Custom IOA

The Custom IOA service collection provides operations for managing custom Indicator of Attack (IOA) rules and rule groups. Create, update, delete, and query rule groups, rules, and rule types. Validate field values and retrieve platform and pattern severity information.

Language	Last Update
Python	v1.4.6
PowerShell	v2.2.9
Go	v0.20.0
TypeScript	v0.6.0
Rust	v0.7.0
Ruby	v1.2.0

This service collection has code examples posted to the repository.

Operation	Description
get_patterns `get_patterns`	Get pattern severities by ID.
get_platformsMixin0 `get_platforms`	Get platforms by ID.
get_rule_groupsMixin0 `get_rule_groups`	Get rule groups by ID.
create_rule_groupMixin0 `create_rule_group`	Create a rule group for a platform with a name and an optional description. Returns the rule group.
delete_rule_groupsMixin0 `delete_rule_groups`	Delete rule groups by ID.
update_rule_groupMixin0 `update_rule_group`	Update a rule group. The following properties can be modified: name, description, enabled.
get_rule_types `get_rule_types`	Get rule types by ID.
get_rules_get `get_rules_get`	Get rules by ID and optionally version in the following format: `ID[:version]`.
get_rulesMixin0 `get_rules`	Get rules by ID and optionally version in the following format: `ID[:version]`. The max number of IDs is constrained by URL size.
create_rule `create_rule`	Create a rule within a rule group. Returns the rule.
delete_rules `delete_rules`	Delete rules from a rule group by ID.
update_rules `update_rules`	Update rules within a rule group. Return the updated rules.
update_rules_v2 `update_rules_v2`	Update name, description, enabled or field_values for individual rules within a rule group.
validate `validate`	Validates field values and checks for matches if a test string is provided.
query_patterns `query_patterns`	Get all pattern severity IDs.
query_platformsMixin0 `query_platforms`	Get all platform IDs.
query_rule_groups_full `query_rule_groups_full`	Find all rule groups matching the query with optional filter.
query_rule_groupsMixin0 `query_rule_groups`	Finds all rule group IDs matching the query with optional filter.
query_rule_types `query_rule_types`	Get all rule type IDs.
query_rulesMixin0 `query_rules`	Finds all rule IDs matching the query with optional filter.

get_patterns

Get pattern severities by ID.

GET /ioarules/entities/pattern-severities/v1

Scope Custom IOA: READ Consumes · Produces application/json

PEP 8 get_patterns

Parameters

Name	Type	Data type	Description
ids	query	string or list of strings	The ID(s) of the entities to return.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_patterns(ids=id_list)
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_patterns(ids=id_list)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_patterns",
                          ids=id_list)
print(response)

Get-FalconIoaSeverity -Id @("ID1", "ID2")

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.CustomIoa.GetPatterns(
    &custom_ioa.GetPatternsParams{
      Ids: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.getPatterns(["ID1", "ID2", "ID3"]);  // ids

console.log(response);

use rusty_falcon::apis::custom_ioa_api::get_patterns;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = get_patterns(
        &falcon.cfg,  // configuration
        vec!["string".to_string()],  // ids
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

response = api.get_patterns(['ID1', 'ID2', 'ID3'])

puts response

get_platformsMixin0

Get platforms by ID.

GET /ioarules/entities/platforms/v1

Scope Custom IOA: READ Consumes · Produces application/json

PEP 8 get_platforms

Parameters

Name	Type	Data type	Description
ids	query	string or list of strings	The ID(s) of the entities to return.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_platforms(ids=id_list)
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_platformsMixin0(ids=id_list)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_platformsMixin0",
                          ids=id_list)
print(response)

Get-FalconIoaPlatform -Id @("ID1", "ID2")

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.CustomIoa.GetPlatformsMixin0(
    &custom_ioa.GetPlatformsMixin0Params{
      Ids: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.getPlatformsMixin0(["ID1", "ID2", "ID3"]);  // ids

console.log(response);

use rusty_falcon::apis::custom_ioa_api::get_platforms_mixin0;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = get_platforms_mixin0(
        &falcon.cfg,  // configuration
        vec!["string".to_string()],  // ids
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

response = api.get_platforms_mixin0(['ID1', 'ID2', 'ID3'])

puts response

get_rule_groupsMixin0

Get rule groups by ID.

GET /ioarules/entities/rule-groups/v1

Scope Custom IOA: READ Consumes · Produces application/json

PEP 8 get_rule_groups

Parameters

Name	Type	Data type	Description
ids	query	string or list of strings	The ID(s) of the entities to return.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_groups(ids=id_list)
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_groupsMixin0(ids=id_list)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rule_groupsMixin0",
                          ids=id_list)
print(response)

Get-FalconIoaGroup -Id @("ID1", "ID2")

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.CustomIoa.GetRuleGroupsMixin0(
    &custom_ioa.GetRuleGroupsMixin0Params{
      Ids: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.getRuleGroupsMixin0(["ID1", "ID2", "ID3"]);  // ids

console.log(response);

use rusty_falcon::apis::custom_ioa_api::get_rule_groups_mixin0;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = get_rule_groups_mixin0(
        &falcon.cfg,  // configuration
        vec!["string".to_string()],  // ids
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

response = api.get_rule_groups_mixin0(['ID1', 'ID2', 'ID3'])

puts response

create_rule_groupMixin0

Create a rule group for a platform with a name and an optional description. Returns the rule group.

