
limit	query	integer	Maximum number of records to return.
offset	query	integer	Starting index of overall result set from which to return ids.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_types(offset=integer, limit=integer)
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_types(offset=integer, limit=integer)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_types", offset=integer, limit=integer)
print(response)

query_rulesMixin0

Finds all rule IDs matching the query with optional filter.

PEP8 method name

query_rules

Endpoint

Method	Route
	`/ioarules/queries/rules/v1`

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
filter	query	string	FQL Syntax formatted string used to limit the results. Available filters: enabled platform name description rules.action_label rules.name rules.description rules.pattern_severity rules.ruletype_name rules.enabled Filter range criteria: created_on modified_on You may use any common date format, such as `2010-05-15T14:55:21.892315096Z` for date format fields.
limit	query	integer	Maximum number of records to return.
offset	query	integer	Starting index of overall result set from which to return ids.
q	query	string	Match query criteria which includes all the filter string fields.
sort	query	string	The property to sort by. (Ex: rules.created_on.desc) Available sort fields: rules.ruletype_name rules.enabled rules.created_by rules.current_version.name rules.current_version.modified_by rules.created_on rules.current_version.description rules.current_version.pattern_severity rules.current_version.action_label rules.current_version.modified_on
parameters	query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rules(sort="string",
                              filter="string",
                              q="string",
                              offset="string",
                              limit=integer
                              )
print(response)

Service class example (Operation ID syntax)

from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rulesMixin0(sort="string",
                                    filter="string",
                                    q="string",
                                    offset="string",
                                    limit=integer
                                    )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rulesMixin0",
                          sort="string",
                          filter="string",
                          q="string",
                          offset="string",
                          limit=integer
                          )
print(response)

Custom IOA - CrowdStrike/falconpy GitHub Wiki

Using the Custom IOA service collection

Table of Contents

Passing credentials

get_patterns

PEP8 method name

Endpoint

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

get_platformsMixin0

PEP8 method name

Endpoint

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

get_rule_groupsMixin0

PEP8 method name

Endpoint

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

create_rule_groupMixin0

PEP8 method name

Endpoint

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

delete_rule_groupsMixin0

PEP8 method name

Endpoint

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

update_rule_groupMixin0

PEP8 method name

Endpoint

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

get_rule_types

PEP8 method name

Endpoint

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

get_rules_get

PEP8 method name

Endpoint

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

get_rulesMixin0

PEP8 method name

Endpoint

Content-Type