
Using the IOC service collection


This service collection has code examples posted to the repository.

Table of Contents

Operation ID | PEP8 method name | Description
indicator_aggregate_v1 | indicator_aggregate | Get Indicators aggregates as specified via json in the request body.
indicator_combined_v1 | indicator_combined | Get Combined for Indicators.
action_get_v1 | action_get | Get Actions by ids.
GetIndicatorsReport | get_indicators_report | Launch an indicators report creation job
indicator_get_v1 | indicator_get | Get Indicators by ids.
indicator_create_v1 | indicator_create | Create Indicators.
indicator_delete_v1 | indicator_delete | Delete Indicators by ids.
indicator_update_v1 | indicator_update | Update Indicators.
action_query_v1 | action_query | Query Actions.
indicator_search_v1 | indicator_search | Search for Indicators.
ioc_type_query_v1 | ioc_type_query | Query IOC Types.
platform_query_v1 | platform_query | Query Platforms.
severity_query_v1 | severity_query | Query Severities.
DevicesCount | devices_count_legacy | Number of hosts in your customer account that have observed a given custom IOC
indicator_get_device_count_v1 | devices_count | Number of hosts in your customer account that have observed a given custom IOC
DevicesRanOn | devices_ran_on_legacy | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1
indicator_get_devices_ran_on_v1 | devices_ran_on | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1
ProcessesRanOn | processes_ran_on_legacy | Search for processes associated with a custom IOC (Deprecated)
indicator_get_processes_ran_on_v1 | processes_ran_on | Search for processes associated with a custom IOC
entities_processes | entities_processes | For the provided ProcessID retrieve the process details

Passing credentials

WARNING

client_id and client_secret are keyword arguments that carry your CrowdStrike API credentials; both are ingested as strings. None of the examples below hard code these values: they expect CLIENT_ID and CLIENT_SECRET to be supplied from outside the source (for example, environment variables or a secrets store).

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

indicator_aggregate_v1

Get Indicators aggregates as specified via json in the request body.

PEP8 method name

indicator_aggregate

Endpoint

Method | Route
POST | /iocs/aggregates/indicators/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

body  [Service: yes | Uber: yes | Type: body | Data type: list of dictionaries]
    Full body payload in JSON format.
date_ranges  [Service: yes | Uber: no | Type: body | Data type: list of dictionaries]
    Applies to date_range aggregations.

    Example:
    [
      {
        "from": "2016-05-28T09:00:31Z",
        "to": "2016-05-30T09:00:31Z"
      },
      {
        "from": "2016-06-01T09:00:31Z",
        "to": "2016-06-10T09:00:31Z"
      }
    ]
exclude  [Service: yes | Uber: no | Type: body | Data type: string]
    Elements to exclude.
field  [Service: yes | Uber: no | Type: body | Data type: string]
    The field on which to compute the aggregation.
filter  [Service: yes | Uber: no | Type: body | Data type: string]
    FQL syntax formatted string to use to filter the results.
from  [Service: yes | Uber: no | Type: body | Data type: integer]
    Starting position.
include  [Service: yes | Uber: no | Type: body | Data type: string]
    Elements to include.
interval  [Service: yes | Uber: no | Type: body | Data type: string]
    Time interval for date histogram aggregations. Valid values include:
      • year
      • month
      • week
      • day
      • hour
      • minute
max_doc_count  [Service: yes | Uber: no | Type: body | Data type: integer]
    Only return buckets if values are less than or equal to the value here.
min_doc_count  [Service: yes | Uber: no | Type: body | Data type: integer]
    Only return buckets if values are greater than or equal to the value here.
missing  [Service: yes | Uber: no | Type: body | Data type: string]
    Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name  [Service: yes | Uber: no | Type: body | Data type: string]
    Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q  [Service: yes | Uber: no | Type: body | Data type: string]
    Full text search across all metadata fields.
ranges  [Service: yes | Uber: no | Type: body | Data type: list of dictionaries]
    Applies to range aggregations. Ranges values will depend on field.

    For example, if max_severity is used, ranges might look like:
    [
      {
        "From": 0,
        "To": 70
      },
      {
        "From": 70,
        "To": 100
      }
    ]
size  [Service: yes | Uber: no | Type: body | Data type: integer]
    The max number of term buckets to be returned.
sub_aggregates  [Service: yes | Uber: no | Type: body | Data type: list of dictionaries]
    A nested aggregation, such as:
    [
      {
        "name": "max_first_behavior",
        "type": "max",
        "field": "first_behavior"
      }
    ]

    There is a maximum of 3 nested aggregations per request.
sort  [Service: yes | Uber: no | Type: body | Data type: string]
    FQL syntax string to sort bucket results.
      • _count - sort by document count
      • _term - sort by the string value alphabetically
    Supports asc and desc using | format.

    Example: _count|desc
time_zone  [Service: yes | Uber: no | Type: body | Data type: string]
    Time zone for bucket results.
type  [Service: yes | Uber: no | Type: body | Data type: string]
    Type of aggregation. Valid values include:
      • date_histogram - Aggregates counts on a specified time interval. Requires use of "interval" field.
      • date_range - Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
      • terms - Buckets alerts by the value of a specified field. For example, if field used is scenario, then alerts will be bucketed by the various alert scenario names.
      • range - Buckets alerts by specified (numeric) ranges of a specified field. For example, if doing a range aggregation on the max_severity field, the alerts will be counted by the specified ranges of severity.
      • cardinality - Returns the count of distinct values in a specified field.
      • max - Returns the maximum value of a specified field.
      • min - Returns the minimum value of a specified field.
      • avg - Returns the average value of the specified field.
      • sum - Returns the total sum of all values for the specified field.
      • percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

date_range = {
    "from": "string",
    "to": "string"
}
search_range = {
    "From": integer,
    "To": integer
}

# "from" is a reserved word in Python and cannot be written as a bare keyword
# argument, so it is unpacked from a dictionary instead.
response = falcon.indicator_aggregate(date_ranges=[date_range],
                                      exclude="string",
                                      field="string",
                                      filter="string",
                                      include="string",
                                      interval="string",
                                      max_doc_count=integer,
                                      min_doc_count=integer,
                                      missing="string",
                                      name="string",
                                      q="string",
                                      ranges=[search_range],
                                      size=integer,
                                      sort="string",
                                      time_zone="string",
                                      type="string",
                                      **{"from": integer}
                                      )

print(response)
```
Service class example (Operation ID syntax)

```python
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

date_range = {
    "from": "string",
    "to": "string"
}
search_range = {
    "From": integer,
    "To": integer
}

# "from" is a reserved word in Python and cannot be written as a bare keyword
# argument, so it is unpacked from a dictionary instead.
response = falcon.indicator_aggregate_v1(date_ranges=[date_range],
                                         exclude="string",
                                         field="string",
                                         filter="string",
                                         include="string",
                                         interval="string",
                                         max_doc_count=integer,
                                         min_doc_count=integer,
                                         missing="string",
                                         name="string",
                                         q="string",
                                         ranges=[search_range],
                                         size=integer,
                                         sort="string",
                                         time_zone="string",
                                         type="string",
                                         **{"from": integer}
                                         )

print(response)
```
Uber class example

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "date_ranges": [
        {
            "from": "string",
            "to": "string"
        }
    ],
    "exclude": "string",
    "field": "string",
    "filter": "string",
    "from": integer,
    "include": "string",
    "interval": "string",
    "max_doc_count": integer,
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": [
        {
            "From": integer,
            "To": integer
        }
    ],
    "size": integer,
    "sort": "string",
    "sub_aggregates": [
        {
            "name": "string",
            "type": "string",
            "field": "string"
        }
    ],
    "time_zone": "string",
    "type": "string"
}

response = falcon.command("indicator_aggregate_v1",
                          filter="string",
                          from_parent=boolean,
                          body=BODY
                          )

print(response)
```

Back to Table of Contents

indicator_combined_v1

Get Combined for Indicators.

PEP8 method name

indicator_combined

Endpoint

Method | Route
GET | /iocs/combined/indicator/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

after  [Service: yes | Uber: yes | Type: query | Data type: string]
    A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filter  [Service: yes | Uber: yes | Type: query | Data type: string]
    FQL Syntax formatted filter that should be used to limit the results.

    Available filters:
      • type
      • value
      • action
      • severity
      • platforms
      • tags
      • expiration
      • expired
      • applied_globally
      • host_groups
      • created_on
      • created_by
      • modified_on
      • modified_by
      • source
from_parent  [Service: yes | Uber: yes | Type: query | Data type: boolean]
    The filter for returning either only indicators for the request customer or its MSSP parents.
limit  [Service: yes | Uber: yes | Type: query | Data type: integer]
    Maximum number of results to return.
offset  [Service: yes | Uber: yes | Type: query | Data type: integer]
    The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset.
parameters  [Service: yes | Uber: yes | Type: query | Data type: dictionary]
    Full query string parameters payload in JSON format.
sort  [Service: yes | Uber: yes | Type: query | Data type: string]
    FQL Syntax formatted sort filter.

Usage

Service class example (PEP8 syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_combined(filter="string",
                                     offset=integer,
                                     limit=integer,
                                     sort="string",
                                     after="string",
                                     from_parent=boolean
                                     )

print(response)
```
Service class example (Operation ID syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_combined_v1(filter="string",
                                        offset=integer,
                                        limit=integer,
                                        sort="string",
                                        after="string",
                                        from_parent=boolean
                                        )

print(response)
```
Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_combined_v1",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          after="string",
                          from_parent=boolean
                          )

print(response)
```
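The after-token pagination described for indicator_combined, combined with the credential guidance from the Passing credentials section, as an added example that is not part of the FalconPy wiki or the FalconPy project. The environment variable names FALCON_CLIENT_ID and FALCON_CLIENT_SECRET are an assumption of this example, the sample indicators are constructed, and a small fake client stands in for the API so the loop runs offline; the response layout (status_code, body.meta.pagination.after, body.resources) follows the standard FalconPy result dictionary.

```python
import os
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample data: five custom IOCs with only the fields this example
# reads. Values are placeholders (RFC 5737 test addresses, zeroed hash).
SAMPLE_INDICATORS: List[Dict] = [
    {"id": "ioc-0001", "type": "domain", "value": "bad.example", "severity": "high"},
    {"id": "ioc-0002", "type": "domain", "value": "worse.example", "severity": "medium"},
    {"id": "ioc-0003", "type": "ipv4", "value": "192.0.2.10", "severity": "high"},
    {"id": "ioc-0004", "type": "sha256", "value": "0" * 64, "severity": "critical"},
    {"id": "ioc-0005", "type": "ipv4", "value": "198.51.100.7", "severity": "low"},
]


def make_client():
    """Real IOC service client; credentials come from the environment.

    FALCON_CLIENT_ID / FALCON_CLIENT_SECRET are variable names assumed by this
    example. falconpy is imported lazily so the module loads without it.
    """
    from falconpy import IOC
    return IOC(client_id=os.environ["FALCON_CLIENT_ID"],
               client_secret=os.environ["FALCON_CLIENT_SECRET"])


def collect_indicators(client, fql_filter: str, page_size: int = 200) -> List[Dict]:
    """Return every indicator matching fql_filter by following the after token.

    The first request carries no after token; each later request passes the
    token from the previous response's meta.pagination. offset is never sent,
    so the 10k-record ceiling documented for offset does not apply. A non-200
    status raises instead of silently returning a partial result.
    """
    collected: List[Dict] = []
    after: Optional[str] = None
    while True:
        kwargs = {"filter": fql_filter, "limit": page_size}
        if after:
            kwargs["after"] = after
        response = client.indicator_combined(**kwargs)
        if response["status_code"] != 200:
            raise RuntimeError(
                f"indicator_combined returned {response['status_code']}: "
                f"{response['body'].get('errors')}")
        body = response["body"]
        resources = body.get("resources") or []
        collected.extend(resources)
        after = body.get("meta", {}).get("pagination", {}).get("after")
        if not after or not resources:
            return collected


def count_by_type(indicators: List[Dict]) -> Dict[str, int]:
    """Tally indicators by IOC type (domain, ipv4, sha256, ...)."""
    return dict(Counter(ioc["type"] for ioc in indicators))


class FakeIOC:
    """Offline stand-in for falconpy.IOC.indicator_combined (constructed).

    Serves the given indicators in pages, ignores the filter, and uses the next
    page index as the opaque after token. fail_status, when set, makes every
    call return that HTTP status so the error path can be exercised.
    """

    def __init__(self, indicators: List[Dict], fail_status: Optional[int] = None):
        self._indicators = indicators
        self._fail_status = fail_status
        self.calls: List[Dict] = []  # every kwargs dict the client received

    def indicator_combined(self, **kwargs) -> Dict:
        self.calls.append(dict(kwargs))
        if self._fail_status:
            return {"status_code": self._fail_status, "headers": {},
                    "body": {"errors": [{"code": self._fail_status,
                                         "message": "access denied"}]}}
        limit = kwargs.get("limit", 100)
        start = int(kwargs["after"]) if kwargs.get("after") else 0
        page = self._indicators[start:start + limit]
        pagination = {"limit": limit, "total": len(self._indicators)}
        if start + limit < len(self._indicators):
            pagination["after"] = str(start + limit)
        return {"status_code": 200, "headers": {},
                "body": {"meta": {"pagination": pagination},
                         "resources": page, "errors": []}}


if __name__ == "__main__":
    fake = FakeIOC(SAMPLE_INDICATORS)
    found = collect_indicators(fake, "type:'domain',type:'ipv4',type:'sha256'", page_size=2)
    print(f"{len(found)} indicators over {len(fake.calls)} requests:", count_by_type(found))
```

Against the live API, replace FakeIOC with make_client() and a real FQL filter; the loop itself is unchanged.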

Back to Table of Contents

action_get_v1

Get Actions by ids.

PEP8 method name

action_get

Endpoint

Method | Route
GET | /iocs/entities/actions/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

ids  [Service: yes | Uber: yes | Type: query | Data type: string or list of strings]
    The ids of the actions to retrieve.
parameters  [Service: yes | Uber: yes | Type: query | Data type: dictionary]
    Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.action_get(ids=id_list)

print(response)
```
Service class example (Operation ID syntax)

```python
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.action_get_v1(ids=id_list)

print(response)
```
Uber class example

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("action_get_v1", ids=id_list)

print(response)
```

Back to Table of Contents

GetIndicatorsReport

Launch an indicators report creation job

PEP8 method name

get_indicators_report

Endpoint

Method | Route
POST | /iocs/entities/indicators-reports/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

body  [Service: yes | Uber: yes | Type: body | Data type: dictionary]
    Full body payload in JSON format.
filter  [Service: yes | Uber: yes | Type: body | Data type: string]
    FQL formatted string specifying the search filter. Overridden if search keyword is provided.
from_parent  [Service: yes | Uber: yes | Type: body | Data type: boolean]
    Return results for the parent only.
query  [Service: yes | Uber: yes | Type: body | Data type: string]
    FQL formatted string specifying the search query. Overridden if search keyword is provided.
report_format  [Service: yes | Uber: yes | Type: body | Data type: string]
    Format of the report.
search  [Service: yes | Uber: yes | Type: body | Data type: dictionary]
    Search parameters provided as a dictionary. Overrides values provided in the filter, query and sort keywords.
sort  [Service: yes | Uber: yes | Type: body | Data type: string]
    FQL formatted string specifying the sort. Overridden if search keyword is provided.

Usage

Service class example (PEP8 syntax)

```python
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.get_indicators_report(filter="string",
                                        query="string",
                                        from_parent=boolean,
                                        report_format="string",
                                        sort="string"
                                        )

print(response)
```
Service class example (Operation ID syntax)

```python
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.GetIndicatorsReport(filter="string",
                                      query="string",
                                      from_parent=boolean,
                                      report_format="string",
                                      sort="string"
                                      )

print(response)
```
Uber class example

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
  "from_parent": boolean,
  "report_format": "string",
  "search": {
    "filter": "string",
    "query": "string",
    "sort": "string"
  }
}

response = falcon.command("GetIndicatorsReport", body=BODY)

print(response)
```

Back to Table of Contents

indicator_get_v1

Get Indicators by ids.

PEP8 method name

indicator_get

Endpoint

Method | Route
GET | /iocs/entities/indicators/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

ids  [Service: yes | Uber: yes | Type: query | Data type: string or list of strings]
    The ids of the Indicators to retrieve.
parameters  [Service: yes | Uber: yes | Type: query | Data type: dictionary]
    Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_get(ids=id_list)

print(response)
```
Service class example (Operation ID syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_get_v1(ids=id_list)

print(response)
```
Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("indicator_get_v1", ids=id_list)

print(response)
```

Back to Table of Contents

indicator_create_v1

Create Indicators.

PEP8 method name

indicator_create

Endpoint

Method | Route
POST | /iocs/entities/indicators/v1

Required Scope

ioc-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

action  [Service: yes | Uber: yes | Type: body | Data type: string]
    Default action for IOC.
applied_globally  [Service: yes | Uber: yes | Type: body | Data type: boolean]
    Flag indicating this IOC is applied globally.
body  [Service: yes | Uber: yes | Type: body | Data type: dictionary]
    Full body payload in JSON format.
comment  [Service: yes | Uber: yes | Type: body | Data type: string]
    IOC comment.
description  [Service: yes | Uber: yes | Type: body | Data type: string]
    IOC description.
expiration  [Service: yes | Uber: yes | Type: body | Data type: string]
    UTC formatted date string.
filename  [Service: yes | Uber: yes | Type: body | Data type: string]
    Filename to use for the metadata dictionary.
host_groups  [Service: yes | Uber: yes | Type: body | Data type: string or list of strings]
    List of host groups this IOC applies to.
ignore_warnings  [Service: yes | Uber: yes | Type: query | Data type: boolean]
    Flag to indicate that warnings are ignored.
indicators  [Service: yes | Uber: yes | Type: body | Data type: list of dictionaries]
    List of indicators to create. Overrides other keywords excluding body. Allows for the creation of multiple indicators at once.
metadata  [Service: yes | Uber: yes | Type: body | Data type: dictionary]
    Dictionary containing the filename for the IOC. Not required if the filename keyword is used.
parameters  [Service: yes | Uber: yes | Type: query | Data type: dictionary]
    Full query string parameters payload in JSON format.
platforms  [Service: yes | Uber: yes | Type: body | Data type: string or list of strings]
    Platforms this IOC impacts.
retrodetects  [Service: yes | Uber: yes | Type: query | Data type: boolean]
    Flag to indicate whether to submit retrodetects.
severity  [Service: yes | Uber: yes | Type: body | Data type: string]
    IOC severity.
source  [Service: yes | Uber: yes | Type: body | Data type: string]
    IOC source.
tags  [Service: yes | Uber: yes | Type: body | Data type: string or list of strings]
    IOC tags.
type  [Service: yes | Uber: yes | Type: body | Data type: string]
    IOC type.
value  [Service: yes | Uber: yes | Type: body | Data type: string]
    String representation of the IOC.

Usage

Service class example (PEP8 syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

# retrodetects and ignore_warnings are boolean query parameters (see the table above).
response = falcon.indicator_create(action="string",
                                   applied_globally=boolean,
                                   comment="string",
                                   description="string",
                                   expiration="string",
                                   filename="string",
                                   host_groups=host_group_list,
                                   ignore_warnings=boolean,
                                   platforms=platform_list,
                                   retrodetects=boolean,
                                   severity="string",
                                   source="string",
                                   tags=tag_list,
                                   type="string",
                                   value="string"
                                   )

print(response)
```
Service class example (Operation ID syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

# retrodetects and ignore_warnings are boolean query parameters (see the table above).
response = falcon.indicator_create_v1(action="string",
                                      applied_globally=boolean,
                                      comment="string",
                                      description="string",
                                      expiration="string",
                                      filename="string",
                                      host_groups=host_group_list,
                                      ignore_warnings=boolean,
                                      platforms=platform_list,
                                      retrodetects=boolean,
                                      severity="string",
                                      source="string",
                                      tags=tag_list,
                                      type="string",
                                      value="string"
                                      )

print(response)
```
Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

host_group_list = ['HG1', 'HG2', 'HG3']

platform_list = ['OS1', 'OS2', 'OS3']

tag_list = ['TAG1', 'TAG2', 'TAG3']

# The body is a Python dictionary, so boolean values are Python booleans
# (True / False), not the JSON literals true / false.
BODY = {
  "comment": "string",
  "indicators": [
    {
      "action": "string",
      "applied_globally": boolean,
      "description": "string",
      "expiration": "2021-10-22T10:40:39.372Z",
      "host_groups": host_group_list,
      "metadata": {
        "filename": "string"
      },
      "mobile_action": "string",
      "platforms": platform_list,
      "severity": "string",
      "source": "string",
      "tags": tag_list,
      "type": "string",
      "value": "string"
    }
  ]
}

response = falcon.command("indicator_create_v1",
                          retrodetects=boolean,
                          ignore_warnings=boolean,
                          body=BODY
                          )

print(response)
```

Back to Table of Contents

indicator_delete_v1

Delete Indicators by ids or a filter.

PEP8 method name

indicator_delete

Endpoint

Method | Route
DELETE | /iocs/entities/indicators/v1

Required Scope

ioc-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

filter  [Service: yes | Uber: yes | Type: query | Data type: string]
    FQL Syntax formatted filter that should be used to delete indicators in bulk. If both filter and ids are provided, then filter takes precedence and ids is ignored.
from_parent  [Service: yes | Uber: yes | Type: query | Data type: boolean]
    Limit action to IOCs originating from the MSSP parent.
ids  [Service: yes | Uber: yes | Type: query | Data type: string or list of strings]
    The ids of the Indicators to delete. If both filter and ids are provided, then filter takes precedence and ids is ignored.
parameters  [Service: yes | Uber: yes | Type: query | Data type: dictionary]
    Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_delete(filter="string",
                                   from_parent=boolean,
                                   comment="string",
                                   ids=id_list
                                   )

print(response)
```
Service class example (Operation ID syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_delete_v1(filter="string",
                                      from_parent=boolean,
                                      comment="string",
                                      ids=id_list
                                      )

print(response)
```
Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("indicator_delete_v1",
                          filter="string",
                          from_parent=boolean,
                          comment="string",
                          ids=id_list
                          )

print(response)
```

Back to Table of Contents

indicator_update_v1

Update Indicators.

PEP8 method name

indicator_update

Endpoint

Method | Route
PATCH | /iocs/entities/indicators/v1

Required Scope

ioc-management:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

action  [Service: yes | Uber: yes | Type: body | Data type: string]
    Default action for IOC.
applied_globally  [Service: yes | Uber: yes | Type: body | Data type: boolean]
    Flag indicating this IOC is applied globally.
body  [Service: yes | Uber: yes | Type: body | Data type: dictionary]
    Full body payload in JSON format.
bulk_update  [Service: yes | Uber: yes | Type: body | Data type: dictionary]
    Dictionary containing the indicator update in JSON format. Not necessary when using other keywords.
comment  [Service: yes | Uber: yes | Type: body | Data type: string]
    IOC comment.
description  [Service: yes | Uber: yes | Type: body | Data type: string]
    IOC description.
expiration  [Service: yes | Uber: yes | Type: body | Data type: string]
    UTC formatted date string.
filename  [Service: yes | Uber: yes | Type: body | Data type: string]
    Filename to use for the metadata dictionary.
from_parent  [Service: yes | Uber: yes | Type: body | Data type: boolean]
    Return results for the parent only.
host_groups  [Service: yes | Uber: yes | Type: body | Data type: string or list of strings]
    List of host groups this IOC applies to.
id  [Service: yes | Uber: yes | Type: body | Data type: string]
    The Indicator ID to be updated. At least one ID must be specified using this keyword, or as part of the indicators list using the indicators keyword.
ignore_warnings  [Service: yes | Uber: yes | Type: query | Data type: boolean]
    Flag to indicate that warnings are ignored.
indicators  [Service: yes | Uber: yes | Type: body | Data type: list of dictionaries]
    List of indicators to create. Overrides other keywords excluding body. Allows for the creation of multiple indicators at once.
metadata  [Service: yes | Uber: yes | Type: body | Data type: dictionary]
    Dictionary containing the filename for the IOC. Not required if the filename keyword is used.
mobile_action  [Service: yes | Uber: yes | Type: body | Data type: string]
    Mobile action to perform.
parameters  [Service: yes | Uber: yes | Type: query | Data type: dictionary]
    Full query string parameters payload in JSON format.
platforms  [Service: yes | Uber: yes | Type: body | Data type: string or list of strings]
    Platforms this IOC impacts.
retrodetects  [Service: yes | Uber: yes | Type: query | Data type: boolean]
    Flag to indicate whether to submit retrodetects.
severity  [Service: yes | Uber: yes | Type: body | Data type: string]
    IOC severity.
source  [Service: yes | Uber: yes | Type: body | Data type: string]
    IOC source.
tags  [Service: yes | Uber: yes | Type: body | Data type: string or list of strings]
    IOC tags.
type  [Service: yes | Uber: yes | Type: body | Data type: string]
    IOC type.
value  [Service: yes | Uber: yes | Type: body | Data type: string]
    String representation of the IOC.

Usage

Service class example (PEP8 syntax)

```python
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

# retrodetects and ignore_warnings are boolean query parameters (see the table above).
response = falcon.indicator_update(action="string",
                                   applied_globally=boolean,
                                   comment="string",
                                   description="string",
                                   expiration="string",
                                   filename="string",
                                   from_parent=boolean,
                                   host_groups=host_group_list,
                                   ignore_warnings=boolean,
                                   mobile_action="string",
                                   platforms=platform_list,
                                   retrodetects=boolean,
                                   severity="string",
                                   source="string",
                                   tags=tag_list,
                                   type="string",
                                   value="string"
                                   )

print(response)
```
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_update_v1(action="string",
                                      applied_globally=boolean,
                                      comment="string",
                                      description="string",
                                      expiration="string",
                                      filename="string",
                                      from_parent=boolean,
                                      host_groups=host_group_list,
                                      id="string",  # required unless the indicators list is used
                                      ignore_warnings=boolean,
                                      mobile_action="string",
                                      platforms=platform_list,
                                      retrodetects=boolean,
                                      severity="string",
                                      source="string",
                                      tags=tag_list,
                                      type="string",
                                      value="string"
                                      )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

host_group_list = ['HG1', 'HG2', 'HG3']

platform_list = ['OS1', 'OS2', 'OS3']

tag_list = ['TAG1', 'TAG2', 'TAG3']

BODY = {
    "bulk_update": {
        "action": "string",
        "applied_globally": boolean,
        "description": "string",
        "expiration": "2021-10-22T11:03:16.123Z",
        "filter": "string",
        "from_parent": boolean,
        "host_groups": host_group_list,
        "mobile_action": "string",
        "platforms": platform_list,
        "severity": "string",
        "source": "string",
        "tags": tag_list
    },
    "comment": "string",
    "indicators": [
        {
            "action": "string",
            "applied_globally": boolean,
            "description": "string",
            "expiration": "2021-10-22T11:03:16.123Z",
            "host_groups": host_group_list,
            "id": "string",
            "metadata": {
                "filename": "string"
            },
            "mobile_action": "string",
            "platforms": platform_list,
            "severity": "string",
            "source": "string",
            "tags": tag_list
        }
    ]
}

response = falcon.command("indicator_update_v1",
                          ignore_warnings=boolean,
                          retrodetects=boolean,
                          body=BODY
                          )

print(response)

Back to Table of Contents

action_query_v1

Query Actions.

PEP8 method name

action_query

Endpoint

Method  Route
GET     /iocs/queries/actions/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Name        Service  Uber  Type   Data type   Description
limit       Yes      Yes   query  integer     Maximum number of results to return.
offset      Yes      Yes   query  string      The offset to start retrieving records from.
parameters  Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.action_query(offset="string", limit=integer)

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.action_query_v1(offset="string", limit=integer)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("action_query_v1", offset="string", limit=integer)

print(response)

Back to Table of Contents

indicator_search_v1

Search for Indicators.

PEP8 method name

indicator_search

Endpoint

Method  Route
GET     /iocs/queries/indicators/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name         Service  Uber  Type   Data type   Description
after        Yes      Yes   query  string      A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filter       Yes      Yes   query  string      FQL Syntax formatted filter that should be used to limit the results.
                                               Available filters:
                                                 • type
                                                 • value
                                                 • action
                                                 • severity
                                                 • platforms
                                                 • tags
                                                 • expiration
                                                 • expired
                                                 • applied_globally
                                                 • host_groups
                                                 • created_on
                                                 • created_by
                                                 • modified_on
                                                 • modified_by
                                                 • source
from_parent  Yes      Yes   query  boolean     Return results for the parent only.
limit        Yes      Yes   query  integer     Maximum number of results to return.
offset       Yes      Yes   query  integer     The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset.
parameters   Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.
sort         Yes      Yes   query  string      FQL Syntax formatted sort filter.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_search(filter="string",
                                   from_parent=boolean,
                                   offset=integer,
                                   limit=integer,
                                   sort="string",
                                   after="string"
                                   )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_search_v1(filter="string",
                                      from_parent=boolean,
                                      offset=integer,
                                      limit=integer,
                                      sort="string",
                                      after="string"
                                      )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_search_v1",
                          filter="string",
                          from_parent=boolean,
                          offset=integer,
                          limit=integer,
                          sort="string",
                          after="string"
                          )

print(response)
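A pagination loop that follows the after token described above, added here as an example; it is not part of the FalconPy project's own code. It assumes the response layout FalconPy returns for this operation (status_code, body.resources, body.meta.pagination.after; confirm the after key path against your own tenant's responses) and takes the search callable as an argument, so it runs offline against the constructed FakeIndicatorSearch stand-in and, in real use, takes IOC(...).indicator_search.

```python
"""Walk every indicator matching an FQL filter by following the ``after`` token.

Added example, not FalconPy project code. Assumed response shape (check it
against real responses): ``status_code`` at the top level, indicator IDs in
``body["resources"]`` and the continuation token in
``body["meta"]["pagination"]["after"]``. ``search`` is any callable with the
indicator_search keyword signature, e.g. ``IOC(...).indicator_search``.
"""
from typing import Callable, Dict, Iterator, List, Optional


def iter_indicator_ids(search: Callable[..., Dict], fql_filter: str,
                       limit: int = 500) -> Iterator[str]:
    """Yield indicator IDs page by page.

    Uses ``after`` rather than ``offset`` so the walk is not capped by the
    10k-result offset window, and never sends both (they are mutually exclusive).
    """
    after: Optional[str] = None
    seen_tokens = set()  # stop if the API ever echoes the same token back
    while True:
        kwargs = {"filter": fql_filter, "limit": limit}
        if after:
            kwargs["after"] = after  # omitted on the first request, as documented
        response = search(**kwargs)
        if response.get("status_code") != 200:
            errors = response.get("body", {}).get("errors", [])
            raise RuntimeError(
                f"indicator_search failed: {response.get('status_code')} {errors}")
        body = response.get("body", {})
        page = body.get("resources", []) or []
        for ioc_id in page:
            yield ioc_id
        after = body.get("meta", {}).get("pagination", {}).get("after")
        if not after or not page or after in seen_tokens:
            return
        seen_tokens.add(after)


def collect_indicator_ids(search: Callable[..., Dict], fql_filter: str,
                          limit: int = 500) -> List[str]:
    """Convenience wrapper: the full ID list for ``fql_filter``."""
    return list(iter_indicator_ids(search, fql_filter, limit))


class FakeIndicatorSearch:
    """Constructed stand-in for the live API so the example runs offline.

    Serves a constructed set of indicator IDs in pages and hands back an
    ``after`` token until the last page, like the real endpoint.
    """

    def __init__(self, total: int = 1250):
        self.ids = [f"ioc-{n:05d}" for n in range(total)]  # constructed IDs
        self.calls = 0

    def __call__(self, filter: str, limit: int,
                 after: Optional[str] = None, offset=None) -> Dict:
        self.calls += 1
        assert offset is None, "offset and after are mutually exclusive"
        start = int(after.split(":")[1]) if after else 0
        page = self.ids[start:start + limit]
        nxt = start + limit
        pagination = {"total": len(self.ids), "limit": limit}
        if nxt < len(self.ids):
            pagination["after"] = f"tok:{nxt}"  # constructed token format
        return {"status_code": 200,
                "body": {"meta": {"pagination": pagination},
                         "resources": page, "errors": []}}


if __name__ == "__main__":
    fake = FakeIndicatorSearch()
    ids = collect_indicator_ids(fake, "type:'domain'", limit=500)
    print(len(ids), "indicators in", fake.calls, "requests")  # 1250 indicators in 3 requests
```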

Back to Table of Contents

ioc_type_query_v1

Query IOC Types.

PEP8 method name

ioc_type_query

Endpoint

Method  Route
GET     /iocs/queries/ioc-types/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Name        Service  Uber  Type   Data type   Description
limit       Yes      Yes   query  integer     Maximum number of results to return.
offset      Yes      Yes   query  string      The offset to start retrieving records from.
parameters  Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.ioc_type_query(offset="string", limit=integer)

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.ioc_type_query_v1(offset="string", limit=integer)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ioc_type_query_v1", offset="string", limit=integer)

print(response)

Back to Table of Contents

platform_query_v1

Query Platforms.

PEP8 method name

platform_query

Endpoint

Method  Route
GET     /iocs/queries/platforms/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Name        Service  Uber  Type   Data type   Description
limit       Yes      Yes   query  integer     Maximum number of results to return.
offset      Yes      Yes   query  string      The offset to start retrieving records from.
parameters  Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.platform_query(offset="string", limit=integer)

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.platform_query_v1(offset="string", limit=integer)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("platform_query_v1", offset="string", limit=integer)

print(response)

Back to Table of Contents

severity_query_v1

Query Severities.

PEP8 method name

severity_query

Endpoint

Method  Route
GET     /iocs/queries/severities/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

Name        Service  Uber  Type   Data type   Description
limit       Yes      Yes   query  integer     Maximum number of results to return.
offset      Yes      Yes   query  string      The offset to start retrieving records from.
parameters  Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy.ioc import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.severity_query(offset="string", limit=integer)

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.severity_query_v1(offset="string", limit=integer)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("severity_query_v1", offset="string", limit=integer)

print(response)

Back to Table of Contents

DevicesCountLegacy

Number of hosts in your customer account that have observed a given custom IOC

Deprecated operation

This operation has been superseded by the indicator_get_device_count_v1 operation.

PEP8 method name

devices_count_legacy

Endpoint

Method  Route
GET     /indicators/aggregates/devices-count/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type   Description
type        Yes      Yes   query  string      The type of the indicator.
                                              Valid types include:
                                                • sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64.
                                                • md5: A hex-encoded md5 hash string. Length - min: 32, max: 32.
                                                • domain: A domain name. Length - min: 1, max: 200.
                                                • ipv4: An IPv4 address. Must be a valid IP address.
                                                • ipv6: An IPv6 address. Must be a valid IP address.
value       Yes      Yes   query  string      The string representation of the indicator.
parameters  Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_count_legacy(type="string", value="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.DevicesCount(type="string", value="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DevicesCount", type="string", value="string")

print(response)

Back to Table of Contents

indicator_get_device_count_v1

Number of hosts in your customer account that have observed a given custom IOC

PEP8 method name

devices_count (or indicator_get_device_count_v1)

Endpoint

Method  Route
GET     /iocs/aggregates/indicators/device-count/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type   Description
type        Yes      Yes   query  string      The type of the indicator.
                                              Valid types include:
                                                • sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64.
                                                • md5: A hex-encoded md5 hash string. Length - min: 32, max: 32.
                                                • domain: A domain name. Length - min: 1, max: 200.
                                                • ipv4: An IPv4 address. Must be a valid IP address.
                                                • ipv6: An IPv6 address. Must be a valid IP address.
value       Yes      Yes   query  string      The string representation of the indicator.
parameters  Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_count(type="string", value="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_get_device_count_v1(type="string", value="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_get_device_count_v1", type="string", value="string")

print(response)

Back to Table of Contents

DevicesRanOnLegacy

Find hosts that have observed a given custom IOC.

Deprecated operation

This operation has been superseded by the indicator_get_devices_ran_on_v1 operation.

PEP8 method name

devices_ran_on_legacy

Endpoint

Method  Route
GET     /indicators/queries/devices/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type   Description
type        Yes      Yes   query  string      The type of the indicator.
                                              Valid types include:
                                                • sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64.
                                                • md5: A hex-encoded md5 hash string. Length - min: 32, max: 32.
                                                • domain: A domain name. Length - min: 1, max: 200.
                                                • ipv4: An IPv4 address. Must be a valid IP address.
                                                • ipv6: An IPv6 address. Must be a valid IP address.
value       Yes      Yes   query  string      The string representation of the indicator.
limit       Yes      Yes   query  integer     Maximum number of results to return.
offset      Yes      Yes   query  integer     Starting offset to begin returning results.
parameters  Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_ran_on_legacy(type="string",
                                        value="string",
                                        limit=integer,
                                        offset=integer
                                        )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.DevicesRanOn(type="string",
                               value="string",
                               limit=integer,
                               offset=integer
                               )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DevicesRanOn",
                          type="string",
                          value="string",
                          limit=integer,
                          offset=integer
                          )

print(response)

Back to Table of Contents

indicator_get_devices_ran_on_v1

Find hosts that have observed a given custom IOC.

PEP8 method name

devices_ran_on (or indicator_get_devices_ran_on_v1)

Endpoint

Method  Route
GET     /iocs/queries/indicators/devices/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type   Description
type        Yes      Yes   query  string      The type of the indicator.
                                              Valid types include:
                                                • sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64.
                                                • md5: A hex-encoded md5 hash string. Length - min: 32, max: 32.
                                                • domain: A domain name. Length - min: 1, max: 200.
                                                • ipv4: An IPv4 address. Must be a valid IP address.
                                                • ipv6: An IPv6 address. Must be a valid IP address.
value       Yes      Yes   query  string      The string representation of the indicator.
limit       Yes      Yes   query  integer     Maximum number of results to return.
offset      Yes      Yes   query  integer     Starting offset to begin returning results.
parameters  Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_ran_on(type="string",
                                 value="string",
                                 limit=integer,
                                 offset=integer
                                 )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_get_devices_ran_on_v1(type="string",
                                                  value="string",
                                                  limit=integer,
                                                  offset=integer
                                                  )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_get_devices_ran_on_v1",
                          type="string",
                          value="string",
                          limit=integer,
                          offset=integer
                          )

print(response)

Back to Table of Contents

ProcessesRanOnLegacy

Search for processes associated with a custom IOC

Deprecated operation

This operation has been superseded by the indicator_get_processes_ran_on_v1 operation.

PEP8 method name

processes_ran_on_legacy

Endpoint

Method  Route
GET     /indicators/queries/processes/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type   Description
type        Yes      Yes   query  string      The type of the indicator.
                                              Valid types include:
                                                • sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64.
                                                • md5: A hex-encoded md5 hash string. Length - min: 32, max: 32.
                                                • domain: A domain name. Length - min: 1, max: 200.
                                                • ipv4: An IPv4 address. Must be a valid IP address.
                                                • ipv6: An IPv6 address. Must be a valid IP address.
value       Yes      Yes   query  string      The string representation of the indicator.
device_id   Yes      Yes   query  string      Specify a Host AID to return only processes from that host.
limit       Yes      Yes   query  integer     Maximum number of results to return.
offset      Yes      Yes   query  integer     Starting offset to begin returning results.
parameters  Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.processes_ran_on_legacy(type="string",
                                          value="string",
                                          device_id="string",
                                          limit=integer,
                                          offset=integer
                                          )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.ProcessesRanOn(type="string",
                                 value="string",
                                 device_id="string",
                                 limit=integer,
                                 offset=integer
                                 )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ProcessesRanOn",
                          type="string",
                          value="string",
                          device_id="string",
                          limit=integer,
                          offset=integer
                          )

print(response)

Back to Table of Contents

indicator_get_processes_ran_on_v1

Search for processes associated with a custom IOC

PEP8 method name

processes_ran_on (or indicator_get_processes_ran_on_v1)

Endpoint

Method  Route
GET     /iocs/queries/indicators/processes/v1

Required Scope

ioc-management:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type   Description
type        Yes      Yes   query  string      The type of the indicator.
                                              Valid types include:
                                                • sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64.
                                                • md5: A hex-encoded md5 hash string. Length - min: 32, max: 32.
                                                • domain: A domain name. Length - min: 1, max: 200.
                                                • ipv4: An IPv4 address. Must be a valid IP address.
                                                • ipv6: An IPv6 address. Must be a valid IP address.
value       Yes      Yes   query  string      The string representation of the indicator.
device_id   Yes      Yes   query  string      Specify a Host AID to return only processes from that host.
limit       Yes      Yes   query  integer     Maximum number of results to return.
offset      Yes      Yes   query  integer     Starting offset to begin returning results.
parameters  Yes      Yes   query  dictionary  Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.processes_ran_on(type="string",
                                   value="string",
                                   device_id="string",
                                   limit=integer,
                                   offset=integer
                                   )

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_get_processes_ran_on_v1(type="string",
                                                    value="string",
                                                    device_id="string",
                                                    limit=integer,
                                                    offset=integer
                                                    )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("indicator_get_processes_ran_on_v1",
                          type="string",
                          value="string",
                          device_id="string",
                          limit=integer,
                          offset=integer
                          )

print(response)
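Input validation against the "Valid types" constraints that this operation and the four preceding ones (devices_count, devices_ran_on and their legacy forms) document for type and value, followed by an offset/limit walk over devices_ran_on, added here as an example and not FalconPy project code. client is anything exposing devices_ran_on(type=, value=, limit=, offset=), such as a falconpy IOC instance; FakeIOCClient is a constructed offline stand-in, and the response keys read (body.resources, body.meta.pagination.total) are assumptions to confirm against real responses.

```python
"""Validate an indicator, then collect every host AID that has observed it.

Added example, not FalconPy project code. The validation rules are the
"Valid types" constraints documented on this page. Assumed response shape for
devices_ran_on (check against real responses): host AIDs in
``body["resources"]`` and the total count in ``body["meta"]["pagination"]["total"]``.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_HASH_LENGTHS = {"sha256": 64, "md5": 32}  # exact lengths from the page


def validate_indicator(ioc_type: str, value: str) -> Tuple[bool, str]:
    """Return (ok, reason); ``reason`` is empty when the value is acceptable."""
    if ioc_type in _HASH_LENGTHS:
        want = _HASH_LENGTHS[ioc_type]
        if len(value) != want:
            return False, f"{ioc_type} must be exactly {want} characters, got {len(value)}"
        if not _HEX.match(value):
            return False, f"{ioc_type} must be a hex-encoded string"
        return True, ""
    if ioc_type == "domain":
        if not 1 <= len(value) <= 200:
            return False, f"domain length must be between 1 and 200, got {len(value)}"
        return True, ""
    if ioc_type in ("ipv4", "ipv6"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False, f"{value!r} is not a valid IP address"
        if addr.version != int(ioc_type[-1]):
            return False, f"{value} is IPv{addr.version}, not {ioc_type}"
        return True, ""
    return False, f"unsupported indicator type {ioc_type!r}"


def hosts_observing(client, ioc_type: str, value: str, page_size: int = 100) -> List[str]:
    """Reject malformed input locally, then page through devices_ran_on
    with offset/limit until ``total`` host AIDs have been collected."""
    ok, reason = validate_indicator(ioc_type, value)
    if not ok:
        raise ValueError(reason)
    if ioc_type in _HASH_LENGTHS:
        value = value.lower()  # normalise hash case before the lookup
    aids: List[str] = []
    offset = 0
    while True:
        resp = client.devices_ran_on(type=ioc_type, value=value,
                                     limit=page_size, offset=offset)
        if resp.get("status_code") != 200:
            raise RuntimeError(f"devices_ran_on failed: {resp.get('status_code')} "
                               f"{resp.get('body', {}).get('errors')}")
        body = resp.get("body", {})
        page = body.get("resources", []) or []
        aids.extend(page)
        total = body.get("meta", {}).get("pagination", {}).get("total", len(aids))
        offset += len(page)
        if not page or offset >= total:
            return aids


class FakeIOCClient:
    """Constructed stand-in for falconpy.IOC so the example runs offline."""

    def __init__(self):
        # constructed sample: 230 hosts have observed one constructed sha256
        self.seen: Dict[Tuple[str, str], List[str]] = {
            ("sha256", "ab" * 32): [f"aid-{n:04d}" for n in range(230)],
        }
        self.calls = 0

    def devices_ran_on(self, type, value, limit, offset) -> Dict:
        self.calls += 1
        ids = self.seen.get((type, value), [])
        return {"status_code": 200,
                "body": {"meta": {"pagination": {"total": len(ids),
                                                 "limit": limit, "offset": offset}},
                         "resources": ids[offset:offset + limit], "errors": []}}


if __name__ == "__main__":
    client = FakeIOCClient()
    hosts = hosts_observing(client, "sha256", "AB" * 32)  # upper-case input is normalised
    print(len(hosts), "hosts in", client.calls, "requests")  # 230 hosts in 3 requests
```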

Back to Table of Contents

entities_processes

For the provided ProcessID retrieve the process details

PEP8 method name

entities_processes

Endpoint

Method  Route
GET     /processes/entities/processes/v1

Required Scope

iocs-indicators-of-compromise:read

Content-Type

  • Produces: application/json

Keyword Arguments

Name        Service  Uber  Type   Data type                  Description
ids         Yes      Yes   query  string or list of strings  ProcessID for the running process you want to lookup.
parameters  Yes      Yes   query  dictionary                 Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_processes", ids=id_list)

print(response)

Back to Table of Contents