
Custom IOA

Joshua Hiller edited this page Dec 10, 2024 · 18 revisions


Using the Custom IOA service collection


This service collection has code examples posted to the repository.

Table of Contents

| Operation ID | PEP 8 method | Description |
| --- | --- | --- |
| get_patterns | get_patterns | Get pattern severities by ID. |
| get_platformsMixin0 | get_platforms | Get platforms by ID. |
| get_rule_groupsMixin0 | get_rule_groups | Get rule groups by ID. |
| create_rule_groupMixin0 | create_rule_group | Create a rule group for a platform with a name and an optional description. Returns the rule group. |
| delete_rule_groupsMixin0 | delete_rule_groups | Delete rule groups by ID. |
| update_rule_groupMixin0 | update_rule_group | Update a rule group. The following properties can be modified: name, description, enabled. |
| get_rule_types | get_rule_types | Get rule types by ID. |
| get_rules_get | get_rules_get | Get rules by ID and optionally version in the following format: ID[:version]. |
| get_rulesMixin0 | get_rules | Get rules by ID and optionally version in the following format: ID[:version]. The max number of IDs is constrained by URL size. |
| create_rule | create_rule | Create a rule within a rule group. Returns the rule. |
| delete_rules | delete_rules | Delete rules from a rule group by ID. |
| update_rules | update_rules | Update rules within a rule group. Returns the updated rules. |
| update_rules_v2 | update_rules_v2 | Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state of all rules in the rule group, whereas the v2 flavor accepts a subset of the rules and applies the attribute updates only to that subset. Returns the updated rules. |
| validate | validate | Validates field values and checks for matches if a test string is provided. |
| query_patterns | query_patterns | Get all pattern severity IDs. |
| query_platformsMixin0 | query_platforms | Get all platform IDs. |
| query_rule_groups_full | query_rule_groups_full | Find all rule groups matching the query with optional filter. |
| query_rule_groupsMixin0 | query_rule_groups | Find all rule group IDs matching the query with optional filter. |
| query_rule_types | query_rule_types | Get all rule type IDs. |
| query_rulesMixin0 | query_rules | Find all rule IDs matching the query with optional filter. |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Note that none of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

get_patterns

Get pattern severities by ID.

PEP8 method name

get_patterns

Endpoint

| Method | Route |
| --- | --- |
| GET | /ioarules/entities/pattern-severities/v1 |

Required Scope

custom-ioa:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Yes | Yes | query | string or list of strings | The ID(s) of the entities to return. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_patterns(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_patterns(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_patterns", ids=id_list)
print(response)

get_platformsMixin0

Get platforms by ID.

PEP8 method name

get_platforms

Endpoint

| Method | Route |
| --- | --- |
| GET | /ioarules/entities/platforms/v1 |

Required Scope

custom-ioa:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Yes | Yes | query | string or list of strings | The ID(s) of the entities to return. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_platforms(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_platformsMixin0(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_platformsMixin0", ids=id_list)
print(response)

get_rule_groupsMixin0

Get rule groups by ID.

PEP8 method name

get_rule_groups

Endpoint

| Method | Route |
| --- | --- |
| GET | /ioarules/entities/rule-groups/v1 |

Required Scope

custom-ioa:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Yes | Yes | query | string or list of strings | The ID(s) of the entities to return. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_groups(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_groupsMixin0(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rule_groupsMixin0", ids=id_list)
print(response)

create_rule_groupMixin0

Create a rule group for a platform with a name and an optional description. Returns the rule group.

PEP8 method name

create_rule_group

Endpoint

| Method | Route |
| --- | --- |
| POST | /ioarules/entities/rule-groups/v1 |

Required Scope

custom-ioa:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Yes | Yes | body | dictionary | Full body payload in JSON format. |
| description | Yes | Yes | body | string | Rule group description. |
| comment | Yes | Yes | body | string | Comment to associate with this rule group. |
| name | Yes | Yes | body | string | Rule group name. |
| platform | Yes | Yes | body | string | Rule group platform. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.create_rule_group(description="string",
                                    comment="string",
                                    name="string",
                                    platform="string"
                                    )
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.create_rule_groupMixin0(description="string",
                                          comment="string",
                                          name="string",
                                          platform="string"
                                          )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
  "comment": "string",
  "description": "string",
  "name": "string",
  "platform": "string"
}

response = falcon.command("create_rule_groupMixin0", body=BODY)
print(response)

delete_rule_groupsMixin0

Delete rule groups by ID.

PEP8 method name

delete_rule_groups

Endpoint

| Method | Route |
| --- | --- |
| DELETE | /ioarules/entities/rule-groups/v1 |

Required Scope

custom-ioa:write

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| comment | Yes | Yes | query | string | Audit log comment for this operation. |
| ids | Yes | Yes | query | string or list of strings | The ID(s) of the rule groups to delete. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_groups(comment="string", ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_groupsMixin0(comment="string", ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_rule_groupsMixin0", comment="string", ids=id_list)
print(response)

update_rule_groupMixin0

Update a rule group. The following properties can be modified: name, description, enabled.

PEP8 method name

update_rule_group

Endpoint

| Method | Route |
| --- | --- |
| PATCH | /ioarules/entities/rule-groups/v1 |

Required Scope

custom-ioa:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Yes | Yes | body | dictionary | Full body payload in JSON format. |
| description | Yes | Yes | body | string | Rule group description. |
| comment | Yes | Yes | body | string | Comment to associate with this rule group. |
| enabled | Yes | Yes | body | boolean | Flag indicating if this rule group is enabled. |
| id | Yes | Yes | body | string | ID of the rule group to be updated. |
| name | Yes | Yes | body | string | Rule group name. |
| rulegroup_version | Yes | Yes | body | integer | Rule group version to update. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.update_rule_group(comment="string",
                                    description="string",
                                    enabled=True,  # boolean
                                    id="string",
                                    name="string",
                                    rulegroup_version=0  # integer
                                    )
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.update_rule_groupMixin0(comment="string",
                                          description="string",
                                          enabled=True,  # boolean
                                          id="string",
                                          name="string",
                                          rulegroup_version=0  # integer
                                          )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
  "comment": "string",
  "description": "string",
  "enabled": True,  # boolean
  "id": "string",
  "name": "string",
  "rulegroup_version": 0  # integer
}

response = falcon.command("update_rule_groupMixin0", body=BODY)
print(response)

get_rule_types

Get rule types by ID.

PEP8 method name

get_rule_types

Endpoint

| Method | Route |
| --- | --- |
| GET | /ioarules/entities/rule-types/v1 |

Required Scope

custom-ioa:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Yes | Yes | query | string or list of strings | The ID(s) of the entities to return. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_types(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_types(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rule_types", ids=id_list)
print(response)

get_rules_get

Get rules by ID and optionally version in the following format: ID[:version].

PEP8 method name

get_rules_get

Endpoint

| Method | Route |
| --- | --- |
| POST | /ioarules/entities/rules/GET/v1 |

Required Scope

custom-ioa:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Yes | Yes | body | dictionary | Full body payload in JSON format. |
| ids | Yes | Yes | body | string or list of strings | Rule ID(s) to retrieve. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules_get(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules_get(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

BODY = {
  "ids": id_list
}

response = falcon.command("get_rules_get", body=BODY)
print(response)

get_rulesMixin0

Get rules by ID and optionally version in the following format: ID[:version]. The max number of IDs is constrained by URL size.

PEP8 method name

get_rules

Endpoint

| Method | Route |
| --- | --- |
| GET | /ioarules/entities/rules/v1 |

Required Scope

custom-ioa:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Yes | Yes | query | string or list of strings | The ID(s) of the entities to return. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rulesMixin0(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rulesMixin0", ids=id_list)
print(response)
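
The helper below is an added example, not code from the FalconPy wiki or the falconpy package. It prepares the `ids` argument for get_rules from ID[:version] references and splits them into batches so that no single call exceeds the URL-size limit the description mentions; the reference pattern and the default length budget are assumptions, since the page does not state the gateway's actual limit.

```python
import re
from typing import Iterable, List

# Added example for this wiki section, not FalconPy code. It prepares the `ids` argument
# for get_rules, which accepts references in the form ID[:version] and whose ID count is
# limited by URL size. RULE_REF and the default max_query_len are assumptions for
# illustration; this page does not state the gateway's actual limit.

# ID[:version]: anything free of commas, whitespace and colons, optionally ":<digits>".
RULE_REF = re.compile(r"^[^,\s:]+(?::\d+)?$")


def normalize_rule_refs(refs: Iterable[str]) -> List[str]:
    """Trim, validate and de-duplicate ID[:version] references, keeping input order."""
    seen = set()
    cleaned: List[str] = []
    for raw in refs:
        ref = raw.strip()
        if not RULE_REF.match(ref):
            raise ValueError(f"malformed rule reference: {raw!r}")
        if ref not in seen:
            seen.add(ref)
            cleaned.append(ref)
    return cleaned


def batch_rule_refs(refs: Iterable[str], max_query_len: int = 2048) -> List[str]:
    """Split references into comma-joined `ids` values that each fit max_query_len.

    Each returned string is one value for falcon.get_rules(ids=...). The separator is
    counted as 3 characters because requests percent-encodes the comma as %2C.
    """
    batches: List[str] = []
    current: List[str] = []
    used = 0
    for ref in normalize_rule_refs(refs):
        if len(ref) > max_query_len:
            raise ValueError(f"reference longer than the whole budget: {ref}")
        extra = (3 if current else 0) + len(ref)
        if used + extra > max_query_len:
            batches.append(",".join(current))
            current, used, extra = [], 0, len(ref)
        current.append(ref)
        used += extra
    if current:
        batches.append(",".join(current))
    return batches


if __name__ == "__main__":
    # Constructed references; each batch would be one falcon.get_rules(ids=batch) call.
    for batch in batch_rule_refs(["rule-a", "rule-b:2", " rule-a ", "rule-c"], max_query_len=18):
        print(batch)
```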

create_rule

Create a rule within a rule group. Returns the rule.

PEP8 method name

create_rule

Endpoint

| Method | Route |
| --- | --- |
| POST | /ioarules/entities/rules/v1 |

Required Scope

custom-ioa:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Yes | Yes | body | dictionary | Full body payload in JSON format. |
| description | Yes | Yes | body | string | Rule description. |
| disposition_id | Yes | Yes | body | integer | Disposition ID of the rule. |
| comment | Yes | Yes | body | string | Comment to associate with this rule. |
| field_values | Yes | Yes | body | dictionary | Dictionary representing the rule field values. |
| pattern_severity | Yes | Yes | body | string | Severity. |
| name | Yes | Yes | body | string | Rule name. |
| rulegroup_id | Yes | Yes | body | string | ID of the rule group to associate this rule with. |
| ruletype_id | Yes | Yes | body | string | Rule type ID for this rule. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

field_val = {
    "final_value": "string",
    "label": "string",
    "name": "string",
    "type": "string",
    "value": "string",
    "values": [
        {
            "label": "string",
            "value": "string"
        }
    ]
}

response = falcon.create_rule(comment="string",
                              description="string",
                              disposition_id=0,  # integer
                              field_values=field_val,
                              pattern_severity="string",
                              name="string",
                              rulegroup_id="string",
                              ruletype_id="string"
                              )
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

field_val = {
    "final_value": "string",
    "label": "string",
    "name": "string",
    "type": "string",
    "value": "string",
    "values": [
        {
            "label": "string",
            "value": "string"
        }
    ]
}

response = falcon.create_rule(comment="string",
                              description="string",
                              disposition_id=0,  # integer
                              field_values=field_val,
                              pattern_severity="string",
                              name="string",
                              rulegroup_id="string",
                              ruletype_id="string"
                              )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
  "comment": "string",
  "description": "string",
  "disposition_id": 0,  # integer
  "field_values": [
    {
      "final_value": "string",
      "label": "string",
      "name": "string",
      "type": "string",
      "value": "string",
      "values": [
        {
          "label": "string",
          "value": "string"
        }
      ]
    }
  ],
  "name": "string",
  "pattern_severity": "string",
  "rulegroup_id": "string",
  "ruletype_id": "string"
}

response = falcon.command("create_rule", body=BODY)
print(response)

delete_rules

Delete rules from a rule group by ID.

PEP8 method name

delete_rules

Endpoint

| Method | Route |
| --- | --- |
| DELETE | /ioarules/entities/rules/v1 |

Required Scope

custom-ioa:write

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| comment | Yes | Yes | query | string | Audit log comment for this operation. |
| ids | Yes | Yes | query | string or list of strings | The ID(s) of the rules to delete. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |
| rule_group_id | Yes | Yes | query | string | The parent rule group ID. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rules(rule_group_id="string", comment="string", ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rules(rule_group_id="string", comment="string", ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_rules",
                          comment="string",
                          ids=id_list,
                          rule_group_id="string"
                          )
print(response)

update_rules

Update rules within a rule group. Returns the updated rules.

PEP8 method name

update_rules

Endpoint

| Method | Route |
| --- | --- |
| PATCH | /ioarules/entities/rules/v1 |

Required Scope

custom-ioa:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Yes | Yes | body | dictionary | Full body payload in JSON format. |
| comment | Yes | Yes | body | string | Comment to associate with this rule. |
| rule_updates | Yes | Yes | body | dictionary | Dictionary representing the rule updates to perform. |
| rulegroup_id | Yes | Yes | body | string | ID of the rule group to associate this rule with. |
| rulegroup_version | Yes | Yes | body | integer | Rule group version. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

rule_update = {
    "description": "string",
    "disposition_id": 0,  # integer
    "enabled": True,  # boolean
    "field_values": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ],
    "instance_id": "string",
    "name": "string",
    "pattern_severity": "string",
    "rulegroup_version": 0  # integer
}

response = falcon.update_rules(comment="string",
                               rule_updates=rule_update,
                               rulegroup_id="string",
                               rulegroup_version=0  # integer
                               )
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

rule_update = {
    "description": "string",
    "disposition_id": 0,  # integer
    "enabled": True,  # boolean
    "field_values": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ],
    "instance_id": "string",
    "name": "string",
    "pattern_severity": "string",
    "rulegroup_version": 0  # integer
}

response = falcon.update_rules(comment="string",
                               rule_updates=rule_update,
                               rulegroup_id="string",
                               rulegroup_version=0  # integer
                               )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "comment": "string",
    "rule_updates": [
        {
            "description": "string",
            "disposition_id": 0,
            "enabled": True,
            "field_values": [
                {
                    "final_value": "string",
                    "label": "string",
                    "name": "string",
                    "type": "string",
                    "value": "string",
                    "values": [
                        {
                            "label": "string",
                            "value": "string"
                        }
                    ]
                }
            ],
            "instance_id": "string",
            "name": "string",
            "pattern_severity": "string",
            "rulegroup_version": 0
        }
    ],
    "rulegroup_id": "string",
    "rulegroup_version": 0
}

response = falcon.command("update_rules", body=BODY)
print(response)

update_rules_v2

Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state of all rules in the rule group, whereas the v2 flavor accepts a subset of the rules and applies the attribute updates only to that subset. Returns the updated rules.

PEP8 method name

update_rules_v2

Endpoint

| Method | Route |
| --- | --- |
| PATCH | /ioarules/entities/rules/v2 |

Required Scope

custom-ioa:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Yes | Yes | body | dictionary | Full body payload in JSON format. |
| comment | Yes | Yes | body | string | Comment to associate with this rule. |
| rule_updates | Yes | Yes | body | dictionary | Dictionary representing the rule updates to perform. |
| rulegroup_id | Yes | Yes | body | string | ID of the rule group to associate this rule with. |
| rulegroup_version | Yes | Yes | body | integer | Rule group version. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

rule_update = {
    "description": "string",
    "disposition_id": 0,  # integer
    "enabled": True,  # boolean
    "field_values": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ],
    "instance_id": "string",
    "name": "string",
    "pattern_severity": "string",
    "rulegroup_version": 0  # integer
}

response = falcon.update_rules_v2(comment="string",
                                  rule_updates=rule_update,
                                  rulegroup_id="string",
                                  rulegroup_version=0  # integer
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

rule_update = {
    "description": "string",
    "disposition_id": 0,  # integer
    "enabled": True,  # boolean
    "field_values": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ],
    "instance_id": "string",
    "name": "string",
    "pattern_severity": "string",
    "rulegroup_version": integer
}

response = falcon.update_rules(comment="string",
                               rule_updates=rule_update,
                               rulegroup_id="string",
                               rulegroup_version=integer
                               )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "comment": "string",
    "rule_updates": [
        {
            "description": "string",
            "disposition_id": integer,
            "enabled": boolean,
            "field_values": [
                {
                    "final_value": "string",
                    "label": "string",
                    "name": "string",
                    "type": "string",
                    "value": "string",
                    "values": [
                        {
                            "label": "string",
                            "value": "string"
                        }
                    ]
                }
            ],
            "instance_id": "string",
            "name": "string",
            "pattern_severity": "string",
            "rulegroup_version": integer
        }
    ],
    "rulegroup_id": "string",
    "rulegroup_version": integer
}

response = falcon.command("update_rules", body=BODY)

print(response)
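The v1 update_rules call expects the complete state of every rule in the group, so a naive call that sends only the rule you want to change can clobber the rest. The following is an added example, not FalconPy's own code, showing the safe pattern: fetch the group with get_rule_groups, copy every rule's current attributes into rule_updates, change only the targeted rule, and submit with the group's current version. It assumes the rule group object returned under resources carries id, version and a rules list whose entries hold the per-rule attributes shown in the payload above (instance_id, name, description, enabled, pattern_severity, disposition_id, field_values); StubFalcon and SAMPLE data are constructed stand-ins so the code runs offline, and build_full_state_update / set_rule_enabled are names introduced here.

```python
"""Added example (not FalconPy's own code): flip one Custom IOA rule with update_rules
while carrying the complete, unchanged state of every other rule in the group."""
from copy import deepcopy
from typing import Any, Dict, List

# Per-rule attributes accepted by update_rules, taken from the payload shown on this page.
RULE_UPDATE_KEYS = ("description", "disposition_id", "enabled", "field_values",
                    "instance_id", "name", "pattern_severity")


def build_full_state_update(group: Dict[str, Any], instance_id: str,
                            enabled: bool, comment: str) -> Dict[str, Any]:
    """Build an update_rules body from a rule group as returned by get_rule_groups.

    Every rule is copied over unchanged; only the targeted rule's 'enabled' flag changes.
    Assumes (not verified against the API schema) that the group dict has 'id',
    'version' and 'rules', each rule having 'instance_id' plus the keys above.
    """
    rule_updates: List[Dict[str, Any]] = []
    found = False
    for rule in group["rules"]:
        update = {key: deepcopy(rule[key]) for key in RULE_UPDATE_KEYS if key in rule}
        update["rulegroup_version"] = group["version"]
        if rule["instance_id"] == instance_id:
            update["enabled"] = enabled
            found = True
        rule_updates.append(update)
    if not found:
        raise KeyError(f"rule {instance_id} is not in rule group {group['id']}")
    return {
        "comment": comment,
        "rulegroup_id": group["id"],
        "rulegroup_version": group["version"],  # version of the state this body was built from
        "rule_updates": rule_updates,
    }


def set_rule_enabled(falcon, rulegroup_id: str, instance_id: str,
                     enabled: bool, comment: str) -> Dict[str, Any]:
    """Fetch the current group, build the full-state body and submit it via body=.

    'falcon' is any object exposing get_rule_groups(ids=...) and update_rules(body=...),
    i.e. a CustomIOA instance or the offline stub below.
    """
    current = falcon.get_rule_groups(ids=rulegroup_id)
    if current["status_code"] != 200 or not current["body"].get("resources"):
        raise RuntimeError(f"get_rule_groups failed: {current['body'].get('errors')}")
    group = current["body"]["resources"][0]
    body = build_full_state_update(group, instance_id, enabled, comment)
    response = falcon.update_rules(body=body)
    if response["status_code"] != 200:
        raise RuntimeError(f"update_rules failed: {response['body'].get('errors')}")
    return response


class StubFalcon:
    """Offline stand-in for CustomIOA holding one constructed two-rule group."""

    def __init__(self):
        self.group = {
            "id": "rg-0001", "name": "Suspicious LOLBins", "platform": "windows",
            "version": 7, "enabled": True,
            "rules": [
                {"instance_id": "r-001", "name": "certutil download", "description": "",
                 "enabled": True, "pattern_severity": "high", "disposition_id": 30,
                 "field_values": [{"name": "CommandLine", "label": "Command Line",
                                   "type": "excludable",
                                   "values": [{"label": "include",
                                               "value": ".*certutil.*urlcache.*"}]}]},
                {"instance_id": "r-002", "name": "mshta remote", "description": "",
                 "enabled": True, "pattern_severity": "medium", "disposition_id": 20,
                 "field_values": []},
            ],
        }
        self.last_body = None  # records what a real client would have sent

    def get_rule_groups(self, ids):
        return {"status_code": 200,
                "body": {"resources": [deepcopy(self.group)], "errors": []}}

    def update_rules(self, body):
        self.last_body = body
        return {"status_code": 200, "body": {"resources": body["rule_updates"], "errors": []}}


if __name__ == "__main__":
    # With a live client: set_rule_enabled(CustomIOA(...), "<group id>", "<instance id>", False, "...")
    stub = StubFalcon()
    print(set_rule_enabled(stub, "rg-0001", "r-002", False, "disable noisy rule")["status_code"])
```

Because the body is rebuilt from a fresh get_rule_groups read each time, the rulegroup_version it carries always describes the state the changes were derived from, and a rule that is not in the group raises instead of silently sending a partial update.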

validate

Validates field values and checks for matches if a test string is provided.

PEP8 method name

validate

Endpoint

Method Route
POST /ioarules/entities/rules/validate/v1

Required Scope

custom-ioa:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| body | Yes | Yes | body | dictionary | Full body payload in JSON format. |
| fields | Yes | Yes | body | list of dictionaries | List of dictionaries containing the fields to be validated. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

fields_to_validate = [{
    "name": "string",
    "test_data": "string",
    "type": "string",
    "values": [
        {
            "label": "string",
            "value": "string"
        }
    ]
}]

response = falcon.validate(fields=fields_to_validate)
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

fields_to_validate = [{
    "name": "string",
    "test_data": "string",
    "type": "string",
    "values": [
        {
            "label": "string",
            "value": "string"
        }
    ]
}]

response = falcon.validate(fields=fields_to_validate)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "fields": [
        {
            "name": "string",
            "test_data": "string",
            "type": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ]
}

response = falcon.command("validate", body=BODY)
print(response)

query_patterns

Get all pattern severity IDs.

PEP8 method name

query_patterns

Endpoint

Method Route
GET /ioarules/queries/pattern-severities/v1

Required Scope

custom-ioa:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| limit | Yes | Yes | query | integer | Maximum number of records to return. |
| offset | Yes | Yes | query | integer | Starting index of overall result set from which to return ids. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_patterns(offset=integer, limit=integer)
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_patterns(offset=integer, limit=integer)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_patterns", limit=integer, offset=integer)
print(response)

query_platformsMixin0

Get all platform IDs.

PEP8 method name

query_platforms

Endpoint

Method Route
GET /ioarules/queries/platforms/v1

Required Scope

custom-ioa:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| limit | Yes | Yes | query | integer | Maximum number of records to return. |
| offset | Yes | Yes | query | integer | Starting index of overall result set from which to return ids. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_platforms(offset=integer, limit=integer)
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_platformsMixin0(offset=integer, limit=integer)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_platformsMixin0", offset=integer, limit=integer)
print(response)

query_rule_groups_full

Find all rule groups matching the query with optional filter.

PEP8 method name

query_rule_groups_full

Endpoint

Method Route
GET /ioarules/queries/rule-groups-full/v1

Required Scope

custom-ioa:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| filter | Yes | Yes | query | string | FQL Syntax formatted string used to limit the results. Available filter fields and range criteria are listed below. |
| limit | Yes | Yes | query | integer | Maximum number of records to return. |
| offset | Yes | Yes | query | integer | Starting index of overall result set from which to return ids. |
| q | Yes | Yes | query | string | Match query criteria which includes all the filter string fields. |
| sort | Yes | Yes | query | string | The property to sort by. (Ex: modified_on.desc) Available sort fields are listed below. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Available filters:
  • enabled
  • platform
  • name
  • description
  • rules.action_label
  • rules.name
  • rules.description
  • rules.pattern_severity
  • rules.ruletype_name
  • rules.enabled
Filter range criteria:
  • created_on
  • modified_on
You may use any common date format, such as 2010-05-15T14:55:21.892315096Z for date format fields.

Available sort fields:
  • created_by
  • created_on
  • modified_by
  • modified_on
  • enabled
  • name
  • description

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groups_full(sort="string",
                                         filter="string",
                                         q="string",
                                         offset=integer,
                                         limit=integer
                                         )
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groups_full(sort="string",
                                         filter="string",
                                         q="string",
                                         offset=integer,
                                         limit=integer
                                         )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_groups_full",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,
                          limit=integer
                          )
print(response)

query_rule_groupsMixin0

Finds all rule group IDs matching the query with optional filter.

PEP8 method name

query_rule_groups

Endpoint

Method Route
GET /ioarules/queries/rule-groups/v1

Required Scope

custom-ioa:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| filter | Yes | Yes | query | string | FQL Syntax formatted string used to limit the results. Available filter fields and range criteria are listed below. |
| limit | Yes | Yes | query | integer | Maximum number of records to return. |
| offset | Yes | Yes | query | integer | Starting index of overall result set from which to return ids. |
| q | Yes | Yes | query | string | Match query criteria which includes all the filter string fields. |
| sort | Yes | Yes | query | string | The property to sort by. (Ex: modified_on.desc) Available sort fields are listed below. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Available filters:
  • enabled
  • platform
  • name
  • description
  • rules.action_label
  • rules.name
  • rules.description
  • rules.pattern_severity
  • rules.ruletype_name
  • rules.enabled
Filter range criteria:
  • created_on
  • modified_on
You may use any common date format, such as 2010-05-15T14:55:21.892315096Z for date format fields.

Available sort fields:
  • created_by
  • created_on
  • modified_by
  • modified_on
  • enabled
  • name
  • description

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groups(sort="string",
                                    filter="string",
                                    q="string",
                                    offset=integer,
                                    limit=integer
                                    )
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groupsMixin0(sort="string",
                                          filter="string",
                                          q="string",
                                          offset=integer,
                                          limit=integer
                                          )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_groupsMixin0",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,
                          limit=integer
                          )
print(response)

query_rule_types

Get all rule type IDs.

PEP8 method name

query_rule_types

Endpoint

Method Route
GET /ioarules/queries/rule-types/v1

Required Scope

custom-ioa:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| limit | Yes | Yes | query | integer | Maximum number of records to return. |
| offset | Yes | Yes | query | integer | Starting index of overall result set from which to return ids. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_types(offset=integer, limit=integer)
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_types(offset=integer, limit=integer)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_types", offset=integer, limit=integer)
print(response)

query_rulesMixin0

Finds all rule IDs matching the query with optional filter.

PEP8 method name

query_rules

Endpoint

Method Route
GET /ioarules/queries/rules/v1

Required Scope

custom-ioa:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :--- | :---: | :---: | :--- | :--- | :--- |
| filter | Yes | Yes | query | string | FQL Syntax formatted string used to limit the results. Available filter fields and range criteria are listed below. |
| limit | Yes | Yes | query | integer | Maximum number of records to return. |
| offset | Yes | Yes | query | integer | Starting index of overall result set from which to return ids. |
| q | Yes | Yes | query | string | Match query criteria which includes all the filter string fields. |
| sort | Yes | Yes | query | string | The property to sort by. (Ex: rules.created_on.desc) Available sort fields are listed below. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Available filters:
  • enabled
  • platform
  • name
  • description
  • rules.action_label
  • rules.name
  • rules.description
  • rules.pattern_severity
  • rules.ruletype_name
  • rules.enabled
Filter range criteria:
  • created_on
  • modified_on
You may use any common date format, such as 2010-05-15T14:55:21.892315096Z for date format fields.

Available sort fields:
  • rules.ruletype_name
  • rules.enabled
  • rules.created_by
  • rules.current_version.name
  • rules.current_version.modified_by
  • rules.created_on
  • rules.current_version.description
  • rules.current_version.pattern_severity
  • rules.current_version.action_label
  • rules.current_version.modified_on

Usage

Service class example (PEP8 syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rules(sort="string",
                              filter="string",
                              q="string",
                              offset=integer,
                              limit=integer
                              )
print(response)
Service class example (Operation ID syntax)
from falconpy import CustomIOA

# Do not hardcode API credentials!
falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rulesMixin0(sort="string",
                                    filter="string",
                                    q="string",
                                    offset=integer,
                                    limit=integer
                                    )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rulesMixin0",
                          sort="string",
                          filter="string",
                          q="string",
                          offset=integer,
                          limit=integer
                          )
print(response)
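The query operations above (query_rule_groups_full, query_rule_groups and query_rules) all page with offset and limit and accept the same FQL filter fields, and limit caps a single call, so an audit that stops after the first page silently misses rules. The following is an added example, not FalconPy's own code, that walks every page of a query, applies an FQL filter built from the filter fields listed on this page, and then uses the full rule group objects from query_rule_groups_full to flag rules that are disabled inside groups that are still enabled. It assumes the response body carries meta.pagination.total alongside resources (the usual FalconPy query response shape) and that platform values such as 'windows' are valid for the platform filter; make_stub_query and SAMPLE_GROUPS are constructed stand-ins so it runs offline, and iter_all, disabled_rules_in_enabled_groups and audit are names introduced here.

```python
"""Added example (not FalconPy's own code): exhaustively page an offset/limit query such
as query_rule_groups_full and audit the result for disabled rules in enabled groups."""
from typing import Any, Callable, Dict, Iterator, List

PAGE_SIZE = 100  # a request-level cap; iter_all keeps going until the whole set is read


def iter_all(query_fn: Callable[..., Dict[str, Any]], limit: int = PAGE_SIZE,
             **params: Any) -> Iterator[Any]:
    """Yield every resource behind an offset/limit query (e.g. falcon.query_rule_groups_full).

    Stops when meta.pagination.total has been reached (assumption: the response carries
    meta.pagination.total) or when a page comes back empty, so an under-reported total
    cannot turn this into an endless loop. Non-200 responses raise instead of being
    silently treated as 'no more results'.
    """
    offset = 0
    while True:
        response = query_fn(offset=offset, limit=limit, **params)
        if response["status_code"] != 200:
            raise RuntimeError(f"query failed ({response['status_code']}): "
                               f"{response['body'].get('errors')}")
        page = response["body"].get("resources") or []
        if not page:
            return
        yield from page
        offset += len(page)
        total = response["body"].get("meta", {}).get("pagination", {}).get("total")
        if total is not None and offset >= total:
            return


def windows_group_filter() -> str:
    """FQL filter for enabled Windows rule groups, using the platform and enabled filter
    fields listed on this page ('+' joins FQL terms with AND; 'windows' is assumed)."""
    return "platform:'windows'+enabled:true"


def disabled_rules_in_enabled_groups(groups: List[Dict[str, Any]]) -> List[str]:
    """Return 'group/rule' labels for rules switched off inside an enabled group, the
    usual footprint of a rule that was 'temporarily' disabled and never re-enabled."""
    findings = []
    for group in groups:
        if not group.get("enabled"):
            continue
        for rule in group.get("rules", []):
            if not rule.get("enabled"):
                findings.append(f"{group['name']}/{rule['name']}")
    return findings


def audit(query_fn: Callable[..., Dict[str, Any]], page_size: int = PAGE_SIZE) -> List[str]:
    """Page through every matching rule group and report disabled rules."""
    groups = list(iter_all(query_fn, limit=page_size, filter=windows_group_filter(),
                           sort="modified_on.desc"))
    return disabled_rules_in_enabled_groups(groups)


# Constructed sample data (not real rule groups): five groups, 'beta' disabled in odd ones.
SAMPLE_GROUPS = [
    {"id": f"rg-{i:04d}", "name": f"group-{i}", "platform": "windows", "enabled": True,
     "rules": [{"instance_id": f"r-{i}-a", "name": "alpha", "enabled": True},
               {"instance_id": f"r-{i}-b", "name": "beta", "enabled": i % 2 == 0}]}
    for i in range(5)
]


def make_stub_query(groups: List[Dict[str, Any]]) -> Callable[..., Dict[str, Any]]:
    """Offline stand-in for CustomIOA.query_rule_groups_full that slices the sample data
    and reports pagination metadata the way iter_all expects."""
    def query(offset: int = 0, limit: int = PAGE_SIZE, **_: Any) -> Dict[str, Any]:
        page = groups[offset:offset + limit]
        return {"status_code": 200,
                "body": {"meta": {"pagination": {"offset": offset, "limit": limit,
                                                 "total": len(groups)}},
                         "resources": page, "errors": []}}
    return query


if __name__ == "__main__":
    # With a live client: audit(CustomIOA(...).query_rule_groups_full)
    print(audit(make_stub_query(SAMPLE_GROUPS), page_size=2))
```

The same iter_all works unchanged for query_rule_groups and query_rules, which return IDs rather than objects; feed those IDs to get_rule_groups or get_rules in batches if you need the full records.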