POST /ioarules/entities/rule-groups/v1

Scope Custom IOA: WRITE Consumes · Produces application/json

PEP 8 create_rule_group

Parameters

Name	Type	Data type	Description
body	body	dictionary	Full body payload in JSON format.
description	body	string	Rule group description.
comment	body	string	Comment to associate with this rule group.
name	body	string	Rule group name.
platform	body	string	Rule group platform.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.create_rule_group(comment="string",
                                    description="string",
                                    name="string",
                                    platform="string")
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.create_rule_groupMixin0(comment="string",
                                          description="string",
                                          name="string",
                                          platform="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "comment": "string",
    "description": "string",
    "name": "string",
    "platform": "string"
}

response = falcon.command("create_rule_groupMixin0", body=body_payload)
print(response)

New-FalconIoaGroup -Name "string" -Platform "string"

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
  "github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  comment := "string"
  description := "string"
  name := "string"
  platform := "string"

  response, err := client.CustomIoa.CreateRuleGroupMixin0(
    &custom_ioa.CreateRuleGroupMixin0Params{
      Body: &models.APIRuleGroupCreateRequestV1{
        Comment: &comment,
        Description: &description,
        Name: &name,
        Platform: &platform,
      },
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.createRuleGroupMixin0(
  {
    comment: "string",
    description: "string",
    name: "string",
    platform: "string"
}  // body
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::create_rule_group_mixin0;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::ApiRuleGroupCreateRequestV1;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let body = ApiRuleGroupCreateRequestV1 {
        comment: Some("string".to_string()),
        description: Some("string".to_string()),
        name: Some("string".to_string()),
        platform: Some("string".to_string()),
        ..Default::default()
    };

    let response = create_rule_group_mixin0(
        &falcon.cfg,  // configuration
        body,  // body
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

body = Falcon::ApiRuleGroupCreateRequestV1.new(
  comment: 'string',
  description: 'string',
  name: 'string',
  platform: 'string'
)

response = api.create_rule_group_mixin0(body)

puts response

delete_rule_groupsMixin0

Delete rule groups by ID.

DELETE /ioarules/entities/rule-groups/v1

Scope Custom IOA: WRITE Consumes · Produces application/json

PEP 8 delete_rule_groups

Parameters

Name	Type	Data type	Description
comment	query	string	Audit log comment for this operation.
ids	query	string or list of strings	The ID(s) of the entities to return.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_groups(comment="string", ids=id_list)
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_groupsMixin0(comment="string", ids=id_list)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("delete_rule_groupsMixin0",
                          comment="string",
                          ids=id_list)
print(response)

Remove-FalconIoaGroup -Id @("ID1", "ID2")

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  comment := "string"

  response, err := client.CustomIoa.DeleteRuleGroupsMixin0(
    &custom_ioa.DeleteRuleGroupsMixin0Params{
      Comment: &comment,
      Ids: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.deleteRuleGroupsMixin0(
  ["ID1", "ID2", "ID3"],  // ids
  "string"  // comment
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::delete_rule_groups_mixin0;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = delete_rule_groups_mixin0(
        &falcon.cfg,  // configuration
        vec!["string".to_string()],  // ids
        Some("string"),  // comment
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

response = api.delete_rule_groups_mixin0(['ID1', 'ID2', 'ID3'])

puts response

update_rule_groupMixin0

Update a rule group. The following properties can be modified: name, description, enabled.

PATCH /ioarules/entities/rule-groups/v1

Scope Custom IOA: WRITE Consumes · Produces application/json

PEP 8 update_rule_group

Parameters

Name	Type	Data type	Description
body	body	dictionary	Full body payload in JSON format.
description	body	string	Rule group description.
comment	body	string	Comment to associate with this rule group.
enabled	body	boolean	Flag indicating if this rule group is enabled.
id	body	string	ID of the rule group to be updated.
name	body	string	Rule group name.
rulegroup_version	body	integer	Rule group version to update.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.update_rule_group(comment="string",
                                    description="string",
                                    enabled=boolean,
                                    id="string",
                                    name="string",
                                    rulegroup_version=integer)
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.update_rule_groupMixin0(comment="string",
                                          description="string",
                                          enabled=boolean,
                                          id="string",
                                          name="string",
                                          rulegroup_version=integer)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "comment": "string",
    "description": "string",
    "enabled": boolean,
    "id": "string",
    "name": "string",
    "rulegroup_version": integer
}

response = falcon.command("update_rule_groupMixin0", body=body_payload)
print(response)

Edit-FalconIoaGroup -Id "string"

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
  "github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  comment := "string"
  description := "string"
  enabled := boolean
  id := "string"
  name := "string"
  rulegroup_version := integer

  response, err := client.CustomIoa.UpdateRuleGroupMixin0(
    &custom_ioa.UpdateRuleGroupMixin0Params{
      Body: &models.APIRuleGroupModifyRequestV1{
        Comment: &comment,
        Description: &description,
        Enabled: &enabled,
        ID: &id,
        Name: &name,
        RulegroupVersion: &rulegroup_version,
      },
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.updateRuleGroupMixin0(
  {
    comment: "string",
    description: "string",
    enabled: boolean,
    id: "string",
    name: "string",
    rulegroupVersion: integer
}  // body
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::update_rule_group_mixin0;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::ApiRuleGroupModifyRequestV1;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let body = ApiRuleGroupModifyRequestV1 {
        comment: Some("string".to_string()),
        description: Some("string".to_string()),
        enabled: Some(boolean),
        id: Some("string".to_string()),
        name: Some("string".to_string()),
        rulegroup_version: Some(integer),
        ..Default::default()
    };

    let response = update_rule_group_mixin0(
        &falcon.cfg,  // configuration
        body,  // body
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

body = Falcon::ApiRuleGroupModifyRequestV1.new(
  comment: 'string',
  description: 'string',
  enabled: boolean,
  id: 'string',
  name: 'string',
  rulegroup_version: integer
)

response = api.update_rule_group_mixin0(body)

puts response

get_rule_types

Get rule types by ID.

GET /ioarules/entities/rule-types/v1

Scope Custom IOA: READ Consumes · Produces application/json

PEP 8 get_rule_types

Parameters

Name	Type	Data type	Description
ids	query	string or list of strings	The ID(s) of the entities to return.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_types(ids=id_list)
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_types(ids=id_list)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rule_types",
                          ids=id_list)
print(response)

Get-FalconIoaType -Id @("ID1", "ID2")

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.CustomIoa.GetRuleTypes(
    &custom_ioa.GetRuleTypesParams{
      Ids: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.getRuleTypes(["ID1", "ID2", "ID3"]);  // ids

console.log(response);

use rusty_falcon::apis::custom_ioa_api::get_rule_types;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = get_rule_types(
        &falcon.cfg,  // configuration
        vec!["string".to_string()],  // ids
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

response = api.get_rule_types(['ID1', 'ID2', 'ID3'])

puts response

get_rules_get

Get rules by ID and optionally version in the following format: ID[:version].

