Custom IOA examples
The examples in this folder focus on leveraging CrowdStrike's Custom IOA API to manage Indicators of Attack within your Falcon Tenant.
This solution supports MSSP scenarios and can clone rules to and delete rules from children.
Custom IOA Cloner - Clone, delete and display Custom IOA rule groups.
Custom IOA Cloner
Running the program
In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:
Custom IOA: READ, WRITE
Execution syntax
This demonstration was developed to leverage easy-to-use command-line arguments.
Command line arguments
This program accepts the following command line arguments.
-h, --help                                  Display command line help and exit
-n, --no_color                              Disable color output in result displays
-b BASE_URL, --base_url BASE_URL            Base URL
-t TABLE_FORMAT, --table_format TABLE_FORMAT
                                            Table format to use for display, one of: plain, simple, github, grid, fancy_grid, pipe, orgtbl, jira, presto, pretty, psql, rst, mediawiki, moinmoin, youtrack, html, unsafehtml, latex, latex_raw, latex_booktabs, latex_longtable, textile, or tsv.
-f FILTER, --filter FILTER                  String to filter results (IOA rule group name)
-c, --clone                                 Clone all IOA rule group matches to new rule groups
-d DELETE_LIST, --delete DELETE_LIST        List of rule group IDs to delete (comma-delimited)
-m MANAGED_TARGETS, --managed_targets MANAGED_TARGETS
                                            List of child CIDs to target for cloning / deletions (comma-delimited)
-k FALCON_CLIENT_ID, --falcon_client_id FALCON_CLIENT_ID
                                            CrowdStrike Falcon API Client ID
-s FALCON_CLIENT_SECRET, --falcon_client_secret FALCON_CLIENT_SECRET
                                            CrowdStrike Falcon API Client Secret
Basic usage
The only required command line arguments are -k (CrowdStrike Falcon API Client ID) and -s (CrowdStrike Falcon API Client Secret).
The default command is "list" with no filters specified, which displays all Custom IOA rule groups within your tenant.
Example
python3 custom_ioa_clone.py -k CLIENT_ID_HERE -s CLIENT_SECRET_HERE
Example result
_______ _ _ _______ _______ _____ _______ _____ _____ _______
| | | |______ | | | | | | | | | |_____|
|_____ |_____| ______| | |_____| | | | __|__ |_____| | |
╒══════════════════════════════════╤══════════════════════════════════════════╤════════════╤═════════════════════════════════╕
│ Custom IOA Name │ Description │ Platform │ Rules │
╞══════════════════════════════════╪══════════════════════════════════════════╪════════════╪═════════════════════════════════╡
│ Windows Test IOA │ Test IOA for windows │ windows │ windows custom IOA (ver: 2) │
│ abc1d2ef3g456ab7cd89e0fa1b23cd4e │ │ Enabled │ │
│ │ │ Version: 1 │ │
├──────────────────────────────────┼──────────────────────────────────────────┼────────────┼─────────────────────────────────┤
│ Linux Test IOA │ Validation test policy for custom IOA to │ linux │ │
│ 1bc1f2ec3a426ab7cd89e0fa1b23cd4f │ test linux │ Disabled │ │
│ │ │ Version: 1 │ │
├──────────────────────────────────┼──────────────────────────────────────────┼────────────┼─────────────────────────────────┤
│ test IOA │ test IOA │ windows │ │
│ abc1d2ef3g4c4cba4d89e02a1b23cd4a │ │ Disabled │ │
│ │ │ Version: 1 │ │
├──────────────────────────────────┼──────────────────────────────────────────┼────────────┼─────────────────────────────────┤
│ Exploit Demo │ Exploit Demo │ linux │ SecFrameWork (ver: 4) │
│ 6bc1d2ef3g456ab83d8ae0ba1b23cd4b │ │ Disabled │ │
│ │ │ Version: 1 │ │
├──────────────────────────────────┼──────────────────────────────────────────┼────────────┼─────────────────────────────────┤
│ Sec Framework IOA's │ Security Framework Custom IOAs │ linux │ SecFrameWork (ver: 20) │
│ abc1d2ef3a453ab1cd89e0f41b23cd4c │ │ Enabled │ Detect Shell Shoveling (ver: 4) │
│ │ │ Version: 1 │ │
╘══════════════════════════════════╧══════════════════════════════════════════╧════════════╧═════════════════════════════════╛
Filtering by name
You can filter results down using the -f argument to filter by name.
python3 custom_ioa_clone.py -k CLIENT_ID_HERE -s CLIENT_SECRET_HERE -f SEARCH_STRING
Cloning IOA rule groups
Cloning IOA rule groups can be performed by passing the -c argument. Any matches to the filter string (-f) are cloned.
python3 custom_ioa_clone.py -k CLIENT_ID_HERE -s CLIENT_SECRET_HERE -f SEARCH_STRING -c
Cloning IOA rule groups to a child
Cloning IOA rule groups to a child can be performed by passing the -c argument along with the -m argument. Any matches to the filter string (-f) are cloned into the valid children specified within the comma-delimited list provided.
python3 custom_ioa_clone.py -k CLIENT_ID_HERE -s CLIENT_SECRET_HERE -f SEARCH_STRING -c -m TARGET_CID_1,TARGET_CID_2
Deleting IOA rule groups
You must provide the exact rule group ID in order to delete using the -d argument. Multiple IDs may be specified at the same time if you provide them as a comma-delimited list.
python3 custom_ioa_clone.py -k CLIENT_ID_HERE -s CLIENT_SECRET_HERE -d RULE_GROUP_ID1,RULE_GROUP_ID2
Deleting IOA rule groups within a child
You may delete rule groups from within a single child by passing the child CID with the -m argument. You must provide the exact rule group ID in order to delete using the -d argument. Multiple IDs may be specified at the same time if you provide them as a comma-delimited list.
python3 custom_ioa_clone.py -k CLIENT_ID_HERE -s CLIENT_SECRET_HERE -m TARGET_CID_1 -d RULE_GROUP_ID1,RULE_GROUP_ID2
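The clone and delete operations above (filter by name, re-create matching groups and their rules in a target tenant or child CID, delete by exact rule group ID) can be reduced to a few pure functions with the API boundary kept separate. The block below is an added example written for this page; it is not the sample's own source. It assumes FalconPy's CustomIOA service class (its create_rule_group, create_rule and delete_rule_groups methods and the member_cid keyword for scoping a session to a child CID) and FalconPy's usual response shape of status_code plus body with resources and errors. The rule group records, the FakeCustomIOA stand-in and the rule field values are constructed so that everything runs offline.

```python
"""Clone and delete Custom IOA rule groups, with the FalconPy calls kept behind a
small interface so the selection and payload logic can run offline.

Added example for this README, not the sample's own source.  It assumes the
FalconPy CustomIOA service class (create_rule_group, create_rule,
delete_rule_groups, and the member_cid keyword) and FalconPy's response shape
{"status_code": int, "body": {"resources": [...], "errors": [...]}}.
"""
from __future__ import annotations

from typing import Any, Dict, List

# Rule attributes copied verbatim when a rule is re-created in the target group.
RULE_FIELDS = ("name", "description", "pattern_severity", "ruletype_id",
               "disposition_id", "field_values")
COMMENT = "Cloned by custom_ioa example"  # audit-log comment attached to every write


def split_list(arg: str) -> List[str]:
    """Parse a comma-delimited CLI value such as -d or -m; blank items are dropped."""
    return [item.strip() for item in arg.split(",") if item.strip()]


def match_groups(groups: List[Dict[str, Any]], search: str) -> List[Dict[str, Any]]:
    """Case-insensitive substring match on the group name, like the -f filter."""
    needle = search.lower()
    return [g for g in groups if needle in g.get("name", "").lower()]


def rule_group_payload(group: Dict[str, Any]) -> Dict[str, Any]:
    """Body for create_rule_group: the source group's name, description and platform."""
    return {"name": group["name"], "description": group.get("description", ""),
            "platform": group["platform"], "comment": COMMENT}


def rule_payload(rule: Dict[str, Any], new_group_id: str) -> Dict[str, Any]:
    """Body for create_rule: the rule's own fields, re-pointed at the new group."""
    body = {key: rule[key] for key in RULE_FIELDS if key in rule}
    body["rulegroup_id"] = new_group_id
    body["comment"] = COMMENT
    return body


def clone_rule_groups(source_groups, target, search: str = "") -> Dict[str, str]:
    """Re-create each matching group and its rules in `target`.

    Returns {source_group_id: new_group_id}.  A group whose create call fails is
    skipped and its rules are never sent, so no orphaned rules are created."""
    created: Dict[str, str] = {}
    for group in match_groups(source_groups, search):
        resp = target.create_rule_group(body=rule_group_payload(group))
        if resp["status_code"] not in (200, 201):
            continue
        new_id = resp["body"]["resources"][0]["id"]
        for rule in group.get("rules", []):
            target.create_rule(body=rule_payload(rule, new_id))
        created[group["id"]] = new_id
    return created


def delete_rule_groups(target, ids: List[str]) -> bool:
    """Delete by exact rule group ID (the -d path); True only on full success."""
    resp = target.delete_rule_groups(ids=ids, comment="Deleted by custom_ioa example")
    return resp["status_code"] == 200


def falcon_client(client_id: str, client_secret: str, member_cid: str | None = None):
    """Real client, built on demand so the offline logic above never touches the network.
    For MSSP use pass member_cid: the session is then scoped to that child CID."""
    from falconpy import CustomIOA  # assumption: FalconPy service class

    kwargs = {"client_id": client_id, "client_secret": client_secret}
    if member_cid:
        kwargs["member_cid"] = member_cid
    return CustomIOA(**kwargs)


class FakeCustomIOA:
    """Constructed in-memory stand-in exposing the three calls used above."""

    def __init__(self) -> None:
        self.groups: Dict[str, Dict[str, Any]] = {}
        self.rules: List[Dict[str, Any]] = []
        self._next = 0

    def create_rule_group(self, body):
        self._next += 1
        gid = f"clone{self._next:027d}"  # constructed 32-character ID
        self.groups[gid] = dict(body, id=gid)
        return {"status_code": 201, "body": {"resources": [self.groups[gid]], "errors": []}}

    def create_rule(self, body):
        self.rules.append(body)
        return {"status_code": 201, "body": {"resources": [body], "errors": []}}

    def delete_rule_groups(self, ids, comment=""):
        missing = [gid for gid in ids if gid not in self.groups]
        for gid in ids:
            self.groups.pop(gid, None)
        return {"status_code": 404 if missing else 200,
                "body": {"resources": [], "errors": [{"message": m} for m in missing]}}


# Constructed sample resembling the listing shown earlier; rule field values are illustrative.
SAMPLE_GROUPS = [
    {"id": "abc1d2ef3g456ab7cd89e0fa1b23cd4e", "name": "Windows Test IOA",
     "description": "Test IOA for windows", "platform": "windows", "enabled": True,
     "rules": [{"name": "windows custom IOA", "description": "", "pattern_severity": "medium",
                "ruletype_id": "5", "disposition_id": 20,
                "field_values": [{"name": "ImageFilename", "type": "excludable",
                                  "values": [{"label": "include", "value": ".*example\\.exe"}]}]}]},
    {"id": "1bc1f2ec3a426ab7cd89e0fa1b23cd4f", "name": "Linux Test IOA",
     "description": "Validation test policy for custom IOA to test linux",
     "platform": "linux", "enabled": False, "rules": []},
]

if __name__ == "__main__":
    child = FakeCustomIOA()  # swap for falcon_client(ID, SECRET, member_cid=CHILD_CID)
    print(clone_rule_groups(SAMPLE_GROUPS, child, search="windows"))
```

To run against a real child, build one client per CID from the -m list with falcon_client(..., member_cid=cid) and pass it as target; the parent tenant's groups come from a client without member_cid. Because the group is created before any of its rules, a failed create_rule_group leaves nothing behind in the child, and delete_rule_groups reports False when any ID in the list was not found, which is the signal to re-check the IDs rather than assume the deletion went through.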
Command-line help
Command-line help is available via the -h argument.
usage: custom_ioa_clone.py [-h] [-n] [-b BASE_URL] [-t TABLE_FORMAT] [-f FILTER] [-c] [-d DELETE] [-m MANAGED_TARGETS] [-k FALCON_CLIENT_ID] [-s FALCON_CLIENT_SECRET]
Custom IOA duplicator.
______ __ _______ __ __ __
| |.----.-----.--.--.--.--| | __| |_.----.|__| |--.-----.
| ---|| _| _ | | | | _ |__ | _| _|| | <| -__|
|______||__| |_____|________|_____|_______|____|__| |__|__|__|_____|
____ __ ______ _____ ______
/\ _`\ /\ \__ /\__ _\ /\ __`\/\ _ \
\ \ \/\_\ __ __ ____\ \ ,_\ ___ ___ ___ \/_/\ \/ \ \ \/\ \ \ \L\ \
\ \ \/_/_/\ \/\ \ /',__\\ \ \/ / __`\ /' __` __`\ \ \ \ \ \ \ \ \ \ __ \
\ \ \L\ \ \ \_\ \/\__, `\\ \ \_/\ \L\ \/\ \/\ \/\ \ \_\ \__\ \ \_\ \ \ \/\ \
\ \____/\ \____/\/\____/ \ \__\ \____/\ \_\ \_\ \_\ /\_____\\ \_____\ \_\ \_\
\/___/ \/___/ \/___/ \/__/\/___/ \/_/\/_/\/_/ \/_____/ \/_____/\/_/\/_/
______ __
| | |.-----.-----.-----.----.
| ---| || _ | | -__| _|
|______|__||_____|__|__|_____|__|
CrowdStrike FalconPy v.1.1
optional arguments:
-h, --help show this help message and exit
-n, --nocolor Disable color output
-b BASE_URL, --base_url BASE_URL
Base URL
-t TABLE_FORMAT, --table_format TABLE_FORMAT
Tabular display format
search arguments:
-f FILTER, --filter FILTER
String to filter results (IOA rule group name)
action arguments:
-c, --clone Clone all IOA rule group matches to new rule groups
-d DELETE, --delete DELETE
List of rule group IDs to delete (comma-delimit)
mssp arguments:
-m MANAGED_TARGETS, --managed_targets MANAGED_TARGETS
Comma delimited list of children to clone rules to.
required arguments:
-k FALCON_CLIENT_ID, --falcon_client_id FALCON_CLIENT_ID
CrowdStrike Falcon API Client ID
-s FALCON_CLIENT_SECRET, --falcon_client_secret FALCON_CLIENT_SECRET
CrowdStrike Falcon API Client Secret
Example source code
Source code for this example can be found here.