-
Notifications
You must be signed in to change notification settings - Fork 71
Edit FalconIoc
bk-cs edited this page Sep 3, 2024
·
22 revisions
Modify custom indicators
Requires 'IOC Manager APIs: Write'.
Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
---|---|---|---|---|---|---|---|
InputObject | Object[] | One or more indicators to modify in a single request | X | ||||
Action | String | Action to perform when a host observes the indicator | |||||
Platform | String[] | Operating system platform | |||||
Source | String | Origination source | 1 |
256 |
|||
Severity | String | Severity level | |||||
Description | String | Indicator description | |||||
Filename | String | Indicator filename, used with hash values | |||||
Tag | String[] | Indicator tag | |||||
MobileAction | String | Action to perform when a mobile device observes the indicator |
no_action allow detect prevent
|
||||
HostGroup | String[] | Host group identifier | |||||
AppliedGlobally | Boolean | Assign to all host groups | |||||
Expiration | String | Expiration date. When an indicator expires, its action is set to 'no_action' but it remains in your indicator list. | |||||
FromParent | Boolean | Inheritance from parent CID | |||||
Comment | String | Audit log comment | |||||
Retrodetect | Boolean | Generate retroactive detections for hosts that have observed the indicator | |||||
IgnoreWarning | Boolean | Ignore warnings and modify all indicators | |||||
Id | String | Indicator identifier |
Edit-FalconIoc [[-Action] <String>] [[-Platform] <String[]>] [[-Source] <String>] [[-Severity] <String>] [[-Description] <String>] [[-Filename] <String>] [[-Tag] <String[]>] [[-MobileAction] <String>] [[-HostGroup] <String[]>] [[-AppliedGlobally] <Boolean>] [[-Expiration] <String>] [[-FromParent] <Boolean>] [[-Comment] <String>] [[-Retrodetect] <Boolean>] [[-IgnoreWarning] <Boolean>] [-Id] <String> [-WhatIf] [-Confirm] [<CommonParameters>]
Edit-FalconIoc -InputObject <Object[]> [[-Comment] <String>] [[-Retrodetect] <Boolean>] [[-IgnoreWarning] <Boolean>] [-WhatIf] [-Confirm] [<CommonParameters>]
PATCH /iocs/entities/indicators/v1
Edit-FalconIoc -Id <id> -Source testSource -Action detect -Severity low -Description 'test description update' -Platforms windows -Tags test_tag2 -HostGroup all -Expiration '2021-05-01T12:00:00Z'
2024-09-03: PSFalcon v2.2.7
- Using PSFalcon
-
Commands and Permissions
- Configuration Import/Export
- Container Security
- Detection and Prevention Policies
- Discover for Cloud and Containers
- Discover
- Event Streams
- Falcon Complete Dashboards
- Falcon Complete Message Center
- Falcon Data Replicator
- Falcon Intelligence
- Falcon Intelligence Recon
- Falcon OverWatch Dashboards
- Falcon Sandbox
- FileVantage
- Firewall Management
- Flight Control
- Horizon
- Host and Host Group Management
- Identity Protection
- Image Assessment
- Incident and Detection Monitoring
- Installation Tokens
- Kubernetes Protection
- MalQuery
- Mobile Host Enrollment
- On-Demand Scanning
- Quarantine
- Real-time Response
- Real-time Response Policy
- Scheduled Reports and Searches
- Sensor Download
- Sensor Update Policy
- Spotlight
- Tailored Intelligence
- Third-party ingestion
- USB Device Control Policy
- Users and Roles
- Zero Trust Assessment
- Examples
-
CrowdStrike SDKs
- PSFalcon - PowerShell
- FalconPy - Python 3
- goFalcon - Go
- Rusty Falcon - Rust