
Using the IOC service collection


This service collection has code examples posted to the repository.

Table of Contents

| Operation ID | PEP 8 method name | Description |
| --- | --- | --- |
| indicator_combined_v1 | indicator_combined | Get Combined for Indicators. |
| indicator_get_v1 | indicator_get | Get Indicators by ids. |
| indicator_create_v1 | indicator_create | Create Indicators. |
| indicator_delete_v1 | indicator_delete | Delete Indicators by ids. |
| indicator_update_v1 | indicator_update | Update Indicators. |
| indicator_search_v1 | indicator_search | Search for Indicators. |
| DevicesCount | devices_count | Number of hosts in your customer account that have observed a given custom IOC |
| DevicesRanOn | devices_ran_on | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1 |
| ProcessesRanOn | processes_ran_on | Search for processes associated with a custom IOC |
| entities_processes | entities_processes | For the provided ProcessID retrieve the process details |

Passing credentials

WARNING

client_id and client_secret are input variables that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

indicator_combined_v1

Get Combined for Indicators.

PEP8 method name

indicator_combined

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| after | Yes | Yes | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | Yes | Yes | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters: type, value, action, severity, platforms, tags, expiration, expired, applied_globally, host_groups, created_on, created_by, modified_on, modified_by, source. |
| from_parent | Yes | Yes | query | boolean | The filter for returning either only indicators for the request customer or its MSSP parents. |
| limit | Yes | Yes | query | integer | Maximum number of results to return. |
| offset | Yes | Yes | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |
| sort | Yes | Yes | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_combined(filter="string",
                                     offset=integer,
                                     limit=integer,
                                     sort="string",
                                     after="string",
                                     from_parent=boolean
                                     )
print(response)

Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_combined_v1(filter="string",
                                        offset=integer,
                                        limit=integer,
                                        sort="string",
                                        after="string",
                                        from_parent=boolean
                                        )
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("indicator_combined_v1",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          after="string",
                          from_parent=boolean
                          )
print(response)

indicator_get_v1

Get Indicators by ids.

PEP8 method name

indicator_get

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Yes | Yes | query | string or list of strings | The ids of the Indicators to retrieve. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_get(ids=id_list)
print(response)

Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_get_v1(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("indicator_get_v1", ids=id_list)
print(response)

indicator_create_v1

Create Indicators.

PEP8 method name

indicator_create

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| action | Yes | Yes | body | string | Default action for IOC. |
| applied_globally | Yes | Yes | body | boolean | Flag indicating this IOC is applied globally. |
| body | Yes | Yes | body | dictionary | Full body payload in JSON format. |
| comment | Yes | Yes | body | string | IOC comment. |
| description | Yes | Yes | body | string | IOC description. |
| expiration | Yes | Yes | body | string | UTC formatted date string. |
| filename | Yes | Yes | body | string | Filename to use for the metadata dictionary. |
| host_groups | Yes | Yes | body | string or list of strings | List of host groups this IOC applies to. |
| ignore_warnings | Yes | Yes | query | boolean | Flag to indicate that warnings are ignored. |
| indicators | Yes | Yes | body | list of dictionaries | List of indicators to create. Overrides other keywords excluding body. Allows for the creation of multiple indicators at once. |
| metadata | Yes | Yes | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |
| platforms | Yes | Yes | body | string or list of strings | Platforms this IOC impacts. |
| retrodetects | Yes | Yes | query | boolean | Flag to indicate whether to submit retrodetects. |
| severity | Yes | Yes | body | string | IOC severity. |
| source | Yes | Yes | body | string | IOC source. |
| tags | Yes | Yes | body | string or list of strings | IOC tags. |
| type | Yes | Yes | body | string | IOC type. |
| value | Yes | Yes | body | string | String representation of the IOC. |

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_create(action="string",
                                   applied_globally=boolean,
                                   comment="string",
                                   description="string",
                                   expiration="string",
                                   filename="string",
                                   host_groups=host_group_list,
                                   ignore_warnings=boolean,
                                   platforms=platform_list,
                                   retrodetects=boolean,
                                   severity="string",
                                   source="string",
                                   tags=tag_list,
                                   type="string",
                                   value="string"
                                   )
print(response)

Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_create_v1(action="string",
                                      applied_globally=boolean,
                                      comment="string",
                                      description="string",
                                      expiration="string",
                                      filename="string",
                                      host_groups=host_group_list,
                                      ignore_warnings=boolean,
                                      platforms=platform_list,
                                      retrodetects=boolean,
                                      severity="string",
                                      source="string",
                                      tags=tag_list,
                                      type="string",
                                      value="string"
                                      )
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

host_group_list = ['HG1', 'HG2', 'HG3']

platform_list = ['OS1', 'OS2', 'OS3']

tag_list = ['TAG1', 'TAG2', 'TAG3']

BODY = {
  "comment": "string",
  "indicators": [
    {
      "action": "string",
      "applied_globally": True,
      "description": "string",
      "expiration": "2021-10-22T10:40:39.372Z",
      "host_groups": host_group_list,
      "metadata": {
        "filename": "string"
      },
      "mobile_action": "string",
      "platforms": platform_list,
      "severity": "string",
      "source": "string",
      "tags": tag_list,
      "type": "string",
      "value": "string"
    }
  ]
}

response = falcon.command("indicator_create_v1",
                          retrodetects=boolean,
                          ignore_warnings=boolean,
                          body=BODY
                          )
print(response)

indicator_delete_v1

Delete Indicators by ids or a filter.

PEP8 method name

indicator_delete

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | Yes | Yes | query | string | FQL Syntax formatted filter that should be used to delete indicators in bulk. If both filter and ids are provided, then filter takes precedence and ids is ignored. |
| ids | Yes | Yes | query | string or list of strings | The ids of the Indicators to delete. If both filter and ids are provided, then filter takes precedence and ids is ignored. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_delete(filter="string", comment="string", ids=id_list)
print(response)

Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.indicator_delete_v1(filter="string", comment="string", ids=id_list)
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("indicator_delete_v1",
                          filter="string",
                          comment="string",
                          ids=id_list
                          )
print(response)

indicator_update_v1

Update Indicators.

PEP8 method name

indicator_update

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| action | Yes | Yes | body | string | Default action for IOC. |
| applied_globally | Yes | Yes | body | boolean | Flag indicating this IOC is applied globally. |
| body | Yes | Yes | body | dictionary | Full body payload in JSON format. |
| bulk_update | Yes | Yes | body | dictionary | Dictionary containing the indicator update in JSON format. Not necessary when using other keywords. |
| comment | Yes | Yes | body | string | IOC comment. |
| description | Yes | Yes | body | string | IOC description. |
| expiration | Yes | Yes | body | string | UTC formatted date string. |
| filename | Yes | Yes | body | string | Filename to use for the metadata dictionary. |
| host_groups | Yes | Yes | body | string or list of strings | List of host groups this IOC applies to. |
| id | Yes | Yes | body | string | The Indicator ID to be updated. At least one ID must be specified using this keyword, or as part of the indicators list using the indicators keyword. |
| ignore_warnings | Yes | Yes | query | boolean | Flag to indicate that warnings are ignored. |
| indicators | Yes | Yes | body | list of dictionaries | List of indicators to create. Overrides other keywords excluding body. Allows for the creation of multiple indicators at once. |
| metadata | Yes | Yes | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used. |
| mobile_action | Yes | Yes | body | string | Mobile action to perform. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |
| platforms | Yes | Yes | body | string or list of strings | Platforms this IOC impacts. |
| retrodetects | Yes | Yes | query | boolean | Flag to indicate whether to submit retrodetects. |
| severity | Yes | Yes | body | string | IOC severity. |
| source | Yes | Yes | body | string | IOC source. |
| tags | Yes | Yes | body | string or list of strings | IOC tags. |
| type | Yes | Yes | body | string | IOC type. |
| value | Yes | Yes | body | string | String representation of the IOC. |

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_update(action="string",
                                   applied_globally=boolean,
                                   comment="string",
                                   description="string",
                                   expiration="string",
                                   filename="string",
                                   host_groups=host_group_list,
                                   ignore_warnings=boolean,
                                   mobile_action="string",
                                   platforms=platform_list,
                                   retrodetects=boolean,
                                   severity="string",
                                   source="string",
                                   tags=tag_list,
                                   type="string",
                                   value="string"
                                   )
print(response)

Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

host_group_list = 'HG1,HG2,HG3'  # Can also pass a list here: ['HG1', 'HG2', 'HG3']

platform_list = 'OS1,OS2,OS3'  # Can also pass a list here: ['OS1', 'OS2', 'OS3']

tag_list = 'TAG1,TAG2,TAG3'  # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']

response = falcon.indicator_update_v1(action="string",
                                      applied_globally=boolean,
                                      comment="string",
                                      description="string",
                                      expiration="string",
                                      filename="string",
                                      host_groups=host_group_list,
                                      ignore_warnings=boolean,
                                      mobile_action="string",
                                      platforms=platform_list,
                                      retrodetects=boolean,
                                      severity="string",
                                      source="string",
                                      tags=tag_list,
                                      type="string",
                                      value="string"
                                      )
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

host_group_list = ['HG1', 'HG2', 'HG3']

platform_list = ['OS1', 'OS2', 'OS3']

tag_list = ['TAG1', 'TAG2', 'TAG3']

BODY = {
    "bulk_update": {
        "action": "string",
        "applied_globally": True,
        "description": "string",
        "expiration": "2021-10-22T11:03:16.123Z",
        "filter": "string",
        "host_groups": host_group_list,
        "mobile_action": "string",
        "platforms": platform_list,
        "severity": "string",
        "source": "string",
        "tags": tag_list
    },
    "comment": "string",
    "indicators": [
        {
            "action": "string",
            "applied_globally": True,
            "description": "string",
            "expiration": "2021-10-22T11:03:16.123Z",
            "host_groups": host_group_list,
            "id": "string",
            "metadata": {
                "filename": "string"
            },
            "mobile_action": "string",
            "platforms": platform_list,
            "severity": "string",
            "source": "string",
            "tags": tag_list
        }
    ]
}

response = falcon.command("indicator_update_v1",
                          ignore_warnings=boolean,
                          retrodetects=boolean,
                          body=BODY
                          )
print(response)

indicator_search_v1

Search for Indicators.

PEP8 method name

indicator_search

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| after | Yes | Yes | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. |
| filter | Yes | Yes | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters: type, value, action, severity, platforms, tags, expiration, expired, applied_globally, host_groups, created_on, created_by, modified_on, modified_by, source. |
| limit | Yes | Yes | query | integer | Maximum number of results to return. |
| offset | Yes | Yes | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |
| sort | Yes | Yes | query | string | FQL Syntax formatted sort filter. |

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_search(filter="string",
                                   offset=integer,
                                   limit=integer,
                                   sort="string",
                                   after="string"
                                   )
print(response)

Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.indicator_search_v1(filter="string",
                                      offset=integer,
                                      limit=integer,
                                      sort="string",
                                      after="string"
                                      )
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("indicator_search_v1",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string",
                          after="string"
                          )
print(response)
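
The `after` description for indicator_combined_v1 and indicator_search_v1 says to pass the token from the previous response and never to combine it with `offset`. The loop below is an added example, not code from the FalconPy project. It assumes the response is a dictionary with `status_code` and a `body` holding `resources` and `meta.pagination.after`; `iter_indicator_pages`, `collect_indicators` and `FakeIOCClient` are hypothetical names, and the fake client exists only so the loop runs offline.

```python
"""Follow the `after` token across pages without ever sending `offset`."""


def iter_indicator_pages(fetch_page, fql_filter=None, page_size=500, max_pages=1000):
    """Yield one list of resources per page.

    fetch_page is a bound method such as IOC.indicator_search or
    IOC.indicator_combined. Assumption: each response looks like
    {"status_code": int, "body": {"meta": {"pagination": {"after": str}},
    "resources": [...], "errors": [...]}}.
    """
    after = None
    seen_tokens = set()
    for _ in range(max_pages):
        kwargs = {"limit": page_size}
        if fql_filter:
            kwargs["filter"] = fql_filter
        if after:
            kwargs["after"] = after  # offset is never sent: the two are exclusive
        response = fetch_page(**kwargs)
        body = response.get("body") or {}
        if response.get("status_code") != 200:
            raise RuntimeError(f"indicator query failed: {body.get('errors')}")
        resources = body.get("resources") or []
        if resources:
            yield resources
        pagination = (body.get("meta") or {}).get("pagination") or {}
        after = pagination.get("after")
        if not after or not resources:
            return  # no token or an empty page: the result set is exhausted
        if after in seen_tokens:
            raise RuntimeError("pagination token repeated; aborting to avoid a loop")
        seen_tokens.add(after)
    raise RuntimeError(f"stopped after {max_pages} pages; narrow the filter")


def collect_indicators(fetch_page, **kwargs):
    """Flatten every page into a single list."""
    return [item for page in iter_indicator_pages(fetch_page, **kwargs) for item in page]


class FakeIOCClient:
    """Constructed stand-in for falconpy.IOC so the loop can run offline.

    Its token is just the next list index; treat a real token as opaque.
    """

    def __init__(self, ids):
        self.ids = list(ids)
        self.calls = []

    def indicator_search(self, limit=100, after=None, filter=None, offset=None):
        self.calls.append({"limit": limit, "after": after, "offset": offset})
        start = int(after) if after else 0
        page = self.ids[start:start + limit]
        pagination = {"total": len(self.ids)}
        if start + limit < len(self.ids):
            pagination["after"] = str(start + limit)
        return {"status_code": 200,
                "body": {"meta": {"pagination": pagination},
                         "resources": page, "errors": []}}


if __name__ == "__main__":
    client = FakeIOCClient(f"constructed-id-{n}" for n in range(25))
    ids = collect_indicators(client.indicator_search, page_size=10)
    print(len(ids), "indicator ids in", len(client.calls), "requests")
```

With a real client, pass `falcon.indicator_search` or `falcon.indicator_combined` as `fetch_page`.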

DevicesCount

Number of hosts in your customer account that have observed a given custom IOC

PEP8 method name

devices_count

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| type | Yes | Yes | query | string | The type of the indicator. Valid types include: sha256 (a hex-encoded sha256 hash string; length min: 64, max: 64), md5 (a hex-encoded md5 hash string; length min: 32, max: 32), domain (a domain name; length min: 1, max: 200), ipv4 (an IPv4 address; must be a valid IP address), ipv6 (an IPv6 address; must be a valid IP address). |
| value | Yes | Yes | query | string | The string representation of the indicator. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_count(type="string", value="string")
print(response)

Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.DevicesCount(type="string", value="string")
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("DevicesCount", type="string", value="string")
print(response)

DevicesRanOn

Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1

PEP8 method name

devices_ran_on

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| type | Yes | Yes | query | string | The type of the indicator. Valid types include: sha256 (a hex-encoded sha256 hash string; length min: 64, max: 64), md5 (a hex-encoded md5 hash string; length min: 32, max: 32), domain (a domain name; length min: 1, max: 200), ipv4 (an IPv4 address; must be a valid IP address), ipv6 (an IPv6 address; must be a valid IP address). |
| value | Yes | Yes | query | string | The string representation of the indicator. |
| limit | Yes | Yes | query | integer | Maximum number of results to return. |
| offset | Yes | Yes | query | integer | Starting offset to begin returning results. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_ran_on(type="string",
                                 value="string",
                                 limit=integer,
                                 offset=integer
                                 )
print(response)

Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.DevicesRanOn(type="string",
                               value="string",
                               limit=integer,
                               offset=integer
                               )
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("DevicesRanOn",
                          type="string",
                          value="string",
                          limit=integer,
                          offset=integer
                          )
print(response)

ProcessesRanOn

Search for processes associated with a custom IOC

PEP8 method name

processes_ran_on

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| type | Yes | Yes | query | string | The type of the indicator. Valid types include: sha256 (a hex-encoded sha256 hash string; length min: 64, max: 64), md5 (a hex-encoded md5 hash string; length min: 32, max: 32), domain (a domain name; length min: 1, max: 200), ipv4 (an IPv4 address; must be a valid IP address), ipv6 (an IPv6 address; must be a valid IP address). |
| value | Yes | Yes | query | string | The string representation of the indicator. |
| device_id | Yes | Yes | query | string | Specify a Host AID to return only processes from that host. |
| limit | Yes | Yes | query | integer | Maximum number of results to return. |
| offset | Yes | Yes | query | integer | Starting offset to begin returning results. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.processes_ran_on(type="string",
                                   value="string",
                                   device_id="string",
                                   limit=integer,
                                   offset=integer
                                   )
print(response)

Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.ProcessesRanOn(type="string",
                                 value="string",
                                 device_id="string",
                                 limit=integer,
                                 offset=integer
                                 )
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

response = falcon.command("ProcessesRanOn",
                          type="string",
                          value="string",
                          device_id="string",
                          limit=integer,
                          offset=integer
                          )
print(response)
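
DevicesCount, DevicesRanOn and ProcessesRanOn all take the same `type` and `value` pair with the constraints listed under "Valid types include". The pre-flight check below is an added example, not part of FalconPy. It screens a batch of indicators against those constraints before any API call is made; `indicator_problem` and `split_batch` are hypothetical helper names, the sample values are constructed, and the hostname character check on domains is an assumption stricter than the length-only rule on this page.

```python
"""Screen (type, value) pairs against the documented indicator constraints."""
import ipaddress
import re

HEX_LENGTHS = {"sha256": 64, "md5": 32}  # exact lengths from the page
DOMAIN_MAX_LEN = 200                     # "min: 1, max: 200" from the page
_HEX = re.compile(r"[0-9a-fA-F]+")
_HOSTNAME_CHARS = re.compile(r"[A-Za-z0-9._-]+")


def indicator_problem(ioc_type, value):
    """Return None when the pair is acceptable, otherwise a reason string."""
    if not isinstance(value, str) or value != value.strip():
        return "value must be a string without surrounding whitespace"
    if ioc_type in HEX_LENGTHS:
        want = HEX_LENGTHS[ioc_type]
        if len(value) != want:
            return f"{ioc_type} must be exactly {want} characters, got {len(value)}"
        if not _HEX.fullmatch(value):
            return f"{ioc_type} must be hex-encoded"
        return None
    if ioc_type == "domain":
        if not 1 <= len(value) <= DOMAIN_MAX_LEN:
            return f"domain length must be 1-{DOMAIN_MAX_LEN}, got {len(value)}"
        # Assumption, stricter than the page: catches pasted URLs and
        # defanged values such as example[.]com before they are submitted.
        if not _HOSTNAME_CHARS.fullmatch(value):
            return "domain contains characters that cannot appear in a hostname"
        return None
    if ioc_type in ("ipv4", "ipv6"):
        parser = ipaddress.IPv4Address if ioc_type == "ipv4" else ipaddress.IPv6Address
        try:
            parser(value)
        except ValueError:
            return f"not a valid {ioc_type} address"
        return None
    return f"unsupported indicator type: {ioc_type!r}"


def split_batch(pairs):
    """Partition pairs into (valid, rejected); rejected entries carry the reason."""
    valid, rejected = [], []
    for ioc_type, value in pairs:
        reason = indicator_problem(ioc_type, value)
        if reason is None:
            valid.append((ioc_type, value))
        else:
            rejected.append((ioc_type, value, reason))
    return valid, rejected


# Constructed sample batch; none of these values come from the page.
SAMPLE_BATCH = [
    ("sha256", "a" * 64),
    ("sha256", "a" * 63),                 # one character short
    ("md5", "ab" * 16),
    ("md5", "zz" * 16),                   # right length, not hex
    ("domain", "example.com"),
    ("domain", "example[.]com"),          # defanged, must be refanged first
    ("domain", "https://example.com/x"),  # a URL, not a domain
    ("ipv4", "192.0.2.10"),
    ("ipv4", "192.0.2.999"),
    ("ipv6", "2001:db8::1"),
    ("url", "example.com"),               # type not in the documented list
]

if __name__ == "__main__":
    ok, bad = split_batch(SAMPLE_BATCH)
    print(f"{len(ok)} valid, {len(bad)} rejected")
    for ioc_type, value, reason in bad:
        print(f"  rejected {ioc_type} {value!r}: {reason}")
```

Only the pairs in the first list returned by `split_batch` should be passed on as `type=` and `value=`.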

entities_processes

For the provided ProcessID retrieve the process details

PEP8 method name

entities_processes

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Yes | Yes | query | string or list of strings | ProcessID for the running process you want to lookup. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)

Service class example (Operation ID syntax)
from falconpy import IOC

# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarness

# Do not hardcode API credentials!
falcon = APIHarness(client_id=CLIENT_ID,
                    client_secret=CLIENT_SECRET
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_processes", ids=id_list)
print(response)