Custom IOA
This service collection has code examples posted to the repository.
| Operation ID | Description | ||||
|---|---|---|---|---|---|
|
Get pattern severities by ID. | ||||
|
Get platforms by ID. | ||||
|
Get rule groups by ID. | ||||
|
Create a rule group for a platform with a name and an optional description. Returns the rule group. | ||||
|
Delete rule groups by ID. | ||||
|
Update a rule group. The following properties can be modified: name, description, enabled. | ||||
|
Get rule types by ID. | ||||
|
Get rules by ID and optionally version in the following format: ID[:version]. |
||||
|
Get rules by ID and optionally version in the following format: ID[:version]. The max number of IDs is constrained by URL size. |
||||
|
Create a rule within a rule group. Returns the rule. | ||||
|
Delete rules from a rule group by ID. | ||||
|
Update rules within a rule group. Return the updated rules. | ||||
|
Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state for all the rules in the rule group, instead the v2 flavor will accept the subset of rules in the rule group and apply the attribute updates to the subset of rules in the rule group. Returns the updated rules. | ||||
|
Validates field values and checks for matches if a test string is provided. | ||||
|
Get all pattern severity IDs. | ||||
|
Get all platform IDs. | ||||
|
Find all rule groups matching the query with optional filter. | ||||
|
Finds all rule group IDs matching the query with optional filter. | ||||
|
Get all rule type IDs. | ||||
|
Finds all rule IDs matching the query with optional filter. | ||||
WARNING
client_idandclient_secretare keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Get pattern severities by ID.
get_patterns
| Method | Route |
|---|---|
 |
/ioarules/entities/pattern-severities/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
 |
|
query | string or list of strings | The ID(s) of the entities to return. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_patterns(ids=id_list)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_patterns(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_patterns", ids=id_list)
print(response)Get platforms by ID.
get_platforms
| Method | Route |
|---|---|
|
/ioarules/entities/platforms/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | The ID(s) of the entities to return. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_platforms(ids=id_list)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_platformsMixin0(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_platformsMixin0", ids=id_list)
print(response)Get rule groups by ID.
get_rule_groups
| Method | Route |
|---|---|
|
/ioarules/entities/rule-groups/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | The ID(s) of the entities to return. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rule_groups(ids=id_list)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rule_groupsMixin0(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_rule_groupsMixin0", ids=id_list)
print(response)Create a rule group for a platform with a name and an optional description. Returns the rule group.
create_rule_group
| Method | Route |
|---|---|
 |
/ioarules/entities/rule-groups/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
 |
body | dictionary | Full body payload in JSON format. |
| description |
|
 |
body | string | Rule group description. |
| comment |
|
|
body | string | Comment to associate with this rule group. |
| name |
|
|
body | string | Rule group name. |
| platform |
|
|
body | string | Rule group platform. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.create_rule_group(description="string",
comment="string",
name="string",
platform="string"
)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.create_rule_groupMixin0(description="string",
comment="string",
name="string",
platform="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"comment": "string",
"description": "string",
"name": "string",
"platform": "string"
}
response = falcon.command("create_rule_groupMixin0", body=BODY)
print(response)Delete rule groups by ID.
delete_rule_groups
| Method | Route |
|---|---|
 |
/ioarules/entities/rule-groups/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| comment |
|
|
query | string | Audit log comment for this operation. |
| ids |
|
|
query | string or list of strings | The ID(s) of the entities to return. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_rule_groups(comment="string", ids=id_list)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_rule_groupsMixin0(comment="string", ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("delete_rule_groupsMixin0", comment="string", ids=id_list)
print(response)Update a rule group. The following properties can be modified: name, description, enabled.
update_rule_group
| Method | Route |
|---|---|
 |
/ioarules/entities/rule-groups/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | dictionary | Full body payload in JSON format. |
| description |
|
|
body | string | Rule group description. |
| comment |
|
|
body | string | Comment to associate with this rule group. |
| enabled |
|
|
body | boolean | Flag indicating if this rule group is enabled. |
| id |
|
|
body | string | ID of the rule group to be updated. |
| name |
|
|
body | string | Rule group name. |
| rulegroup_version |
|
|
body | integer | Rule group version to update. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_rule_group(comment="string",
description="string",
enabled=boolean,
id="string",
name="string",
rulegroup_version=integer
)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_rule_groupMixin0(comment="string",
description="string",
enabled=boolean,
id="string",
name="string",
rulegroup_version=integer
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"comment": "string",
"description": "string",
"enabled": boolean,
"id": "string",
"name": "string",
"rulegroup_version": integer
}
response = falcon.command("update_rule_groupMixin0", body=BODY)
print(response)Get rule types by ID.
