Custom IOA
This service collection has code examples posted to the repository.
| Operation ID | Description |
|---|---|
| get_patterns | Get pattern severities by ID. |
| get_platforms | Get platforms by ID. |
| get_rule_groups | Get rule groups by ID. |
| create_rule_group | Create a rule group for a platform with a name and an optional description. Returns the rule group. |
| delete_rule_groups | Delete rule groups by ID. |
| update_rule_group | Update a rule group. The following properties can be modified: name, description, enabled. |
| get_rule_types | Get rule types by ID. |
| get_rules_get | Get rules by ID and optionally version in the following format: ID[:version]. |
| get_rules | Get rules by ID and optionally version in the following format: ID[:version]. The max number of IDs is constrained by URL size. |
| create_rule | Create a rule within a rule group. Returns the rule. |
| delete_rules | Delete rules from a rule group by ID. |
| update_rules | Update rules within a rule group. Returns the updated rules. |
| update_rules_v2 | Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state for all the rules in the rule group; the v2 flavor accepts a subset of the rules in the rule group and applies the attribute updates only to that subset. Returns the updated rules. |
| validate | Validates field values and checks for matches if a test string is provided. |
| query_patterns | Get all pattern severity IDs. |
| query_platforms | Get all platform IDs. |
| query_rule_groups_full | Find all rule groups matching the query with optional filter. |
| query_rule_groups | Finds all rule group IDs matching the query with optional filter. |
| query_rule_types | Get all rule type IDs. |
| query_rules | Finds all rule IDs matching the query with optional filter. |

WARNING

`client_id` and `client_secret` are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

Get pattern severities by ID.
get_patterns
| Method | Route |
|---|---|
| | /ioarules/entities/pattern-severities/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | The ID(s) of the entities to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
# Service class example
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_patterns(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_patterns", ids=id_list)
print(response)
```

Get platforms by ID.
get_platforms
| Method | Route |
|---|---|
| | /ioarules/entities/platforms/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | The ID(s) of the entities to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
# Service class example, PEP 8 method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_platforms(ids=id_list)
print(response)
```

```python
# Service class example, Operation ID as the method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_platformsMixin0(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_platformsMixin0", ids=id_list)
print(response)
```

Get rule groups by ID.
get_rule_groups
| Method | Route |
|---|---|
| | /ioarules/entities/rule-groups/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | The ID(s) of the entities to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
# Service class example, PEP 8 method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_groups(ids=id_list)
print(response)
```

```python
# Service class example, Operation ID as the method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_groupsMixin0(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rule_groupsMixin0", ids=id_list)
print(response)
```

Create a rule group for a platform with a name and an optional description. Returns the rule group.
create_rule_group
| Method | Route |
|---|---|
| | /ioarules/entities/rule-groups/v1 |

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full body payload in JSON format. |
| description | | | body | string | Rule group description. |
| comment | | | body | string | Comment to associate with this rule group. |
| name | | | body | string | Rule group name. |
| platform | | | body | string | Rule group platform. |

```python
# Service class example, PEP 8 method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.create_rule_group(description="string",
                                    comment="string",
                                    name="string",
                                    platform="string"
                                    )
print(response)
```

```python
# Service class example, Operation ID as the method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.create_rule_groupMixin0(description="string",
                                          comment="string",
                                          name="string",
                                          platform="string"
                                          )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "comment": "string",
    "description": "string",
    "name": "string",
    "platform": "string"
}

response = falcon.command("create_rule_groupMixin0", body=BODY)
print(response)
```

Delete rule groups by ID.
delete_rule_groups
| Method | Route |
|---|---|
| | /ioarules/entities/rule-groups/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| comment | | | query | string | Audit log comment for this operation. |
| ids | | | query | string or list of strings | The ID(s) of the entities to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
# Service class example, PEP 8 method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_groups(comment="string", ids=id_list)
print(response)
```

```python
# Service class example, Operation ID as the method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_groupsMixin0(comment="string", ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_rule_groupsMixin0", comment="string", ids=id_list)
print(response)
```

Update a rule group. The following properties can be modified: name, description, enabled.
update_rule_group
| Method | Route |
|---|---|
| | /ioarules/entities/rule-groups/v1 |

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full body payload in JSON format. |
| description | | | body | string | Rule group description. |
| comment | | | body | string | Comment to associate with this rule group. |
| enabled | | | body | boolean | Flag indicating if this rule group is enabled. |
| id | | | body | string | ID of the rule group to be updated. |
| name | | | body | string | Rule group name. |
| rulegroup_version | | | body | integer | Rule group version to update. |

```python
# Service class example, PEP 8 method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.update_rule_group(comment="string",
                                    description="string",
                                    enabled=boolean,
                                    id="string",
                                    name="string",
                                    rulegroup_version=integer
                                    )
print(response)
```

```python
# Service class example, Operation ID as the method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.update_rule_groupMixin0(comment="string",
                                          description="string",
                                          enabled=boolean,
                                          id="string",
                                          name="string",
                                          rulegroup_version=integer
                                          )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "comment": "string",
    "description": "string",
    "enabled": boolean,
    "id": "string",
    "name": "string",
    "rulegroup_version": integer
}

response = falcon.command("update_rule_groupMixin0", body=BODY)
print(response)
```

Get rule types by ID.
get_rule_types
| Method | Route |
|---|---|
| | /ioarules/entities/rule-types/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | The ID(s) of the entities to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
# Service class example
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_types(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rule_types", ids=id_list)
print(response)
```

Get rules by ID and optionally version in the following format: ID[:version].
get_rules_get
| Method | Route |
|---|---|
| | /ioarules/entities/rules/GET/v1 |

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full body payload in JSON format. |
| ids | | | body | string or list of strings | Rule ID(s) to retrieve. |

```python
# Service class example
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules_get(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("get_rules_get", body=BODY)
print(response)
```

Get rules by ID and optionally version in the following format: ID[:version]. The max number of IDs is constrained by URL size.
get_rules
| Method | Route |
|---|---|
| | /ioarules/entities/rules/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string or list of strings | The ID(s) of the entities to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
# Service class example, PEP 8 method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)
print(response)
```

```python
# Service class example, Operation ID as the method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rulesMixin0(ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rulesMixin0", ids=id_list)
print(response)
```

Create a rule within a rule group. Returns the rule.
create_rule
| Method | Route |
|---|---|
| | /ioarules/entities/rules/v1 |

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full body payload in JSON format. |
| description | | | body | string | Rule description. |
| disposition_id | | | body | integer | Disposition ID of the rule. |
| comment | | | body | string | Comment to associate with this rule. |
| field_values | | | body | dictionary | Dictionary representing the rule field values. |
| pattern_severity | | | body | string | Severity. |
| name | | | body | string | Rule name. |
| rulegroup_id | | | body | string | ID of the Rule group to associate this rule to. |
| ruletype_id | | | body | string | Rule Type ID for this rule. |

```python
# Service class example
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

field_val = {
    "final_value": "string",
    "label": "string",
    "name": "string",
    "type": "string",
    "value": "string",
    "values": [
        {
            "label": "string",
            "value": "string"
        }
    ]
}

response = falcon.create_rule(comment="string",
                              description="string",
                              disposition_id=integer,
                              field_values=field_val,
                              pattern_severity="string",
                              name="string",
                              rulegroup_id="string",
                              ruletype_id="string"
                              )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "comment": "string",
    "description": "string",
    "disposition_id": integer,
    "field_values": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ],
    "name": "string",
    "pattern_severity": "string",
    "rulegroup_id": "string",
    "ruletype_id": "string"
}

response = falcon.command("create_rule", body=BODY)
print(response)
```

Delete rules from a rule group by ID.
delete_rules
| Method | Route |
|---|---|
| | /ioarules/entities/rules/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| comment | | | query | string | Audit log comment for this operation. |
| ids | | | query | string or list of strings | The ID(s) of the entities to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| rule_group_id | | | query | string | The parent rule group ID. |

```python
# Service class example
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rules(rule_group_id="string", comment="string", ids=id_list)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_rules",
                          comment="string",
                          ids=id_list,
                          rule_group_id="string"
                          )
print(response)
```

Update rules within a rule group. Returns the updated rules.
update_rules
| Method | Route |
|---|---|
| | /ioarules/entities/rules/v1 |

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full body payload in JSON format. |
| comment | | | body | string | Comment to associate with this rule. |
| rule_updates | | | body | dictionary | Dictionary representing the rule updates to perform. |
| rulegroup_id | | | body | string | ID of the Rule group to associate this rule to. |
| rulegroup_version | | | body | integer | Rule group version. |

```python
# Service class example
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

rule_update = {
    "description": "string",
    "disposition_id": integer,
    "enabled": boolean,
    "field_values": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ],
    "instance_id": "string",
    "name": "string",
    "pattern_severity": "string",
    "rulegroup_version": integer
}

response = falcon.update_rules(comment="string",
                               rule_updates=rule_update,
                               rulegroup_id="string",
                               rulegroup_version=integer
                               )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "comment": "string",
    "rule_updates": [
        {
            "description": "string",
            "disposition_id": integer,
            "enabled": boolean,
            "field_values": [
                {
                    "final_value": "string",
                    "label": "string",
                    "name": "string",
                    "type": "string",
                    "value": "string",
                    "values": [
                        {
                            "label": "string",
                            "value": "string"
                        }
                    ]
                }
            ],
            "instance_id": "string",
            "name": "string",
            "pattern_severity": "string",
            "rulegroup_version": integer
        }
    ],
    "rulegroup_id": "string",
    "rulegroup_version": integer
}

response = falcon.command("update_rules", body=BODY)
print(response)
```

Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state for all the rules in the rule group; the v2 flavor accepts a subset of the rules in the rule group and applies the attribute updates only to that subset. Returns the updated rules.
update_rules_v2
| Method | Route |
|---|---|
| | /ioarules/entities/rules/v2 |

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full body payload in JSON format. |
| comment | | | body | string | Comment to associate with this rule. |
| rule_updates | | | body | dictionary | Dictionary representing the rule updates to perform. |
| rulegroup_id | | | body | string | ID of the Rule group to associate this rule to. |
| rulegroup_version | | | body | integer | Rule group version. |

```python
# Service class example
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

rule_update = {
    "description": "string",
    "disposition_id": integer,
    "enabled": boolean,
    "field_values": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ],
    "instance_id": "string",
    "name": "string",
    "pattern_severity": "string",
    "rulegroup_version": integer
}

response = falcon.update_rules_v2(comment="string",
                                  rule_updates=rule_update,
                                  rulegroup_id="string",
                                  rulegroup_version=integer
                                  )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "comment": "string",
    "rule_updates": [
        {
            "description": "string",
            "disposition_id": integer,
            "enabled": boolean,
            "field_values": [
                {
                    "final_value": "string",
                    "label": "string",
                    "name": "string",
                    "type": "string",
                    "value": "string",
                    "values": [
                        {
                            "label": "string",
                            "value": "string"
                        }
                    ]
                }
            ],
            "instance_id": "string",
            "name": "string",
            "pattern_severity": "string",
            "rulegroup_version": integer
        }
    ],
    "rulegroup_id": "string",
    "rulegroup_version": integer
}

response = falcon.command("update_rules_v2", body=BODY)
print(response)
```

Validates field values and checks for matches if a test string is provided.
validate
| Method | Route |
|---|---|
| | /ioarules/entities/rules/validate/v1 |

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full body payload in JSON format. |
| fields | | | body | list of dictionaries | List of dictionaries containing the fields to be validated. |

```python
# Service class example
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

fields_to_validate = [{
    "name": "string",
    "test_data": "string",
    "type": "string",
    "values": [
        {
            "label": "string",
            "value": "string"
        }
    ]
}]

# Pass the list defined above (the variable name must match its definition).
response = falcon.validate(fields=fields_to_validate)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "fields": [
        {
            "name": "string",
            "test_data": "string",
            "type": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ]
}

response = falcon.command("validate", body=BODY)
print(response)
```

Get all pattern severity IDs.
query_patterns
| Method | Route |
|---|---|
| | /ioarules/queries/pattern-severities/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit | | | query | integer | Maximum number of records to return. |
| offset | | | query | integer | Starting index of overall result set from which to return ids. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
# Service class example
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_patterns(offset=integer, limit=integer)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_patterns", limit=integer, offset=integer)
print(response)
```

Get all platform IDs.
query_platforms
| Method | Route |
|---|---|
| | /ioarules/queries/platforms/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit | | | query | integer | Maximum number of records to return. |
| offset | | | query | integer | Starting index of overall result set from which to return ids. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
# Service class example, PEP 8 method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_platforms(offset=integer, limit=integer)
print(response)
```

```python
# Service class example, Operation ID as the method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_platformsMixin0(offset=integer, limit=integer)
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_platformsMixin0", offset=integer, limit=integer)
print(response)
```

Find all rule groups matching the query with optional filter.
query_rule_groups_full
| Method | Route |
|---|---|
| | /ioarules/queries/rule-groups-full/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | FQL Syntax formatted string used to limit the results. Available filters: such as 2010-05-15T14:55:21.892315096Z for date format fields. |
| limit | | | query | integer | Maximum number of records to return. |
| offset | | | query | integer | Starting index of overall result set from which to return ids. |
| q | | | query | string | Match query criteria which includes all the filter string fields. |
| sort | | | query | string | The property to sort by. (Ex: modified_on.desc) Available sort fields: |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
# Service class example
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

# offset is an integer, as listed in the parameter table above
response = falcon.query_rule_groups_full(sort="string",
                                         filter="string",
                                         q="string",
                                         offset=integer,
                                         limit=integer
                                         )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

# offset is an integer, as listed in the parameter table above
response = falcon.command("query_rule_groups_full",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,
                          limit=integer
                          )
print(response)
```

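An added example (not from the FalconPy documentation): a coverage audit built on `query_rule_groups_full` that walks `offset`/`limit` pages and reports disabled rule groups and disabled rules inside enabled groups. The response layout (`body.resources`, `body.meta.pagination.total`), the resource field names, the `FakeCustomIOA` stand-in, the sample data and the `FALCON_CLIENT_ID`/`FALCON_CLIENT_SECRET` environment variable names are assumptions.

```python
import os

# Constructed sample data, not real tenant output. The resource field names
# ("name", "enabled", "rules") are assumptions about the response shape.
SAMPLE_GROUPS = [
    {"id": "grp-1", "name": "Windows persistence", "enabled": True,
     "rules": [{"name": "Run key write", "enabled": False},
               {"name": "Scheduled task create", "enabled": True}]},
    {"id": "grp-2", "name": "Legacy Linux", "enabled": False,
     "rules": [{"name": "Cron edit", "enabled": True}]},
    {"id": "grp-3", "name": "Mac LaunchAgents", "enabled": True, "rules": []},
]


class FakeCustomIOA:
    """Offline stand-in (hypothetical) that pages results like the real call."""

    def __init__(self, groups, status_code=200):
        self.groups = groups
        self.status_code = status_code
        self.calls = []  # (offset, limit) of every request, for inspection

    def query_rule_groups_full(self, offset=0, limit=100, **_):
        self.calls.append((offset, limit))
        if self.status_code != 200:
            body = {"resources": [],
                    "errors": [{"code": self.status_code,
                                "message": "constructed error"}]}
        else:
            body = {"meta": {"pagination": {"offset": offset, "limit": limit,
                                            "total": len(self.groups)}},
                    "resources": self.groups[offset:offset + limit],
                    "errors": []}
        return {"status_code": self.status_code, "headers": {}, "body": body}


def iter_rule_groups(client, fql_filter=None, page_size=100):
    """Yield every rule group, advancing offset until the result set is exhausted."""
    offset = 0
    while True:
        kwargs = {"offset": offset, "limit": page_size}
        if fql_filter:
            kwargs["filter"] = fql_filter
        response = client.query_rule_groups_full(**kwargs)
        body = response.get("body") or {}
        if response.get("status_code") != 200:
            # Fail loudly: a partial listing would hide coverage gaps.
            raise RuntimeError(f"query_rule_groups_full failed: {body.get('errors')}")
        page = body.get("resources") or []
        yield from page
        offset += len(page)
        total = (body.get("meta") or {}).get("pagination", {}).get("total")
        if not page or len(page) < page_size:
            break
        if total is not None and offset >= total:
            break


def find_coverage_gaps(groups):
    """Return (disabled group names, (group, rule) pairs disabled in enabled groups)."""
    disabled_groups, disabled_rules = [], []
    for group in groups:
        if not group.get("enabled", False):
            # Report the group once instead of listing each of its rules.
            disabled_groups.append(group["name"])
            continue
        for rule in group.get("rules") or []:
            if not rule.get("enabled", False):
                disabled_rules.append((group["name"], rule["name"]))
    return disabled_groups, disabled_rules


def connect():
    """Build a real client from environment variables (names are assumptions)."""
    from falconpy import CustomIOA  # imported lazily so the demo runs offline
    return CustomIOA(client_id=os.environ["FALCON_CLIENT_ID"],
                     client_secret=os.environ["FALCON_CLIENT_SECRET"])


if __name__ == "__main__":
    # Replace FakeCustomIOA(SAMPLE_GROUPS) with connect() to audit a tenant.
    client = FakeCustomIOA(SAMPLE_GROUPS)
    off_groups, off_rules = find_coverage_gaps(iter_rule_groups(client, page_size=2))
    for name in off_groups:
        print(f"DISABLED GROUP: {name}")
    for group_name, rule_name in off_rules:
        print(f"DISABLED RULE:  {group_name} / {rule_name}")
```
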
Finds all rule group IDs matching the query with optional filter.
query_rule_groups
| Method | Route |
|---|---|
| | /ioarules/queries/rule-groups/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | FQL Syntax formatted string used to limit the results. Available filters: such as 2010-05-15T14:55:21.892315096Z for date format fields. |
| limit | | | query | integer | Maximum number of records to return. |
| offset | | | query | integer | Starting index of overall result set from which to return ids. |
| q | | | query | string | Match query criteria which includes all the filter string fields. |
| sort | | | query | string | The property to sort by. (Ex: modified_on.desc) Available sort fields: |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
# Service class example, PEP 8 method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

# offset is an integer, as listed in the parameter table above
response = falcon.query_rule_groups(sort="string",
                                    filter="string",
                                    q="string",
                                    offset=integer,
                                    limit=integer
                                    )
print(response)
```

```python
# Service class example, Operation ID as the method name
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groupsMixin0(sort="string",
                                          filter="string",
                                          q="string",
                                          offset=integer,
                                          limit=integer
                                          )
print(response)
```

```python
# Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_groupsMixin0",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,
                          limit=integer
                          )
print(response)
```

Get all rule type IDs.
query_rule_types
| Method | Route |
|---|---|
| | /ioarules/queries/rule-types/v1 |
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit | | | query | integer | Maximum number of records to return. |
| offset | | | query | integer | Starting index of overall result set from which to return ids. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Service class example (PEP8 syntax)

```python
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

# integer is a type placeholder; substitute real values.
response = falcon.query_rule_types(offset=integer, limit=integer)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_types(offset=integer, limit=integer)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_types", offset=integer, limit=integer)
print(response)
```

Finds all rule IDs matching the query with optional filter.
query_rules
| Method | Route |
|---|---|
| | /ioarules/queries/rules/v1 |
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | | | query | string | FQL Syntax formatted string used to limit the results. Available filters: such as 2010-05-15T14:55:21.892315096Z for date format fields. |
| limit | | | query | integer | Maximum number of records to return. |
| offset | | | query | integer | Starting index of overall result set from which to return ids. |
| q | | | query | string | Match query criteria which includes all the filter string fields. |
| sort | | | query | string | The property to sort by. (Ex: rules.created_on.desc) Available sort fields: |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
Service class example (PEP8 syntax)

```python
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

# "string" and integer are type placeholders; substitute real values.
response = falcon.query_rules(sort="string",
                              filter="string",
                              q="string",
                              offset=integer,
                              limit=integer
                              )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rulesMixin0(sort="string",
                                    filter="string",
                                    q="string",
                                    offset=integer,
                                    limit=integer
                                    )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rulesMixin0",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,
                          limit=integer
                          )
print(response)
```
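
Added example (not FalconPy's own code): walking the `offset` and `limit` parameters described above to build a complete inventory of rule IDs for a detection-content audit. `iter_all_ids`, `FakeCustomIOA` and `demo` are hypothetical names, the rule IDs are constructed, and the response layout (`status_code`, `body.resources`, `body.errors`, `body.meta.pagination.total`) is an assumption about the returned dictionary.

```python
from typing import Callable, Iterator


def iter_all_ids(query: Callable[..., dict], limit: int = 100, **params) -> Iterator[str]:
    """Yield every ID from a query_* operation by walking offset/limit pages."""
    offset = 0
    while True:
        response = query(offset=offset, limit=limit, **params)
        body = response.get("body") or {}
        if response.get("status_code") != 200 or body.get("errors"):
            # Fail loudly: a partial inventory would hide rules from the audit.
            raise RuntimeError(f"query failed at offset {offset}: {body.get('errors')}")
        page = body.get("resources") or []
        yield from page
        offset += len(page)
        # Assumption: body.meta.pagination.total is the overall match count.
        total = ((body.get("meta") or {}).get("pagination") or {}).get("total")
        if len(page) < limit or (total is not None and offset >= total):
            return


class FakeCustomIOA:
    """Constructed stand-in for falconpy.CustomIOA so the example runs offline."""

    def __init__(self, rule_ids):
        self._ids = list(rule_ids)
        self.calls = []  # (offset, limit) of every request, for inspection

    def query_rules(self, offset=0, limit=100, **_unused):
        self.calls.append((offset, limit))
        return {"status_code": 200,
                "body": {"meta": {"pagination": {"offset": offset, "limit": limit,
                                                 "total": len(self._ids)}},
                         "resources": self._ids[offset:offset + limit],
                         "errors": []}}


def demo():
    """Page through seven constructed rule IDs, three per request."""
    fake = FakeCustomIOA([f"rule-{n}" for n in range(7)])
    ids = list(iter_all_ids(fake.query_rules, limit=3, sort="rules.created_on.desc"))
    return ids, fake.calls


if __name__ == "__main__":
    print(demo())
```

With a real client, pass `falcon.query_rules` or `falcon.query_rule_groups` in place of `fake.query_rules`; a fixed `sort` keeps page boundaries stable between requests.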

