Using the IOC service collection
This service collection has code examples posted to the repository.
Table of Contents
| Operation ID | Description | ||||
|---|---|---|---|---|---|
| Get Indicators aggregates as specified via json in the request body. | ||||
| Get Combined for Indicators. | ||||
| Get Actions by ids. | ||||
| Launch an indicators report creation job | ||||
| Get Indicators by ids. | ||||
| Create Indicators. | ||||
| Delete Indicators by ids. | ||||
| Update Indicators. | ||||
| Query Actions. | ||||
| Search for Indicators. | ||||
| Query IOC Types. | ||||
| Query Platforms. | ||||
| Query Severities. | ||||
| Number of hosts in your customer account that have observed a given custom IOC | ||||
| Number of hosts in your customer account that have observed a given custom IOC | ||||
| Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1 | ||||
| Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1 | ||||
| Search for processes associated with a custom IOC (Deprecated) | ||||
| Search for processes associated with a custom IOC | ||||
| For the provided ProcessID retrieve the process details | ||||
Passing credentials
WARNING
client_idandclient_secretare keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
indicator_aggregate_v1
Get Indicators aggregates as specified via json in the request body.
PEP8 method name
indicator_aggregate
Endpoint
| Method | Route |
|---|---|
 | /iocs/aggregates/indicators/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |  |  | body | list of dictionaries | Full body payload in JSON format. |
| date_ranges | |  | body | list of dictionaries | Applies to date_range aggregations. Example: [ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ] |
| exclude | | | body | string | Elements to exclude. |
| field | | | body | string | The field on which to compute the aggregation. |
| filter | | | body | string | FQL syntax formatted string to use to filter the results. |
| from | | | body | integer | Starting position. |
| include | | | body | string | Elements to include. |
| interval | | | body | string | Time interval for date histogram aggregations. Valid values include:
|
| max_doc_count | | | body | integer | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | | | body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | | | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | | | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | | | body | string | Full text search across all metadata fields. |
| ranges | | | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ] |
| size | | | body | integer | The max number of term buckets to be returned. |
| sub_aggregates | | | body | list of dictionaries | A nested aggregation, such as: [ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ] There is a maximum of 3 nested aggregations per request. |
| sort | | | body | string | FQL syntax string to sort bucket results.
asc and desc using | format. Example: _count|desc |
| time_zone | | | body | string | Time zone for bucket results. |
| type | | | body | string | Type of aggregation. Valid values include:
|
Usage
Service class example (PEP8 syntax)
from falconpy.ioc import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.indicator_aggregate(date_ranges=[date_range],
exclude="string",
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
date_range = {
"from": "string",
"to": "string"
}
search_range = {
"From": integer,
"To": integer
}
response = falcon.indicator_aggregate_v1(date_ranges=[date_range],
exclude="string",
field="string",
filter="string",
from=integer,
include="string",
interval="string",
max_doc_count=integer,
min_doc_count=integer,
missing="string",
name="string",
q="string",
ranges=[search_range],
size=integer,
sort="string",
time_zone="string",
type="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"date_ranges": [
{
"from": "string",
"to": "string"
}
],
"exclude": "string",
"field": "string",
"filter": "string",
"from": integer,
"include": "string",
"interval": "string",
"max_doc_count": integer,
"min_doc_count": integer,
"missing": "string",
"name": "string",
"q": "string",
"ranges": [
{
"From": integer,
"To": integer
}
],
"size": integer,
"sort": "string",
"sub_aggregates": [
null
]
"time_zone": "string",
"type": "string"
}
response = falcon.command("indicator_aggregate_v1",
filter="string",
from_parent=boolean,
body=BODY
)
print(response)
Back to Table of Contents
indicator_combined_v1
Get Combined for Indicators.
