
Using the IOCs service collection


This class has been superseded by the new IOC service class.

Table of Contents

Operation ID        PEP 8 method        Description
DevicesCount        devices_count       Number of hosts in your customer account that have observed a given custom IOC.
GetIOC              get_ioc             Deprecated. Superseded by the IOC.indicator_get_v1 operation and no longer used.
CreateIOC           create_ioc          Deprecated. Superseded by the IOC.indicator_create_v1 operation and no longer used.
DeleteIOC           delete_ioc          Deprecated. Superseded by the IOC.indicator_delete_v1 operation and no longer used.
UpdateIOC           update_ioc          Deprecated. Superseded by the IOC.indicator_update_v1 operation and no longer used.
DevicesRanOn        devices_ran_on      Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1.
QueryIOCs           query_iocs          Deprecated. Superseded by the IOC.indicator_search_v1 operation and no longer used.
ProcessesRanOn      processes_ran_on    Search for processes associated with a custom IOC.
entities_processes  entities_processes  Retrieve process details for the provided process IDs.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials; both are passed as strings. None of the examples below hard code these values.

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

DevicesCount

Number of hosts in your customer account that have observed a given custom IOC

PEP8 method name

devices_count

Endpoint

Method  Route
GET     /indicators/aggregates/devices-count/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type   Description
type        yes      yes   query  string      The type of the indicator (see valid types below).
value       yes      yes   query  string      The string representation of the indicator.
parameters  yes      yes   query  dictionary  Full query string parameters payload in JSON format.

Valid values for type:
  • sha256: A hex-encoded SHA-256 hash string. Length: min 64, max 64.
  • md5: A hex-encoded MD5 hash string. Length: min 32, max 32.
  • domain: A domain name. Length: min 1, max 200.
  • ipv4: An IPv4 address. Must be a valid IP address.
  • ipv6: An IPv6 address. Must be a valid IP address.

Usage

Service class example (PEP8 syntax)
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

response = falcon.devices_count(type="sha256", value="<hex-encoded sha256 hash>")
print(response)

Service class example (Operation ID syntax)
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

response = falcon.DevicesCount(type="sha256", value="<hex-encoded sha256 hash>")
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DevicesCount", type="sha256", value="<hex-encoded sha256 hash>")
print(response)
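The type constraints listed under the DevicesCount keyword arguments, together with the "Passing credentials" warning above, are easy to get wrong in a script: a hash of the wrong length or a credential pasted into source both cause trouble that is cheap to catch locally. The following is an added example, not code from the FalconPy project or this page. It reads the key pair from the environment (the variable names FALCON_CLIENT_ID and FALCON_CLIENT_SECRET are an assumption), validates an indicator against the documented per-type rules before it is sent, and wraps devices_count; the response field name device_count used to read the count is also an assumption to confirm against a real response.

```python
import ipaddress
import os
import re
from typing import Dict

# Constraints copied from the "type" keyword argument description above.
VALID_TYPES = ("sha256", "md5", "domain", "ipv4", "ipv6")
_HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
_HEX_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")


def load_credentials() -> Dict[str, str]:
    """Read the API key pair from the environment instead of source code.

    The variable names FALCON_CLIENT_ID / FALCON_CLIENT_SECRET are an
    assumption for this example; any secret store that keeps the values
    out of the repository works the same way.
    """
    try:
        return {
            "client_id": os.environ["FALCON_CLIENT_ID"],
            "client_secret": os.environ["FALCON_CLIENT_SECRET"],
        }
    except KeyError as missing:
        raise RuntimeError(f"missing environment variable {missing}") from None


def validate_indicator(ioc_type: str, value: str) -> Dict[str, str]:
    """Check an indicator against the documented constraints for its type.

    Returns the query string payload expected by devices_count (the same
    two arguments are used by devices_ran_on and processes_ran_on).
    Raises ValueError so a malformed indicator is rejected locally instead
    of producing an API error.
    """
    if ioc_type not in VALID_TYPES:
        raise ValueError(f"unsupported indicator type {ioc_type!r}")
    value = value.strip()
    if ioc_type == "sha256":
        if not _HEX_SHA256.match(value):
            raise ValueError("sha256 must be exactly 64 hex characters")
        value = value.lower()  # normalise hex case before sending
    elif ioc_type == "md5":
        if not _HEX_MD5.match(value):
            raise ValueError("md5 must be exactly 32 hex characters")
        value = value.lower()
    elif ioc_type == "domain":
        if not 1 <= len(value) <= 200:
            raise ValueError("domain length must be between 1 and 200")
        value = value.lower()
    else:
        # ipaddress.ip_address raises ValueError itself on garbage input.
        addr = ipaddress.ip_address(value)
        expected = 4 if ioc_type == "ipv4" else 6
        if addr.version != expected:
            raise ValueError(f"{value!r} is not an {ioc_type} address")
        value = str(addr)  # canonical form, e.g. compressed IPv6
    return {"type": ioc_type, "value": value}


def is_valid_indicator(ioc_type: str, value: str) -> bool:
    """Boolean wrapper around validate_indicator for quick checks."""
    try:
        validate_indicator(ioc_type, value)
        return True
    except ValueError:
        return False


def host_count_for_indicator(falcon, ioc_type: str, value: str) -> int:
    """Call DevicesCount with a validated indicator and return the count.

    `falcon` is a falconpy.Iocs instance. The count is read from
    body["resources"][0]["device_count"]; that field name is an assumption,
    so inspect a raw response on your tenant to confirm it.
    """
    response = falcon.devices_count(parameters=validate_indicator(ioc_type, value))
    if response["status_code"] != 200:
        raise RuntimeError(f"DevicesCount failed: {response['body'].get('errors')}")
    resources = response["body"].get("resources") or []
    return int(resources[0]["device_count"]) if resources else 0


if __name__ == "__main__":
    from falconpy import Iocs  # imported lazily so the helpers above run offline

    client = Iocs(**load_credentials())
    print(host_count_for_indicator(client, "sha256", "a" * 64))
```

Passing the validated dictionary through parameters= rather than as separate keywords keeps one code path for all three indicator-query methods on this page; the validator is the only place that needs to change if CrowdStrike extends the list of accepted types.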

GetIOC

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_get_v1 operation and is no longer used.

PEP8 method name

get_ioc

Endpoint

Method  Route
GET     /indicators/entities/iocs/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

CreateIOC

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_create_v1 operation and is no longer used.

PEP8 method name

create_ioc

Endpoint

Method  Route
POST    /indicators/entities/iocs/v1

Required Scope

iocs-indicators-of-compromise:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

DeleteIOC

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_delete_v1 operation and is no longer used.

PEP8 method name

delete_ioc

Endpoint

Method  Route
DELETE  /indicators/entities/iocs/v1

Required Scope

iocs-indicators-of-compromise:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

UpdateIOC

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_update_v1 operation and is no longer used.

PEP8 method name

update_ioc

Endpoint

Method  Route
PATCH   /indicators/entities/iocs/v1

Required Scope

iocs-indicators-of-compromise:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

DevicesRanOn

Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1 (in FalconPy, get_device_details in the Hosts service class).

PEP8 method name

devices_ran_on

Endpoint

Method  Route
GET     /indicators/queries/devices/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type   Description
type        yes      yes   query  string      The type of the indicator (see valid types below).
value       yes      yes   query  string      The string representation of the indicator.
limit       yes      yes   query  integer     Maximum number of results to return.
offset      yes      yes   query  integer     Starting offset to begin returning results.
parameters  yes      yes   query  dictionary  Full query string parameters payload in JSON format.

Valid values for type:
  • sha256: A hex-encoded SHA-256 hash string. Length: min 64, max 64.
  • md5: A hex-encoded MD5 hash string. Length: min 32, max 32.
  • domain: A domain name. Length: min 1, max 200.
  • ipv4: An IPv4 address. Must be a valid IP address.
  • ipv6: An IPv6 address. Must be a valid IP address.

Usage

Service class example (PEP8 syntax)
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

response = falcon.devices_ran_on(type="sha256",
                                 value="<hex-encoded sha256 hash>",
                                 limit=100,
                                 offset=0
                                 )
print(response)

Service class example (Operation ID syntax)
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

response = falcon.DevicesRanOn(type="sha256",
                               value="<hex-encoded sha256 hash>",
                               limit=100,
                               offset=0
                               )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DevicesRanOn",
                          type="sha256",
                          value="<hex-encoded sha256 hash>",
                          limit=100,
                          offset=0
                          )
print(response)

QueryIOCs

Deprecated

This method is deprecated.

This operation has been superseded by the IOC.indicator_search_v1 operation and is no longer used.

PEP8 method name

query_iocs

Endpoint

Method  Route
GET     /indicators/queries/iocs/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Keywords and arguments are ignored in deprecated methods.

Usage

This method and the corresponding endpoint are deprecated.

ProcessesRanOn

Search for processes associated with a custom IOC

PEP8 method name

processes_ran_on

Endpoint

Method  Route
GET     /indicators/queries/processes/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type   Description
type        yes      yes   query  string      The type of the indicator (see valid types below).
value       yes      yes   query  string      The string representation of the indicator.
device_id   yes      yes   query  string      Specify a host AID to return only processes from that host.
limit       yes      yes   query  integer     Maximum number of results to return.
offset      yes      yes   query  integer     Starting offset to begin returning results.
parameters  yes      yes   query  dictionary  Full query string parameters payload in JSON format.

Valid values for type:
  • sha256: A hex-encoded SHA-256 hash string. Length: min 64, max 64.
  • md5: A hex-encoded MD5 hash string. Length: min 32, max 32.
  • domain: A domain name. Length: min 1, max 200.
  • ipv4: An IPv4 address. Must be a valid IP address.
  • ipv6: An IPv6 address. Must be a valid IP address.

Usage

Service class example (PEP8 syntax)
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

response = falcon.processes_ran_on(type="sha256",
                                   value="<hex-encoded sha256 hash>",
                                   device_id="<host AID>",
                                   limit=100,
                                   offset=0
                                   )
print(response)

Service class example (Operation ID syntax)
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

response = falcon.ProcessesRanOn(type="sha256",
                                 value="<hex-encoded sha256 hash>",
                                 device_id="<host AID>",
                                 limit=100,
                                 offset=0
                                 )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ProcessesRanOn",
                          type="sha256",
                          value="<hex-encoded sha256 hash>",
                          device_id="<host AID>",
                          limit=100,
                          offset=0
                          )
print(response)

entities_processes

Retrieve process details for the provided process IDs.

PEP8 method name

entities_processes

Endpoint

Method  Route
GET     /processes/entities/processes/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type                  Description
ids         yes      yes   query  string or list of strings  Process IDs of the running processes you want to look up.
parameters  yes      yes   query  dictionary                 Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)

Service class example (Operation ID syntax)
from falconpy import Iocs

# Do not hardcode API credentials!
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_processes", ids=id_list)
print(response)
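DevicesRanOn and ProcessesRanOn are query endpoints that return IDs a page at a time through limit and offset, and entities_processes turns a batch of those IDs into detail records; the examples on this page show one call of each but not how to chain them. The following is an added example, not code from the FalconPy project or this page. It paginates a query endpoint until a short page comes back, stops on any non-200 status rather than treating a 403 or 429 as an empty result, and feeds the collected process IDs to entities_processes in batches. The FakeIocsClient, the sample host and process identifiers, and the detail record fields are constructed so the example runs offline; in production pass a real falconpy.Iocs instance, which exposes the same three method names. The assumption that a page shorter than limit marks the end of the result set is how the stop condition is implemented here.

```python
from typing import Any, Callable, Dict, Iterator, List, Optional


# Stand-in for a falconpy.Iocs instance so this example runs offline.
# It serves constructed data in the same {"status_code", "body": {"resources"}}
# shape the service classes return; pass a real Iocs object in production.
class FakeIocsClient:
    def __init__(self, hosts: List[str], processes: Dict[str, List[str]],
                 details: Dict[str, Dict[str, Any]]):
        self._hosts = hosts            # host AIDs that observed the IOC
        self._processes = processes    # host AID -> process IDs
        self._details = details        # process ID -> detail record

    @staticmethod
    def _page(items: List[Any], limit: int, offset: int) -> Dict[str, Any]:
        return {"status_code": 200,
                "body": {"resources": items[offset:offset + limit], "errors": []}}

    def devices_ran_on(self, type, value, limit=100, offset=0):
        return self._page(self._hosts, limit, offset)

    def processes_ran_on(self, type, value, device_id=None, limit=100, offset=0):
        if device_id:
            items = self._processes.get(device_id, [])
        else:
            items = [p for pids in self._processes.values() for p in pids]
        return self._page(items, limit, offset)

    def entities_processes(self, ids):
        wanted = ids.split(",") if isinstance(ids, str) else list(ids)
        found = [self._details[p] for p in wanted if p in self._details]
        return {"status_code": 200, "body": {"resources": found, "errors": []}}


def resources_or_raise(response: Dict[str, Any]) -> List[Any]:
    """Return body.resources, failing loudly on any non-200 so a 403
    (missing scope) or 429 (rate limit) is never read as 'no results'."""
    if response["status_code"] != 200:
        raise RuntimeError(f"API call failed with {response['status_code']}: "
                           f"{response['body'].get('errors')}")
    return response["body"].get("resources") or []


def iter_query(query: Callable[..., Dict[str, Any]], page_size: int,
               **params: Any) -> Iterator[str]:
    """Walk a queries/* endpoint with limit/offset until a short page."""
    offset = 0
    while True:
        page = resources_or_raise(query(limit=page_size, offset=offset, **params))
        yield from page
        if len(page) < page_size:
            return
        offset += page_size


def hosts_for_ioc(falcon, ioc_type: str, value: str, page_size: int = 100) -> List[str]:
    """All host AIDs that observed the indicator (DevicesRanOn, paginated)."""
    return list(iter_query(falcon.devices_ran_on, page_size, type=ioc_type, value=value))


def process_details_for_ioc(falcon, ioc_type: str, value: str,
                            device_id: Optional[str] = None,
                            batch: int = 100) -> List[Dict[str, Any]]:
    """ProcessesRanOn (optionally scoped to one host) followed by
    entities_processes, with the ID list sent in batches of `batch`."""
    params: Dict[str, Any] = {"type": ioc_type, "value": value}
    if device_id:  # only send device_id when the caller actually set it
        params["device_id"] = device_id
    pids = list(iter_query(falcon.processes_ran_on, batch, **params))
    details: List[Dict[str, Any]] = []
    for start in range(0, len(pids), batch):
        details.extend(resources_or_raise(
            falcon.entities_processes(ids=pids[start:start + batch])))
    return details


# Constructed sample data: seven hosts and three processes for one IOC.
SAMPLE_HOSTS = [f"aid{n:02d}" for n in range(7)]
SAMPLE_PROCESSES = {"aid00": ["pid:aid00:1", "pid:aid00:2"], "aid01": ["pid:aid01:7"]}
SAMPLE_DETAILS = {
    "pid:aid00:1": {"process_id": "pid:aid00:1", "command_line": "cmd.exe /c whoami"},
    "pid:aid00:2": {"process_id": "pid:aid00:2", "command_line": "powershell.exe -nop -w hidden"},
    "pid:aid01:7": {"process_id": "pid:aid01:7", "command_line": "curl http://example.invalid"},
}
SAMPLE_CLIENT = FakeIocsClient(SAMPLE_HOSTS, SAMPLE_PROCESSES, SAMPLE_DETAILS)

if __name__ == "__main__":
    print(hosts_for_ioc(SAMPLE_CLIENT, "sha256", "a" * 64, page_size=3))
    for rec in process_details_for_ioc(SAMPLE_CLIENT, "sha256", "a" * 64, device_id="aid00"):
        print(rec["process_id"], rec["command_line"])
```

Because the fake and the real service class share method names, the same hosts_for_ioc and process_details_for_ioc functions run unchanged against a live tenant; the only production change is constructing falconpy.Iocs instead of FakeIocsClient.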