Is indicator_create_v1 function support bulk create ? #1173

uyggnodoow · 2024-05-27T08:36:55Z

uyggnodoow
May 27, 2024

Hello

The more IoCs you add, the more you increase the code runtime.
I don't see it in the docs, but does it support Bulk Create as well?

If there is another way, could you please let me know?

Answered by uyggnodoow

Jun 14, 2024

Hello @jshcodes

I solved the problem. The cause was adding duplicate hash values.

Thank you.

View full answer

jshcodes · 2024-06-07T16:09:41Z

jshcodes
Jun 7, 2024
Maintainer

Hi @uyggnodoow -

The body payload for this operation defines the indicators to be created as a list. You can create multiple IOCs with a single API call by leveraging the Uber Class or by providing a list of dictionaries to the indicators keyword when using the Service Class.

Thank you for the question! 😄

0 replies

uyggnodoow · 2024-06-10T03:41:57Z

uyggnodoow
Jun 10, 2024
Author

Hi @jshcodes

Thanks for answer. I will test it.

0 replies

uyggnodoow · 2024-06-10T04:45:50Z

uyggnodoow
Jun 10, 2024
Author

@jshcodes

I ran it like below, but it failed to work.
Any idea what could be the problem?

The code looks like this

credentials = {
    'client_id': config['crowdstrikeClientId'],
    'client_secret': config['crowdstrikeClientSecret']
}
cs = APIHarnessV2(creds=credentials)

   ...

body = {
    'comment': 'crowdstrikeEDR',
    'indicators': indicators
}
response = cs.command(
    "indicator_create_v1",
    ignore_warnings=True,
    retrodetects=False,
    body=body
)

The body value looks like this (I deleted the hash value.)

{'comment': 'crowdstrikeEDR', 'indicators': [{'action': 'detect', 'applied_globally': True, 'platforms': ['mac', 'windows', 'linux'], 'severity': 'High', 'source': 'v2', 'type': 'SHA256', 'value': ''}, {'action': 'detect', 'applied_globally': True, 'platforms': ['mac', 'windows', 'linux'], 'severity': 'High', 'source': 'v2', 'type': 'SHA256', 'value': ''}, {'action': 'detect', 'applied_globally': True, 'platforms': ['mac', 'windows', 'linux'], 'severity': 'High', 'source': 'v2', 'type': 'SHA256', 'value': ''}, {'action': 'detect', 'applied_globally': True, 'platforms': ['mac', 'windows', 'linux'], 'severity': 'High', 'source': 'v2', 'type': 'SHA256', 'value': ''}, {'action': 'detect', 'applied_globally': True, 'platforms': ['mac', 'windows', 'linux'], 'severity': 'High', 'source': 'v2', 'type': 'SHA256', 'value': ''}]}

This is the result of running

Status Code : 400
One or more indicators have a warning or invalid input

0 replies

uyggnodoow · 2024-06-14T04:14:24Z

uyggnodoow
Jun 14, 2024
Author

Hello @jshcodes

I solved the problem. The cause was adding duplicate hash values.

Thank you.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Is indicator_create_v1 function support bulk create ? #1173

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 4 comments

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Is indicator_create_v1 function support bulk create ? #1173

uyggnodoow May 27, 2024

Replies: 4 comments

jshcodes Jun 7, 2024 Maintainer

uyggnodoow Jun 10, 2024 Author

uyggnodoow Jun 10, 2024 Author

uyggnodoow Jun 14, 2024 Author

uyggnodoow
May 27, 2024

jshcodes
Jun 7, 2024
Maintainer

uyggnodoow
Jun 10, 2024
Author

uyggnodoow
Jun 10, 2024
Author

uyggnodoow
Jun 14, 2024
Author