POST /ioarules/entities/rules/GET/v1

Scope Custom IOA: WRITE Consumes · Produces application/json

PEP 8 get_rules_get

Parameters

Name	Type	Data type	Description
body	body	dictionary	Full body payload in JSON format.
ids	body	string or list of strings	Rule ID(s) to retrieve.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules_get(ids=id_list)
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules_get(ids=id_list)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

body_payload = {
    "ids": ["string"]
}

response = falcon.command("get_rules_get", body=body_payload)
print(response)

Get-FalconIoaRule -Id @("ID1", "ID2")

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
  "github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.CustomIoa.GetRulesGet(
    &custom_ioa.GetRulesGetParams{
      Body: &models.APIRulesGetRequestV1{
        Ids: []string{"string"},
      },
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.getRulesGet(
  {
    ids: []
}  // body
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::get_rules_get;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::ApiRulesGetRequestV1;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let body = ApiRulesGetRequestV1 {
        ids: vec!["string".to_string()],
        ..Default::default()
    };

    let response = get_rules_get(
        &falcon.cfg,  // configuration
        body,  // body
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

body = Falcon::ApiRulesGetRequestV1.new(
  ids: []
)

response = api.get_rules_get(body)

puts response

get_rulesMixin0

Get rules by ID and optionally version in the following format: ID[:version]. The max number of IDs is constrained by URL size.

GET /ioarules/entities/rules/v1

Scope Custom IOA: READ Consumes · Produces application/json

PEP 8 get_rules

Parameters

Name	Type	Data type	Description
ids	query	string or list of strings	The ID(s) of the entities to return.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rulesMixin0(ids=id_list)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("get_rulesMixin0",
                          ids=id_list)
print(response)

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.CustomIoa.GetRulesMixin0(
    &custom_ioa.GetRulesMixin0Params{
      Ids: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.getRulesMixin0(["ID1", "ID2", "ID3"]);  // ids

console.log(response);

use rusty_falcon::apis::custom_ioa_api::get_rules_mixin0;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = get_rules_mixin0(
        &falcon.cfg,  // configuration
        vec!["string".to_string()],  // ids
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

response = api.get_rules_mixin0(['ID1', 'ID2', 'ID3'])

puts response

create_rule

Create a rule within a rule group. Returns the rule.

POST /ioarules/entities/rules/v1

Scope Custom IOA: WRITE Consumes · Produces application/json

PEP 8 create_rule

Parameters

Name	Type	Data type	Description
body	body	dictionary	Full body payload in JSON format.
description	body	string	Rule description.
disposition_id	body	integer	Disposition ID of the rule.
comment	body	string	Comment to associate with this rule.
field_values	body	dictionary	Dictionary representing the rule field values.
pattern_severity	body	string	Severity.
name	body	string	Rule name.
rulegroup_id	body	string	ID of the Rule group to associate this rule to.
ruletype_id	body	string	Rule Type ID for this rule.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

field_values = [
    {
        "final_value": "string",
        "label": "string",
        "name": "string",
        "type": "string",
        "value": "string",
        "values": [
            {
                "label": "string",
                "value": "string"
            }
        ]
    }
]

response = falcon.create_rule(comment="string",
                              description="string",
                              disposition_id=integer,
                              field_values=field_values,
                              name="string",
                              pattern_severity="string",
                              rulegroup_id="string",
                              ruletype_id="string")
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

field_values = [
    {
        "final_value": "string",
        "label": "string",
        "name": "string",
        "type": "string",
        "value": "string",
        "values": [
            {
                "label": "string",
                "value": "string"
            }
        ]
    }
]

response = falcon.create_rule(comment="string",
                              description="string",
                              disposition_id=integer,
                              field_values=field_values,
                              name="string",
                              pattern_severity="string",
                              rulegroup_id="string",
                              ruletype_id="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "comment": "string",
    "description": "string",
    "disposition_id": integer,
    "field_values": [
        {
            "final_value": "string",
            "label": "string",
            "name": "string",
            "type": "string",
            "value": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ],
    "name": "string",
    "pattern_severity": "string",
    "rulegroup_id": "string",
    "ruletype_id": "string"
}

response = falcon.command("create_rule", body=body_payload)
print(response)

New-FalconIoaRule -Name "string" `
  -PatternSeverity "string" `
  -RuletypeId "string" `
  -DispositionId integer `
  -Description "string" `
  -RulegroupId "string"

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
  "github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  comment := "string"
  description := "string"
  disposition_id := integer
  final_value := "string"
  label := "string"
  name := "string"
  type := "string"
  value := "string"
  pattern_severity := "string"
  rulegroup_id := "string"
  ruletype_id := "string"