get_rule_types
| Method | Route |
|---|---|
|
/ioarules/entities/rule-types/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | The ID(s) of the entities to return. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rule_types(ids=id_list)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rule_types(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_rule_types", ids=id_list)
print(response)Get rules by ID and optionally version in the following format: ID[:version].
get_rules_get
| Method | Route |
|---|---|
|
/ioarules/entities/rules/GET/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | dictionary | Full body payload in JSON format. |
| ids |
|
|
body | string or list of strings | Rule ID(s) to retrieve. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rules_get(ids=id_list)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rules_get(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
BODY = {
"ids": id_list
}
response = falcon.command("get_rules_get", body=BODY)
print(response)Get rules by ID and optionally version in the following format: ID[:version]. The max number of IDs is constrained by URL size.
get_rules
| Method | Route |
|---|---|
|
/ioarules/entities/rules/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids |
|
|
query | string or list of strings | The ID(s) of the entities to return. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rules(ids=id_list)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rulesMixin0(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("get_rulesMixin0", ids=id_list)
print(response)Create a rule within a rule group. Returns the rule.
create_rule
| Method | Route |
|---|---|
|
/ioarules/entities/rules/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | dictionary | Full body payload in JSON format. |
| description |
|
|
body | string | Rule description. |
| disposition_id |
|
|
body | integer | Disposition ID of the rule. |
| comment |
|
|
body | string | Comment to associate with this rule. |
| field_values |
|
|
body | dictionary | Dictionary representing the rule field values. |
| pattern_severity |
|
|
body | string | Severity. |
| name |
|
|
body | string | Rule name. |
| rulegroup_id |
|
|
body | string | ID of the Rule group to associate this rule to. |
| ruletype_id |
|
|
body | string | Rule Type ID for this rule. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
field_val = {
"final_value": "string",
"label": "string",
"name": "string",
"type": "string",
"value": "string",
"values": [
{
"label": "string",
"value": "string"
}
]
}
response = falcon.create_rule(comment="string",
description="string",
disposition_id=integer,
field_values=field_val,
pattern_severity="string",
name="string",
rulegroup_id="string",
ruletype_id="string"
)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
field_val = {
"final_value": "string",
"label": "string",
"name": "string",
"type": "string",
"value": "string",
"values": [
{
"label": "string",
"value": "string"
}
]
}
response = falcon.create_rule(comment="string",
description="string",
disposition_id=integer,
field_values=field_val,
pattern_severity="string",
name="string",
rulegroup_id="string",
ruletype_id="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"comment": "string",
"description": "string",
"disposition_id": integer,
"field_values": [
{
"final_value": "string",
"label": "string",
"name": "string",
"type": "string",
"value": "string",
"values": [
{
"label": "string",
"value": "string"
}
]
}
],
"name": "string",
"pattern_severity": "string",
"rulegroup_id": "string",
"ruletype_id": "string"
}
response = falcon.command("create_rule", body=BODY)
print(response)Delete rules from a rule group by ID.
delete_rules
| Method | Route |
|---|---|
|
/ioarules/entities/rules/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| comment |
|
|
query | string | Audit log comment for this operation. |
| ids |
|
|
query | string or list of strings | The ID(s) of the entities to return. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
| rule_group_id |
|
|
query | string | The parent rule group ID. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_rules(rule_group_id="string", comment="string", ids=id_list)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_rules(rule_group_id="string", comment="string", ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("delete_rules",
comment="string",
ids=id_list,
rule_group_id="string"
)
print(response)Update rules within a rule group. Return the updated rules.
update_rules
| Method | Route |
|---|---|
|
/ioarules/entities/rules/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | dictionary | Full body payload in JSON format. |
| comment |
|
|
body | string | Comment to associate with this rule. |
| rule_updates |
|
|
body | dictionary | Dictionary representing the rule updates to perfrom. |
| rulegroup_id |
|
|
body | string | ID of the Rule group to associate this rule to. |
| rulegroup_version |
|
|
body | integer | Rule group version. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
rule_update = {
"description": "string",
"disposition_id": integer,
"enabled": boolean,
"field_values": [
{
"final_value": "string",
"label": "string",
"name": "string",
"type": "string",
"value": "string",
"values": [
{
"label": "string",
"value": "string"
}
]
}
],
"instance_id": "string",
"name": "string",
"pattern_severity": "string",
"rulegroup_version": integer
}
response = falcon.update_rules(comment="string",
rule_updates=rule_update,
rulegroup_id="string",
rulegroup_version=integer
)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
rule_update = {
"description": "string",
"disposition_id": integer,
"enabled": boolean,
"field_values": [
{
"final_value": "string",
"label": "string",
"name": "string",
"type": "string",
"value": "string",
"values": [
{
"label": "string",
"value": "string"
}
]
}
],
"instance_id": "string",
"name": "string",
"pattern_severity": "string",
"rulegroup_version": integer
}
response = falcon.update_rules(comment="string",
rule_updates=rule_update,
rulegroup_id="string",
rulegroup_version=integer
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"comment": "string",
"rule_updates": [
{
"description": "string",
"disposition_id": 0,
"enabled": true,
"field_values": [
{
"final_value": "string",
"label": "string",
"name": "string",
"type": "string",
"value": "string",
"values": [
{
"label": "string",
"value": "string"
}
]
}
],
"instance_id": "string",
"name": "string",
"pattern_severity": "string",
"rulegroup_version": 0
}
],
"rulegroup_id": "string",
"rulegroup_version": 0
}
response = falcon.command("update_rules", body=BODY)
print(response)Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state for all the rules in the rule group, instead the v2 flavor will accept the subset of rules in the rule group and apply the attribute updates to the subset of rules in the rule group. Returns the updated rules.