PEP8 method name
indicator_combined
Endpoint
| Method | Route |
|---|---|
 | /iocs/combined/indicator/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| after | | | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. | ||||||||||||||||
| filter | | | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters:
| ||||||||||||||||
| from_parent | | | query | boolean | The filter for returning either only indicators for the request customer or its MSSP parents. | ||||||||||||||||
| limit | | | query | integer | Maximum number of results to return. | ||||||||||||||||
| offset | | | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. | ||||||||||||||||
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. | ||||||||||||||||
| sort | | | query | string | FQL Syntax formatted sort filter. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.indicator_combined(filter="string",
offset=integer,
limit=integer,
sort="string",
after="string",
from_parent=boolean
)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.indicator_combined_v1(filter="string",
offset=integer,
limit=integer,
sort="string",
after="string",
from_parent=boolean
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("indicator_combined_v1",
filter="string",
offset=integer,
limit=integer,
sort="string",
after="string",
from_parent=boolean
)
print(response)
Back to Table of Contents
action_get_v1
Get Actions by ids.
PEP8 method name
action_get
Endpoint
| Method | Route |
|---|---|
| /iocs/entities/actions/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Parameters
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | The ids of the actions to retrieve. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy.ioc import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.action_get(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.action_get_v1(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("action_get_v1", ids=id_list)
print(response)
Back to Table of Contents
GetIndicatorsReport
Launch an indicators report creation job
PEP8 method name
get_indicators_report
Endpoint
| Method | Route |
|---|---|
| /iocs/entities/indicators-reports/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Parameters
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full body payload in JSON format. |
| filter | | | body | string | FQL formatted string specifying the search filter. Overridden if search keyword is provided. |
| from_parent | | | body | boolean | Return results for the parent only. |
| query | | | body | string | FQL formatted string specifying the search query. Overridden if search keyword is provided. |
| report_format | | | body | string | Format of the report. |
| search | | | body | dictionary | Search parameters provided as a dictionary. Overrides values provided in the filter, query and sort keywords. |
| sort | | | body | string | FQL formatted string specifying the sort. Overridden if search keyword is provided. |
Usage
Service class example (PEP8 syntax)
from falconpy.ioc import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_indicators_report(filter="string",
query="string",
from_parent=boolean,
report_format="string",
sort="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetIndicatorsReport(filter="string",
query="string",
from_parent=boolean,
report_format="string",
sort="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"from_parent": boolean,
"report_format": "string",
"search": {
"filter": "string",
"query": "string",
"sort": "string"
}
}
response = falcon.command("GetIndicatorsReport", body=BODY)
print(response)
Back to Table of Contents
indicator_get_v1
Get Indicators by ids.
PEP8 method name
indicator_get
Endpoint
| Method | Route |
|---|---|
| /iocs/entities/indicators/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | The ids of the Indicators to retrieve. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.indicator_get(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.indicator_get_v1(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("indicator_get_v1", ids=id_list)
print(response)
Back to Table of Contents
indicator_create_v1
Create Indicators.
