Find the IDs of your indicator entities. The IDs can then be used to retrieve your indicator entity with the action Get Indicator Details, which includes the actual value of the indicator. The following permission is required to run this action:
  • IOC Management: Read and Write.
External DocumentationTo learn more, visit the CrowdStrike documentation.

Basic Parameters

ParameterDescription
FilterNarrow the result set by specifying FQL filters, or omit FQL filters to get a list of all IOC IDs in your environment.
For more info on FQL filters, see our Falcon Query Language reference.
Valid filter fields that can be used to narrow the result set:

- type

- value

- action

- mobile_action

- severity

- platforms

- tags

- expiration

- expired

- applied_globally

- host_groups

- created_on

- created_by

- modified_on

- modified_by

- source
Return All PagesAutomatically fetch all resources, page by page.

Advanced Parameters

ParameterDescription
AfterA pagination token used with the limit parameter to manage pagination of results. On your first request, don’t provide an ‘after’ token. On subsequent requests, provide the ‘after’ token from the previous response to continue from that place in the results. To access more than 10k indicators, use the ‘after’ parameter instead of ‘offset’.
LimitThe maximum records to return.
OffsetThe offset to start retrieving records from. Offset and After params are mutually exclusive. If none provided then scrolling will be used by default. To access more than 10k iocs, use the ‘after’ parameter instead of ‘offset’.
SortThe sort expression that should be used to sort the results.

Example Output

{
	"meta": {
		"query_time": 1,
		"pagination": {
			"limit": 31,
			"total": 1,
			"offset": 0
		},
		"powered_by": "<string>",
		"trace_id": "<string>"
	},
	"errors": null,
	"resources": []
}

Workflow Library Example

List Indicators with Crowdstrike and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop