
IOCs

The IOCs service collection provides operations for querying custom indicators of compromise (IOCs). This class has been superseded by the newer IOC service class: the create, get, update, delete and search operations below are deprecated and ignore any arguments passed to them, while the host and process lookup operations (devices_count, devices_ran_on, processes_ran_on and entities_processes) remain usable.

Language     Last Update
Python       v1.4.6
PowerShell   v2.2.9
Go           v0.20.0
TypeScript   v0.6.0
Rust         v0.7.0
Ruby         v1.2.0
Operation           PEP 8 method name    Description
DevicesCount        devices_count        Number of hosts in your customer account that have observed a given custom IOC.
GetIOC              get_ioc              Deprecated. Superseded by the IOC.indicator_get_v1 operation and no longer used.
CreateIOC           create_ioc           Deprecated. Superseded by the IOC.indicator_create_v1 operation and no longer used.
DeleteIOC           delete_ioc           Deprecated. Superseded by the IOC.indicator_delete_v1 operation and no longer used.
UpdateIOC           update_ioc           Deprecated. Superseded by the IOC.indicator_update_v1 operation and no longer used.
DevicesRanOn        devices_ran_on       Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1.
QueryIOCs           query_iocs           Deprecated. Superseded by the IOC.indicator_search_v1 operation and no longer used.
ProcessesRanOn      processes_ran_on     Search for processes associated with a custom IOC.
entities_processes  entities_processes   Retrieve the process details for the provided ProcessIDs.

Number of hosts in your customer account that have observed a given custom IOC.

Method: GET
Route: /indicators/aggregates/devices-count/v1
Scope: IOCs (Indicators of Compromise): READ
Consumes: application/json
Produces: application/json
PEP 8 method name: devices_count

Name        Type   Data type   Description
type        query  string      The type of the indicator. Valid types include: sha256 (hex-encoded SHA-256 hash string, length min: 64, max: 64); md5 (hex-encoded MD5 hash string, length min: 32, max: 32); domain (a domain name, length min: 1, max: 200); ipv4 (a valid IPv4 address); ipv6 (a valid IPv6 address).
value       query  string      The string representation of the indicator.
parameters  query  dictionary  Full query string parameters payload in JSON format.
```python
from falconpy import Iocs

# CLIENT_ID and CLIENT_SECRET are your Falcon API client credentials.
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

# type must be one of: sha256, md5, domain, ipv4, ipv6
response = falcon.devices_count(type="sha256", value="string")
print(response)
```

This operation has been superseded by the IOC.indicator_get_v1 operation and is no longer used.

Method: GET
Route: /indicators/entities/iocs/v1
Scope: IOCs (Indicators of Compromise): READ
Consumes: application/json
Produces: application/json
PEP 8 method name: get_ioc
deprecated

Keywords and arguments are ignored in deprecated methods. This method and the corresponding endpoint are deprecated.

Examples coming soon.


This operation has been superseded by the IOC.indicator_create_v1 operation and is no longer used.

Method: POST
Route: /indicators/entities/iocs/v1
Scope: IOCs (Indicators of Compromise): WRITE
Consumes: application/json
Produces: application/json
PEP 8 method name: create_ioc
deprecated

Keywords and arguments are ignored in deprecated methods. This method and the corresponding endpoint are deprecated.

Examples coming soon.


This operation has been superseded by the IOC.indicator_delete_v1 operation and is no longer used.

Method: DELETE
Route: /indicators/entities/iocs/v1
Scope: IOCs (Indicators of Compromise): WRITE
Consumes: application/json
Produces: application/json
PEP 8 method name: delete_ioc
deprecated

Keywords and arguments are ignored in deprecated methods. This method and the corresponding endpoint are deprecated.

Examples coming soon.


This operation has been superseded by the IOC.indicator_update_v1 operation and is no longer used.

Method: PATCH
Route: /indicators/entities/iocs/v1
Scope: IOCs (Indicators of Compromise): WRITE
Consumes: application/json
Produces: application/json
PEP 8 method name: update_ioc
deprecated

Keywords and arguments are ignored in deprecated methods. This method and the corresponding endpoint are deprecated.

Examples coming soon.


Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1.

Method: GET
Route: /indicators/queries/devices/v1
Scope: IOCs (Indicators of Compromise): READ
Consumes: application/json
Produces: application/json
PEP 8 method name: devices_ran_on

Name        Type   Data type   Description
type        query  string      The type of the indicator. Valid types include: sha256 (hex-encoded SHA-256 hash string, length min: 64, max: 64); md5 (hex-encoded MD5 hash string, length min: 32, max: 32); domain (a domain name, length min: 1, max: 200); ipv4 (a valid IPv4 address); ipv6 (a valid IPv6 address).
value       query  string      The string representation of the indicator.
limit       query  integer     Maximum number of results to return.
offset      query  integer     Starting offset to begin returning results.
parameters  query  dictionary  Full query string parameters payload in JSON format.
```python
from falconpy import Iocs

# CLIENT_ID and CLIENT_SECRET are your Falcon API client credentials.
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

# type must be one of: sha256, md5, domain, ipv4, ipv6.
# limit and offset are integers; page with offset until meta.pagination.total is reached.
response = falcon.devices_ran_on(type="sha256",
                                 limit=100,
                                 offset=0,
                                 value="string")
print(response)
```

This operation has been superseded by the IOC.indicator_search_v1 operation and is no longer used.

Method: GET
Route: /indicators/queries/iocs/v1
Scope: IOCs (Indicators of Compromise): READ
Consumes: application/json
Produces: application/json
PEP 8 method name: query_iocs
deprecated

Keywords and arguments are ignored in deprecated methods. This method and the corresponding endpoint are deprecated.

Examples coming soon.


Search for processes associated with a custom IOC.

Method: GET
Route: /indicators/queries/processes/v1
Scope: IOCs (Indicators of Compromise): READ
Consumes: application/json
Produces: application/json
PEP 8 method name: processes_ran_on

Name        Type   Data type   Description
type        query  string      The type of the indicator. Valid types include: sha256 (hex-encoded SHA-256 hash string, length min: 64, max: 64); md5 (hex-encoded MD5 hash string, length min: 32, max: 32); domain (a domain name, length min: 1, max: 200); ipv4 (a valid IPv4 address); ipv6 (a valid IPv6 address).
value       query  string      The string representation of the indicator.
device_id   query  string      Specify a host AID to return only processes from that host.
limit       query  integer     Maximum number of results to return.
offset      query  integer     Starting offset to begin returning results.
parameters  query  dictionary  Full query string parameters payload in JSON format.
```python
from falconpy import Iocs

# CLIENT_ID and CLIENT_SECRET are your Falcon API client credentials.
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

# type must be one of: sha256, md5, domain, ipv4, ipv6.
# device_id restricts the search to a single host AID; limit and offset are integers.
response = falcon.processes_ran_on(type="sha256",
                                   limit=100,
                                   offset=0,
                                   device_id="string",
                                   value="string")
print(response)
```

Retrieve the process details for the provided ProcessIDs.

Method: GET
Route: /processes/entities/processes/v1
Scope: IOCs (Indicators of Compromise): READ
Consumes: application/json
Produces: application/json
PEP 8 method name: entities_processes

Name        Type   Data type                  Description
ids         query  string or list of strings  ProcessID for the running process you want to look up.
parameters  query  dictionary                 Full query string parameters payload in JSON format.
```python
from falconpy import Iocs

# CLIENT_ID and CLIENT_SECRET are your Falcon API client credentials.
falcon = Iocs(client_id=CLIENT_ID,
              client_secret=CLIENT_SECRET
              )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_processes(ids=id_list)
print(response)
```
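The three non-deprecated lookups above are normally chained when sweeping a fleet for an indicator: devices_ran_on gives the host AIDs, processes_ran_on (scoped with device_id) gives the process IDs on each host, and entities_processes turns those IDs into process detail records. The example below is added here and is not code from the FalconPy project. It validates the indicator locally against the constraints listed in the `type` parameter tables, follows limit/offset pagination until `meta.pagination.total` is reached, and fails loudly on any non-200 response. The `FakeIocs` class and its data are constructed for this example so it runs offline; against the live API, pass an `Iocs(client_id=..., client_secret=...)` instance instead. The response shape used (`status_code`, `body.resources`, `body.meta.pagination.total`) is the standard FalconPy result dictionary and is assumed here.

```python
"""Sweep a custom IOC across the fleet with the legacy Iocs service class (added example)."""
import ipaddress
import re
from typing import Dict, List

# Constraints exactly as documented for the `type` parameter on this page.
VALID_TYPES = ("sha256", "md5", "domain", "ipv4", "ipv6")
_HEX_LENGTH = {"sha256": 64, "md5": 32}


def validate_indicator(ioc_type: str, value: str) -> str:
    """Check the indicator locally and return it normalised, or raise ValueError.

    The API would reject a malformed indicator anyway, but a local check avoids
    spending API calls on typos and gives the caller a precise error.
    """
    if ioc_type not in VALID_TYPES:
        raise ValueError(f"unsupported type {ioc_type!r}; expected one of {VALID_TYPES}")
    value = value.strip()
    if ioc_type in _HEX_LENGTH:
        n = _HEX_LENGTH[ioc_type]
        if not re.fullmatch(rf"[0-9a-fA-F]{{{n}}}", value):
            raise ValueError(f"{ioc_type} must be exactly {n} hex characters")
        return value.lower()
    if ioc_type == "domain":
        if not 1 <= len(value) <= 200:
            raise ValueError("domain must be 1 to 200 characters")
        return value.lower().rstrip(".")
    addr = ipaddress.ip_address(value)  # raises ValueError if it is not an IP address at all
    if addr.version != (4 if ioc_type == "ipv4" else 6):
        raise ValueError(f"{value!r} is not an {ioc_type} address")
    return str(addr)


def _resources(response: dict) -> list:
    """Unwrap a FalconPy result dictionary (assumed shape), raising on anything but HTTP 200."""
    if response.get("status_code") != 200:
        errors = response.get("body", {}).get("errors")
        raise RuntimeError(f"API error {response.get('status_code')}: {errors}")
    return response.get("body", {}).get("resources") or []


def _paged(call, page_size: int, **query) -> List[str]:
    """Call a query method repeatedly, advancing offset until meta.pagination.total is reached."""
    results: List[str] = []
    offset = 0
    while True:
        resp = call(limit=page_size, offset=offset, **query)
        page = _resources(resp)
        results.extend(page)
        offset += len(page)
        total = resp["body"].get("meta", {}).get("pagination", {}).get("total", offset)
        if not page or offset >= total:
            return results


def sweep(falcon, ioc_type: str, value: str, page_size: int = 100) -> Dict[str, List[dict]]:
    """Return {host AID: [process detail records]} for every host that observed the IOC."""
    value = validate_indicator(ioc_type, value)
    hits: Dict[str, List[dict]] = {}
    for aid in _paged(falcon.devices_ran_on, page_size, type=ioc_type, value=value):
        pids = _paged(falcon.processes_ran_on, page_size, type=ioc_type, value=value, device_id=aid)
        hits[aid] = _resources(falcon.entities_processes(ids=pids)) if pids else []
    return hits


class FakeIocs:
    """Offline stand-in for falconpy.Iocs with constructed data: 5 hosts, 2 processes each."""

    def __init__(self):
        self.hosts = [f"aid{i:02d}" for i in range(5)]
        self.procs = {aid: [f"pid:{aid}:{n}" for n in range(2)] for aid in self.hosts}
        self.calls = 0  # counts API round trips so pagination behaviour is visible

    @staticmethod
    def _page(items, limit, offset):
        return {"status_code": 200, "body": {
            "meta": {"pagination": {"offset": offset, "limit": limit, "total": len(items)}},
            "resources": items[offset:offset + limit], "errors": []}}

    def devices_ran_on(self, type, value, limit, offset):
        self.calls += 1
        return self._page(self.hosts, limit, offset)

    def processes_ran_on(self, type, value, device_id, limit, offset):
        self.calls += 1
        return self._page(self.procs[device_id], limit, offset)

    def entities_processes(self, ids):
        self.calls += 1
        return {"status_code": 200, "body": {"resources": [{"process_id": i} for i in ids], "errors": []}}


if __name__ == "__main__":
    fake = FakeIocs()
    result = sweep(fake, "sha256", "A" * 64, page_size=2)
    print(f"{len(result)} hosts observed the indicator ({fake.calls} API calls)")
```

Against the real API the per-host process lookups dominate the call count, so for an indicator seen on thousands of hosts consider collecting the AIDs first and triaging with the Hosts details endpoint named above before pulling process records. The pagination helper stops on an empty page as well as on reaching `total`, so a backend that under-reports `total` cannot loop it forever.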