PEP8 method name
indicator_create
Endpoint
| Method | Route |
|---|---|
| /iocs/entities/indicators/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| action | | | body | string | Default action for IOC. |
| applied_globally | | | body | boolean | Flag indicating this IOC is applied globally. |
| body | | | body | dictionary | Full body payload in JSON format. |
| comment | | | body | string | IOC comment. |
| description | | | body | string | IOC description. |
| expiration | | | body | string | UTC formatted date string. |
| filename | | | body | string | Filename to use for the metadata dictionary. |
| host_groups | | | body | string or list of strings | List of host groups this IOC applies to. |
| ignore_warnings | | | query | boolean | Flag to indicate that warnings are ignored. |
| indicators | | | body | list of dictionaries | List of indicators to create. Overrides other keywords excluding body. Allows for the creation of multiple indicators at once. |
| metadata | | | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| platforms | | | body | string or list of strings | Platforms this IOC impacts. |
| retrodetects | | | query | boolean | Flag to indicate whether to submit retrodetects. |
| severity | | | body | string | IOC severity. |
| source | | | body | string | IOC source. |
| tags | | | body | string or list of strings | IOC tags. |
| type | | | body | string | IOC type. |
| value | | | body | string | String representation of the IOC. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
host_group_list = 'HG1,HG2,HG3' # Can also pass a list here: ['HG1', 'HG2', 'HG3']
platform_list = 'OS1,OS2,OS3' # Can also pass a list here: ['OS1', 'OS2', 'OS3']
tag_list = 'TAG1,TAG2,TAG3' # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']
response = falcon.indicator_create(action="string",
applied_globally=boolean,
comment="string",
description="string",
expiration="string",
filename="string",
host_groups=host_group_list,
ignore_warnings=boolean,
platforms=platform_list,
retrodetects="string",
severity="string",
source="string",
tags=tag_list,
type="string"
value="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
host_group_list = 'HG1,HG2,HG3' # Can also pass a list here: ['HG1', 'HG2', 'HG3']
platform_list = 'OS1,OS2,OS3' # Can also pass a list here: ['OS1', 'OS2', 'OS3']
tag_list = 'TAG1,TAG2,TAG3' # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']
response = falcon.indicator_create_v1(action="string",
applied_globally=boolean,
comment="string",
description="string",
expiration="string",
filename="string",
host_groups=host_group_list,
ignore_warnings=boolean,
platforms=platform_list,
retrodetects="string",
severity="string",
source="string",
tags=tag_list,
type="string"
value="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
host_group_list = ['HG1', 'HG2', 'HG3']
platform_list = ['OS1', 'OS2', 'OS3']
tag_list = ['TAG1', 'TAG2', 'TAG3']
BODY = {
"comment": "string",
"indicators": [
{
"action": "string",
"applied_globally": true,
"description": "string",
"expiration": "2021-10-22T10:40:39.372Z",
"host_groups": host_group_list,
"metadata": {
"filename": "string"
},
"mobile_action": "string",
"platforms": platform_list,
"severity": "string",
"source": "string",
"tags": tag_list,
"type": "string",
"value": "string"
}
]
}
response = falcon.command("indicator_create_v1",
retrodetects=boolean,
ignore_warnings=boolean,
body=BODY
)
print(response)
Back to Table of Contents
indicator_delete_v1
Delete Indicators by ids or a filter.
PEP8 method name
indicator_delete
Endpoint
| Method | Route |
|---|---|
 | /iocs/entities/indicators/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | FQL Syntax formatted filter that should be used to delete indicators in bulk. If both filter and ids are provided, then filter takes precedence and ids is ignored. |
| from_parent | | | query | boolean | Limit action to IOCs originating from the MSSP parent. |
| ids | | | query | string or list of strings | The ids of the Indicators to delete. If both filter and ids are provided, then filter takes precedence and ids is ignored. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.indicator_delete(filter="string",
from_parent=boolean,
comment="string",
ids=id_list
)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.indicator_delete_v1(filter="string",
from_parent=boolean,
comment="string",
ids=id_list
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("indicator_delete_v1",
filter="string",
from_parent=boolean,
comment="string",
ids=id_list
)
print(response)
Back to Table of Contents
indicator_update_v1
Update Indicators.