  response, err := client.CustomIoa.CreateRule(
    &custom_ioa.CreateRuleParams{
      Body: &models.APIRuleCreateV1{
        Comment: &comment,
        Description: &description,
        DispositionID: &disposition_id,
        FieldValues: []interface{}{
          {
          FinalValue: &final_value,
          Label: &label,
          Name: &name,
          Type: &type,
          Value: &value,
          Values: []interface{}{
            {
            Label: &label,
            Value: &value,
            },
          },
          },
        },
        Name: &name,
        PatternSeverity: &pattern_severity,
        RulegroupID: &rulegroup_id,
        RuletypeID: &ruletype_id,
      },
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.createRule(
  {
    comment: "string",
    description: "string",
    dispositionId: integer,
    fieldValues: [{
        finalValue: "string",
        label: "string",
        name: "string",
        type: "string",
        value: "string",
        values: [{
            label: "string",
            value: "string"
          }]
      }],
    name: "string",
    patternSeverity: "string",
    rulegroupId: "string",
    ruletypeId: "string"
}  // body
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::create_rule;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::ApiRuleCreateV1;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let body = ApiRuleCreateV1 {
        comment: Some("string".to_string()),
        description: Some("string".to_string()),
        disposition_id: Some(integer),
        field_values: vec![FieldValue {
            name: Some("string".to_string()),
            type: Some("string".to_string()),
            value: Some("string".to_string()),
            values: vec![ValueItem {
                label: Some("string".to_string()),
                value: Some("string".to_string()),
                ..Default::default()
            }],
            ..Default::default()
        }],
        name: Some("string".to_string()),
        pattern_severity: Some("string".to_string()),
        rulegroup_id: Some("string".to_string()),
        ruletype_id: Some("string".to_string()),
        ..Default::default()
    };

    let response = create_rule(
        &falcon.cfg,  // configuration
        body,  // body
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

body = Falcon::ApiRuleCreateV1.new(
  comment: 'string',
  description: 'string',
  disposition_id: integer,
  field_values: [{
      final_value: 'string',
      label: 'string',
      name: 'string',
      type: 'string',
      value: 'string',
      values: [{
          label: 'string',
          value: 'string'
        }]
    }],
  name: 'string',
  pattern_severity: 'string',
  rulegroup_id: 'string',
  ruletype_id: 'string'
)

response = api.create_rule(body)

puts response

delete_rules

Delete rules from a rule group by ID.

DELETE /ioarules/entities/rules/v1

Scope Custom IOA: WRITE Consumes · Produces application/json

PEP 8 delete_rules

Parameters

Name	Type	Data type	Description
comment	query	string	Audit log comment for this operation.
ids	query	string or list of strings	The ID(s) of the entities to return.
parameters	query	dictionary	Full query string parameters payload in JSON format.
rule_group_id	query	string	The parent rule group ID.

Code Examples

Examples coming soon.

Remove-FalconFileVantageRule -RuleGroupId "string" -Id @("ID1", "ID2")

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/filevantage"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.Filevantage.DeleteRules(
    &filevantage.DeleteRulesParams{
      RuleGroupID: "string",
      Ids: []string{"ID1", "ID2", "ID3"},
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.filevantage.deleteRules(
  "string",  // ruleGroupId
  ["ID1", "ID2", "ID3"]  // ids
);

console.log(response);

use rusty_falcon::apis::filevantage_api::delete_rules;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = delete_rules(
        &falcon.cfg,  // configuration
        "string",  // rule_group_id
        vec!["string".to_string()],  // ids
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::Filevantage.new

response = api.delete_rules('string', ['ID1', 'ID2', 'ID3'])

puts response

update_rules

Update rules within a rule group. Return the updated rules.

PATCH /ioarules/entities/rules/v1

Scope Custom IOA: WRITE Consumes · Produces application/json

PEP 8 update_rules

Parameters

Name	Type	Data type	Description
body	body	dictionary	Full body payload in JSON format.
comment	body	string	Comment to associate with this rule.
rule_updates	body	dictionary	Dictionary representing the rule updates to perform.
rulegroup_id	body	string	ID of the Rule group to associate this rule to.
rulegroup_version	body	integer	Rule group version.

Code Examples

Examples coming soon.

Edit-FalconFileVantageRule -Id "string" `
  -Precedence integer `
  -RuleGroupId "string"

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/filevantage"
  "github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  created_timestamp := "string"
  depth := "string"
  description := "string"
  enable_content_capture := boolean
  enable_hash_capture := boolean
  exclude := "string"
  exclude_processes := "string"
  exclude_users := "string"
  id := "string"
  include := "string"
  include_processes := "string"
  include_users := "string"
  modified_timestamp := "string"
  path := "string"
  precedence := integer
  rule_group_id := "string"
  severity := "string"
  type := "string"
  watch_attributes_directory_changes := boolean
  watch_attributes_file_changes := boolean
  watch_create_directory_changes := boolean
  watch_create_file_changes := boolean
  watch_create_key_changes := boolean
  watch_delete_directory_changes := boolean
  watch_delete_file_changes := boolean
  watch_delete_key_changes := boolean
  watch_delete_value_changes := boolean
  watch_permissions_directory_changes := boolean
  watch_permissions_file_changes := boolean
  watch_permissions_key_changes := boolean
  watch_rename_directory_changes := boolean
  watch_rename_file_changes := boolean
  watch_rename_key_changes := boolean
  watch_set_value_changes := boolean
  watch_write_file_changes := boolean

