-
Notifications
You must be signed in to change notification settings - Fork 81
Edit FalconIoc
bk-cs edited this page Sep 3, 2024
·
23 revisions
Modify custom indicators
Requires 'IOC Manager APIs: Write'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| InputObject | Object[] | One or more indicators to modify in a single request | X | ||||
| Action | String | Action to perform when a host observes the indicator | |||||
| Platform | String[] | Operating system platform | |||||
| Source | String | Origination source | 1 |
256 |
|||
| Severity | String | Severity level | |||||
| Description | String | Indicator description | |||||
| Filename | String | Indicator filename, used with hash values | |||||
| Tag | String[] | Indicator tag | |||||
| MobileAction | String | Action to perform when a mobile device observes the indicator |
no_actionallowdetectprevent
|
||||
| HostGroup | String[] | Host group identifier | |||||
| AppliedGlobally | Boolean | Assign to all host groups | |||||
| Expiration | String | Expiration date. When an indicator expires, its action is set to 'no_action' but it remains in your indicator list. | |||||
| FromParent | Boolean | Inheritance from parent CID | |||||
| Comment | String | Audit log comment | |||||
| Retrodetect | Boolean | Generate retroactive detections for hosts that have observed the indicator | |||||
| IgnoreWarning | Boolean | Ignore warnings and modify all indicators | |||||
| Id | String | Indicator identifier |
Edit-FalconIoc [[-Action] <String>] [[-Platform] <String[]>] [[-Source] <String>] [[-Severity] <String>] [[-Description] <String>] [[-Filename] <String>] [[-Tag] <String[]>] [[-MobileAction] <String>] [[-HostGroup] <String[]>] [[-AppliedGlobally] <Boolean>] [[-Expiration] <String>] [[-FromParent] <Boolean>] [[-Comment] <String>] [[-Retrodetect] <Boolean>] [[-IgnoreWarning] <Boolean>] [-Id] <String> [-WhatIf] [-Confirm] [<CommonParameters>]Edit-FalconIoc -InputObject <Object[]> [[-Comment] <String>] [[-Retrodetect] <Boolean>] [[-IgnoreWarning] <Boolean>] [-WhatIf] [-Confirm] [<CommonParameters>]PATCH /iocs/entities/indicators/v1
Edit-FalconIoc -Id <id> -Source testSource -Action detect -Severity low -Description 'test description update' -Platforms windows -Tags test_tag2 -HostGroup all -Expiration '2021-05-01T12:00:00Z'2024-09-03: PSFalcon v2.2.7

- Using PSFalcon
-
Commands by Permission
- Actors (Falcon Intelligence)
- Alerts
- API integrations
- App Logs
- Assets
- CAO Hunting
- Case Templates
- Cases
- Channel File Control Settings
- Cloud Security API Assets
- Configuration Assessment
- Content Update Policies
- Correlation Rules
- CSPM registration
- Custom IOA rules
- Device Content
- Device control policies
- Event streams
- Falcon Complete Dashboards
- Falcon Container Image
- Falcon Data Replicator
- Falcon FileVantage
- Falcon FileVantage Content
- Firewall management
- Flight Control
- Host groups
- Host Migration
- Hosts
- Identity Protection Entities
- Identity Protection GraphQL
- Identity Protection Policy Rules
- Incidents
- Indicators (Falcon Intelligence)
- Installation tokens
- Installation token settings
- IOA Exclusions
- IOC Manager APIs
- IOCs
- IT Automation - Policies
- IT Automation - Task Executions
- IT Automation - Tasks
- IT Automation - User Groups
- Kubernetes Protection
- Machine Learning exclusions
- MalQuery
- Malware Families (Falcon Intelligence)
- Message Center
- Mobile Enrollment
- Monitoring rules (Falcon Intelligence Recon)
- NGSIEM
- NGSIEM Dashboards
- NGSIEM Lookup Files
- NGSIEM Parsers
- NGSIEM Saved Queries
- On demand scans (ODS)
- OverWatch Dashboard
- Prevention Policies
- Quarantined Files
- QuickScan Pro
- Real time response
- Real time response (admin)
- Reports (Falcon Intelligence)
- Response policies
- Rules (Falcon Intelligence)
- Sample uploads
- Sandbox (Falcon Intelligence)
- Scheduled Reports
- Sensor Download
- Sensor update policies
- Sensor Usage
- Sensor Visibility Exclusions
- Snapshot
- Snapshot Scanner Image Download
- Tailored Intelligence
- Threatgraph
- User management
- Vulnerabilities
- Vulnerabilities (Falcon Intelligence)
- Workflow
- Zero Trust Assessment
- Other Commands
- Examples
-
CrowdStrike SDKs
- FalconPy - Python 3
- goFalcon - Go
- Rusty Falcon - Rust