PEP8 method name
indicator_update
Endpoint
| Method | Route |
|---|---|
 | /iocs/entities/indicators/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| action | | | body | string | Default action for IOC. |
| applied_globally | | | body | boolean | Flag indicating this IOC is applied globally. |
| body | | | body | dictionary | Full body payload in JSON format. |
| bulk_update | | | body | dictionary | Dictionary containing the indicator update in JSON format. Not necessary when using other keywords. |
| comment | | | body | string | IOC comment. |
| description | | | body | string | IOC description. |
| expiration | | | body | string | UTC formatted date string. |
| filename | | | body | string | Filename to use for the metadata dictionary. |
| from_parent | | | body | boolean | Return results for the parent only. |
| host_groups | | | body | string or list of strings | List of host groups this IOC applies to. |
| id | | | body | string | The Indicator ID to be updated. At least one ID must be specified using this keyword, or as part of the indicators list using the indicators keyword. |
| ignore_warnings | | | query | boolean | Flag to indicate that warnings are ignored. |
| indicators | | | body | list of dictionaries | List of indicators to create. Overrides other keywords excluding body. Allows for the creation of multiple indicators at once. |
| metadata | | | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used. |
| mobile_action | | | body | string | Mobile action to perform. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| platforms | | | body | string or list of strings | Platforms this IOC impacts. |
| retrodetects | | | query | boolean | Flag to indicate whether to submit retrodetects. |
| severity | | | body | string | IOC severity. |
| source | | | body | string | IOC source. |
| tags | | | body | string or list of strings | IOC tags. |
| type | | | body | string | IOC type. |
| value | | | body | string | String representation of the IOC. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
host_group_list = 'HG1,HG2,HG3' # Can also pass a list here: ['HG1', 'HG2', 'HG3']
platform_list = 'OS1,OS2,OS3' # Can also pass a list here: ['OS1', 'OS2', 'OS3']
tag_list = 'TAG1,TAG2,TAG3' # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']
response = falcon.indicator_update(action="string",
applied_globally=boolean,
comment="string",
description="string",
expiration="string",
filename="string",
from_parent=boolean,
host_groups=host_group_list,
ignore_warnings=boolean,
mobile_action="string",
platforms=platform_list,
retrodetects="string",
severity="string",
source="string",
tags=tag_list,
type="string"
value="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
host_group_list = 'HG1,HG2,HG3' # Can also pass a list here: ['HG1', 'HG2', 'HG3']
platform_list = 'OS1,OS2,OS3' # Can also pass a list here: ['OS1', 'OS2', 'OS3']
tag_list = 'TAG1,TAG2,TAG3' # Can also pass a list here: ['TAG1', 'TAG2', 'TAG3']
response = falcon.indicator_update_v1(action="string",
applied_globally=boolean,
comment="string",
description="string",
expiration="string",
filename="string",
from_parent=boolean,
host_groups=host_group_list,
ignore_warnings=boolean,
mobile_action="string",
platforms=platform_list,
retrodetects="string",
severity="string",
source="string",
tags=tag_list,
type="string"
value="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
host_group_list = ['HG1', 'HG2', 'HG3']
platform_list = ['OS1', 'OS2', 'OS3']
tag_list = ['TAG1', 'TAG2', 'TAG3']
BODY = {
"bulk_update": {
"action": "string",
"applied_globally": boolean,
"description": "string",
"expiration": "2021-10-22T11:03:16.123Z",
"filter": "string",
"from_parent": boolean,
"host_groups": host_group_list,
"mobile_action": "string",
"platforms": platform_list,
"severity": "string",
"source": "string",
"tags": tag_list
},
"comment": "string",
"indicators": [
{
"action": "string",
"applied_globally": boolean,
"description": "string",
"expiration": "2021-10-22T11:03:16.123Z",
"host_groups": host_group_list,
"id": "string",
"metadata": {
"filename": "string"
},
"mobile_action": "string",
"platforms": platform_list,
"severity": "string",
"source": "string",
"tags": tag_list
}
]
}
response = falcon.command("indicator_update_v1",
ignore_warnings=boolean,
retrodetects=boolean,
body=BODY
)
print(response)
Back to Table of Contents
action_query_v1
Query Actions.
PEP8 method name
action_query
Endpoint
| Method | Route |
|---|---|
| /iocs/queries/actions/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Parameters
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit | | | query | integer | Maximum number of results to return. |
| offset | | | query | string | The offset to start retrieving records from. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy.ioc import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.action_query(offset="string", limit=integer)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.action_query_v1(offset="string", limit=integer)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("action_query_v1", offset="string", limit=integer)
print(response)
Back to Table of Contents
indicator_search_v1
Search for Indicators.