  response, err := client.Filevantage.UpdateRules(
    &filevantage.UpdateRulesParams{
      Body: &models.RulegroupsRule{
        ContentFiles: []string{"string"},
        ContentRegistryValues: []string{"string"},
        CreatedTimestamp: &created_timestamp,
        Depth: &depth,
        Description: &description,
        EnableContentCapture: &enable_content_capture,
        EnableHashCapture: &enable_hash_capture,
        Exclude: &exclude,
        ExcludeProcesses: &exclude_processes,
        ExcludeUsers: &exclude_users,
        ID: &id,
        Include: &include,
        IncludeProcesses: &include_processes,
        IncludeUsers: &include_users,
        ModifiedTimestamp: &modified_timestamp,
        Path: &path,
        Precedence: &precedence,
        RuleGroupID: &rule_group_id,
        Severity: &severity,
        Type: &type,
        WatchAttributesDirectoryChanges: &watch_attributes_directory_changes,
        WatchAttributesFileChanges: &watch_attributes_file_changes,
        WatchCreateDirectoryChanges: &watch_create_directory_changes,
        WatchCreateFileChanges: &watch_create_file_changes,
        WatchCreateKeyChanges: &watch_create_key_changes,
        WatchDeleteDirectoryChanges: &watch_delete_directory_changes,
        WatchDeleteFileChanges: &watch_delete_file_changes,
        WatchDeleteKeyChanges: &watch_delete_key_changes,
        WatchDeleteValueChanges: &watch_delete_value_changes,
        WatchPermissionsDirectoryChanges: &watch_permissions_directory_changes,
        WatchPermissionsFileChanges: &watch_permissions_file_changes,
        WatchPermissionsKeyChanges: &watch_permissions_key_changes,
        WatchRenameDirectoryChanges: &watch_rename_directory_changes,
        WatchRenameFileChanges: &watch_rename_file_changes,
        WatchRenameKeyChanges: &watch_rename_key_changes,
        WatchSetValueChanges: &watch_set_value_changes,
        WatchWriteFileChanges: &watch_write_file_changes,
      },
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.filevantage.updateRules(
  {
    contentFiles: [],
    contentRegistryValues: [],
    createdTimestamp: "string",
    depth: "string",
    description: "string",
    enableContentCapture: boolean,
    enableHashCapture: boolean,
    exclude: "string",
    excludeProcesses: "string",
    excludeUsers: "string",
    id: "string",
    include: "string",
    includeProcesses: "string",
    includeUsers: "string",
    modifiedTimestamp: "string",
    path: "string",
    precedence: integer,
    ruleGroupId: "string",
    severity: "string",
    type: "string",
    watchAttributesDirectoryChanges: boolean,
    watchAttributesFileChanges: boolean,
    watchCreateDirectoryChanges: boolean,
    watchCreateFileChanges: boolean,
    watchCreateKeyChanges: boolean,
    watchDeleteDirectoryChanges: boolean,
    watchDeleteFileChanges: boolean,
    watchDeleteKeyChanges: boolean,
    watchDeleteValueChanges: boolean,
    watchPermissionsDirectoryChanges: boolean,
    watchPermissionsFileChanges: boolean,
    watchPermissionsKeyChanges: boolean,
    watchRenameDirectoryChanges: boolean,
    watchRenameFileChanges: boolean,
    watchRenameKeyChanges: boolean,
    watchSetValueChanges: boolean,
    watchWriteFileChanges: boolean
}  // body
);

console.log(response);

use rusty_falcon::apis::filevantage_api::update_rules;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::RulegroupsRule;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let body = RulegroupsRule {
        depth: Some("string".to_string()),
        id: Some("string".to_string()),
        include: Some("string".to_string()),
        path: Some("string".to_string()),
        rule_group_id: Some("string".to_string()),
        severity: Some("string".to_string()),
        type: Some("string".to_string()),
        ..Default::default()
    };

    let response = update_rules(
        &falcon.cfg,  // configuration
        body,  // body
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::Filevantage.new

body = {
  content_files: [],
  content_registry_values: [],
  created_timestamp: 'string',
  depth: 'string',
  description: 'string',
  enable_content_capture: boolean,
  enable_hash_capture: boolean,
  exclude: 'string',
  exclude_processes: 'string',
  exclude_users: 'string',
  id: 'string',
  include: 'string',
  include_processes: 'string',
  include_users: 'string',
  modified_timestamp: 'string',
  path: 'string',
  precedence: integer,
  rule_group_id: 'string',
  severity: 'string',
  type: 'string',
  watch_attributes_directory_changes: boolean,
  watch_attributes_file_changes: boolean,
  watch_create_directory_changes: boolean,
  watch_create_file_changes: boolean,
  watch_create_key_changes: boolean,
  watch_delete_directory_changes: boolean,
  watch_delete_file_changes: boolean,
  watch_delete_key_changes: boolean,
  watch_delete_value_changes: boolean,
  watch_permissions_directory_changes: boolean,
  watch_permissions_file_changes: boolean,
  watch_permissions_key_changes: boolean,
  watch_rename_directory_changes: boolean,
  watch_rename_file_changes: boolean,
  watch_rename_key_changes: boolean,
  watch_set_value_changes: boolean,
  watch_write_file_changes: boolean
}

response = api.update_rules(body)

puts response

update_rules_v2

Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state for all the rules in the rule group, instead the v2 flavor will accept the subset of rules in the rule group and apply the attribute updates to the subset of rules in the rule group. Returns the updated rules.

PATCH /ioarules/entities/rules/v2

Scope Custom IOA: WRITE Consumes · Produces application/json

PEP 8 update_rules_v2

Parameters

Name	Type	Data type	Description
body	body	dictionary	Full body payload in JSON format.
comment	body	string	Comment to associate with this rule.
rule_updates	body	dictionary	Dictionary representing the rule updates to perform.
rulegroup_id	body	string	ID of the Rule group to associate this rule to.
rulegroup_version	body	integer	Rule group version.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

rule_updates = [
    {
        "description": "string",
        "disposition_id": 0,
        "enabled": true,
        "field_values": [
            {
                "final_value": "string",
                "label": "string",
                "name": "string",
                "type": "string",
                "value": "string",
                "values": [
                    {
                        "label": "string",
                        "value": "string"
                    }
                ]
            }
        ],
        "instance_id": "string",
        "name": "string",
        "pattern_severity": "string",
        "rulegroup_version": 0
    }
]

response = falcon.update_rules_v2(comment="string",
                                  rulegroup_id="string",
                                  rule_updates=rule_updates,
                                  rulegroup_version=integer)
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

rule_updates = [
    {
        "description": "string",
        "disposition_id": 0,
        "enabled": true,
        "field_values": [
            {
                "final_value": "string",
                "label": "string",
                "name": "string",
                "type": "string",
                "value": "string",
                "values": [
                    {
                        "label": "string",
                        "value": "string"
                    }
                ]
            }
        ],
        "instance_id": "string",
        "name": "string",
        "pattern_severity": "string",
        "rulegroup_version": 0
    }
]

response = falcon.update_rules_v2(comment="string",
                                  rulegroup_id="string",
                                  rule_updates=rule_updates,
                                  rulegroup_version=integer)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "comment": "string",
    "rule_updates": [
        {
            "description": "string",
            "disposition_id": integer,
            "enabled": boolean,
            "field_values": [
                {
                    "final_value": "string",
                    "label": "string",
                    "name": "string",
                    "type": "string",
                    "value": "string",
                    "values": ["string"]
                }
            ],
            "instance_id": "string",
            "name": "string",
            "pattern_severity": "string",
            "rulegroup_version": integer
        }
    ],
    "rulegroup_id": "string",
    "rulegroup_version": integer
}

response = falcon.command("update_rules_v2", body=body_payload)
print(response)

