Custom IOA
Create and manage Custom IOA behavioral detection rules and rule groups.
Custom IOA Rules: READCustom IOA Rules: WRITE
Note
This tool modifies data.
Required scopes: Custom IOA Rules: WRITE
Create a new Custom IOA behavioral detection rule within a rule group.
Before creating a rule:
- Use
falcon_get_ioa_rule_typesto discover available rule types, their IDs, required fields, and valid disposition IDs. - Use
falcon_search_ioa_rule_groupsto find the target rule group ID.
The field_values parameter defines the behavioral criteria the rule will match
against (e.g., process names, file paths, command line patterns using regex).
Example prompts:
- "Add a process creation rule to IOA group abc123 that detects cmd.exe spawned from Word"
Note
This tool modifies data.
Required scopes: Custom IOA Rules: WRITE
Create a new Custom IOA rule group.
Rule groups are containers that hold behavioral detection rules for a specific
platform. After creating a group, use falcon_create_ioa_rule to add detection
rules to it.
Use falcon_get_ioa_platforms to see available platform values.
Example prompts:
- "Create a Windows IOA rule group named 'Suspicious PowerShell Activity'"
Caution
This tool performs destructive operations.
Required scopes: Custom IOA Rules: WRITE
Delete Custom IOA rule groups by ID.
This permanently removes the rule groups and all rules within them.
Use falcon_search_ioa_rule_groups to find rule group IDs.
Example prompts:
- "Delete Custom IOA rule groups abc123 and def456"
Caution
This tool performs destructive operations.
Required scopes: Custom IOA Rules: WRITE
Delete Custom IOA behavioral detection rules from a rule group.
Use falcon_search_ioa_rule_groups to find the rule group ID and
the individual rule IDs (instance IDs) to delete.
Example prompts:
- "Delete rules from IOA group abc123"
Required scopes: Custom IOA Rules: READ
Get all available platforms for Custom IOA rule groups.
Returns details about each available platform (e.g., windows, mac, linux). Use this to discover valid platform values before creating a rule group.
Example prompts:
- "What platforms are available for Custom IOA rule groups?"
Required scopes: Custom IOA Rules: READ
Get all available Custom IOA rule types.
Returns details about each rule type including its name, platform, fields, and supported disposition IDs. Use this to discover valid rule type IDs and required field values before creating a behavioral rule.
Rule types define the category of behavioral detection (e.g., Process Creation, Network Connection, File Creation).
Example prompts:
- "What Custom IOA rule types are available?"
Required scopes: Custom IOA Rules: READ
Search Custom IOA rule groups and return full rule group details including their rules.
Rule groups are containers that hold behavioral detection rules. Each group is associated with a specific platform (windows, mac, or linux).
Example prompts:
- "Find enabled Windows Custom IOA rule groups"
Note
This tool modifies data.
Required scopes: Custom IOA Rules: WRITE
Update an existing Custom IOA behavioral detection rule.
The rulegroup_version is required for optimistic locking to prevent
concurrent modification conflicts. Use falcon_search_ioa_rule_groups to
retrieve the current version and instance ID.
Example prompts:
- "Enable IOA rule instance abc in group xyz"
Note
This tool modifies data.
Required scopes: Custom IOA Rules: WRITE
Update an existing Custom IOA rule group.
You can modify the name, description, and enabled state of a rule group.
The rulegroup_version is required for optimistic locking to prevent
concurrent modification conflicts.
Use falcon_search_ioa_rule_groups to retrieve the current version number.
Example prompts:
- "Disable IOA rule group abc123"
-
falcon://custom-ioa/rule-groups/fql-guide: Contains the guide for thefilterparam of thefalcon_search_ioa_rule_groupstool.
