To learn more, visit the CrowdStrike documentation.

Basic Parameters

| Parameter | Description |
| --- | --- |
| Filter | Narrow the result set by specifying FQL filters, or omit FQL filters to get a list of all IOC IDs in your environment. For more info on FQL filters, see our Falcon Query Language reference. |

Valid filter fields that can be used to narrow the result set:

  • type
  • value
  • action
  • mobile_action
  • severity
  • platforms
  • tags
  • expiration
  • expired
  • applied_globally
  • host_groups
  • created_on
  • created_by
  • modified_on
  • modified_by
  • source

Advanced Parameters

| Parameter | Description |
| --- | --- |
| After | A pagination token used with the limit parameter to manage pagination of results. On your first request, don’t provide an ‘after’ token. On subsequent requests, provide the ‘after’ token from the previous response to continue from that place in the results. To access more than 10k indicators, use the ‘after’ parameter instead of ‘offset’. |
| Limit | The maximum number of records to return. |
| Offset | The offset to start retrieving records from. The Offset and After parameters are mutually exclusive. If neither is provided, scrolling is used by default. To access more than 10k IOCs, use the ‘after’ parameter instead of ‘offset’. |
| Sort | The sort expression that should be used to sort the results. |

Example Output

```json
{
    "errors": [
        {
            "code": 0,
            "id": "string",
            "message": "string"
        }
    ],
    "meta": {
        "pagination": {
            "after": "string",
            "limit": 0,
            "offset": 0,
            "total": 0
        },
        "powered_by": "string",
        "query_time": 0,
        "trace_id": "string"
    },
    "resources": [
        "string"
    ]
}
```
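The ‘after’ pagination described under Advanced Parameters, as an added example that is not part of the original page or of any vendor SDK: a loop that follows `meta.pagination.after` until the result set is exhausted and stops on a populated `errors` array. The `fetch_page` callable, its lowercase keyword names, the in-memory backend and the sample IDs are assumptions constructed for illustration.

```python
# Added example, not vendor code. fetch_page is a hypothetical callable that
# stands in for the List Indicators action and returns the documented JSON shape.

def list_all_indicator_ids(fetch_page, fql_filter=None, limit=100, sort=None):
    """Collect every IOC ID by following meta.pagination.after."""
    ids, after, seen = [], None, set()
    while True:
        params = {"limit": limit}
        if fql_filter:
            params["filter"] = fql_filter
        if sort:
            params["sort"] = sort
        if after:
            params["after"] = after  # never sent together with 'offset'
        body = fetch_page(**params)
        if body.get("errors"):
            trace = body.get("meta", {}).get("trace_id")
            raise RuntimeError(f"query failed (trace_id={trace}): {body['errors']}")
        resources = body.get("resources") or []
        ids.extend(resources)
        after = (body.get("meta", {}).get("pagination") or {}).get("after")
        if not after or not resources:
            return ids  # no token or an empty page means the set is exhausted
        if after in seen:
            raise RuntimeError("pagination token repeated; stopping")
        seen.add(after)


def make_fake_backend(all_ids):
    """Constructed in-memory backend; its token is a stringified index."""
    calls = []

    def fetch_page(limit, after=None, filter=None, sort=None):
        calls.append(after)
        start = int(after) if after else 0
        end = start + limit
        pagination = {"after": str(end) if end < len(all_ids) else "",
                      "limit": limit, "offset": start, "total": len(all_ids)}
        return {"errors": [], "resources": all_ids[start:end],
                "meta": {"pagination": pagination, "trace_id": "constructed"}}

    return fetch_page, calls


SAMPLE_IDS = [f"constructed-ioc-{i:04d}" for i in range(250)]  # constructed data

if __name__ == "__main__":
    fetch, calls = make_fake_backend(SAMPLE_IDS)
    print(len(list_all_indicator_ids(fetch, limit=100)), "IDs in", len(calls), "requests")
```

Logging the `trace_id` from a failed page gives support staff a handle on the exact request that broke an IOC export.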

Workflow Library Example

List Indicators with Crowdstrike and Send Results Via Email
