IOA Exclusions - CrowdStrike/falconpy GitHub Wiki

CrowdStrike Falcon CrowdStrike Subreddit

Using the IOA Exclusions service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation ID Description
getIOAExclusionsV1
PEP 8 get_exclusions
Get a set of IOA Exclusions by specifying their IDs.
createIOAExclusionsV1
PEP 8 create_exclusions
Create the IOA exclusions.
deleteIOAExclusionsV1
PEP 8 delete_exclusions
Delete the IOA exclusions by ID.
updateIOAExclusionsV1
PEP 8 update_exclusions
Update the IOA exclusions.
queryIOAExclusionsV1
PEP 8 query_exclusions
Search for IOA exclusions.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

getIOAExclusionsV1

Get a set of IOA Exclusions by specifying their IDs

PEP8 method name

get_exclusions

Endpoint

Method Route
GET /policy/entities/ioa-exclusions/v1

Required Scope

ioa-exclusions:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
ids
Service Class Support

Uber Class Support
query string or list of strings The IDs of the exclusions to retrieve.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOAExclusions

# Do not hardcode API credentials!
falcon = IOAExclusions(client_id=CLIENT_ID,
                       client_secret=CLIENT_SECRET
                       )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_exclusions(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOAExclusions

# Do not hardcode API credentials!
falcon = IOAExclusions(client_id=CLIENT_ID,
                       client_secret=CLIENT_SECRET
                       )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.getIOAExclusionsV1(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("getIOAExclusionsV1", ids=id_list)
print(response)

createIOAExclusionsV1

Create the IOA exclusions

PEP8 method name

create_exclusions

Endpoint

Method Route
POST /policy/entities/ioa-exclusions/v1

Required Scope

ioa-exclusions_write:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
cl_regex
Service Class Support

Uber Class Support
body string Command line regular expression.
comment
Service Class Support

Uber Class Support
body string String comment describing why the exclusions was created.
description
Service Class Support

Uber Class Support
body string Exclusion description.
detection_json
Service Class Support

Uber Class Support
body string JSON formatted detection template.
groups
Service Class Support

Uber Class Support
body list of strings Group ID(s) impacted by the exclusion.
ifn_regex
Service Class Support

Uber Class Support
body string Indicator file name regular expression.
name
Service Class Support

Uber Class Support
body string Name of the exclusion.
pattern_id
Service Class Support

Uber Class Support
body string ID of the pattern to use for the exclusion.
pattern_name
Service Class Support

Uber Class Support
body string Name of the pattern to use for the exclusion.

Usage

Service class example (PEP8 syntax)
from falconpy import IOAExclusions

# Do not hardcode API credentials!
falcon = IOAExclusions(client_id=CLIENT_ID,
                       client_secret=CLIENT_SECRET
                       )

group_list = ['ID1', 'ID2', 'ID3']

response = falcon.create_exclusions(cl_regex="string",
                                    comment="string",
                                    description="string",
                                    detection_json="string",
                                    groups=group_list,
                                    ifn_regex="string",
                                    name="string",
                                    pattern_id="string",
                                    pattern_name="string"
                                    )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOAExclusions

# Do not hardcode API credentials!
falcon = IOAExclusions(client_id=CLIENT_ID,
                       client_secret=CLIENT_SECRET
                       )

group_list = ['ID1', 'ID2', 'ID3']

response = falcon.createIOAExclusionsV1(cl_regex="string",
                                        comment="string",
                                        description="string",
                                        detection_json="string",
                                        groups=group_list,
                                        ifn_regex="string",
                                        name="string",
                                        pattern_id="string",
                                        pattern_name="string"
                                        )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

group_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "cl_regex": "string",
    "comment": "string",
    "description": "string",
    "detection_json": "string",
    "groups": group_list,
    "ifn_regex": "string",
    "name": "string",
    "pattern_id": "string",
    "pattern_name": "string"
}

response = falcon.command("createIOAExclusionsV1", body=BODY)
print(response)

deleteIOAExclusionsV1

Delete the IOA exclusions by id

PEP8 method name

delete_exclusions

Endpoint

Method Route
DELETE /policy/entities/ioa-exclusions/v1

Required Scope

ioa-exclusions_write:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
comment
Service Class Support

Uber Class Support
query string Explains why this exclusion was deleted.
ids
Service Class Support

Uber Class Support
query string or list of strings The IDs of the exclusions to retrieve.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOAExclusions

# Do not hardcode API credentials!
falcon = IOAExclusions(client_id=CLIENT_ID,
                       client_secret=CLIENT_SECRET
                       )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_exclusions(comment="string", ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOAExclusions

# Do not hardcode API credentials!
falcon = IOAExclusions(client_id=CLIENT_ID,
                       client_secret=CLIENT_SECRET
                       )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.deleteIOAExclusionsV1(comment="string", ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("deleteIOAExclusionsV1", comment="string", ids=id_list)
print(response)

updateIOAExclusionsV1

Update the IOA exclusions

PEP8 method name

update_exclusions

Endpoint

Method Route
PATCH /policy/entities/ioa-exclusions/v1

Required Scope

ioa-exclusions_write:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
cl_regex
Service Class Support

