IOCs - CrowdStrike/falconpy GitHub Wiki


Using the IOCs service collection


This class has been superseded by the new IOC service class. Only the query and aggregate operations (DevicesCount, DevicesRanOn, ProcessesRanOn and entities_processes) remain usable here; the create, read, update, delete and search operations below are deprecated, ignore any arguments passed to them, and should be replaced by their IOC.indicator_*_v1 counterparts.

Table of Contents

| Operation ID | Description |
| :---- | :---- |
| DevicesCount<br />PEP 8: devices_count | Number of hosts in your customer account that have observed a given custom IOC |
| GetIOC<br />PEP 8: get_ioc | Deprecated. Superseded by the IOC.indicator_get_v1 operation and no longer used. |
| CreateIOC<br />PEP 8: create_ioc | Deprecated. Superseded by the IOC.indicator_create_v1 operation and no longer used. |
| DeleteIOC<br />PEP 8: delete_ioc | Deprecated. Superseded by the IOC.indicator_delete_v1 operation and no longer used. |
| UpdateIOC<br />PEP 8: update_ioc | Deprecated. Superseded by the IOC.indicator_update_v1 operation and no longer used. |
| DevicesRanOn<br />PEP 8: devices_ran_on | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1 |
| QueryIOCs<br />PEP 8: query_iocs | Deprecated. Superseded by the IOC.indicator_search_v1 operation and no longer used. |
| ProcessesRanOn<br />PEP 8: processes_ran_on | Search for processes associated with a custom IOC |
| entities_processes<br />PEP 8: entities_processes | For the provided ProcessID retrieve the process details |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that carry your CrowdStrike API credentials; both are ingested as strings. None of the examples below hard-code these values: CLIENT_ID and CLIENT_SECRET are placeholders for values loaded at runtime (for example from environment variables or a secrets manager).

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

DevicesCount

Number of hosts in your customer account that have observed a given custom IOC

PEP8 method name

devices_count

Endpoint

Method Route
GET /indicators/aggregates/devices-count/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| type | ✓ | ✓ | query | string | The type of the indicator. Valid types are listed below. |
| value | ✓ | ✓ | query | string | The string representation of the indicator. |
| parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |

Valid values for type:
  • sha256: A hex-encoded sha256 hash string.
    Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string.
    Length - min: 32, max: 32.
  • domain: A domain name.
    Length - min: 1, max: 200.
  • ipv4: An IPv4 address.
    Must be a valid IP address.
  • ipv6: An IPv6 address.
    Must be a valid IP address.

Usage

Service class example (PEP8 syntax)

```python
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

response = falcon.devices_count(type="string", value="string")
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

response = falcon.DevicesCount(type="string", value="string")
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DevicesCount", type="string", value="string")
print(response)
```

GetIOC

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_get_v1 operation and is no longer used.

PEP8 method name

get_ioc

Endpoint

Method Route
GET /indicators/entities/iocs/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

CreateIOC

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_create_v1 operation and is no longer used.

PEP8 method name

create_ioc

Endpoint

Method Route
POST /indicators/entities/iocs/v1

Required Scope

iocs-indicators-of-compromise:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

DeleteIOC

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_delete_v1 operation and is no longer used.

PEP8 method name

delete_ioc

Endpoint

Method Route
DELETE /indicators/entities/iocs/v1

Required Scope

iocs-indicators-of-compromise:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

UpdateIOC

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_update_v1 operation and is no longer used.

PEP8 method name

update_ioc

Endpoint

Method Route
PATCH /indicators/entities/iocs/v1

Required Scope

iocs-indicators-of-compromise:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

DevicesRanOn

Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1

PEP8 method name

devices_ran_on

Endpoint

Method Route
GET /indicators/queries/devices/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| type | ✓ | ✓ | query | string | The type of the indicator. Valid types are listed below. |
| value | ✓ | ✓ | query | string | The string representation of the indicator. |
| limit | ✓ | ✓ | query | integer | Maximum number of results to return. |
| offset | ✓ | ✓ | query | integer | Starting offset to begin returning results. |
| parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |

Valid values for type:
  • sha256: A hex-encoded sha256 hash string.
    Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string.
    Length - min: 32, max: 32.
  • domain: A domain name.
    Length - min: 1, max: 200.
  • ipv4: An IPv4 address.
    Must be a valid IP address.
  • ipv6: An IPv6 address.
    Must be a valid IP address.

Usage

Service class example (PEP8 syntax)

```python
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

# limit and offset are integers, not strings
response = falcon.devices_ran_on(type="string",
                                 value="string",
                                 limit=integer,
                                 offset=integer
                                 )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

response = falcon.DevicesRanOn(type="string",
                               value="string",
                               limit=integer,
                               offset=integer
                               )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DevicesRanOn",
                          type="string",
                          value="string",
                          limit=integer,
                          offset=integer
                          )
print(response)
```

QueryIOCs

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_search_v1 operation and is no longer used.

PEP8 method name

query_iocs

Endpoint

Method Route
GET /indicators/queries/iocs/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

ProcessesRanOn

Search for processes associated with a custom IOC

PEP8 method name

processes_ran_on

Endpoint

Method Route
GET /indicators/queries/processes/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| type | ✓ | ✓ | query | string | The type of the indicator. Valid types are listed below. |
| value | ✓ | ✓ | query | string | The string representation of the indicator. |
| device_id | ✓ | ✓ | query | string | Specify a Host AID to return only processes from that host. |
| limit | ✓ | ✓ | query | integer | Maximum number of results to return. |
| offset | ✓ | ✓ | query | integer | Starting offset to begin returning results. |
| parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |

Valid values for type:
  • sha256: A hex-encoded sha256 hash string.
    Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string.
    Length - min: 32, max: 32.
  • domain: A domain name.
    Length - min: 1, max: 200.
  • ipv4: An IPv4 address.
    Must be a valid IP address.
  • ipv6: An IPv6 address.
    Must be a valid IP address.

Usage

Service class example (PEP8 syntax)

```python
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

# limit and offset are integers, not strings
response = falcon.processes_ran_on(type="string",
                                   value="string",
                                   device_id="string",
                                   limit=integer,
                                   offset=integer
                                   )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

response = falcon.ProcessesRanOn(type="string",
                                 value="string",
                                 device_id="string",
                                 limit=integer,
                                 offset=integer
                                 )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ProcessesRanOn",
                          type="string",
                          value="string",
                          device_id="string",
                          limit=integer,
                          offset=integer
                          )
print(response)
```

entities_processes

For the provided ProcessID retrieve the process details

PEP8 method name

entities_processes

Endpoint

Method Route
GET /processes/entities/processes/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| ids | ✓ | ✓ | query | string or list of strings | ProcessID of the running process you want to look up. |
| parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_processes", ids=id_list)
print(response)
```
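The four working operations on this page are meant to be chained: DevicesRanOn and ProcessesRanOn are limit/offset query endpoints that return IDs, and entities_processes turns those IDs into details. The following is an added example, written for this page and not code from the falconpy project, that validates a custom IOC against the type rules documented above, pages through every host that observed it, and pivots to the process details per host. It assumes (the page does not state this) that falconpy service-class responses are dicts with a `status_code` and a `body` whose `resources` list holds the results and whose `meta.pagination.total` holds the total hit count. `FakeIocs` is a constructed stand-in so the example runs offline; `real_client()` shows the real `Iocs` client built from environment variables instead of hard-coded secrets.

```python
"""Added example (not falconpy project code): IOC validation, pagination and the
host -> process pivot across DevicesRanOn, ProcessesRanOn and entities_processes.
Assumed response shape: {"status_code": int, "body": {"resources": [...],
"meta": {"pagination": {"total": int}}, "errors": [...]}}.  FakeIocs is a
constructed offline stand-in for falconpy.Iocs."""
import ipaddress
import os
import re
from typing import Callable, Dict, List

HEX = re.compile(r"^[0-9a-fA-F]+$")


def _is_ip(value: str, version: int) -> bool:
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


# Length/format rules for each `type`, as documented for these endpoints.
_CHECKS = {
    "sha256": lambda v: len(v) == 64 and bool(HEX.match(v)),
    "md5": lambda v: len(v) == 32 and bool(HEX.match(v)),
    "domain": lambda v: 1 <= len(v) <= 200,
    "ipv4": lambda v: _is_ip(v, 4),
    "ipv6": lambda v: _is_ip(v, 6),
}


def validate_indicator(ioc_type: str, value: str) -> bool:
    """Return True for a well-formed indicator, raise ValueError otherwise, so a
    typo is rejected before it costs an API call and a slice of rate-limit budget."""
    check = _CHECKS.get(ioc_type)
    if check is None:
        raise ValueError(f"unsupported indicator type: {ioc_type}")
    if not check(value):
        raise ValueError(f"malformed {ioc_type} indicator: {value!r}")
    return True


def _page(query: Callable[..., Dict], limit: int, **kwargs) -> List[str]:
    """Walk a limit/offset query endpoint until every resource ID is collected."""
    ids: List[str] = []
    offset = 0
    while True:
        resp = query(limit=limit, offset=offset, **kwargs)
        if resp["status_code"] != 200:
            raise RuntimeError(f"API error {resp['status_code']}: {resp['body'].get('errors')}")
        page = resp["body"].get("resources") or []
        ids.extend(page)
        total = resp["body"].get("meta", {}).get("pagination", {}).get("total", 0)
        offset += len(page)
        if not page or offset >= total:  # empty page also guards a missing total
            return ids


def hosts_and_processes(client, ioc_type: str, value: str, limit: int = 100) -> Dict[str, List[Dict]]:
    """Map each host AID that observed the IOC to the detail records of the
    processes tied to that IOC on that host."""
    validate_indicator(ioc_type, value)
    result: Dict[str, List[Dict]] = {}
    for aid in _page(client.devices_ran_on, limit, type=ioc_type, value=value):
        pids = _page(client.processes_ran_on, limit, type=ioc_type, value=value, device_id=aid)
        # entities_processes accepts a list of IDs or a comma-joined string
        result[aid] = client.entities_processes(ids=pids)["body"]["resources"] if pids else []
    return result


class FakeIocs:
    """Constructed stand-in for falconpy.Iocs: canned data served in limit/offset pages."""
    HOSTS = ["aid-1111", "aid-2222", "aid-3333"]
    PROCS = {"aid-1111": ["pid:aid-1111:100"], "aid-3333": ["pid:aid-3333:7", "pid:aid-3333:9"]}

    @staticmethod
    def _reply(items, limit, offset):
        return {"status_code": 200,
                "body": {"resources": items[offset:offset + limit],
                         "meta": {"pagination": {"offset": offset, "limit": limit, "total": len(items)}},
                         "errors": []}}

    # `type` shadows the builtin on purpose: it is the keyword the real API uses.
    def devices_ran_on(self, type, value, limit, offset):
        return self._reply(self.HOSTS, limit, offset)

    def processes_ran_on(self, type, value, device_id, limit, offset):
        return self._reply(self.PROCS.get(device_id, []), limit, offset)

    def entities_processes(self, ids):
        ids = ids.split(",") if isinstance(ids, str) else ids
        return {"status_code": 200, "body": {"resources": [{"process_id": i} for i in ids], "errors": []}}


def real_client():
    """Build the real client from the environment; never hard-code the secret."""
    from falconpy import Iocs
    return Iocs(client_id=os.environ["FALCON_CLIENT_ID"],
                client_secret=os.environ["FALCON_CLIENT_SECRET"])


if __name__ == "__main__":
    # Swap FakeIocs() for real_client() to run against the Falcon API.
    print(hosts_and_processes(FakeIocs(), "sha256", "ab" * 32, limit=2))
```

The small `limit=2` in the demo forces the walker across several pages so the offset arithmetic is exercised; against the real API a larger page size reduces round trips. Stopping on an empty page as well as on `offset >= total` keeps the loop from spinning if a response omits the pagination block.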