Edit-FalconIoaRule -Comment "string" -RulegroupId "string"

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
  "github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  comment := "string"
  description := "string"
  disposition_id := integer
  enabled := boolean
  final_value := "string"
  label := "string"
  name := "string"
  type := "string"
  value := "string"
  instance_id := "string"
  pattern_severity := "string"
  rulegroup_version := integer
  rulegroup_id := "string"

  response, err := client.CustomIoa.UpdateRulesV2(
    &custom_ioa.UpdateRulesV2Params{
      Body: &models.APIRuleUpdatesRequestV2{
        Comment: &comment,
        RuleUpdates: []interface{}{
          {
          Description: &description,
          DispositionID: &disposition_id,
          Enabled: &enabled,
          FieldValues: []interface{}{
            {
            FinalValue: &final_value,
            Label: &label,
            Name: &name,
            Type: &type,
            Value: &value,
            Values: []interface{}{},
            },
          },
          InstanceID: &instance_id,
          Name: &name,
          PatternSeverity: &pattern_severity,
          RulegroupVersion: &rulegroup_version,
          },
        },
        RulegroupID: &rulegroup_id,
        RulegroupVersion: &rulegroup_version,
      },
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.updateRulesV2(
  {
    comment: "string",
    ruleUpdates: [{
        description: "string",
        dispositionId: integer,
        enabled: boolean,
        fieldValues: [{
            finalValue: "string",
            label: "string",
            name: "string",
            type: "string",
            value: "string",
            values: []
          }],
        instanceId: "string",
        name: "string",
        patternSeverity: "string",
        rulegroupVersion: integer
      }],
    rulegroupId: "string",
    rulegroupVersion: integer
}  // body
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::update_rules_v2;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::ApiRuleUpdatesRequestV2;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let body = ApiRuleUpdatesRequestV2 {
        comment: Some("string".to_string()),
        rule_updates: vec![RuleUpdateV2 {
            description: Some("string".to_string()),
            disposition_id: Some(integer),
            enabled: Some(boolean),
            field_values: vec![FieldValue {
                name: Some("string".to_string()),
                type: Some("string".to_string()),
                value: Some("string".to_string()),
                values: vec![],
                ..Default::default()
            }],
            instance_id: Some("string".to_string()),
            name: Some("string".to_string()),
            pattern_severity: Some("string".to_string()),
            rulegroup_version: Some(integer),
            ..Default::default()
        }],
        rulegroup_id: Some("string".to_string()),
        rulegroup_version: Some(integer),
        ..Default::default()
    };

    let response = update_rules_v2(
        &falcon.cfg,  // configuration
        body,  // body
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

body = Falcon::ApiRuleUpdatesRequestV2.new(
  comment: 'string',
  rule_updates: [{
      description: 'string',
      disposition_id: integer,
      enabled: boolean,
      field_values: [{
          final_value: 'string',
          label: 'string',
          name: 'string',
          type: 'string',
          value: 'string',
          values: []
        }],
      instance_id: 'string',
      name: 'string',
      pattern_severity: 'string',
      rulegroup_version: integer
    }],
  rulegroup_id: 'string',
  rulegroup_version: integer
)

response = api.update_rules_v2(body)

puts response

validate

Validates field values and checks for matches if a test string is provided.

POST /ioarules/entities/rules/validate/v1

Scope Custom IOA: WRITE Consumes · Produces application/json

PEP 8 validate

Parameters

Name	Type	Data type	Description
body	body	dictionary	Full body payload in JSON format.
fields	body	list of dictionaries	List of dictionaries containing the fields to be validated.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

fields = [
    {
        "name": "string",
        "test_data": "string",
        "type": "string",
        "values": [
            {
                "label": "string",
                "value": "string"
            }
        ]
    }
]

response = falcon.validate(fields=fields)
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

fields = [
    {
        "name": "string",
        "test_data": "string",
        "type": "string",
        "values": [
            {
                "label": "string",
                "value": "string"
            }
        ]
    }
]

response = falcon.validate(fields=fields)
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "fields": [
        {
            "name": "string",
            "test_data": "string",
            "type": "string",
            "values": [
                {
                    "label": "string",
                    "value": "string"
                }
            ]
        }
    ]
}

response = falcon.command("validate", body=body_payload)
print(response)

Test-FalconIoaRule

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
  "github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  name := "string"
  test_data := "string"
  type := "string"
  label := "string"
  value := "string"

  response, err := client.CustomIoa.Validate(
    &custom_ioa.ValidateParams{
      Body: &models.APIValidationRequestV1{
        Fields: []interface{}{
          {
          Name: &name,
          TestData: &test_data,
          Type: &type,
          Values: []interface{}{
            {
            Label: &label,
            Value: &value,
            },
          },
          },
        },
      },
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.validate(
  {
    fields: [{
        name: "string",
        testData: "string",
        type: "string",
        values: [{
            label: "string",
            value: "string"
          }]
      }]
}  // body
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::validate;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::ApiValidationRequestV1;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let body = ApiValidationRequestV1 {
        fields: vec![ValidationRequestFieldV1 {
            name: Some("string".to_string()),
            test_data: Some("string".to_string()),
            type: Some("string".to_string()),
            values: vec![ValueItem {
                label: Some("string".to_string()),
                value: Some("string".to_string()),
                ..Default::default()
            }],
            ..Default::default()
        }],
        ..Default::default()
    };

    let response = validate(
        &falcon.cfg,  // configuration
        body,  // body
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

body = Falcon::ApiValidationRequestV1.new(
  fields: [{
      name: 'string',
      test_data: 'string',
      type: 'string',
      values: [{
          label: 'string',
          value: 'string'
        }]
    }]
)

response = api.validate(body)

puts response

query_patterns

Get all pattern severity IDs.