PEP8 method name
indicator_search
Endpoint
| Method | Route |
|---|---|
| /iocs/queries/indicators/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| after | | | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset. | ||||||||||||||||
| filter | | | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters:
| ||||||||||||||||
| from_parent | | | query | boolean | Return results for the parent only. | ||||||||||||||||
| limit | | | query | integer | Maximum number of results to return. | ||||||||||||||||
| offset | | | query | integer | The offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the after parameter instead of offset. | ||||||||||||||||
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. | ||||||||||||||||
| sort | | | query | string | FQL Syntax formatted sort filter. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.indicator_search(filter="string",
from_parent=boolean,
offset=integer,
limit=integer,
sort="string",
after="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.indicator_search_v1(filter="string",
from_parent=boolean,
offset=integer,
limit=integer,
sort="string",
after="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("indicator_search_v1",
filter="string",
from_parent=boolean,
offset=integer,
limit=integer,
sort="string",
after="string"
)
print(response)
Back to Table of Contents
ioc_type_query_v1
Query IOC Types.
PEP8 method name
ioc_type_query
Endpoint
| Method | Route |
|---|---|
| /iocs/queries/ioc-types/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Parameters
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit | | | query | integer | Maximum number of results to return. |
| offset | | | query | string | The offset to start retrieving records from. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy.ioc import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ioc_type_query(offset="string", limit=integer)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ioc_type_query_v1(offset="string", limit=integer)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ioc_type_query_v1", offset="string", limit=integer)
print(response)
Back to Table of Contents
platform_query_v1
Query Platforms.
PEP8 method name
platform_query
Endpoint
| Method | Route |
|---|---|
| /iocs/queries/platforms/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Parameters
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit | | | query | integer | Maximum number of results to return. |
| offset | | | query | string | The offset to start retrieving records from. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy.ioc import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.platform_query(offset="string", limit=integer)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.platform_query_v1(offset="string", limit=integer)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("platform_query_v1", offset="string", limit=integer)
print(response)
Back to Table of Contents
severity_query_v1
Query Severities.
PEP8 method name
severity_query
Endpoint
| Method | Route |
|---|---|
| /iocs/queries/severities/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Parameters
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit | | | query | integer | Maximum number of results to return. |
| offset | | | query | string | The offset to start retrieving records from. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy.ioc import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.severity_query(offset="string", limit=integer)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.severity_query_v1(offset="string", limit=integer)
print(response)
Uber class example
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("severity_query_v1", offset="string", limit=integer)
print(response)
Back to Table of Contents
DevicesCountLegacy
Number of hosts in your customer account that have observed a given custom IOC
Deprecated operation
This operation has been superseded by the indicator_get_device_count_v1 operation.
PEP8 method name
devices_count_legacy
Endpoint
| Method | Route |
|---|---|
| /indicators/aggregates/devices-count/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| type | | | query | string | The type of the indicator. Valid types include:
|
| value | | | query | string | The string representation of the indicator. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.devices_count_legacy(type="string", value="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.DevicesCount(type="string", value="string")
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("DevicesCount", type="string", value="string")
print(response)
Back to Table of Contents
indicator_get_device_count_v1
Number of hosts in your customer account that have observed a given custom IOC
PEP8 method name
devices_count (or indicator_get_device_count_v1)
Endpoint
| Method | Route |
|---|---|
| /iocs/aggregates/indicators/device-count/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| type | | | query | string | The type of the indicator. Valid types include:
|
| value | | | query | string | The string representation of the indicator. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.devices_count(type="string", value="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.indicator_get_device_count_v1(type="string", value="string")
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("indicator_get_device_count_v1", type="string", value="string")
print(response)
Back to Table of Contents
DevicesRanOnLegacy
Find hosts that have observed a given custom IOC.