Uber Class Support
body string Command line regular expression.
comment
Service Class Support

Uber Class Support
body string String comment describing why the exclusions was created.
description
Service Class Support

Uber Class Support
body string Exclusion description.
detection_json
Service Class Support

Uber Class Support
body string JSON formatted detection template.
groups
Service Class Support

Uber Class Support
body list of strings Group ID(s) impacted by the exclusion.
id
Service Class Support

Uber Class Support
body string ID of the exclusion to update.
ifn_regex
Service Class Support

Uber Class Support
body string Indicator file name regular expression.
name
Service Class Support

Uber Class Support
body string Name of the exclusion.
pattern_id
Service Class Support

Uber Class Support
body string ID of the pattern to use for the exclusion.
pattern_name
Service Class Support

Uber Class Support
body string Name of the pattern to use for the exclusion.

Usage

Service class example (PEP8 syntax)
from falconpy import IOAExclusions

# Do not hardcode API credentials!
falcon = IOAExclusions(client_id=CLIENT_ID,
                       client_secret=CLIENT_SECRET
                       )

group_list = ['ID1', 'ID2', 'ID3']

response = falcon.update_exclusions(cl_regex="string",
                                    comment="string",
                                    description="string",
                                    detection_json="string",
                                    groups=group_list,
                                    ifn_regex="string",
                                    name="string",
                                    pattern_id="string",
                                    pattern_name="string"
                                    )
print(response)
Service class example (Operation ID syntax)
from falconpy import IOAExclusions

# Do not hardcode API credentials!
falcon = IOAExclusions(client_id=CLIENT_ID,
                       client_secret=CLIENT_SECRET
                       )

group_list = ['ID1', 'ID2', 'ID3']

response = falcon.updateIOAExclusionsV1(cl_regex="string",
                                        comment="string",
                                        description="string",
                                        detection_json="string",
                                        groups=group_list,
                                        ifn_regex="string",
                                        name="string",
                                        pattern_id="string",
                                        pattern_name="string"
                                        )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

group_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "cl_regex": "string",
    "comment": "string",
    "description": "string",
    "detection_json": "string",
    "groups": group_list,
    "id": "string",
    "ifn_regex": "string",
    "name": "string",
    "pattern_id": "string",
    "pattern_name": "string"
}

response = falcon.command("updateIOAExclusionsV1", body=BODY)
print(response)

queryIOAExclusionsV1

Search for IOA exclusions.

PEP8 method name

query_exclusions

Endpoint

Method Route
GET /policy/queries/ioa-exclusions/v1

Required Scope

ioa-exclusions:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
cl_regex
Service Class Support

Uber Class Support
body string Command line regular expression.
filter
Service Class Support

No Uber Class Support
query string The filter expression that should be used to limit the results. FQL syntax.

Available filters:
  • name
  • pattern_id
  • pattern_name
  • applied_globally
  • created_on
  • created_by
  • last_modified
  • modified_by
ifn_regex
Service Class Support

Uber Class Support
body string Indicator file name regular expression.
limit
Service Class Support

No Uber Class Support
query integer The maximum number of records to return. [1-500]
offset
Service Class Support

No Uber Class Support
query integer The offset to start retrieving records from.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
sort
Service Class Support

No Uber Class Support
query string The property to sort by.
FQL syntax. (e.g. last_behavior.asc)

Available sort fields:
  • name
  • pattern_id
  • pattern_name
  • applied_globally
  • created_on
  • created_by
  • last_modified
  • modified_by

Usage

Service class example (PEP8 syntax)
from falconpy import IOAExclusions

# Do not hardcode API credentials!
falcon = IOAExclusions(client_id=CLIENT_ID,
                       client_secret=CLIENT_SECRET
                       )

response = falcon.query_exclusions(cl_regex="string",
                                   filter="string",
                                   offset=integer,
                                   ifn_regex="string",
                                   limit=integer,
                                   sort="string"
                                   )
print(response)
Service class example (Operation ID syntax)
from falconpy import IOAExclusions

# Do not hardcode API credentials!
falcon = IOAExclusions(client_id=CLIENT_ID,
                       client_secret=CLIENT_SECRET
                       )

response = falcon.queryIOAExclusionsV1(cl_regex="string",
                                       filter="string",
                                       offset=integer,
                                       ifn_regex="string",
                                       limit=integer,
                                       sort="string"
                                       )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queryIOAExclusionsV1",
                          cl_regex="string",
                          filter="string",
                          offset=integer,
                          ifn_regex="string",
                          limit=integer,
                          sort="string"
                          )
print(response)
⚠️ **GitHub.com Fallback** ⚠️