Edit FalconIoc - CrowdStrike/psfalcon GitHub Wiki
Modify custom indicators
Requires 'IOC Manager APIs: Write'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| InputObject | Object[] | One or more indicators to modify in a single request | X | ||||
| Action | String | Action to perform when a host observes the indicator | |||||
| Platform | String[] | Operating system platform | |||||
| Severity | String | Severity level | |||||
| Source | String | Origination source | 1 |
256 |
|||
| Description | String | Indicator description | |||||
| Filename | String | Indicator filename, used with hash values | |||||
| Tag | String[] | Indicator tag | |||||
| MobileAction | String | Action to perform when a mobile device observes the indicator |
allowdetectno_actionprevent
|
||||
| HostGroup | String[] | Host group identifier | |||||
| AppliedGlobally | Boolean | Assign to all host groups | |||||
| Expiration | String | Expiration date and time (UTC ISO 8601). When an indicator expires it is set to 'no_action'. | |||||
| FromParent | Boolean | Inheritance from parent CID | |||||
| Comment | String | Audit log comment | |||||
| Retrodetect | Boolean | Generate retroactive detections for hosts that have observed the indicator | |||||
| IgnoreWarning | Boolean | Ignore warnings and modify all indicators | |||||
| Id | String | Indicator identifier |
Edit-FalconIoc [[-Action] <String>] [[-Platform] <String[]>] [[-Severity] <String>] [[-Source] <String>] [[-Description] <String>] [[-Filename] <String>] [[-Tag] <String[]>] [[-MobileAction] <String>] [[-HostGroup] <String[]>] [[-AppliedGlobally] <Boolean>] [[-Expiration] <String>] [[-FromParent] <Boolean>] [[-Comment] <String>] [[-Retrodetect] <Boolean>] [[-IgnoreWarning] <Boolean>] [-Id] <String> [-WhatIf] [-Confirm] [<CommonParameters>]Edit-FalconIoc -InputObject <Object[]> [[-Comment] <String>] [[-Retrodetect] <Boolean>] [[-IgnoreWarning] <Boolean>] [-WhatIf] [-Confirm] [<CommonParameters>]PATCH /iocs/entities/indicators/v1
Edit-FalconIoc -Id <id> -Source testSource -Action detect -Severity low -Description 'test description update' -Platforms windows -Tags test_tag2 -HostGroup all -Expiration '2021-05-01T12:00:00Z'2025-09-19: PSFalcon v2.2.9
