Help with deleting IOCs

[Qbert777]

I have a script that has been running on a cronjob without issue up until a couple of weeks ago when it started returning the following error:

[{'code': 400, 'message': 'Either IDs or the FQL filter must be provided, not both'}]

It uses the Uber class 'indicator.delete.v1' with param'filter':'expired:true'. I also tried using the filter 'filter':f"expiration<'{today}'" as in the code snippet below but getting the same error. Using falconpy ver 0.5.6.

Any ideas or suggestions are much appreciated.
Thanks.

from falconpy.api_complete import APIHarness
import datetime as dt

falcon_client_id = "[REDACTED]"
falcon_client_secret = "[REDACTED]"

falcon = APIHarness(creds={
                    'client_id': falcon_client_id,
                    'client_secret': falcon_client_secret
                    }
)

today = dt.datetime.today().strftime('%Y-%m-%d')

PARAMS = {
    'filter':f"expiration<'{today}'",
    'comment':'Delete expired IOCs'
}

response = falcon.command('indicator.delete.v1', parameters=PARAMS)
print(response)
falcon.deauthenticate()

[jshcodes]

Hi @Qbert777 -

This is the second report that is pointing out an issue (#311) with this functionality. (This may also be specific to the Uber class.) We're looking into this now.

[jshcodes]

Converting discussion to an issue.

[jshcodes]

Regarding the expiration filter, you need a colon in the filter string.

So this:

PARAMS = {
    'filter':f"expiration<'{today}'",
    'comment':'Delete expired IOCs'
}

Should be this:

PARAMS = {
    'filter':f"expiration:<'{today}'",
    'comment':'Delete expired IOCs'
}

If you try this using a Service Class, the delete should work.

from falconpy.ioc import IOC
import datetime as dt

falcon_client_id = "[REDACTED]"
falcon_client_secret = "[REDACTED]"

falcon = IOC(creds={
                    'client_id': falcon_client_id,
                    'client_secret': falcon_client_secret
                    })
today = dt.datetime.today().strftime('%Y-%m-%d')

response = falcon.indicator_delete(filter=f"expiration:<='{today}'", comment="Delete expired IOCs")
print(response)

This does not speak to the Uber class usage issue though, which we are now looking into and tracking as a bug. (#314)

[jshcodes]

We're testing a fix for the Uber class issue now.

[Qbert777]

Thanks for the quick response! I had to add '_v1' to this line in your code for it to work:
response = falcon.indicator_delete(filter=f"expiration:<='{today}'", comment="Delete expired IOCs")
changed to:
response = falcon.indicator_delete_v1(filter=f"expiration:<='{today}'", comment="Delete expired IOCs")

Strange that the filter "expired:true" returned 200 but it didn't work. Do you have to wrap true in quotes like this "expired:'true'"? Can't try now since I've already deleted my expired IOCs. I will try again tomorrow.

Thanks again.

[jshcodes]

Thanks for the quick response! I had to add '_v1' to this line in your code for it to work:
response = falcon.indicator_delete(filter=f"expiration:<='{today}'", comment="Delete expired IOCs")
changed to:
response = falcon.indicator_delete_v1(filter=f"expiration:<='{today}'", comment="Delete expired IOCs")

This is my bad. With your still being on v0.5.6, you don't have access to the PEP8 versions of this call. (The version you used, which is based off of operation ID, will always work / be supported.) Starting with v0.6.1, you will be able to use both statements as shown above.

Strange that the filter "expired:true" returned 200 but it didn't work. Do you have to wrap true in quotes like this "expired:'true'"? Can't try now since I've already deleted my expired IOCs. I will try again tomorrow.

I did my testing using the Service Class and an expiration date. From what I see of your code above, I don't believe you will need to change it. (ie. "expired: true" should be OK, let us know if your testing doesn't show this. You will need to use the updated code that is being tested now if you decide to go back to the Uber class.) Hoping to have this update ready for the release tomorrow so you can grab it right away.

[jshcodes]

Hi @Qbert777 - The bleeding-edge version for the Uber class fix has been released.

This will push to the production package index first thing in the morning, so you should be able to update to the latest version (v0.6.2) and test using either the Uber or Service class as per your preference.

Thanks for reporting this! 😄

[Qbert777]

Needed a few days to let some IOCs expire before I could test with v0.6.2. Now working as expected with Uber class using 'filter':f"expiration<'{today}'". Using 'filter':'expired:true' returns 200 status code but doesn't actually delete the expired IOCs. The strange thing is used to work up until a few weeks ago. Since this filter also doesn't work on the CS Swagger API page it's not a falconpy issue. I've got a CS support ticket open, just an FYI. Thanks for the quick response and fix!

[jshcodes]

Excellent! Happy to help. 😁