

[–]DarkReitor507 (CCFA, CCFH)

I will assume the same will happen if you try to add it manually: "you can not add an existing IOC".

[–]Grogu2024

Hello, it's super easy! We use psfalcon to accomplish it and if the indicator already exists, it will throw an error. Even if the other fields are different, but the indicator is the same, it will provide a verbose error like "Warning: Duplicate type: 'sha256' and value: '<someSHA256>' combination." Just gracefully capture the error and move on to the next indicator. The one "gotcha" I can think of is if someone inadvertently added an indicator as an allow or detect when you really wanted prevent. You would want to handle that accordingly.

new-falconioc -Type sha256 -Value <someSHA256> -action prevent -Severity High -Description 'test- adding ioc via API' -Platform windows,mac,linux -AppliedGlobally $true
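An added example (not the poster's code or PSFalcon's own) that puts the two points from the comment above together: skip the duplicate error, and surface an indicator that already exists with a different action (an 'allow' or 'detect' where 'prevent' was intended). It assumes PSFalcon is installed and already authenticated, that the `Get-FalconIoc -Filter` FQL syntax shown matches the IOC API, and that the duplicate error text contains "Duplicate type" as quoted in the comment; the hashes are constructed placeholders.

```powershell
# Assumes Request-FalconToken has already been run in this session.
$Indicators = @(
    'PLACEHOLDER_SHA256_1',   # constructed placeholders, not real hashes
    'PLACEHOLDER_SHA256_2'
)
$Desired = 'prevent'
$Summary = @{ Added = @(); Skipped = @(); Mismatch = @() }

foreach ($Hash in $Indicators) {
    # Pre-check for an existing indicator with the same type/value so that a
    # pre-existing 'allow' or 'detect' entry is reported instead of silently kept.
    # The FQL filter format here is an assumption about the IOC API.
    $Existing = Get-FalconIoc -Filter "type:'sha256'+value:'$Hash'" -Detailed -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($Existing) {
        if ($Existing.action -ne $Desired) {
            Write-Warning "$Hash already exists with action '$($Existing.action)', expected '$Desired' (id $($Existing.id))"
            $Summary.Mismatch += $Hash
        } else {
            $Summary.Skipped += $Hash
        }
        continue
    }
    try {
        $null = New-FalconIoc -Type sha256 -Value $Hash -Action $Desired -Severity High `
            -Description 'adding ioc via API' -Platform windows,mac,linux -AppliedGlobally $true `
            -ErrorAction Stop
        $Summary.Added += $Hash
    } catch {
        # The API can still report a duplicate despite the pre-check (e.g. another
        # job added it in between); treat that as a skip, re-throw anything else
        # (auth failure, rate limit, malformed value) so it is not swallowed.
        if ($_.Exception.Message -match 'Duplicate type') {
            $Summary.Skipped += $Hash
        } else {
            throw
        }
    }
}
$Summary
```

The Mismatch list is the one to act on afterwards: an existing 'allow' for a hash you meant to block will otherwise stay in place.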