New FalconIoc - CrowdStrike/psfalcon GitHub Wiki
Create custom indicators
Requires 'IOC Manager APIs: Write'.
Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
---|---|---|---|---|---|---|---|
InputObject | Object[] | One or more indicators to create in a single request | X | ||||
Action | String | Action to perform when a host observes the indicator | |||||
Platform | String[] | Operating system platform | |||||
Source | String | Origination source | 1 |
256 |
|||
Severity | String | Severity level | |||||
Description | String | Indicator description | |||||
Filename | String | Indicator filename,used with hash values | |||||
Tag | String[] | Indicator tag | |||||
MobileAction | String | Action to perform when a mobile device observes the indicator |
no_action allow detect prevent
|
||||
HostGroup | String[] | Host group identifier | |||||
AppliedGlobally | Boolean | Assign to all host groups | |||||
Expiration | String | Expiration date. When an indicator expires,its action is set to 'no_action' but it remains in your indicator list. | |||||
Comment | String | Audit log comment | |||||
Retrodetect | Boolean | Generate retroactive detections for hosts that have observed the indicator | |||||
IgnoreWarning | Boolean | Ignore warnings and create all indicators | |||||
Type | String | Indicator type | |||||
Value | String | String representation of the indicator |
New-FalconIoc [-Action] <String> [-Platform] <String[]> [[-Source] <String>] [[-Severity] <String>] [[-Description] <String>] [[-Filename] <String>] [[-Tag] <String[]>] [[-MobileAction] <String>] [[-HostGroup] <String[]>] [[-AppliedGlobally] <Boolean>] [[-Expiration] <String>] [[-Comment] <String>] [[-Retrodetect] <Boolean>] [[-IgnoreWarning] <Boolean>] [-Type] <String> [-Value] <String> [-WhatIf] [-Confirm] [<CommonParameters>]
New-FalconIoc -InputObject <Object[]> [[-Comment] <String>] [[-Retrodetect] <Boolean>] [[-IgnoreWarning] <Boolean>] [-WhatIf] [-Confirm] [<CommonParameters>]
POST /iocs/entities/indicators/v1
New-FalconIoc -Type domain -Value example01.com -Action detect -Severity medium -Description 'test description' -Platforms windows, mac, linux -Tags test_tag -HostGroup <host_group_id>, <host_group_id> -Expiration 2021-05-01
$Array = @(
@{
type = 'domain'
value = 'example01.com'
action = 'detect'
severity = 'medium'
description = 'test description'
platforms = @('windows', 'mac', 'linux')
tags = @('test_tag')
host_groups = @('<id>')
},
@{
type = 'sha256'
value = 'a88787d8ff144c502c7f5cffaafe2cc588d86079f9de88304c26b0cb99ce91cc'
source = 'bd20201216'
filename = 'iexplore.exe'
action = 'prevent'
severity = 'high'
description = 'test block description'
platforms = @('windows')
tags = @('test_tag', 'test_tag2')
applied_globally = $true
}
)
New-FalconIoc -Array $Array
2024-09-03: PSFalcon v2.2.7