update_rules_v2
| Method | Route |
|---|---|
|
/ioarules/entities/rules/v2 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | dictionary | Full body payload in JSON format. |
| comment |
|
|
body | string | Comment to associate with this rule. |
| rule_updates |
|
|
body | dictionary | Dictionary representing the rule updates to perfrom. |
| rulegroup_id |
|
|
body | string | ID of the Rule group to associate this rule to. |
| rulegroup_version |
|
|
body | integer | Rule group version. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
rule_update = {
"description": "string",
"disposition_id": integer,
"enabled": boolean,
"field_values": [
{
"final_value": "string",
"label": "string",
"name": "string",
"type": "string",
"value": "string",
"values": [
{
"label": "string",
"value": "string"
}
]
}
],
"instance_id": "string",
"name": "string",
"pattern_severity": "string",
"rulegroup_version": integer
}
response = falcon.update_rules(comment="string",
rule_updates=rule_update,
rulegroup_id="string",
rulegroup_version=integer
)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
rule_update = {
"description": "string",
"disposition_id": integer,
"enabled": boolean,
"field_values": [
{
"final_value": "string",
"label": "string",
"name": "string",
"type": "string",
"value": "string",
"values": [
{
"label": "string",
"value": "string"
}
]
}
],
"instance_id": "string",
"name": "string",
"pattern_severity": "string",
"rulegroup_version": integer
}
response = falcon.update_rules(comment="string",
rule_updates=rule_update,
rulegroup_id="string",
rulegroup_version=integer
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"comment": "string",
"rule_updates": [
{
"description": "string",
"disposition_id": integer,
"enabled": boolean,
"field_values": [
{
"final_value": "string",
"label": "string",
"name": "string",
"type": "string",
"value": "string",
"values": [
{
"label": "string",
"value": "string"
}
]
}
],
"instance_id": "string",
"name": "string",
"pattern_severity": "string",
"rulegroup_version": integer
}
],
"rulegroup_id": "string",
"rulegroup_version": integer
}
response = falcon.command("update_rules", body=BODY)
print(response)Validates field values and checks for matches if a test string is provided.
validate
| Method | Route |
|---|---|
|
/ioarules/entities/rules/validate/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | dictionary | Full body payload in JSON format. |
| fields |
|
|
body | list of dictionaries | List of dictionaries containing the fields to be validated. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
fields_to_validate = [{
"name": "string",
"test_data": "string",
"type": "string",
"values": [
{
"label": "string",
"value": "string"
}
]
}]
response = falcon.validate(fields=field_to_validate)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
fields_to_validate = [{
"name": "string",
"test_data": "string",
"type": "string",
"values": [
{
"label": "string",
"value": "string"
}
]
}]
response = falcon.validate(fields=field_to_validate)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"fields": [
{
"name": "string",
"test_data": "string",
"type": "string",
"values": [
{
"label": "string",
"value": "string"
}
]
}
]
}
response = falcon.command("validate", body=BODY)
print(response)Get all pattern severity IDs.
query_patterns
| Method | Route |
|---|---|
|
/ioarules/queries/pattern-severities/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit |
|
|
query | integer | Maximum number of records to return. |
| offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_patterns(offset=integer, limit=integer)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_patterns(offset=integer, limit=integer)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_patterns", limit=integer, offset=integer)
print(response)Get all platform IDs.
query_platforms
| Method | Route |
|---|---|
|
/ioarules/queries/platforms/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit |
|
|
query | integer | Maximum number of records to return. |
| offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_platforms(offset=integer, limit=integer)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_platformsMixin0(offset=integer, limit=integer)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_platformsMixin0", offset=integer, limit=integer)
print(response)Find all rule groups matching the query with optional filter.
