List Indicators
Find the IDs of your indicator entities. The IDs can then be used to retrieve your indicator entity with the action Get Indicator Details, which includes the actual value of the indicator.
External Documentation
To learn more, visit the CrowdStrike documentation.
Basic Parameters
Parameter | Description |
---|---|
Filter | Narrow the result set by specifying FQL filters, or omit FQL filters to get a list of all IOC IDs in your environment. For more info on FQL filters, see our Falcon Query Language reference. Valid filter fields that can be used to narrow the result set: type, value, action, mobile_action, severity, platforms, tags, expiration, expired, applied_globally, host_groups, created_on, created_by, modified_on, modified_by, source |
Advanced Parameters
Parameter | Description |
---|---|
After | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an 'after' token. On subsequent requests, provide the 'after' token from the previous response to continue from that place in the results. To access more than 10k indicators, use the 'after' parameter instead of 'offset'. |
Limit | The maximum records to return. |
Offset | The offset to start retrieving records from. The Offset and After parameters are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k IOCs, use the 'after' parameter instead of 'offset'. |
Sort | The sort expression that should be used to sort the results. |
Example Output
{
  "errors": [
    {
      "code": 0,
      "id": "string",
      "message": "string"
    }
  ],
  "meta": {
    "pagination": {
      "after": "string",
      "limit": 0,
      "offset": 0,
      "total": 0
    },
    "powered_by": "string",
    "query_time": 0,
    "trace_id": "string"
  },
  "resources": [
    "string"
  ]
}
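The 'after' pagination described under Advanced Parameters, reading the response shape shown in Example Output, as an added example that is not part of the original page or CrowdStrike's own code. `fetch_page`, `iter_indicator_ids` and the in-memory backend are hypothetical names, and the loop assumes the last page carries an empty page, no further 'after' token, or a repeated token.

```python
from typing import Callable, Iterator, Optional


class IndicatorQueryError(RuntimeError):
    """Raised when a response carries a non-empty "errors" array."""


def iter_indicator_ids(fetch_page: Callable[..., dict], fql_filter: Optional[str] = None,
                       limit: int = 100, max_pages: int = 10_000) -> Iterator[str]:
    """Yield every indicator ID by following the 'after' token page by page.

    fetch_page is a hypothetical callable (e.g. a wrapper around this action)
    taking filter/limit/after keyword arguments and returning a dict shaped
    like the Example Output.
    """
    after = None  # first request: no 'after' token
    for _ in range(max_pages):
        params = {"limit": limit}
        if fql_filter:
            params["filter"] = fql_filter
        if after:
            params["after"] = after  # 'offset' is never sent alongside 'after'
        body = fetch_page(**params)
        errors = body.get("errors") or []
        if errors:
            raise IndicatorQueryError(
                "; ".join(f"{e.get('code')}: {e.get('message')}" for e in errors))
        resources = body.get("resources") or []
        yield from resources
        next_after = ((body.get("meta") or {}).get("pagination") or {}).get("after")
        # Assumed end-of-results signals: empty page, no token, or a repeated token.
        if not resources or not next_after or next_after == after:
            return
        after = next_after
    raise IndicatorQueryError("max_pages reached before pagination ended")


def make_fake_backend(ids):
    """Constructed in-memory stand-in for the service, so the loop runs offline."""
    def fetch_page(limit, after=None, filter=None):
        start = int(after) if after else 0
        chunk = ids[start:start + limit]
        end = start + len(chunk)
        token = str(end) if end < len(ids) else ""
        return {"errors": [], "resources": chunk,
                "meta": {"pagination": {"after": token, "limit": limit, "total": len(ids)}}}
    return fetch_page
```

Checking the "errors" array on every page keeps a failed request from being read as an empty result set, which would otherwise make an incomplete IOC inventory look complete.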
Workflow Library Example
List Indicators with Crowdstrike and Send Results Via Email