ioa_exclusions
IOA Exclusions samples
The examples within this folder focus on leveraging CrowdStrike Falcon IOA Exclusions collection.
IOA Audit
This program will output a list of IOA exclusions and their details for either the current CID or in each Child CID (Flight Control scenarios). This can be used for regular audits of IOA exclusions across multiple CIDs.
Running the program
In order to run this demonstration, you you will need access to CrowdStrike API keys with the following scopes:
IOA Exclusions
READ
Flight Control
READ
Sensor Download
READ
[!NOTE] This program can be executed using an API key that is not scoped for the Flight Control (MSSP) and Sensor Download service collections, but will be unable to lookup the current CID (Sensor Download) or access child CIDs (Flight Control).
Execution syntax
This sample leverages simple command-line arguments to implement functionality.
Basic usage
Execute the default example. This will output results to a CSV file named ioa_exclusions.txt.
python3 ioa_audit.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRETThis sample supports Environment Authentication, meaning you can execute any of the command lines shown below without providing credentials if you have the values
FALCON_CLIENT_IDandFALCON_CLIENT_SECRETdefined in your environment.
python3 ioa_audit.pyChange the output destination with the -o argument.
python3 ioa_audit.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -o new_ioa_exclusions.txtEnable MSSP mode and audit all Flight Control children with the -m argument.
python3 ioa_audit.py -k $FALCON_CLIENT_ID_PARENT -s $FALCON_CLIENT_SECRET_PARENT -mEnable MSSP mode and audit a specific Flight Control child with the -c argument.
python3 ioa_audit.py -k $FALCON_CLIENT_ID_PARENT -s $FALCON_CLIENT_SECRET_PARENT -c CHILD_CIDAPI debugging can be enabled using the
-dargument.
python3 ioa_audit.py -dCommand-line help
Command-line help is available via the -h argument.
usage: ioa_audit.py [-h] [-d] [-m] [-c CHILD] [-o OUTPUT_FILE] [-k CLIENT_ID] [-s CLIENT_SECRET]
_______ __ _______ __ __ __
| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
|: 1 | |: 1 |
|::.. . | |::.. . | FalconPy
`-------' `-------'
_____ _______ _____
/\ \ /::\ \ /\ \
/::\ \ /::::\ \ /::\ \
\:::\ \ /::::::\ \ /::::\ \
\:::\ \ /::::::::\ \ /::::::\ \
\:::\ \ /:::/~~\:::\ \ /:::/\:::\ \
\:::\ \ /:::/ \:::\ \ /:::/__\:::\ \
/::::\ \ /:::/ / \:::\ \ /::::\ \:::\ \
____ /::::::\ \ /:::/____/ \:::\____\ /::::::\ \:::\ \
/\ \ /:::/\:::\ \ |:::| | |:::| | /:::/\:::\ \:::\ \
/::\ \/:::/ \:::\____\|:::|____| |:::| |/:::/ \:::\ \:::\____\
\:::\ /:::/ \::/ / \:::\ \ /:::/ / \::/ \:::\ /:::/ /
\:::\/:::/ / \/____/ \:::\ \ /:::/ / \/____/ \:::\/:::/ /
\::::::/ / \:::\ /:::/ / \::::::/ /
\::::/____/ \:::\__/:::/ / \::::/ /
\:::\ \ \::::::::/ / /:::/ /
\:::\ \ \::::::/ / /:::/ /
\:::\ \ \::::/ / /:::/ /
\:::\____\ \::/____/ /:::/ /
\::/ / ¯¯ \::/ /
\/____/ ▄▄▄ █ ▀ \/____/
█▄▄ ▀▄▀ █▀▀ █ █ █ █▀▀ █ █▀█ █▀█ █▀▀
█▄▄ ▄▀▄ █▄▄ █▄ █▄█ ▄▄█ █ █▄█ █ █ ▄▄█
This program will output a list of IOA exclusions and their details for
either the current CID or in each Child CID (Flight Control scenarios).
This can be used for regular audits of IOA exclusions across multiple CIDs.
Developed by @Don-Swanson-Adobe
optional arguments:
-h, --help show this help message and exit
-d, --debug Enable API debugging
-m, --mssp List groups in all child CIDs (MSSP parents only)
-c CHILD, --child CHILD
List groups in a specific child CID (MSSP parents only)
-o OUTPUT_FILE, --output_file OUTPUT_FILE
File to output results to
Required arguments:
-k CLIENT_ID, --client_id CLIENT_ID
CrowdStrike Falcon API key
-s CLIENT_SECRET, --client_secret CLIENT_SECRET
CrowdStrike Falcon API secretExample source code
The source code for this example can be found here.
Last updated
Was this helpful?