query_rule_groups_full
| Method | Route |
|---|---|
|
/ioarules/queries/rule-groups-full/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter |
|
|
query | string |
FQL Syntax formatted string used to limit the results. Available filters:
such as 2010-05-15T14:55:21.892315096Z for date format fields. |
| limit |
|
|
query | integer | Maximum number of records to return. |
| offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
| q |
|
|
query | string | Match query criteria which includes all the filter string fields. |
| sort |
|
|
query | string | The property to sort by. (Ex: modified_on.desc) Available sort fields:
|
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_rule_groups_full(sort="string",
filter="string",
q="string",
offset="string",
limit=integer
)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_rule_groups_full(sort="string",
filter="string",
q="string",
offset="string",
limit=integer
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_rule_groups_full",
sort="string",
filter="string",
q="string",
offset="string",
limit=integer
)
print(response)Finds all rule group IDs matching the query with optional filter.
query_rule_groups
| Method | Route |
|---|---|
|
/ioarules/queries/rule-groups/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter |
|
|
query | string |
FQL Syntax formatted string used to limit the results. Available filters:
such as 2010-05-15T14:55:21.892315096Z for date format fields. |
| limit |
|
|
query | integer | Maximum number of records to return. |
| offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
| q |
|
|
query | string | Match query criteria which includes all the filter string fields. |
| sort |
|
|
query | string | The property to sort by. (Ex: modified_on.desc) Available sort fields:
|
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_rule_groups(sort="string",
filter="string",
q="string",
offset="string",
limit=integer
)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_rule_groupsMixin0(sort="string",
filter="string",
q="string",
offset="string",
limit=integer
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_rule_groupsMixin0",
sort="string",
filter="string",
q="string",
offset="string",
limit=integer
)
print(response)Get all rule type IDs.
query_rule_types
| Method | Route |
|---|---|
|
/ioarules/queries/rule-types/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit |
|
|
query | integer | Maximum number of records to return. |
| offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_rule_types(offset=integer, limit=integer)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_rule_types(offset=integer, limit=integer)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_rule_types", offset=integer, limit=integer)
print(response)Finds all rule IDs matching the query with optional filter.
query_rules
| Method | Route |
|---|---|
|
/ioarules/queries/rules/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter |
|
|
query | string |
FQL Syntax formatted string used to limit the results. Available filters:
such as 2010-05-15T14:55:21.892315096Z for date format fields. |
| limit |
|
|
query | integer | Maximum number of records to return. |
| offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
| q |
|
|
query | string | Match query criteria which includes all the filter string fields. |
| sort |
|
|
query | string | The property to sort by. (Ex: rules.created_on.desc) Available sort fields:
|
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_rules(sort="string",
filter="string",
q="string",
offset="string",
limit=integer
)
print(response)from falconpy import CustomIOA
# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_rulesMixin0(sort="string",
filter="string",
q="string",
offset="string",
limit=integer
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("query_rulesMixin0",
sort="string",
filter="string",
q="string",
offset="string",
limit=integer
)
print(response)
- Home
- Discussions Board
- Glossary of Terms
- Installation, Upgrades and Removal
- Samples Collection
- Using FalconPy
- API Operations
-
Service Collections
- Alerts
- API Integrations
- Certificate Based Exclusions
- Cloud Connect AWS (deprecated)
- Cloud Snapshots
- Compliance Assessments
- Configuration Assessment
- Configuration Assessment Evaluation Logic
- Container Alerts
- Container Detections
- Container Images
- Container Packages
- Container Vulnerabilities
- CSPM Registration
- Custom IOAs
- Custom Storage
- D4C Registration (deprecated)
- Detects
- Device Control Policies
- Discover
- Drift Indicators
- Event Streams
- Exposure Management
- Falcon Complete Dashboard
- Falcon Container
- Falcon Intelligence Sandbox
- FDR
- FileVantage
- Firewall Management
- Firewall Policies
- Foundry LogScale
- Host Group
- Host Migration
- Hosts
- Identity Protection
- Image Assessment Policies
- Incidents
- Installation Tokens
- Intel
- IOA Exclusions
- IOC
- IOCs (deprecated)
- Kubernetes Protection
- MalQuery
- Message Center
- ML Exclusions
- Mobile Enrollment
- MSSP (Flight Control)
- OAuth2
- ODS (On Demand Scan)
- Overwatch Dashboard
- Prevention Policy
- Quarantine
- Quick Scan
- Quick Scan Pro
- Real Time Response
- Real Time Response Admin
- Real Time Response Audit
- Recon
- Report Executions
- Response Policies
- Sample Uploads
- Scheduled Reports
- Sensor Download
- Sensor Update Policy
- Sensor Visibility Exclusions
- Spotlight Evaluation Logic
- Spotlight Vulnerabilities
- Tailored Intelligence
- ThreatGraph
- Unidentified Containers
- User Management
- Workflows
- Zero Trust Assessment
- Documentation Support
-
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust
