The examples within this folder focus on leveraging CrowdStrike's Falcon IOC API.

The `create_ioc.py` sample demonstrates the creation of a single IOC using either the Service Class or the Uber Class. Indicator detail is loaded from an external JSON file that can be specified on the command line.
In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:

| Service Collection | Scope |
| --- | --- |
| IOC | WRITE |
This sample leverages simple command-line arguments to implement functionality.

Create an indicator using the sample indicator file `example_indicator.json`. The default method uses the Service Class to interact with the CrowdStrike API.

```shell
python3 create_ioc.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET
```

Perform the operation using the Uber Class instead with the `-m` argument.

```shell
python3 create_ioc.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -m uber
```

Load a custom indicator file with the `-i` argument. (The indicator should be in JSON format.)

```shell
python3 create_ioc.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -i custom_indicator.json
```

Command-line help is available via the `-h` argument.

```shell
python3 create_ioc.py -h
```
```
usage: create_ioc.py [-h] -k FALCON_CLIENT_ID -s FALCON_CLIENT_SECRET [-m METHOD] [-i INDICATOR]

 ___ _______ _______
|   ||   _   ||   _   |
|. ||. | ||. 1___|
|. ||. | ||. |___
|: ||: 1 ||: 1 |
|::.||::.. . ||::.. . |
`---'`-------'`-------'

Create IOC Example - @jshcodes 06.23.21
FalconPy v.0.8.6+

INDICATOR FILE FORMAT EXAMPLE (JSON)
{
    "source": "Test",
    "action": "detect",
    "expiration": "2023-01-22T15:00:00.000Z",
    "description": "Testing",
    "type": "ipv4",
    "value": "4.1.42.34",
    "platforms": ["linux"],
    "severity": "LOW",
    "applied_globally": true
}

optional arguments:
  -h, --help            show this help message and exit
  -k FALCON_CLIENT_ID, --falcon_client_id FALCON_CLIENT_ID
                        Falcon API Client ID
  -s FALCON_CLIENT_SECRET, --falcon_client_secret FALCON_CLIENT_SECRET
                        Falcon API Client Secret
  -m METHOD, --method METHOD
                        SDK method to use ('service' or 'uber').
  -i INDICATOR, --indicator INDICATOR
                        Path to the file representing the indicator (JSON format).
```
The source code for this example can be found here.
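A pre-flight check for the indicator file format shown in the help text above, added here as an example and not part of the sample or of FalconPy: it validates the JSON fields before anything is sent, then submits the indicator through the Service Class. The allowed value sets are assumptions taken from the Falcon IOC API documentation, and `create_ioc` assumes the `IOC.indicator_create(body=...)` signature.

```python
import ipaddress
import re
from datetime import datetime, timezone
# Value sets assumed from the Falcon IOC API documentation, not taken from this page.
ALLOWED_TYPES = {"ipv4", "ipv6", "domain", "md5", "sha256"}
ALLOWED_ACTIONS = {"no_action", "allow", "prevent_no_ui", "prevent", "detect"}
ALLOWED_SEVERITIES = {"informational", "low", "medium", "high", "critical"}
ALLOWED_PLATFORMS = {"windows", "mac", "linux"}
HASH_LEN = {"md5": 32, "sha256": 64}
REQUIRED = {"type", "value", "action", "platforms"}

def validate_indicator(ind):
    """Return a list of problems; an empty list means the indicator is well-formed."""
    problems = [f"missing field: {f}" for f in sorted(REQUIRED - ind.keys())]
    if problems:
        return problems
    itype, value = ind["type"], str(ind["value"])
    if itype not in ALLOWED_TYPES:
        problems.append(f"unknown type: {itype}")
    elif itype in ("ipv4", "ipv6"):
        try:
            if ipaddress.ip_address(value).version != int(itype[-1]):
                problems.append(f"{value} is not an {itype} address")
        except ValueError:
            problems.append(f"{value} is not a valid IP address")
    elif itype in HASH_LEN and not re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LEN[itype], value):
        problems.append(f"{itype} value must be {HASH_LEN[itype]} hex characters")
    if ind["action"] not in ALLOWED_ACTIONS:
        problems.append(f"unknown action: {ind['action']}")
    if ind.get("severity") and str(ind["severity"]).lower() not in ALLOWED_SEVERITIES:
        problems.append(f"unknown severity: {ind['severity']}")
    bad = set(ind["platforms"]) - ALLOWED_PLATFORMS
    if bad:
        problems.append(f"unknown platforms: {sorted(bad)}")
    if "expiration" in ind:
        try:
            exp = datetime.fromisoformat(str(ind["expiration"]).replace("Z", "+00:00"))
            if exp <= datetime.now(timezone.utc):
                problems.append("expiration is in the past")
        except ValueError:
            problems.append("expiration is not an ISO 8601 timestamp")
    return problems

def create_ioc(ind, client_id, client_secret):
    """Push one validated indicator through the FalconPy Service Class (needs falconpy)."""
    problems = validate_indicator(ind)
    if problems:
        raise ValueError("; ".join(problems))
    from falconpy import IOC  # imported here so validation runs without the SDK installed
    return IOC(client_id=client_id, client_secret=client_secret).indicator_create(body={"indicators": [ind]})
```

Run against the sample indicator shown in the help text, the check reports its 2023 expiration as already passed, so update the date before creating it.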
The `ioc_audit.py` sample outputs a list of IOCs and their details for either the current CID or for each child CID (Flight Control scenarios). This can be used for regular audits of IOCs across multiple CIDs.

In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:

| Service Collection | Scope |
| --- | --- |
| IOC | READ |
| Flight Control | READ |
| Sensor Download | READ |

Note: This program can be executed using an API key that is not scoped for the Flight Control (MSSP) and Sensor Download service collections, but it will then be unable to look up the current CID (Sensor Download) or access child CIDs (Flight Control).
This sample leverages simple command-line arguments to implement functionality.

Execute the default example. This will output results to a CSV file named `iocs.txt`.

```shell
python3 ioc_audit.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET
```

This sample supports Environment Authentication, meaning you can execute any of the command lines shown below without providing credentials if you have the values `FALCON_CLIENT_ID` and `FALCON_CLIENT_SECRET` defined in your environment.

```shell
python3 ioc_audit.py
```

Change the output destination with the `-o` argument.

```shell
python3 ioc_audit.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -o new_iocs.txt
```

Enable MSSP mode and audit all Flight Control children with the `-m` argument.

```shell
python3 ioc_audit.py -k $FALCON_CLIENT_ID_PARENT -s $FALCON_CLIENT_SECRET_PARENT -m
```

Enable MSSP mode and audit a specific Flight Control child with the `-c` argument.

```shell
python3 ioc_audit.py -k $FALCON_CLIENT_ID_PARENT -s $FALCON_CLIENT_SECRET_PARENT -c CHILD_CID
```

API debugging can be enabled using the `-d` argument.

```shell
python3 ioc_audit.py -d
```

Command-line help is available via the `-h` argument.

```shell
python3 ioc_audit.py -h
```
```
usage: ioc_audit.py [-h] [-d] [-m] [-c CHILD] [-o OUTPUT_FILE] [-k CLIENT_ID] [-s CLIENT_SECRET]

 _______ __ _______ __ __ __
| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
|: 1 | |: 1 |
|::.. . | |::.. . | FalconPy
`-------' `-------'
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄
▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌
▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀▀▀
▐░▌ ▐░▌ ▐░▌▐░▌
▐░▌ ▐░▌ ▐░▌▐░▌
▐░▌ ▐░▌ ▐░▌▐░▌
▐░▌ ▐░▌ ▐░▌▐░▌
▐░▌ ▐░▌ ▐░▌▐░▌
▄▄▄▄█░█▄▄▄▄ ▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄
▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌
▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀
▄▄▄ █ ▀
█▄▄ ▀▄▀ █▀▀ █ █ █ █▀▀ █ █▀█ █▀█ █▀▀
█▄▄ ▄▀▄ █▄▄ █▄ █▄█ ▄▄█ █ █▄█ █ █ ▄▄█

This program will output a list of IOCs and their details for either the
current CID or in each Child CID (Flight Control scenarios). This can be
used for regular audits of indicators of compromise across multiple CIDs.

Developed by @Don-Swanson-Adobe

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           Enable API debugging
  -m, --mssp            List exclusions in all child CIDs (MSSP parents only)
  -c CHILD, --child CHILD
                        List exclusions in a specific child CID (MSSP parents only)
  -o OUTPUT_FILE, --output_file OUTPUT_FILE
                        File to output results to

Required arguments:
  -k CLIENT_ID, --client_id CLIENT_ID
                        CrowdStrike Falcon API key
  -s CLIENT_SECRET, --client_secret CLIENT_SECRET
                        CrowdStrike Falcon API secret
```
The source code for this example can be found here.
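An audit loop in the shape of `ioc_audit.py`, added here as an example and not the sample's own code: it drains a paginated FalconPy endpoint and tags each indicator as active or expired, the kind of stale entry a periodic audit should surface. The FalconPy response layout (`status_code`, `body.meta.pagination.total`, `body.resources`) and passing `IOC(...).indicator_combined_v1` as the fetch callable are assumptions; for Flight Control children the same functions run once per child, with the `IOC` object constructed using `member_cid`.

```python
from datetime import datetime, timezone

COLUMNS = ["cid", "id", "type", "value", "action", "severity",
           "platforms", "expiration", "applied_globally", "status"]

def fetch_all(fetch, page_size=100):
    """Drain a paginated endpoint. fetch(offset=, limit=) must return the usual FalconPy
    response dict (body.meta.pagination.total, body.resources), e.g. IOC(...).indicator_combined_v1."""
    offset, total, found = 0, None, []
    while total is None or offset < total:
        resp = fetch(offset=offset, limit=page_size)
        if resp["status_code"] != 200:
            raise RuntimeError(f"IOC query failed: {resp['body'].get('errors')}")
        body = resp["body"]
        total = body["meta"]["pagination"]["total"]
        page = body.get("resources") or []
        if not page:  # server reported more than it returned: stop, do not spin
            break
        found.extend(page)
        offset += len(page)
    return found

def audit_rows(cid, indicators, now=None):
    """One CSV-ready row per indicator; status flags IOCs whose expiration has passed."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for ioc in indicators:
        exp = ioc.get("expiration")
        expired = bool(exp) and datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now
        row = {col: ioc.get(col) for col in COLUMNS}
        row.update(cid=cid, platforms=";".join(ioc.get("platforms", [])),
                   status="expired" if expired else "active")
        rows.append(row)
    return rows

# Constructed sample data standing in for indicator_combined_v1 resources.
SAMPLE = [
    {"id": "ioc-1", "type": "ipv4", "value": "4.1.42.34", "action": "detect",
     "severity": "low", "platforms": ["linux"], "applied_globally": True,
     "expiration": "2023-01-22T15:00:00.000Z"},
    {"id": "ioc-2", "type": "sha256", "value": "a" * 64, "action": "prevent",
     "severity": "high", "platforms": ["windows", "mac"], "applied_globally": False,
     "expiration": "2099-01-01T00:00:00Z"},
]

def fake_fetch(offset=0, limit=100):
    """Fake paginated endpoint over SAMPLE, in FalconPy's response shape."""
    return {"status_code": 200, "body": {
        "meta": {"pagination": {"total": len(SAMPLE), "offset": offset}},
        "resources": SAMPLE[offset:offset + limit]}}
```

The rows are ready for `csv.DictWriter(f, fieldnames=COLUMNS)`, which is how the CSV named by `-o` would be written.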