GET /ioarules/queries/pattern-severities/v1

Scope Custom IOA: READ Consumes · Produces application/json

PEP 8 query_patterns

Parameters

Name	Type	Data type	Description
limit	query	integer	Maximum number of records to return.
offset	query	integer	Starting index of overall result set from which to return ids.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_patterns(limit=integer, offset="string")
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_patterns(limit=integer, offset="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_patterns",
                          offset="string",
                          limit=integer)
print(response)

Get-FalconIoaSeverity -Limit integer -Offset integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  offset := "string"
  limit := int64(0)

  response, err := client.CustomIoa.QueryPatterns(
    &custom_ioa.QueryPatternsParams{
      Offset: &offset,
      Limit: &limit,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.queryPatterns(
  "string",  // offset
  integer  // limit
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::query_patterns;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = query_patterns(
        &falcon.cfg,  // configuration
        Some("string"),  // offset
        Some(integer),  // limit
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

response = api.query_patterns(offset: 'string', limit: integer)

puts response

query_platformsMixin0

Get all platform IDs.

GET /ioarules/queries/platforms/v1

Scope Custom IOA: READ Consumes · Produces application/json

PEP 8 query_platforms

Parameters

Name	Type	Data type	Description
limit	query	integer	Maximum number of records to return.
offset	query	integer	Starting index of overall result set from which to return ids.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_platforms(limit=integer, offset="string")
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_platformsMixin0(limit=integer, offset="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_platformsMixin0",
                          offset="string",
                          limit=integer)
print(response)

Get-FalconIoaPlatform -Limit integer -Offset integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  offset := "string"
  limit := int64(0)

  response, err := client.CustomIoa.QueryPlatformsMixin0(
    &custom_ioa.QueryPlatformsMixin0Params{
      Offset: &offset,
      Limit: &limit,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.queryPlatformsMixin0(
  "string",  // offset
  integer  // limit
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::query_platforms_mixin0;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = query_platforms_mixin0(
        &falcon.cfg,  // configuration
        Some("string"),  // offset
        Some(integer),  // limit
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

response = api.query_platforms_mixin0(offset: 'string', limit: integer)

puts response

query_rule_groups_full

Find all rule groups matching the query with optional filter.

GET /ioarules/queries/rule-groups-full/v1

Scope Custom IOA: READ Consumes · Produces application/json

PEP 8 query_rule_groups_full

Parameters

Name	Type	Data type	Description
filter	query	string	FQL formatted string used to limit the results. Available filters: `enabled`, `platform`, `name`, `description`, `rules.action_label`, `rules.name`, `rules.description`, `rules.pattern_severity`, `rules.ruletype_name`, `rules.enabled`. Filter range criteria: `created_on`, `modified_on`.
limit	query	integer	Maximum number of records to return.
offset	query	integer	Starting index of overall result set from which to return ids.
q	query	string	Match query criteria which includes all the filter string fields.
sort	query	string	The property to sort by. (Ex: modified_on.desc). Available sort fields: `created_by`, `created_on`, `modified_by`, `modified_on`, `enabled`, `name`, `description`.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groups_full(filter="string",
                                         limit=integer,
                                         offset="string",
                                         q="string",
                                         sort="string")
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groups_full(filter="string",
                                         limit=integer,
                                         offset="string",
                                         q="string",
                                         sort="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_groups_full",
                          sort="string",
                          filter="string",
                          q="string",
                          offset="string",
                          limit=integer)
print(response)

Get-FalconIoaGroup -Filter "string" `
  -Query "string" `
  -Sort "string" `
  -Limit integer `
  -Offset integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  sort := "string"
  filter := "string"
  q := "string"
  offset := "string"
  limit := int64(0)

  response, err := client.CustomIoa.QueryRuleGroupsFull(
    &custom_ioa.QueryRuleGroupsFullParams{
      Sort: &sort,
      Filter: &filter,
      Q: &q,
      Offset: &offset,
      Limit: &limit,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.queryRuleGroupsFull(
  "string",  // sort
  "string",  // filter
  "string",  // q
  "string",  // offset
  integer  // limit
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::query_rule_groups_full;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = query_rule_groups_full(
        &falcon.cfg,  // configuration
        Some("string"),  // sort
        Some("string"),  // filter
        Some("string"),  // q
        Some("string"),  // offset
        Some(integer),  // limit
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

response = api.query_rule_groups_full(sort: 'string',
                                      filter: 'string',
                                      q: 'string',
                                      offset: 'string',
                                      limit: integer)

puts response

query_rule_groupsMixin0

Finds all rule group IDs matching the query with optional filter.

GET /ioarules/queries/rule-groups/v1

Scope Custom IOA: READ Consumes · Produces application/json

PEP 8 query_rule_groups

Parameters

Name	Type	Data type	Description
filter	query	string	FQL formatted string used to limit the results. Available filters: `enabled`, `platform`, `name`, `description`, `rules.action_label`, `rules.name`, `rules.description`, `rules.pattern_severity`, `rules.ruletype_name`, `rules.enabled`. Filter range criteria: `created_on`, `modified_on`.
limit	query	integer	Maximum number of records to return.
offset	query	integer	Starting index of overall result set from which to return ids.
q	query	string	Match query criteria which includes all the filter string fields.
sort	query	string	The property to sort by. (Ex: modified_on.desc). Available sort fields: `created_by`, `created_on`, `modified_by`, `modified_on`, `enabled`, `name`, `description`.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groups(filter="string",
                                    limit=integer,
                                    offset="string",
                                    q="string",
                                    sort="string")
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_groupsMixin0(filter="string",
                                          limit=integer,
                                          offset="string",
                                          q="string",
                                          sort="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_groupsMixin0",
                          sort="string",
                          filter="string",
                          q="string",
                          offset="string",
                          limit=integer)
print(response)

