Create, modify, and delete custom indicators of compromise (IOCs) to enhance threat detection and prevention across your environment.

Cmdlets

Edit-FalconIoc

Modify custom indicators. Permissions: IOC Manager APIs: Write
Parameters:
  InputObject (object[]): One or more indicators to modify in a single request
  Action (string): Action to perform when a host observes the indicator
  Platform (string[]): Operating system platform
  Severity (string): Severity level
  Source (string): Origination source (1-256 characters)
  Description (string): Indicator description
  Filename (string): Indicator filename, used with hash values
  Tag (string[]): Indicator tag
  MobileAction (string): Action to perform when a mobile device observes the indicator. Valid values: allow, detect, no_action, prevent
  HostGroup (string[]): Host group identifier (32-character hex)
  AppliedGlobally (boolean): Assign to all host groups
  Expiration (string): Expiration date and time (UTC ISO 8601). When an indicator expires it is set to 'no_action'
  FromParent (boolean): Inheritance from parent CID
  Comment (string): Audit log comment
  Retrodetect (boolean): Generate retroactive detections for hosts that have observed the indicator
  IgnoreWarning (boolean): Ignore warnings and modify all indicators
  Id (string, required): Indicator identifier (64-character hex)
Example
# Update an indicator's severity
Edit-FalconIoc -Id '1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef' -Severity 'high' -Comment 'Updated severity based on new intelligence'

# Change action to prevent
Edit-FalconIoc -Id '1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef' -Action 'prevent' -Retrodetect $true

# Set expiration date
Edit-FalconIoc -Id '1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef' -Expiration '2024-12-31T23:59:59Z'

Get-FalconIoc

Search for custom indicators. Permissions: IOC Manager APIs: Read
Parameters:
  Id (string[]): Indicator identifier (64-character hex)
  Filter (string): Falcon Query Language expression to limit results
  Sort (string): Property and direction to sort results. Valid values:
    • action.asc, action.desc
    • applied_globally.asc, applied_globally.desc
    • metadata.av_hits.asc, metadata.av_hits.desc
    • metadata.company_name.raw.asc, metadata.company_name.raw.desc
    • created_by.asc, created_by.desc
    • created_on.asc, created_on.desc
    • expiration.asc, expiration.desc
    • expired.asc, expired.desc
    • metadata.filename.raw.asc, metadata.filename.raw.desc
    • modified_by.asc, modified_by.desc
    • modified_on.asc, modified_on.desc
    • severity_number.asc, severity_number.desc
    • source.asc, source.desc
    • type.asc, type.desc
    • value.asc, value.desc
  Limit (int32): Maximum number of results per request (1-2000)
  FromParent (boolean): Inheritance from parent CID
  Offset (int32): Position to begin retrieving results
  After (string): Pagination token to retrieve the next set of results
  Detailed (switch): Retrieve detailed information
  All (switch): Repeat requests until all available results are retrieved
  Total (switch): Display total result count instead of results
Example
# Get all custom IOCs
Get-FalconIoc -All -Detailed

# Search for indicators by type
Get-FalconIoc -Filter "type:'ipv4'" -Detailed

# Get indicators created in the last 24 hours
Get-FalconIoc -Filter "created_on:>'now-24h'" -Sort created_on.desc

# Get specific indicator by ID
Get-FalconIoc -Id '1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef'

# Get indicators set to 'prevent' action
Get-FalconIoc -Filter "action:'prevent'" -All

Get-FalconIocAction

Search for custom indicator actions. Permissions: IOC Manager APIs: Read
Parameters:
  Id (string[]): Custom indicator action identifier
  Limit (int32): Maximum number of results per request
  Offset (int32): Position to begin retrieving results
  Detailed (switch): Retrieve detailed information
  All (switch): Repeat requests until all available results are retrieved
Example
# Get all available IOC actions
Get-FalconIocAction -Detailed

Get-FalconIocPlatform

List custom indicator platforms. Permissions: IOC Manager APIs: Read
Parameters:
  Limit (int32): Maximum number of results per request
  Offset (int32): Position to begin retrieving results
  All (switch): Repeat requests until all available results are retrieved
Example
# List all supported platforms
Get-FalconIocPlatform

Get-FalconIocSeverity

List custom indicator severities. Permissions: IOC Manager APIs: Read
Parameters:
  Limit (int32): Maximum number of results per request
  Offset (int32): Position to begin retrieving results
  All (switch): Repeat requests until all available results are retrieved
Example
# List all severity levels
Get-FalconIocSeverity

Get-FalconIocType

List custom indicator types. Permissions: IOC Manager APIs: Read
Parameters:
  Limit (int32): Maximum number of results per request
  Offset (int32): Position to begin retrieving results
  All (switch): Repeat requests until all available results are retrieved
Example
# List all available IOC types
Get-FalconIocType

New-FalconIoc

Create custom indicators. Permissions: IOC Manager APIs: Write
Parameters:
  InputObject (object[]): One or more indicators to create in a single request
  Type (string, required): Indicator type
  Value (string, required): String representation of the indicator
  Action (string, required): Action to perform when a host observes the indicator
  Platform (string[], required): Operating system platform
  Severity (string, required): Severity level
  Source (string): Origination source (1-256 characters)
  Description (string): Indicator description
  Filename (string): Indicator filename, used with hash values
  Tag (string[]): Indicator tag
  MobileAction (string): Action to perform when a mobile device observes the indicator. Valid values: allow, detect, no_action, prevent
  HostGroup (string[]): Host group identifier (32-character hex). Required if AppliedGlobally is not set
  AppliedGlobally (boolean): Assign to all host groups. Required if HostGroup is not set
  Expiration (string): Expiration date and time (UTC ISO 8601). When an indicator expires it is set to 'no_action'
  Comment (string): Audit log comment
  Retrodetect (boolean): Generate retroactive detections for hosts that have observed the indicator
  IgnoreWarning (boolean): Ignore warnings and create all indicators
Example
# Create a malicious IP indicator
New-FalconIoc -Type 'ipv4' -Value '192.0.2.100' -Action 'prevent' -Platform 'windows','linux','mac' -Severity 'high' -Source 'Threat Intel Feed' -Description 'C2 server identified by threat intelligence' -AppliedGlobally $true -Comment 'Added from threat feed'

# Create a file hash indicator
New-FalconIoc -Type 'sha256' -Value 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' -Action 'detect' -Platform 'windows' -Severity 'medium' -Filename 'malware.exe' -AppliedGlobally $true -Retrodetect $true

# Create a domain indicator with expiration
New-FalconIoc -Type 'domain' -Value 'malicious-site.com' -Action 'prevent' -Platform 'windows','mac' -Severity 'critical' -Tag 'phishing','campaign-2024' -AppliedGlobally $true -Expiration '2024-12-31T23:59:59Z'

# Create indicator for specific host groups (host group IDs are 32-character hex values; placeholders shown)
$HostGroups = @('00112233445566778899aabbccddeeff', 'ffeeddccbbaa99887766554433221100')
New-FalconIoc -Type 'ipv4' -Value '198.51.100.50' -Action 'detect' -Platform 'linux' -Severity 'low' -HostGroup $HostGroups
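Added example (not from this page or the PSFalcon project): bulk-creating indicators from a constructed intelligence list, validating each entry against Get-FalconIocType and a per-type format check before calling New-FalconIoc with the documented parameters. The $Feed contents, the $Pattern table and the assumption that Get-FalconIocType returns type names as strings are this example's own.

```powershell
# Assumes an authenticated PSFalcon session (Request-FalconToken already called).
# Constructed sample feed for illustration; these are not real intelligence values.
$Feed = @(
    @{ Type = 'ipv4';   Value = '192.0.2.100';  Severity = 'high';   Tag = 'campaign-2024' }
    @{ Type = 'sha256'; Value = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'; Severity = 'medium'; Tag = 'campaign-2024' }
    @{ Type = 'domain'; Value = 'not a domain'; Severity = 'low';    Tag = 'campaign-2024' }  # malformed, will be skipped
    @{ Type = 'md5';    Value = 'D41D8CD98F00B204E9800998ECF8427E'; Severity = 'low'; Tag = 'campaign-2024' }
)

# Per-type format checks (assumption of this example, not a PSFalcon feature)
$Pattern = @{
    ipv4   = '^(\d{1,3}\.){3}\d{1,3}$'
    sha256 = '^[0-9a-f]{64}$'
    md5    = '^[0-9a-f]{32}$'
    domain = '^([a-z0-9-]+\.)+[a-z]{2,}$'
}

# Workflow step 2: confirm the tenant supports each type before using it
$SupportedType = Get-FalconIocType -All

foreach ($Entry in $Feed) {
    $Value = $Entry.Value.ToLower()   # hashes and domains compare case-insensitively
    if ($SupportedType -notcontains $Entry.Type) {
        Write-Warning "Skipping unsupported type '$($Entry.Type)' for value $Value"
        continue
    }
    if ($Pattern.ContainsKey($Entry.Type) -and $Value -notmatch $Pattern[$Entry.Type]) {
        Write-Warning "Skipping malformed $($Entry.Type) value: $Value"
        continue
    }
    # Splat the documented New-FalconIoc parameters. New indicators start in 'detect';
    # promote to 'prevent' with Edit-FalconIoc only after the detections have been reviewed.
    $Param = @{
        Type            = $Entry.Type
        Value           = $Value
        Action          = 'detect'
        Platform        = 'windows', 'linux', 'mac'
        Severity        = $Entry.Severity
        Source          = 'Constructed example feed'
        Tag             = $Entry.Tag
        AppliedGlobally = $true
        # 30-day expiration so a forgotten import falls back to 'no_action' on its own
        Expiration      = (Get-Date).ToUniversalTime().AddDays(30).ToString('yyyy-MM-ddTHH:mm:ssZ')
        Comment         = "Bulk import from example feed, tag $($Entry.Tag)"
    }
    New-FalconIoc @Param
}
```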

Remove-FalconIoc

Remove custom indicators. Permissions: IOC Manager APIs: Write
Parameters:
  Filter (string): Falcon Query Language expression to find indicators for removal
  Comment (string): Audit log comment
  FromParent (boolean): Inheritance from parent CID
  Id (string[]): Indicator identifier (64-character hex)
Example
# Remove a specific indicator
Remove-FalconIoc -Id '1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef' -Comment 'False positive'

# Remove expired indicators
Remove-FalconIoc -Filter "expired:true" -Comment 'Cleanup expired IOCs'

# Remove indicators by tag
Remove-FalconIoc -Filter "tags:'temp-investigation'" -Comment 'Investigation closed'

IOC Management Workflow

1. Identify Threat Indicators: Obtain IOC values from threat intelligence feeds, incident investigations, or security research.
2. Validate IOC Types: Use Get-FalconIocType to verify supported indicator types (IPv4, domain, SHA256, etc.).
3. Create Indicators: Use New-FalconIoc to create indicators with appropriate action, severity, and scope.
4. Monitor and Update: Use Get-FalconIoc to review existing indicators and Edit-FalconIoc to update as needed.
5. Clean Up: Remove outdated or false positive indicators using Remove-FalconIoc.
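Added example covering steps 4 and 5 of the workflow above (not from this page or the PSFalcon project): a hygiene pass that gives every 'prevent' indicator lacking an expiration a default one, reports expired indicators, and removes them only when explicitly asked. The Invoke-IocHygiene function is this example's own, and it assumes the objects returned by Get-FalconIoc -Detailed expose the API field names id, type, value, expiration and tags.

```powershell
# Assumes an authenticated PSFalcon session (Request-FalconToken already called).
function Invoke-IocHygiene {
    param(
        [int]$DefaultTtlDays = 30,   # TTL applied to 'prevent' IOCs that have no expiration
        [switch]$Remove              # delete expired IOCs; without it the function only reports
    )
    # Step 4: a 'prevent' indicator with no expiration keeps blocking until someone notices.
    # The FQL filter narrows server-side; the expiration check is done client-side.
    $Prevent = Get-FalconIoc -Filter "action:'prevent'" -Detailed -All
    $Open = @($Prevent | Where-Object { -not $_.expiration })
    $Until = (Get-Date).ToUniversalTime().AddDays($DefaultTtlDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
    foreach ($Ioc in $Open) {
        Write-Host "Applying expiration $Until to $($Ioc.type) $($Ioc.value)"
        Edit-FalconIoc -Id $Ioc.id -Expiration $Until -Comment "Hygiene: default $DefaultTtlDays-day TTL applied"
    }

    # Step 5: expired indicators are already 'no_action', so they are safe to list and remove.
    $Expired = @(Get-FalconIoc -Filter "expired:true" -Detailed -All)
    foreach ($Ioc in $Expired) {
        Write-Host "Expired: $($Ioc.type) $($Ioc.value) (tags: $($Ioc.tags -join ','))"
    }
    if ($Remove -and $Expired.Count -gt 0) {
        # Comment keeps the audit trail, matching the Best Practices guidance on this page
        Remove-FalconIoc -Id $Expired.id -Comment 'Hygiene: removed expired indicators'
    }

    # Summary object so the run can be logged or checked by a scheduler
    [pscustomobject]@{
        ExpirationApplied = $Open.Count
        ExpiredFound      = $Expired.Count
        ExpiredRemoved    = if ($Remove) { $Expired.Count } else { 0 }
    }
}

Invoke-IocHygiene            # report expired IOCs and apply default expirations only
# Invoke-IocHygiene -Remove  # additionally delete the expired IOCs
```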

Best Practices

  • Set expiration dates on temporary IOCs so they automatically stop blocking legitimate traffic once the investigation concludes.
  • Use the Retrodetect parameter when creating or editing IOCs only when you need to identify past compromises; it can generate a large number of detections.
  • Apply meaningful tags to group related indicators (e.g., by campaign, threat actor, or investigation ID) for easier management.
  • Always use the Comment parameter to maintain an audit trail of why indicators were created, modified, or removed.
