
IOC

The IOC service collection provides operations for managing custom Indicators of Compromise (IOC) within your CrowdStrike environment. Create, update, delete, and search for indicators. Query aggregates, retrieve action and type information, and look up device and process data associated with custom IOCs.

Language | Last Update
--- | ---
Python | v1.4.6
PowerShell | v2.2.9
Go | v0.20.0
TypeScript | v0.6.0
Rust | v0.7.0
Ruby | v1.2.0
Sample Code

This service collection has code examples posted to the repository.

Operation | PEP 8 method | Description
--- | --- | ---
indicator_aggregate_v1 | indicator_aggregate | Get Indicators aggregates as specified via json in the request body.
indicator_combined_v1 | indicator_combined | Get combined results (full indicator records rather than ids) for Indicators.
action_get_v1 | action_get | Get Actions by ids.
GetIndicatorsReport | get_indicators_report | Launch an indicators report creation job.
indicator_get_v1 | indicator_get | Get Indicators by ids.
indicator_create_v1 | indicator_create | Create Indicators.
indicator_delete_v1 | indicator_delete | Delete Indicators by ids or a filter.
indicator_update_v1 | indicator_update | Update Indicators.
action_query_v1 | action_query | Query Actions.
indicator_search_v1 | indicator_search | Search for Indicators.
ioc_type_query_v1 | ioc_type_query | Query IOC Types.
platform_query_v1 | platform_query | Query Platforms.
severity_query_v1 | severity_query | Query Severities.
DevicesCount | devices_count_legacy | Number of hosts in your customer account that have observed a given custom IOC.
indicator_get_device_count_v1 | devices_count | Number of hosts in your customer account that have observed a given custom IOC.
DevicesRanOn | devices_ran_on_legacy | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1.
indicator_get_devices_ran_on_v1 | devices_ran_on | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1.
ProcessesRanOn | processes_ran_on_legacy | Search for processes associated with a custom IOC. (Deprecated)
indicator_get_processes_ran_on_v1 | processes_ran_on | Search for processes associated with a custom IOC.
entities_processes | entities_processes | For the provided ProcessID retrieve the process details.

Get Indicators aggregates as specified via json in the request body.

POST /iocs/aggregates/indicators/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: indicator_aggregate

Name | Type | Data type | Description
--- | --- | --- | ---
body | body | list of dictionaries | Full body payload in JSON format.
date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: [{"from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z"}, {"from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z"}]
exclude | body | string | Elements to exclude.
field | body | string | The field on which to compute the aggregation.
filter | body | string | FQL syntax formatted string to use to filter the results.
from | body | integer | Starting position.
include | body | string | Elements to include.
interval | body | string | Time interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute.
max_doc_count | body | integer | Only return buckets whose document count is less than or equal to this value.
min_doc_count | body | integer | Only return buckets whose document count is greater than or equal to this value.
missing | body | string | The value to use when the aggregation field is missing from the object. By default such documents are ignored; setting missing treats them as if they had this value.
name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q | body | string | Full text search across all metadata fields.
ranges | body | list of dictionaries | Applies to range aggregations. Range values depend on the field. For example, if max_severity is used, ranges might look like: [{"From": 0, "To": 70}, {"From": 70, "To": 100}]
size | body | integer | The maximum number of term buckets to be returned.
sub_aggregates | body | list of dictionaries | A nested aggregation, such as: [{"name": "max_first_behavior", "type": "max", "field": "first_behavior"}]. There is a maximum of 3 nested aggregations per request.
sort | body | string | FQL syntax string to sort bucket results. _count sorts by document count; _term sorts by the string value alphabetically. Supports asc and desc using the \| format. Example: _count\|desc
time_zone | body | string | Time zone for bucket results.
type | body | string | Type of aggregation. Valid values include: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

date_ranges = [
    {
        "from": "string",
        "to": "string"
    }
]

ranges = [
    {
        "From": 0,
        "To": 0
    }
]

sub_aggregates = [
    {
        "name": "string",
        "type": "string",
        "field": "string"
    }
]

# "from" is a Python reserved word, so it cannot be written as from=...;
# unpack it from a dictionary instead.
response = falcon.indicator_aggregate(date_ranges=date_ranges,
                                      exclude="string",
                                      field="string",
                                      filter="string",
                                      include="string",
                                      interval="string",
                                      max_doc_count=100,
                                      min_doc_count=1,
                                      missing="string",
                                      name="string",
                                      q="string",
                                      ranges=ranges,
                                      size=10,
                                      sort="string",
                                      sub_aggregates=sub_aggregates,
                                      time_zone="string",
                                      type="string",
                                      **{"from": 0})
print(response)

Get combined results for Indicators: the full indicator records matching the filter, rather than only their ids.

GET /iocs/combined/indicator/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: indicator_combined

Name | Type | Data type | Description
--- | --- | --- | ---
after | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filter | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters: type, value, action, severity, platforms, tags, expiration, expired, applied_globally, host_groups, created_on, created_by, modified_on, modified_by, source.
from_parent | query | boolean | Return only indicators belonging to the requesting customer, or only those inherited from its MSSP parents.
limit | query | integer | Maximum number of results to return.
offset | query | integer | The offset to start retrieving records from. offset and after are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k IOCs, use the after parameter instead of offset.
parameters | query | dictionary | Full query string parameters payload in JSON format.
sort | query | string | FQL Syntax formatted sort filter.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

# Pass either after (scrolling) or offset, never both; after is the only
# way past the 10k result ceiling.
response = falcon.indicator_combined(after="string",
                                     filter="string",
                                     from_parent=False,
                                     limit=100,
                                     sort="string")
print(response)
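The after-token scrolling described above, worked through as an added example (this is not FalconPy's own code). It walks every indicator matching a filter with indicator_combined, then groups the ones about to expire by action so prevent-mode entries that are quietly lapsing stand out. Assumptions not stated on this page: the next token is returned at body.meta.pagination.after, and the FQL date comparison form expiration:<'...' is the one used for the cutoff. The falcon client is only constructed under __main__, so the functions can be exercised against any object exposing indicator_combined.

```python
import os
import sys
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterator, List


def iter_indicators(falcon, fql_filter: str, limit: int = 500,
                    sort: str = "created_on|desc") -> Iterator[Dict]:
    """Yield every indicator record matching fql_filter.

    Uses the after token, never offset, so result sets larger than 10k are
    walked completely. Assumed (not stated on this page): the next token is
    returned at body.meta.pagination.after.
    """
    after = None
    while True:
        kwargs = {"filter": fql_filter, "limit": limit, "sort": sort}
        if after:
            kwargs["after"] = after
        response = falcon.indicator_combined(**kwargs)
        if response.get("status_code") != 200:
            raise RuntimeError(f"indicator_combined failed: "
                               f"{response.get('body', {}).get('errors')}")
        body = response.get("body") or {}
        resources = body.get("resources") or []
        for record in resources:
            yield record
        next_after = ((body.get("meta") or {}).get("pagination") or {}).get("after")
        # Stop on an empty page, a missing token, or a token that did not advance
        # (the last guard keeps a misbehaving response from looping forever).
        if not resources or not next_after or next_after == after:
            break
        after = next_after


def expiring_within(falcon, days: int) -> Dict[str, List[str]]:
    """Group unexpired IOCs that lapse within `days` by their action.

    Prevent-mode indicators that silently expire are the ones worth renewing
    first. The FQL date comparison form used here is an assumption.
    """
    cutoff = (datetime.now(timezone.utc) + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    fql = f"expired:false+expiration:<'{cutoff}'"
    by_action: Dict[str, List[str]] = {}
    for ioc in iter_indicators(falcon, fql):
        key = ioc.get("action") or "unknown"
        by_action.setdefault(key, []).append(f"{ioc.get('type')}:{ioc.get('value')}")
    return by_action


if __name__ == "__main__":
    from falconpy import IOC  # credentials from the environment (assumed variable names)

    client = IOC(client_id=os.environ["FALCON_CLIENT_ID"],
                 client_secret=os.environ["FALCON_CLIENT_SECRET"])
    horizon = int(sys.argv[1]) if len(sys.argv) > 1 else 7
    for action, values in expiring_within(client, days=horizon).items():
        print(f"{action}: {len(values)} indicator(s) expiring within {horizon} day(s)")
        for entry in values:
            print("  ", entry)
```

The generator never passes offset, so the same code works whether the tenant holds fifty custom IOCs or half a million; the identical-token guard is cheap insurance against a page that repeats its own cursor.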

Get Actions by ids.

GET /iocs/entities/actions/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: action_get

Name | Type | Data type | Description
--- | --- | --- | ---
ids | query | string or list of strings | The ids of the actions to retrieve.
parameters | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.action_get(ids=id_list)
print(response)

Launch an indicators report creation job

POST /iocs/entities/indicators-reports/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: get_indicators_report

Name | Type | Data type | Description
--- | --- | --- | ---
body | body | dictionary | Full body payload in JSON format.
filter | body | string | FQL formatted string specifying the search filter. Overridden if the search keyword is provided.
from_parent | body | boolean | Return results for the parent only.
query | body | string | FQL formatted string specifying the search query. Overridden if the search keyword is provided.
report_format | body | string | Format of the report.
search | body | dictionary | Search parameters provided as a dictionary. Overrides values provided in the filter, query and sort keywords.
sort | body | string | FQL formatted string specifying the sort. Overridden if the search keyword is provided.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

# When search is supplied it overrides the filter, query and sort keywords.
search = {
    "filter": "string",
    "query": "string",
    "sort": "string"
}

response = falcon.get_indicators_report(filter="string",
                                        from_parent=False,
                                        query="string",
                                        report_format="string",
                                        search=search,
                                        sort="string")
print(response)

Get Indicators by ids.

GET /iocs/entities/indicators/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: indicator_get

Name | Type | Data type | Description
--- | --- | --- | ---
ids | query | string or list of strings | The ids of the Indicators to retrieve.
parameters | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.indicator_get(ids=id_list)
print(response)

Create Indicators.

POST /iocs/entities/indicators/v1
Scope: IOC Management: WRITE · Consumes: application/json · Produces: application/json
PEP 8 method name: indicator_create

Name | Type | Data type | Description
--- | --- | --- | ---
action | body | string | Default action for the IOC.
applied_globally | body | boolean | Flag indicating this IOC is applied globally.
body | body | dictionary | Full body payload in JSON format.
comment | body | string | IOC comment.
description | body | string | IOC description.
expiration | body | string | UTC formatted date string.
filename | body | string | Filename to use for the metadata dictionary.
host_groups | body | string or list of strings | List of host groups this IOC applies to.
ignore_warnings | query | boolean | Flag to indicate that warnings are ignored.
indicators | body | list of dictionaries | List of indicators to create. Overrides other keywords excluding body. Allows for the creation of multiple indicators at once.
metadata | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used.
mobile_action | body | string | Mobile action to perform.
parameters | query | dictionary | Full query string parameters payload in JSON format.
platforms | body | string or list of strings | Platforms this IOC impacts.
retrodetects | query | boolean | Flag to indicate whether to submit retrodetects.
severity | body | string | IOC severity.
source | body | string | IOC source.
tags | body | string or list of strings | IOC tags.
type | body | string | IOC type.
value | body | string | String representation of the IOC.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

indicators = [
    {
        "action": "string",
        "applied_globally": True,
        "description": "string",
        "expiration": "2021-10-22T10:40:39.372Z",
        "host_groups": [
            "string"
        ],
        "metadata": {
            "filename": "string"
        },
        "mobile_action": "string",
        "platforms": [
            "string"
        ],
        "severity": "string",
        "source": "string",
        "tags": [
            "string"
        ],
        "type": "string",
        "value": "string"
    }
]

# When the indicators keyword is supplied it overrides the single-indicator
# keywords (everything except body); both styles are shown here only so the
# full keyword list is visible.
response = falcon.indicator_create(action="string",
                                   applied_globally=True,
                                   comment="string",
                                   description="string",
                                   expiration="string",
                                   filename="string",
                                   host_groups=["string"],
                                   ignore_warnings=False,
                                   indicators=indicators,
                                   metadata={"filename": "string"},
                                   mobile_action="string",
                                   platforms="string",
                                   retrodetects=False,
                                   severity="string",
                                   source="string",
                                   tags=["string"],
                                   type="string",
                                   value="string")
print(response)
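A worked bulk-create flow, added here as an example and not taken from FalconPy itself. Because indicator_create can reject a whole batch on one malformed entry, the feed is validated locally first using the type rules this page lists under devices_count (sha256 is 64 hex characters, md5 is 32, domains are 1 to 200 characters, ipv4 and ipv6 must parse). Duplicates are collapsed, hashes are lower-cased so the same sample does not appear twice under different casing, and each entry gets an explicit expiration. The action value detect and the platform names are assumed; confirm them against action_query and platform_query in your tenant. The sample feed is constructed, and the client is only built under __main__.

```python
import ipaddress
import os
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Conservative hostname check: labels of letters, digits and hyphens joined by dots.
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def validate_ioc(ioc_type: str, value: str) -> str:
    """Return the normalised value, or raise ValueError if it does not fit the type."""
    value = value.strip()
    if ioc_type in ("sha256", "md5"):
        expected = 64 if ioc_type == "sha256" else 32
        if len(value) != expected or not HEX_RE.match(value):
            raise ValueError(f"{ioc_type} must be {expected} hex characters: {value!r}")
        return value.lower()
    if ioc_type == "domain":
        if not 1 <= len(value) <= 200 or not DOMAIN_RE.match(value):
            raise ValueError(f"invalid domain: {value!r}")
        return value.lower()
    if ioc_type in ("ipv4", "ipv6"):
        addr = ipaddress.ip_address(value)  # raises ValueError on garbage
        if addr.version != int(ioc_type[3]):
            raise ValueError(f"{value!r} is not {ioc_type}")
        return str(addr)
    raise ValueError(f"unsupported IOC type: {ioc_type}")


def build_indicators(raw: Iterable[Tuple[str, str, str]], *, action: str, platforms: List[str],
                     severity: str, source: str, days_valid: int = 30) -> Tuple[List[Dict], List[Tuple]]:
    """Turn (type, value, description) tuples into indicator_create payload entries.

    Returns (indicators, rejected). Rejected entries carry the reason so the
    caller can log them instead of letting the API refuse the whole batch.
    """
    expiration = (datetime.now(timezone.utc) + timedelta(days=days_valid)).strftime("%Y-%m-%dT%H:%M:%SZ")
    indicators, rejected, seen = [], [], set()
    for ioc_type, value, description in raw:
        try:
            clean = validate_ioc(ioc_type, value)
        except ValueError as exc:
            rejected.append((ioc_type, value, str(exc)))
            continue
        if (ioc_type, clean) in seen:
            continue
        seen.add((ioc_type, clean))
        indicators.append({
            "type": ioc_type, "value": clean, "action": action,
            "platforms": list(platforms), "severity": severity, "source": source,
            "description": description, "applied_globally": True,
            "expiration": expiration,
        })
    return indicators, rejected


def create_indicators(falcon, indicators: List[Dict]) -> Tuple[List[str], List[Dict]]:
    """Submit with IOC.indicator_create and return (created_ids, errors).

    FalconPy responses are dictionaries with status_code and body; body carries
    resources and errors.
    """
    response = falcon.indicator_create(indicators=indicators, ignore_warnings=False)
    body = response.get("body") or {}
    created = [r.get("id") for r in body.get("resources") or []]
    errors = list(body.get("errors") or [])
    if response.get("status_code") not in (200, 201) and not errors:
        errors.append({"code": response.get("status_code"), "message": "unexpected status"})
    return created, errors


# Constructed sample feed: a good sha256, the same hash in different case,
# a malformed md5, an IPv6 address mislabelled as ipv4, a domain and an IPv6.
SAMPLE_FEED = [
    ("sha256", "A" * 64, "dropper from phishing wave"),
    ("sha256", "a" * 64, "same hash, different case"),
    ("md5", "not-a-hash", "bad entry"),
    ("ipv4", "2001:db8::1", "mislabelled"),
    ("domain", "evil.example", "C2 domain"),
    ("ipv6", "2001:db8::1", "C2 address"),
]

if __name__ == "__main__":
    from falconpy import IOC  # credentials from the environment (assumed variable names)

    client = IOC(client_id=os.environ["FALCON_CLIENT_ID"],
                 client_secret=os.environ["FALCON_CLIENT_SECRET"])
    good, bad = build_indicators(SAMPLE_FEED, action="detect",
                                 platforms=["windows", "mac", "linux"],
                                 severity="high", source="threat feed")
    for entry in bad:
        print("rejected:", entry)
    ids, errs = create_indicators(client, good)
    print(f"created {len(ids)} indicator(s); {len(errs)} error(s): {errs}")
```

Rejecting locally matters beyond convenience: a feed entry that is really an IPv6 address but tagged ipv4 would never match anything, and a hash stored twice with different casing is the kind of drift that makes later bulk deletes by filter miss entries.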

Delete Indicators by ids or a filter.

DELETE /iocs/entities/indicators/v1
Scope: IOC Management: WRITE · Consumes: application/json · Produces: application/json
PEP 8 method name: indicator_delete

Name | Type | Data type | Description
--- | --- | --- | ---
filter | query | string | FQL Syntax formatted filter that should be used to delete indicators in bulk. If both filter and ids are provided, filter takes precedence and ids is ignored.
from_parent | query | boolean | Limit the action to IOCs originating from the MSSP parent.
ids | query | string or list of strings | The ids of the Indicators to delete. If both filter and ids are provided, filter takes precedence and ids is ignored.
parameters | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

# Supply ids or filter, not both: if filter is present, ids is ignored.
response = falcon.indicator_delete(ids=id_list, from_parent=False)
print(response)
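The precedence rule in the table above is the kind of thing that turns a scripted clean-up into a mass deletion: if a caller passes ids and also leaves a filter in place, the filter wins and the ids are silently ignored. The guarded wrapper below is an added example, not FalconPy's own code. It refuses the combination, previews a filter-based delete with indicator_search before committing, and requires a confirmation callback to return True. It assumes (not stated on this page) that the number of matches is available at body.meta.pagination.total in the search response.

```python
import sys
from typing import Callable, Dict, Iterable, Optional, Union


def delete_indicators(falcon, *, ids: Union[str, Iterable[str], None] = None,
                      fql: Optional[str] = None,
                      confirm: Callable[[int], bool] = lambda n: False) -> Dict:
    """Delete custom IOCs by id list or by FQL filter, never both.

    The API lets filter silently override ids; here that combination is an
    error. A filter-based delete is previewed with indicator_search and only
    proceeds when confirm(total) returns True. The default confirm refuses,
    so a bare call is always a dry run.
    """
    if bool(ids) == bool(fql):
        raise ValueError("pass exactly one of ids or fql")

    if fql:
        preview = falcon.indicator_search(filter=fql, limit=1)
        if preview.get("status_code") != 200:
            raise RuntimeError(f"preview failed: {preview.get('body', {}).get('errors')}")
        # Assumed location of the match count in the search response.
        pagination = ((preview.get("body") or {}).get("meta") or {}).get("pagination") or {}
        total = int(pagination.get("total", 0))
        if total == 0:
            return {"deleted": 0, "errors": [], "skipped": "filter matched nothing"}
        if not confirm(total):
            return {"deleted": 0, "errors": [], "skipped": f"not confirmed for {total} indicator(s)"}
        response = falcon.indicator_delete(filter=fql)
    else:
        id_list = [i.strip() for i in ids.split(",")] if isinstance(ids, str) else list(ids)
        if not confirm(len(id_list)):
            return {"deleted": 0, "errors": [], "skipped": f"not confirmed for {len(id_list)} indicator(s)"}
        response = falcon.indicator_delete(ids=id_list)

    body = response.get("body") or {}
    return {"deleted": len(body.get("resources") or []),
            "errors": list(body.get("errors") or []),
            "status_code": response.get("status_code")}


def confirm_on_tty(n: int) -> bool:
    """Interactive confirmation; refuses automatically when there is no terminal."""
    if not sys.stdin.isatty():
        return False
    return input(f"Delete {n} indicator(s)? type 'yes' to continue: ").strip() == "yes"


if __name__ == "__main__":
    import os
    from falconpy import IOC  # credentials from the environment (assumed variable names)

    client = IOC(client_id=os.environ["FALCON_CLIENT_ID"],
                 client_secret=os.environ["FALCON_CLIENT_SECRET"])
    # Example: retire everything a particular feed contributed (source value assumed).
    print(delete_indicators(client, fql="source:'retired threat feed'", confirm=confirm_on_tty))
```

The preview request asks for a single record, so it costs one cheap call and gives the operator the number they are about to commit to before anything is removed.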

Update Indicators.

PATCH /iocs/entities/indicators/v1
Scope: IOC Management: WRITE · Consumes: application/json · Produces: application/json
PEP 8 method name: indicator_update

Name | Type | Data type | Description
--- | --- | --- | ---
action | body | string | Default action for the IOC.
applied_globally | body | boolean | Flag indicating this IOC is applied globally.
body | body | dictionary | Full body payload in JSON format.
bulk_update | body | dictionary | Dictionary containing the indicator update in JSON format. Not necessary when using other keywords.
comment | body | string | IOC comment.
description | body | string | IOC description.
expiration | body | string | UTC formatted date string.
filename | body | string | Filename to use for the metadata dictionary.
from_parent | body | boolean | Return results for the parent only.
host_groups | body | string or list of strings | List of host groups this IOC applies to.
id | body | string | The Indicator ID to be updated. At least one ID must be specified using this keyword, or as part of the indicators list using the indicators keyword.
ignore_warnings | query | boolean | Flag to indicate that warnings are ignored.
indicators | body | list of dictionaries | List of indicators to update. Overrides other keywords excluding body. Allows for the update of multiple indicators at once.
metadata | body | dictionary | Dictionary containing the filename for the IOC. Not required if the filename keyword is used.
mobile_action | body | string | Mobile action to perform.
parameters | query | dictionary | Full query string parameters payload in JSON format.
platforms | body | string or list of strings | Platforms this IOC impacts.
retrodetects | query | boolean | Flag to indicate whether to submit retrodetects.
severity | body | string | IOC severity.
source | body | string | IOC source.
tags | body | string or list of strings | IOC tags.
type | body | string | IOC type.
value | body | string | String representation of the IOC.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

bulk_update = {
    "action": "string",
    "applied_globally": True,
    "description": "string",
    "expiration": "2021-10-22T11:03:16.123Z",
    "filter": "string",
    "from_parent": True,
    "host_groups": [
        "string"
    ],
    "mobile_action": "string",
    "platforms": [
        "string"
    ],
    "severity": "string",
    "source": "string",
    "tags": [
        "string"
    ]
}

indicators = [
    {
        "action": "string",
        "applied_globally": True,
        "description": "string",
        "expiration": "2021-10-22T11:03:16.123Z",
        "host_groups": [
            "string"
        ],
        "id": "string",
        "metadata": {
            "filename": "string"
        },
        "mobile_action": "string",
        "platforms": [
            "string"
        ],
        "severity": "string",
        "source": "string",
        "tags": [
            "string"
        ]
    }
]

# Every keyword is shown for completeness. In practice choose one style:
# bulk_update (filter-driven), indicators (a list of ids with their changes),
# or id plus the single-indicator keywords.
response = falcon.indicator_update(action="string",
                                   applied_globally=True,
                                   bulk_update=bulk_update,
                                   comment="string",
                                   description="string",
                                   expiration="string",
                                   filename="string",
                                   from_parent=False,
                                   host_groups=["string"],
                                   id="string",
                                   indicators=indicators,
                                   ignore_warnings=False,
                                   metadata={"filename": "string"},
                                   mobile_action="string",
                                   platforms="string",
                                   retrodetects=False,
                                   severity="string",
                                   source="string",
                                   tags=["string"],
                                   type="string",
                                   value="string")
print(response)

Query Actions.

GET /iocs/queries/actions/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: action_query

Name | Type | Data type | Description
--- | --- | --- | ---
limit | query | integer | Maximum number of results to return.
offset | query | string | The offset to start retrieving records from.
parameters | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.action_query(limit=100, offset="string")
print(response)

Search for Indicators.

GET /iocs/queries/indicators/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: indicator_search

Name | Type | Data type | Description
--- | --- | --- | ---
after | query | string | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. To access more than 10k indicators, use the after parameter instead of offset.
filter | query | string | FQL Syntax formatted filter that should be used to limit the results. Available filters: type, value, action, severity, platforms, tags, expiration, expired, applied_globally, host_groups, created_on, created_by, modified_on, modified_by, source.
from_parent | query | boolean | Return results for the parent only.
limit | query | integer | Maximum number of results to return.
offset | query | integer | The offset to start retrieving records from. offset and after are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k IOCs, use the after parameter instead of offset.
parameters | query | dictionary | Full query string parameters payload in JSON format.
sort | query | string | FQL Syntax formatted sort filter.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

# Pass either after (scrolling) or offset, never both; after is the only
# way past the 10k result ceiling.
response = falcon.indicator_search(after="string",
                                   filter="string",
                                   from_parent=False,
                                   limit=100,
                                   sort="string")
print(response)

Query IOC Types.

GET /iocs/queries/ioc-types/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: ioc_type_query

Name | Type | Data type | Description
--- | --- | --- | ---
limit | query | integer | Maximum number of results to return.
offset | query | string | The offset to start retrieving records from.
parameters | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.ioc_type_query(limit=100, offset="string")
print(response)

Query Platforms.

GET /iocs/queries/platforms/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: platform_query

Name | Type | Data type | Description
--- | --- | --- | ---
limit | query | integer | Maximum number of results to return.
offset | query | string | The offset to start retrieving records from.
parameters | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.platform_query(limit=100, offset="string")
print(response)

Query Severities.

GET /iocs/queries/severities/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: severity_query

Name | Type | Data type | Description
--- | --- | --- | ---
limit | query | integer | Maximum number of results to return.
offset | query | string | The offset to start retrieving records from.
parameters | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.severity_query(limit=100, offset="string")
print(response)

Number of hosts in your customer account that have observed a given custom IOC

devices_count (or indicator_get_device_count_v1)

GET /iocs/aggregates/indicators/device-count/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: devices_count

Name | Type | Data type | Description
--- | --- | --- | ---
type | query | string | The type of the indicator. Valid types include: sha256 (hex-encoded sha256 hash, length 64), md5 (hex-encoded md5 hash, length 32), domain (domain name, length 1-200), ipv4 (valid IPv4 address), ipv6 (valid IPv6 address).
value | query | string | The string representation of the indicator.
parameters | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC
falcon = IOC(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.devices_count(type="string", value="string")
print(response)

Find hosts that have observed a given custom IOC.

devices_ran_on (or indicator_get_devices_ran_on_v1)

GET /iocs/queries/indicators/devices/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: devices_ran_on

Name | Type | Data type | Description
--- | --- | --- | ---
type | query | string | The type of the indicator. Valid types include: sha256 (hex-encoded sha256 hash, length 64), md5 (hex-encoded md5 hash, length 32), domain (domain name, length 1-200), ipv4 (valid IPv4 address), ipv6 (valid IPv6 address).
value | query | string | The string representation of the indicator.
limit | query | integer | Maximum number of results to return.
offset | query | integer | Starting offset to begin returning results.
parameters | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.devices_ran_on(type="string",
                                 limit=100,
                                 offset=0,
                                 value="string")
print(response)

Search for processes associated with a custom IOC

processes_ran_on (or indicator_get_processes_ran_on_v1)

GET /iocs/queries/indicators/processes/v1
Scope: IOC Management: READ · Consumes: application/json · Produces: application/json
PEP 8 method name: processes_ran_on

Name | Type | Data type | Description
--- | --- | --- | ---
type | query | string | The type of the indicator. Valid types include: sha256 (hex-encoded sha256 hash, length 64), md5 (hex-encoded md5 hash, length 32), domain (domain name, length 1-200), ipv4 (valid IPv4 address), ipv6 (valid IPv6 address).
value | query | string | The string representation of the indicator.
device_id | query | string | Specify a host AID to return only processes from that host.
limit | query | integer | Maximum number of results to return.
offset | query | integer | Starting offset to begin returning results.
parameters | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import IOC

falcon = IOC(client_id=CLIENT_ID,
             client_secret=CLIENT_SECRET
             )

response = falcon.processes_ran_on(type="string",
                                   limit=100,
                                   offset=0,
                                   device_id="string",
                                   value="string")
print(response)

For the provided ProcessID retrieve the process details

GET /processes/entities/processes/v1
Scope: IOCs (Indicators of Compromise): READ · Consumes: application/json · Produces: application/json
PEP 8 method name: entities_processes

Name | Type | Data type | Description
--- | --- | --- | ---
ids | query | string or list of strings | ProcessID for the running process you want to look up.
parameters | query | dictionary | Full query string parameters payload in JSON format.
from falconpy import Iocs
falcon = Iocs(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.entities_processes(ids=id_list)
print(response)
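The four read-only operations documented above (devices_count, devices_ran_on, processes_ran_on and entities_processes) chain naturally into a scoping step during an incident: given one indicator, which hosts saw it and what ran. The code below is an added example and not FalconPy's own; it assumes that devices_ran_on and processes_ran_on return plain ID strings in body.resources, that the count from devices_count is found in a device_count field on its first resource, that entities_processes returns one dictionary per process, and that the process field names read in summarize (command_line, start_timestamp) are illustrative. It also assumes the client object exposes entities_processes alongside the other methods (the example above uses the legacy Iocs class for that call; pass whichever client you use).

```python
import os
from typing import Any, Callable, Dict, List


def page_ids(call: Callable[..., Dict[str, Any]], limit: int = 100, **params) -> List[str]:
    """Drain an offset/limit query endpoint whose body.resources is a list of IDs."""
    offset, ids = 0, []
    while True:
        response = call(limit=limit, offset=offset, **params)
        if response.get("status_code") != 200:
            raise RuntimeError(f"{getattr(call, '__name__', 'query')} failed: "
                               f"{(response.get('body') or {}).get('errors')}")
        batch = (response.get("body") or {}).get("resources") or []
        ids.extend(batch)
        if len(batch) < limit:
            return ids
        offset += len(batch)


def triage_ioc(falcon, ioc_type: str, value: str, max_hosts: int = 50) -> Dict[str, Any]:
    """Build a per-host picture of where one custom IOC was observed.

    max_hosts bounds the number of per-host process lookups so a widely
    seen indicator (a common hash, a popular domain) does not fan out into
    thousands of calls; the report flags when it was capped.
    """
    count = falcon.devices_count(type=ioc_type, value=value)
    resources = (count.get("body") or {}).get("resources") or []
    # Assumed: the count sits in a device_count field on the first resource.
    device_count = resources[0].get("device_count") if resources else None

    report: Dict[str, Any] = {"type": ioc_type, "value": value,
                              "device_count": device_count, "hosts": {}}
    hosts = page_ids(falcon.devices_ran_on, type=ioc_type, value=value)
    report["truncated"] = len(hosts) > max_hosts
    for aid in hosts[:max_hosts]:
        pids = page_ids(falcon.processes_ran_on, type=ioc_type, value=value, device_id=aid)
        processes: List[Dict[str, Any]] = []
        if pids:
            detail = falcon.entities_processes(ids=pids)
            processes = (detail.get("body") or {}).get("resources") or []
        report["hosts"][aid] = {"process_ids": pids, "processes": processes}
    return report


def summarize(report: Dict[str, Any]) -> str:
    """Render the triage report as indented text for a ticket or chat post."""
    lines = [f"{report['type']} {report['value']}: {report['device_count']} host(s)"
             + (" [host list truncated]" if report.get("truncated") else "")]
    for aid, info in report["hosts"].items():
        lines.append(f"  {aid}: {len(info['process_ids'])} process(es)")
        for proc in info["processes"]:
            # command_line / start_timestamp are illustrative field names (assumed).
            lines.append(f"    {proc.get('start_timestamp', '?')}  {proc.get('command_line', proc)}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    from falconpy import IOC  # credentials from the environment (assumed variable names)

    client = IOC(client_id=os.environ["FALCON_CLIENT_ID"],
                 client_secret=os.environ["FALCON_CLIENT_SECRET"])
    ioc_type, ioc_value = sys.argv[1], sys.argv[2]
    print(summarize(triage_ioc(client, ioc_type, ioc_value)))
```

Host IDs come back as AIDs; to turn them into hostnames, follow the table's pointer to GET /devices/entities/devices/v1 with the same id list.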