Get FalconIoc - CrowdStrike/psfalcon GitHub Wiki

Get-FalconIoc

SYNOPSIS

Search for custom indicators

DESCRIPTION

Requires 'IOC Manager APIs: Read'.

PARAMETERS

| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| Id | String[] | Indicator identifier | | | | X | X |
| Filter | String | Falcon Query Language expression to limit results | | | type, value, action, mobile_action, severity, platforms, tags, expiration, expired, applied_globally, host_groups, created_on, created_by, modified_on, modified_by, source | | |
| Sort | String | Property and direction to sort results | | | action.asc, action.desc, applied_globally.asc, applied_globally.desc, metadata.av_hits.asc, metadata.av_hits.desc, metadata.company_name.raw.asc, metadata.company_name.raw.desc, created_by.asc, created_by.desc, created_on.asc, created_on.desc, expiration.asc, expiration.desc, expired.asc, expired.desc, metadata.filename.raw.asc, metadata.filename.raw.desc, modified_by.asc, modified_by.desc, modified_on.asc, modified_on.desc, metadata.original_filename.raw.asc, metadata.original_filename.raw.desc, metadata.product_name.raw.asc, metadata.product_name.raw.desc, metadata.product_version.asc, metadata.product_version.desc, severity_number.asc, severity_number.desc, source.asc, source.desc, type.asc, type.desc, value.asc, value.desc | | |
| Limit | Int32 | Maximum number of results per request | 1 | 2000 | | | |
| FromParent | Boolean | Inheritance from parent CID | | | | | |
| Offset | Int32 | Position to begin retrieving results | | | | | |
| After | String | Pagination token to retrieve the next set of results | | | | | |
| Detailed | Switch | Retrieve detailed information | | | | | |
| All | Switch | Repeat requests until all available results are retrieved | | | | | |
| Total | Switch | Display total result count instead of results | | | | | |

SYNTAX

Get-FalconIoc [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-Offset <Int32>] [-After <String>] [-All] [-Total] [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconIoc -Id <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconIoc [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-FromParent] <Boolean>] [-Offset <Int32>] [-After <String>] -Detailed [-All] [-WhatIf] [-Confirm] [<CommonParameters>]

REFERENCE

Endpoints

GET /iocs/combined/indicator/v1
GET /iocs/entities/indicators/v1
GET /iocs/queries/indicators/v1

falconpy

indicator_search_v1
indicator_get_v1
indicator_combined_v1

USAGE

Finding domain indicator identifiers

Get-FalconIoc -Filter "type:'domain'"

Retrieving details about an indicator by its identifier

Get-FalconIoc -Id <id>, <id>

Retrieving indicator details in large batches

Get-FalconIoc -Filter "type:'domain'+tags:'MalDomain_20201215'+tags:'domains_mac'" -Detailed -All
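As an added example that is not part of the PSFalcon wiki, the following function combines -Detailed and -All with client-side checks to report custom indicators that never expire or are about to lapse. It assumes an authenticated PSFalcon session (for example one created with Request-FalconToken) and that the detailed indicator objects expose the filterable properties listed above (id, type, value, action, severity, expiration, modified_by).

```powershell
# Added example, not part of the PSFalcon wiki. Assumes an authenticated PSFalcon
# session whose API client has 'IOC Manager APIs: Read', and that detailed indicator
# objects expose id, type, value, action, severity, expiration and modified_by.
function Get-FalconIocExpiryReport {
    [CmdletBinding()]
    param(
        # Indicators expiring within this many days are reported as expiring soon
        [int]$Days = 7,
        # Optional FQL filter, e.g. "type:'domain'", to audit one indicator type
        [string]$Filter
    )

    # -Detailed returns full objects; -All follows the pagination token until done
    $Param = @{ Detailed = $true; All = $true }
    if ($Filter) { $Param['Filter'] = $Filter }
    $Iocs = @(Get-FalconIoc @Param)

    $Cutoff = (Get-Date).ToUniversalTime().AddDays($Days)

    # Indicators with no expiration never age out and deserve a deliberate review
    $Permanent = @($Iocs | Where-Object { -not $_.expiration })

    # Already expired, or expiring before the cutoff: a block or detection that is
    # about to lapse without anyone noticing
    $Expiring = @($Iocs | Where-Object {
        $_.expiration -and ([datetime]($_.expiration)).ToUniversalTime() -le $Cutoff
    } | Sort-Object expiration)

    [PSCustomObject]@{
        Total        = $Iocs.Count
        # How many indicators exist per type/action pair (e.g. domains set to block)
        ByTypeAction = $Iocs | Group-Object type, action |
            Select-Object @{ n = 'TypeAction'; e = { $_.Name } }, Count
        Permanent    = $Permanent | Select-Object id, type, value, action, severity, modified_by
        Expiring     = $Expiring | Select-Object id, type, value, action, severity, expiration, modified_by
    }
}

# Example call: audit domain indicators and list the ones lapsing within 14 days
$Report = Get-FalconIocExpiryReport -Days 14 -Filter "type:'domain'"
$Report.ByTypeAction | Format-Table -AutoSize
$Report.Expiring | Format-Table -AutoSize
```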

See Get-FalconIocHost. See Get-FalconIocProcess.

2023-04-25: PSFalcon v2.2.5
