Custom IOA
Searching, creating, updating, and deleting Custom IOA (Indicators of Attack) behavioral rules and rule groups using Falcon Custom IOA Service Collection endpoints
API Scopes
Section titled “API Scopes”Custom IOA Rules:readCustom IOA Rules:write
falcon_create_ioa_rule
Section titled “falcon_create_ioa_rule”Required scopes: Custom IOA Rules:write
Create a new Custom IOA behavioral detection rule within a rule group.
Use falcon_get_ioa_rule_types first to discover rule type IDs, required fields, and valid disposition IDs. The field_values parameter defines the behavioral criteria the rule matches against (process names, file paths, command line regex).
Example prompts:
- “Add a process creation rule to IOA group abc123 that detects cmd.exe spawned from Word”
falcon_create_ioa_rule_group
Section titled “falcon_create_ioa_rule_group”Required scopes: Custom IOA Rules:write
Create a new Custom IOA rule group.
Rule groups are containers for behavioral detection rules scoped to a platform. Use falcon_get_ioa_platforms to see valid platform values. After creating a group, use falcon_create_ioa_rule to add detection rules to it.
Example prompts:
- “Create a Windows IOA rule group named ‘Suspicious PowerShell Activity‘“
falcon_delete_ioa_rule_groups
Section titled “falcon_delete_ioa_rule_groups”Required scopes: Custom IOA Rules:write
Delete Custom IOA rule groups by ID.
Permanently removes the rule groups and all rules within them. Use falcon_search_ioa_rule_groups to find rule group IDs.
Example prompts:
- “Delete Custom IOA rule groups abc123 and def456”
falcon_delete_ioa_rules
Section titled “falcon_delete_ioa_rules”Required scopes: Custom IOA Rules:write
Delete Custom IOA behavioral detection rules from a rule group.
Use falcon_search_ioa_rule_groups to find the rule group ID and individual rule instance IDs to delete.
Example prompts:
- “Delete rules from IOA group abc123”
falcon_get_ioa_platforms
Section titled “falcon_get_ioa_platforms”Required scopes: Custom IOA Rules:read
Get all available platforms for Custom IOA rule groups.
Use this to discover valid platform values (windows, mac, linux) before creating a rule group. Returns platform details.
Example prompts:
- “What platforms are available for Custom IOA rule groups?”
falcon_get_ioa_rule_types
Section titled “falcon_get_ioa_rule_types”Required scopes: Custom IOA Rules:read
Get all available Custom IOA rule types.
Use this to discover valid rule type IDs, required fields, and disposition IDs before creating a behavioral detection rule. Returns rule type details including platform, fields, and supported actions.
Example prompts:
- “What Custom IOA rule types are available?”
falcon_search_ioa_rule_groups
Section titled “falcon_search_ioa_rule_groups”Required scopes: Custom IOA Rules:read
Search Custom IOA rule groups and return full details including their rules.
Use this to find rule groups by platform, name, or enabled state. Consult falcon://custom-ioa/rule-groups/fql-guide before constructing filter expressions. Returns rule group objects with their contained behavioral detection rules.
Example prompts:
- “Find enabled Windows Custom IOA rule groups”
falcon_update_ioa_rule
Section titled “falcon_update_ioa_rule”Required scopes: Custom IOA Rules:write
Update an existing Custom IOA behavioral detection rule.
Requires rulegroup_version for optimistic locking. Get the current version and instance_id from falcon_search_ioa_rule_groups.
Example prompts:
- “Enable IOA rule instance abc in group xyz”
falcon_update_ioa_rule_group
Section titled “falcon_update_ioa_rule_group”Required scopes: Custom IOA Rules:write
Update an existing Custom IOA rule group.
Modify name, description, or enabled state. Requires rulegroup_version for optimistic locking — get it from falcon_search_ioa_rule_groups.
Example prompts:
- “Disable IOA rule group abc123”
Resources
Section titled “Resources”falcon://custom-ioa/rule-groups/fql-guide: Contains the guide for thefilterparam of thefalcon_search_ioa_rule_groupstool.