Get-FalconIoaGroup -Filter "string" `
  -Query "string" `
  -Sort "string" `
  -Limit integer `
  -Offset integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  sort := "string"
  filter := "string"
  q := "string"
  offset := "string"
  limit := int64(0)

  response, err := client.CustomIoa.QueryRuleGroupsMixin0(
    &custom_ioa.QueryRuleGroupsMixin0Params{
      Sort: &sort,
      Filter: &filter,
      Q: &q,
      Offset: &offset,
      Limit: &limit,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.queryRuleGroupsMixin0(
  "string",  // sort
  "string",  // filter
  "string",  // q
  "string",  // offset
  integer  // limit
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::query_rule_groups_mixin0;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = query_rule_groups_mixin0(
        &falcon.cfg,  // configuration
        Some("string"),  // sort
        Some("string"),  // filter
        Some("string"),  // q
        Some("string"),  // offset
        Some(integer),  // limit
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

response = api.query_rule_groups_mixin0(sort: 'string',
                                        filter: 'string',
                                        q: 'string',
                                        offset: 'string',
                                        limit: integer)

puts response

query_rule_types

Get all rule type IDs.

GET /ioarules/queries/rule-types/v1

Scope Custom IOA: READ Consumes · Produces application/json

PEP 8 query_rule_types

Parameters

Name	Type	Data type	Description
limit	query	integer	Maximum number of records to return.
offset	query	integer	Starting index of overall result set from which to return ids.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_types(limit=integer, offset="string")
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rule_types(limit=integer, offset="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rule_types",
                          offset="string",
                          limit=integer)
print(response)

Get-FalconIoaType -Limit integer -Offset integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  offset := "string"
  limit := int64(0)

  response, err := client.CustomIoa.QueryRuleTypes(
    &custom_ioa.QueryRuleTypesParams{
      Offset: &offset,
      Limit: &limit,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.queryRuleTypes(
  "string",  // offset
  integer  // limit
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::query_rule_types;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = query_rule_types(
        &falcon.cfg,  // configuration
        Some("string"),  // offset
        Some(integer),  // limit
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

response = api.query_rule_types(offset: 'string', limit: integer)

puts response

query_rulesMixin0

Finds all rule IDs matching the query with optional filter.

GET /ioarules/queries/rules/v1

Scope Custom IOA: READ Consumes · Produces application/json

PEP 8 query_rules

Parameters

Name	Type	Data type	Description
filter	query	string	FQL formatted string used to limit the results. Available filters: `enabled`, `platform`, `name`, `description`, `rules.action_label`, `rules.name`, `rules.description`, `rules.pattern_severity`, `rules.ruletype_name`, `rules.enabled`. Filter range criteria: `created_on`, `modified_on`.
limit	query	integer	Maximum number of records to return.
offset	query	integer	Starting index of overall result set from which to return ids.
q	query	string	Match query criteria which includes all the filter string fields.
sort	query	string	The property to sort by. (Ex: rules.created_on.desc). Available sort fields: `rules.ruletype_name`, `rules.enabled`, `rules.created_by`, `rules.current_version.name`, `rules.current_version.modified_by`, `rules.created_on`, `rules.current_version.description`, `rules.current_version.pattern_severity`, `rules.current_version.action_label`, `rules.current_version.modified_on`.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rules(filter="string",
                              limit=integer,
                              offset="string",
                              q="string",
                              sort="string")
print(response)

from falconpy import CustomIOA

falcon = CustomIOA(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_rulesMixin0(filter="string",
                                    limit=integer,
                                    offset="string",
                                    q="string",
                                    sort="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("query_rulesMixin0",
                          sort="string",
                          filter="string",
                          q="string",
                          offset="string",
                          limit=integer)
print(response)

Get-FalconIoaRule -Filter "string" `
  -Query "string" `
  -Sort "string" `
  -Limit integer `
  -Offset integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/custom_ioa"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  sort := "string"
  filter := "string"
  q := "string"
  offset := "string"
  limit := int64(0)

  response, err := client.CustomIoa.QueryRulesMixin0(
    &custom_ioa.QueryRulesMixin0Params{
      Sort: &sort,
      Filter: &filter,
      Q: &q,
      Offset: &offset,
      Limit: &limit,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.customIoa.queryRulesMixin0(
  "string",  // sort
  "string",  // filter
  "string",  // q
  "string",  // offset
  integer  // limit
);

console.log(response);

use rusty_falcon::apis::custom_ioa_api::query_rules_mixin0;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = query_rules_mixin0(
        &falcon.cfg,  // configuration
        Some("string"),  // sort
        Some("string"),  // filter
        Some("string"),  // q
        Some("string"),  // offset
        Some(integer),  // limit
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CustomIoa.new

response = api.query_rules_mixin0(sort: 'string',
                                  filter: 'string',
                                  q: 'string',
                                  offset: 'string',
                                  limit: integer)

puts response

Custom IOA

Table of Contents

get_patterns

Parameters

Code Examples

get_platformsMixin0

Parameters

Code Examples

get_rule_groupsMixin0

Parameters

Code Examples

create_rule_groupMixin0

Parameters

Code Examples

delete_rule_groupsMixin0

Parameters

Code Examples

update_rule_groupMixin0

Parameters

Code Examples

get_rule_types

Parameters

Code Examples

get_rules_get

Parameters

Code Examples

get_rulesMixin0

Parameters

Code Examples

create_rule

Parameters

Code Examples

delete_rules

Parameters

Code Examples

update_rules

Parameters

Code Examples

update_rules_v2

Parameters

Code Examples

validate

Parameters

Code Examples

query_patterns

Parameters

Code Examples

query_platformsMixin0

Parameters

Code Examples

query_rule_groups_full

Parameters

Code Examples

query_rule_groupsMixin0

Parameters

Code Examples

query_rule_types

Parameters

Code Examples

query_rulesMixin0

Parameters

Code Examples