Deprecated operation
This operation has been superseded by the indicator_get_devices_ran_on_v1 operation.
PEP8 method name
devices_ran_on_legacy
Endpoint
| Method | Route |
|---|---|
| /indicators/queries/devices/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| type | | | query | string | The type of the indicator. Valid types include:
|
| value | | | query | string | The string representation of the indicator. |
| limit | | | query | integer | Maximum number of results to return. |
| offset | | | query | integer | Starting offset to begin returning results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.devices_ran_on_legacy(type="string",
value="string",
limit="string",
offset="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.DevicesRanOn(type="string",
value="string",
limit="string",
offset="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("DevicesRanOn",
type="string",
value="string",
limit="string",
offset="string"
)
print(response)
Back to Table of Contents
indicator_get_devices_ran_on_v1
Find hosts that have observed a given custom IOC.
PEP8 method name
devices_ran_on (or indicator_get_devices_ran_on_v1)
Endpoint
| Method | Route |
|---|---|
| /iocs/queries/indicators/devices/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| type | | | query | string | The type of the indicator. Valid types include:
|
| value | | | query | string | The string representation of the indicator. |
| limit | | | query | integer | Maximum number of results to return. |
| offset | | | query | integer | Starting offset to begin returning results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.devices_ran_on(type="string",
value="string",
limit="string",
offset="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.indicator_get_device_count_v1(type="string",
value="string",
limit="string",
offset="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("indicator_get_device_count_v1",
type="string",
value="string",
limit="string",
offset="string"
)
print(response)
Back to Table of Contents
ProcessesRanOnLegacy
Search for processes associated with a custom IOC
Deprecated operation
This operation has been superseded by the indicator_get_processes_ran_on_v1 operation.
PEP8 method name
processes_ran_on_legacy
Endpoint
| Method | Route |
|---|---|
| /indicators/queries/processes/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| type | | | query | string | The type of the indicator. Valid types include:
|
| value | | | query | string | The string representation of the indicator. |
| device_id | | | query | string | Specify a Host AID to return only processes from that host. |
| limit | | | query | integer | Maximum number of results to return. |
| offset | | | query | integer | Starting offset to begin returning results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.processes_ran_on_legacy(type="string",
value="string",
device_id="string",
limit="string",
offset="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ProcessesRanOn(type="string",
value="string",
device_id="string",
limit="string",
offset="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ProcessesRanOn",
type="string",
value="string",
device_id="string",
limit="string",
offset="string"
)
print(response)
Back to Table of Contents
indicator_get_processes_ran_on_v1
Search for processes associated with a custom IOC
PEP8 method name
processes_ran_on or (indicator_get_processes_ran_on_v1)
Endpoint
| Method | Route |
|---|---|
| /iocs/queries/indicators/processes/v1 |
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| type | | | query | string | The type of the indicator. Valid types include:
|
| value | | | query | string | The string representation of the indicator. |
| device_id | | | query | string | Specify a Host AID to return only processes from that host. |
| limit | | | query | integer | Maximum number of results to return. |
| offset | | | query | integer | Starting offset to begin returning results. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.processes_ran_on(type="string",
value="string",
device_id="string",
limit="string",
offset="string"
)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.indicator_get_processes_ran_on_v1(type="string",
value="string",
device_id="string",
limit="string",
offset="string"
)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("indicator_get_processes_ran_on_v1",
type="string",
value="string",
device_id="string",
limit="string",
offset="string"
)
print(response)
Back to Table of Contents
entities_processes
For the provided ProcessID retrieve the process details
PEP8 method name
entities_processes
Endpoint
| Method | Route |
|---|---|
| /processes/entities/processes/v1 |
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | ProcessID for the running process you want to lookup. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.entities_processes(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import IOC
# Do not hardcode API credentials!
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.entities_processes(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("entities_processes", ids=id_list)
print(response)
Back to Table of Contents