IOC
Searching, creating, and deleting custom IOCs using Falcon IOC Service Collection endpoints
API Scopes
- IOC Management:read
- IOC Management:write
falcon_add_ioc
Required scopes: IOC Management:write
Create one or more custom IOCs.
Provide type/value/action for a single IOC, or pass a bulk indicators array. Returns the created indicator records on success.
Example prompts:
- “Block the domain evil.example.com”
- “Add a SHA256 hash IOC with prevent action”
falcon_remove_iocs
Required scopes: IOC Management:write
Remove custom IOCs by IDs or FQL filter.
Provide either specific IDs or an FQL filter for bulk removal. If both are given, filter takes precedence. Returns an empty list on success.
Example prompts:
- “Delete IOC with ID abc123”
- “Remove all expired IOCs”
falcon_search_iocs
Required scopes: IOC Management:read
Search custom IOCs and return full IOC details.
Use this to find IOCs by type, value, action, severity, or expiration status. Consult falcon://ioc/search/fql-guide before constructing filter expressions. Returns full indicator records including metadata, platforms, and host groups.
Example prompts:
- “Find all active domain IOCs”
- “Show me SHA256 hash IOCs with prevent action”
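The three tools above share two documented constraints that are easy to get wrong from a client: falcon_add_ioc takes either a single type/value/action or a bulk indicators array, and falcon_remove_iocs silently lets an FQL filter override any IDs passed alongside it. The following added example (not part of this page or the falcon-mcp project) validates those constraints client-side and wraps the arguments in an MCP `tools/call` request; the argument names (type, value, action, indicators, ids, filter) and the FQL field names in the sample values are assumptions based on the wording above.

```python
import json
import warnings

# Argument names (type, value, action, indicators, ids, filter) are taken from the
# wording of the tool descriptions; treat them as assumptions about the real schema.

def build_tool_call(name, arguments, request_id=1):
    """Wrap validated arguments in an MCP JSON-RPC 'tools/call' request."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}

def add_ioc_args(type_=None, value=None, action=None, indicators=None):
    """falcon_add_ioc: one IOC as type/value/action, or a bulk indicators array."""
    if indicators is not None:
        if any(v is not None for v in (type_, value, action)):
            raise ValueError("give either a single type/value/action or an indicators array")
        if not indicators:
            raise ValueError("indicators array is empty")
        return {"indicators": list(indicators)}
    if None in (type_, value, action):
        raise ValueError("a single IOC needs type, value and action")
    return {"type": type_, "value": value, "action": action}

def remove_iocs_args(ids=None, filter=None):
    """falcon_remove_iocs: ids or an FQL filter; the filter wins when both are
    given, so warn rather than let the caller believe the ids were honoured."""
    if filter:
        if ids:
            warnings.warn("filter takes precedence; ids %r will be ignored" % list(ids))
        return {"filter": filter}
    if not ids:
        raise ValueError("remove needs ids or a filter")
    return {"ids": list(ids)}

def search_iocs_args(filter=None):
    """falcon_search_iocs: optional FQL filter (see falcon://ioc/search/fql-guide)."""
    return {"filter": filter} if filter else {}

if __name__ == "__main__":
    # Constructed sample values; the FQL field names are assumed, check the fql-guide.
    single = add_ioc_args("domain", "evil.example.com", "prevent")
    bulk = add_ioc_args(indicators=[
        {"type": "sha256", "value": "0" * 64, "action": "prevent"},
        {"type": "domain", "value": "bad.example.net", "action": "detect"},
    ])
    purge = remove_iocs_args(ids=["abc123"], filter="expired:true")  # warns, filter wins
    for name, args in (("falcon_add_ioc", single), ("falcon_add_ioc", bulk),
                       ("falcon_remove_iocs", purge),
                       ("falcon_search_iocs", search_iocs_args("type:'domain'+action:'prevent'"))):
        print(json.dumps(build_tool_call(name, args), indent=2))
```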
Resources
- falcon://ioc/search/fql-guide: Contains the guide for the filter param of the falcon_search_iocs tool.