Publisher: Splunk
Connector Version: 3.6.1
Product Vendor: CrowdStrike
Product Name: CrowdStrike
Product Version Supported (regex): ".*"
Minimum Product Version: 5.2.0
This app integrates with the CrowdStrike OAuth2 API to query endpoint security data.
The user can add a script file in the configuration parameter [ Script with functions to preprocess containers and artifacts ]. The script must define a function named preprocess_container (which pre-processes the containers and their artifacts); if the function is missing, the app throws an error.
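As an added illustration (not code from the app or from Splunk), here is a preprocess script of the kind that parameter accepts. It assumes the app calls preprocess_container(container) once per container before saving it, that the container is a dict whose "artifacts" list carries the cef mapping the app builds from a DetectionSummaryEvent (cef.fileName, cef.hash, ...), and that the function returns the container; the allowlist and the watched-binary set are constructed sample data.

```python
"""Sample preprocess script for the CrowdStrike OAuth asset (added example).

Assumptions: the app imports this file and calls preprocess_container(container)
once per container; the container is a dict whose "artifacts" list holds dicts
with a "cef" mapping (cef.fileName, cef.hash, cef.cs1, ...); the function must
return the (possibly modified) container.
"""

# Constructed sample allowlist: SHA256 hashes the SOC has already triaged as benign.
KNOWN_BENIGN_SHA256 = {
    "4f2b1d0c9e8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c",
}

# Constructed sample: signed OS binaries that are frequently abused. A detection
# naming one of them is escalated so an analyst looks at it first.
WATCHED_BINARIES = {"powershell.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}


def _is_known_benign(cef):
    """True when cef.hash is a SHA256 on the allowlist (MD5/SHA1 values are not matched)."""
    digest = str(cef.get("hash", "")).strip().lower()
    return len(digest) == 64 and digest in KNOWN_BENIGN_SHA256


def preprocess_container(container):
    """Entry point the app looks up by name.

    - drops artifacts whose file hash is on the allowlist
    - raises the container severity to "high" when a watched binary appears
    - tags the container so a playbook can branch on the outcome
    """
    kept = []
    escalated = False
    for artifact in container.get("artifacts", []):
        cef = artifact.get("cef") or {}
        if _is_known_benign(cef):
            continue
        if str(cef.get("fileName", "")).lower() in WATCHED_BINARIES:
            escalated = True
        kept.append(artifact)

    container["artifacts"] = kept
    tags = list(container.get("tags") or [])
    if escalated:
        container["severity"] = "high"
        tags.append("lolbin")
    if not kept:
        tags.append("all-artifacts-allowlisted")
    container["tags"] = tags
    return container
```

Dropping an artifact here only keeps it out of SOAR; the detection itself still exists in the Falcon console, so the allowlist should be reviewed as carefully as any other suppression.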
- Optionally, you can specify an App ID to be used with the Crowdstrike OAuth API used in the on poll action. If one isn't set, it will default to the asset ID.
- It is recommended to have a unique App ID for each connection to the Crowdstrike OAuth API. That is to say, if you are planning on having multiple assets using the Crowdstrike OAuth API at once, you should give them unique App IDs.
- Common points for both manual and scheduled | interval polling
  - The default parameters of the On Poll action (start_time, end_time, container_count, artifact_count) are ignored by the app.
  - The app fetches events up to the value specified in the configuration parameters [Maximum events to get while POLL NOW] (default 2000 if not specified) and [Maximum events to get while scheduled and interval polling] (default 10,000 if not specified). For ingestion, the fetched events are filtered on the event type DetectionSummaryEvent. The app exits the polling cycle in whichever of the following two cases occurs first:
    - The total number of DetectionSummaryEvents fetched equals the value of the [Maximum events to get while POLL NOW] (manual polling) or [Maximum events to get while scheduled and interval polling] (scheduled | interval polling) parameter
    - The number of consecutive blank lines encountered while streaming the data equals the value of the [Maximum allowed continuous blank lines] asset configuration parameter (default 50 if not specified)
  - By default, each event is placed in its own container. If the configuration parameter [Merge containers for Hostname and Eventname] is checked and an interval is specified in the configuration parameter [Merge same containers within specified seconds], all events of the same type on the same host are put into one container, as long as the time between two such events is less than the interval.
  - The [Maximum allowed continuous blank lines] asset configuration parameter sets how many consecutive blank lines the app tolerates while fetching DetectionSummaryEvents. For example, suppose some DetectionSummaryEvents appear in the stream only after 100 consecutive blank lines. With the parameter set to 500, the app keeps ingesting until it encounters 500 consecutive blank lines, so it also ingests the events that follow the 100 blank lines. With the parameter set to 50, the app stops after the 50th blank line and never reaches those events, because it treats 50 consecutive blank lines (the configured value) as the end of the DetectionSummaryEvent data.
- Manual Polling
  - During manual POLL NOW, the app starts from the first event it can query, fetches up to the value configured in the configuration parameter [Maximum events to get while POLL NOW], and creates artifacts for all fetched DetectionSummaryEvents. The last queried event's offset ID is not remembered for manual POLL NOW; every run fetches everything from the beginning.
- Scheduled | Interval Polling
  - During scheduled | interval polling, the app starts from the first event it can query, fetches up to the value configured in the configuration parameter [Maximum events to get while scheduled and interval polling], and creates artifacts for all fetched DetectionSummaryEvents. It then remembers the last event's offset ID and stores it in the state file under the key [last_offset_id]. The next scheduled poll run starts from the stored offset ID and again fetches at most the number of events configured in the [Maximum events to get while scheduled and interval polling] parameter.
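The polling behaviour described above, as an added example that is not the app's own code: a simulation of the stream reader with its two exit conditions, the last_offset_id handling that differs between scheduled and manual polls, and the container merge option. The JSON envelope on each line ({"metadata": {"offset", "eventType", "eventCreationTime"}, "event": {...}}), the stream contents and all timestamps are constructed for this example, and the read_detections/poll/group_into_containers names are this example's own.

```python
import json

T0 = 1_700_000_000_000  # constructed epoch in milliseconds


def _line(offset, event_type, ts, **fields):
    """One stream line in the envelope assumed by this example."""
    return json.dumps({"metadata": {"offset": offset, "eventType": event_type,
                                    "eventCreationTime": ts}, "event": fields})


# Constructed sample stream: two detections, one unrelated audit event, then the
# README's situation of 100 consecutive blank lines before a further detection.
SAMPLE_STREAM = [
    _line(1, "DetectionSummaryEvent", T0, ComputerName="host-a", FileName="a.exe"),
    _line(2, "UserActivityAuditEvent", T0 + 5_000, UserId="analyst@example.invalid"),
    _line(3, "DetectionSummaryEvent", T0 + 30_000, ComputerName="host-a", FileName="b.exe"),
] + [""] * 100 + [
    _line(4, "DetectionSummaryEvent", T0 + 600_000, ComputerName="host-b", FileName="c.exe"),
]


def read_detections(lines, max_events, max_crlf, start_after=None):
    """Walk the stream and collect DetectionSummaryEvents.

    Returns (events, last_offset, stop_reason). stop_reason is "max_events",
    "max_blank_lines" or "stream_ended"; the first two are the app's early exits.
    start_after skips offsets that an earlier scheduled run already ingested.
    """
    events = []
    blank_run = 0
    last_offset = start_after
    for raw in lines:
        line = raw.strip()
        if not line:
            blank_run += 1
            if blank_run >= max_crlf:          # [Maximum allowed continuous blank lines]
                return events, last_offset, "max_blank_lines"
            continue
        blank_run = 0                          # any data line resets the counter
        record = json.loads(line)
        offset = record["metadata"]["offset"]
        if start_after is not None and offset <= start_after:
            continue
        last_offset = offset
        if record["metadata"]["eventType"] != "DetectionSummaryEvent":
            continue                           # other event types are not ingested
        events.append(record)
        if len(events) >= max_events:          # [Maximum events to get ...]
            return events, last_offset, "max_events"
    return events, last_offset, "stream_ended"


def poll(lines, state, scheduled, max_events=10000, max_crlf=50):
    """One polling cycle. Scheduled polls resume from and update
    state["last_offset_id"]; manual POLL NOW ignores the state file entirely."""
    start_after = state.get("last_offset_id") if scheduled else None
    events, last_offset, reason = read_detections(lines, max_events, max_crlf, start_after)
    if scheduled and last_offset is not None:
        state["last_offset_id"] = last_offset
    return events, reason


def group_into_containers(events, collate, merge_seconds):
    """[Merge containers for Hostname and Eventname]: with collate off, one container
    per event; with it on, events of the same type on the same host whose spacing
    is below merge_seconds share a container."""
    containers = []
    for ev in events:
        key = (ev["event"].get("ComputerName"), ev["metadata"]["eventType"])
        ts = ev["metadata"]["eventCreationTime"]
        target = None
        if collate:
            for c in containers:
                if c["key"] == key and ts - c["last_ts"] < merge_seconds * 1000:
                    target = c
                    break
        if target is None:
            target = {"key": key, "last_ts": ts, "events": []}
            containers.append(target)
        target["events"].append(ev)
        target["last_ts"] = ts
    return containers
```

Running poll over SAMPLE_STREAM with max_crlf=50 returns only offsets 1 and 3 and stops on the blank run; with max_crlf=500 it also reaches offset 4. A scheduled run that stored last_offset_id 3 then picks up only offset 4 on its next cycle, whereas a manual run re-reads from offset 1 every time.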
The DetectionSummaryEvent is parsed to extract the following values into an Artifact.
Artifact Field | Event Field |
---|---|
cef.sourceUserName | UserName |
cef.fileName | FileName |
cef.filePath | FilePath |
cef.sourceHostName | ComputerName |
cef.sourceNtDomain | MachineDomain |
cef.hash | MD5String |
cef.hash | SHA1String |
cef.hash | SHA256String |
cef.cs1 | cmdLine |
The app also parses the following sub-events into their own artifacts.
- Documents Accessed
- Executables Written
- Network Access
- Scan Result
- Quarantine Files
- DNS Requests
Each of the sub-events has a CEF key called parentSdi, which stands for Parent Source Data Identifier. Its value is the SDI of the main event from which the sub-events were generated.
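An added example (not the app's own code) of the artifact mapping just described: one DetectionSummaryEvent becomes a main artifact with the CEF keys from the table above, and each sub-event becomes its own artifact carrying cef.parentSdi. The sub-event array names on the event (DocumentsAccessed, DnsRequests, ...), the artifact dict layout (name, source_data_identifier, cef) and the cef.hashAlgorithm key are assumptions of this example; the sample event is constructed.

```python
FIELD_MAP = (  # (cef key, DetectionSummaryEvent field), from the README's table
    ("sourceUserName", "UserName"),
    ("fileName", "FileName"),
    ("filePath", "FilePath"),
    ("sourceHostName", "ComputerName"),
    ("sourceNtDomain", "MachineDomain"),
    ("cs1", "cmdLine"),
)

# All three hash fields map to cef.hash. This example keeps the strongest digest
# present and notes which algorithm it is in cef.hashAlgorithm (an assumed key).
HASH_FIELDS = (("SHA256String", "sha256"), ("SHA1String", "sha1"), ("MD5String", "md5"))

SUB_EVENT_ARRAYS = {  # assumed event keys -> artifact names listed in the README
    "DocumentsAccessed": "Documents Accessed",
    "ExecutablesWritten": "Executables Written",
    "NetworkAccesses": "Network Access",
    "ScanResults": "Scan Result",
    "QuarantineFiles": "Quarantine Files",
    "DnsRequests": "DNS Requests",
}


def build_artifacts(detection, sdi):
    """Return [main artifact, *sub-event artifacts] for one DetectionSummaryEvent.

    sdi is the main event's Source Data Identifier; every sub-event artifact
    carries it as cef.parentSdi so the two can be joined again in a playbook.
    """
    cef = {}
    for cef_key, event_key in FIELD_MAP:
        value = detection.get(event_key)
        if value not in (None, ""):
            cef[cef_key] = value
    for event_key, algorithm in HASH_FIELDS:
        digest = detection.get(event_key)
        if digest:
            cef["hash"] = digest.lower()       # normalise case for later lookups
            cef["hashAlgorithm"] = algorithm
            break
    artifacts = [{"name": "DetectionSummaryEvent", "source_data_identifier": sdi, "cef": cef}]

    for event_key, artifact_name in SUB_EVENT_ARRAYS.items():
        for item in detection.get(event_key) or []:
            sub_cef = dict(item)
            sub_cef["parentSdi"] = sdi
            artifacts.append({"name": artifact_name, "cef": sub_cef})
    return artifacts


# Constructed sample event. The digests are the well-known MD5/SHA256 of an empty
# input and stand in for real file hashes.
SAMPLE_DETECTION = {
    "ComputerName": "WS-0042",
    "UserName": "jdoe",
    "MachineDomain": "CORP",
    "FileName": "update.exe",
    "FilePath": "C:\\Users\\jdoe\\Downloads",
    "cmdLine": "update.exe /silent",
    "MD5String": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA256String": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "DnsRequests": [{"DomainName": "updates.example.invalid"},
                    {"DomainName": "cdn.example.invalid"}],
    "ExecutablesWritten": [{"FilePath": "C:\\Temp\\helper.exe"}],
}
```

Because the three hash rows share one CEF key, a playbook that matches on cef.hash should also check cef.hashAlgorithm (or the digest length) before comparing it against an indicator list.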
This is different from Falcon Sandbox.
- Action - File Reputation, Url Reputation
  - The report for the resource is fetched if it has been detonated previously on the CrowdStrike server; otherwise, a "no data found" message is displayed to the user.
- Action - Download Report
  - This action downloads the resource report for the provided artifact ID. Currently the following artifact IDs are supported: Strict IOC CSV, Strict IOC JSON, Strict IOC STIX2.1, Strict IOC MAEC5.0, Broad IOC CSV, Broad IOC JSON, Broad IOC STIX2.1, Broad IOC MAEC5.0, Memory Strings, Icon, and Screenshot.
- Action - Detonate File
  - This action uploads the given file to the CrowdStrike sandbox and submits it for analysis with the entered environment details. If a report for the same file with the same environment is already present, the result is fetched and the file is not submitted again.
  - If the analysis is still in progress when the time entered in the detonate_timeout parameter is reached, the action returns the resource_id of the submitted file, which can be used to check the submission status.
  - If the submitted file is analyzed within the time entered in the detonate_timeout parameter, its report is fetched. Currently these file types are supported: .exe, .scr, .pif, .dll, .com, .cpl, etc., .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub, .pdf, Executable JAR, .sct, .lnk, .chm, .hta, .wsf, .js, .vbs, .vbe, .swf, .pl, .ps1, .psd1, .psm1, .svg, .py, Linux ELF executables, .eml, .msg.
- Action - Detonate Url
  - This action submits the given URL for analysis with the entered environment details. If a report for the same URL with the same environment is already present, the result is fetched and the URL is not submitted again.
  - If the analysis is still in progress when the time entered in the detonate_timeout parameter is reached, the action returns the resource_id of the submitted URL, which can be used to check the status of the submission. If the analysis status is "running", do not re-run the Detonate Url action; otherwise the URL is submitted for analysis again.
  - If the submitted URL is analyzed within the time entered in the detonate_timeout parameter, its report is fetched. Currently three URL schemes are supported: http, https, and ftp.
- Action - Check Status
  - This action returns the status of the given resource_id after a timeout in the Detonate File or Detonate Url action.
- Action - List Groups
  - The filter parameter values follow the FQL Syntax.
  - The sort parameter value must be provided in the format property_name.asc for ascending or property_name.desc for descending order.
- Action - Query Device
  - Both the filter and sort parameters follow the same conventions described above for the List Groups action.
- Action - Assign Hosts, Remove Hosts, Quarantine Device, and Unquarantine Device
  - The devices are looked up using the values provided in both the device_id and hostname parameters.
  - If the values provided in both the device_id and hostname parameters are incorrect, the action fails with an appropriate error message.
- Action - List Session Files, Get Session File
  - These actions take a [session id] parameter, so a session must first be created with the Create Session action. The session can be deleted afterwards with the Delete Session action.
- Action - Run Command
- This action can run the below-mentioned RTR commands on the host:
- cat
- cd
- env
- eventlog
- filehash
- getsid
- ipconfig
- ls
- mount
- netstat
- ps
- reg query
- This action takes a [session id] parameter, so a session must first be created with the Create Session action. The session can be deleted afterwards with the Delete Session action.
- Example action run: If "cd C:\some_directory" command needs to be run using this action, valid [device_id] and [session_id] parameters should be provided by the user. The user should select "cd" from the [command] dropdown parameter and provide "C:\some_directory" input in the [data] parameter.
- Action - Run Admin Command
- This action can run the below-mentioned RTR administrator commands on the host:
- cat
- cd
- cp
- encrypt
- env
- eventlog
- filehash
- get
- getsid
- ipconfig
- kill
- ls
- map
- memdump
- mkdir
- mount
- mv
- netstat
- ps
- put
- reg query
- reg set
- reg delete
- reg load
- reg unload
- restart
- rm
- run
- runscript
- shutdown
- unmap
- xmemdump
- zip
- This action takes a [session id] parameter, so a session must first be created with the Create Session action. The session can be deleted afterwards with the Delete Session action.
- Example action run: If "cd C:\some_directory" command needs to be run using this action, valid [device_id] and [session_id] parameters should be provided by the user. The user should select "cd" from the [command] dropdown parameter and provide "C:\some_directory" input in the [data] parameter.
The app uses HTTP/HTTPS protocol for communicating with the Crowdstrike Server. Below are the default ports used by Splunk SOAR.
Service Name | Transport Protocol | Port |
---|---|---|
http | tcp | 80 |
https | tcp | 443 |
The below configuration variables are required for this Connector to operate. These variables are specified when configuring a CrowdStrike asset in SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
url | required | string | Base URL |
place_holder | optional | ph | Placeholder |
client_id | required | password | Client ID |
client_secret | required | password | Client Secret |
app_id | optional | string | App ID |
max_events | optional | numeric | Maximum events to get for scheduled and interval polling |
max_events_poll_now | optional | numeric | Maximum events to get while POLL NOW |
collate | optional | boolean | Merge containers for hostname and eventname |
merge_time_interval | optional | numeric | Merge same containers within specified seconds |
max_crlf | optional | numeric | Maximum allowed continuous blank lines |
preprocess_script | optional | file | Script with functions to preprocess containers and artifacts |
detonate_timeout | optional | numeric | Timeout for detonation result in minutes (Default: 15 minutes) |
test connectivity - Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
query device - Fetch the device details based on the provided query
list groups - Fetch the details of the host groups
quarantine device - Block the device
unquarantine device - Unblock the device
assign hosts - Assign one or more hosts to the static host group
remove hosts - Remove one or more hosts from the static host group
create session - Initialize a new session with the Real Time Response cloud
delete session - Deletes a Real Time Response session
list sessions - Lists Real Time Response sessions
run command - Execute an active responder command on a single host
run admin command - Execute an RTR Admin command on a single host
get command details - Retrieve results of an active responder command executed on a single host
list session files - Get a list of files for the specified RTR session
get incident behaviors - Get details on behaviors by providing behavior IDs
update incident - Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
list users - Get information about all users in your Customer ID
get user roles - Gets the roles that are assigned to the user
list roles - Get information about all user roles from your Customer ID
get role - Get information about all user roles from your Customer ID
list crowdscores - Query environment wide CrowdScore and return the entity data
get incident details - Get details on incidents by providing incident IDs
list incident behaviors - Search for behaviors by providing an FQL filter, sorting, and paging details
list incidents - Search for incidents by providing an FQL filter, sorting, and paging details
get session file - Get RTR extracted file contents for the specified session and sha256 and add it to the vault
set status - Set the state of a detection in Crowdstrike Host
get system info - Get details of a device, given the device ID
get process detail - Retrieve the details of a process that is running or that previously ran, given a process ID
hunt file - Hunt for a file on the network by querying for the hash
hunt domain - Get a list of device IDs on which the domain was matched
upload put file - Upload a new put-file to use for the RTR `put` command
get indicator - Get the full definition of one or more indicators that are being watched
list custom indicators - Queries for custom indicators in your customer account
list put files - Queries for files uploaded to Crowdstrike for use with the RTR `put` command
on poll - Callback action for the on_poll ingest functionality
list processes - List processes that have recently used the IOC on a particular device
upload indicator - Upload indicator that you want CrowdStrike to watch
delete indicator - Delete an indicator that is being watched
update indicator - Update an indicator that has been uploaded
file reputation - Queries CrowdStrike for the file info
url reputation - Queries CrowdStrike for the url info
download report - To download the report of the provided artifact id
detonate file - Upload a file to CrowdStrike and retrieve the analysis results
detonate url - Upload a URL to CrowdStrike and retrieve the analysis results
check status - To check detonation status of the provided resource id
get device scroll - Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
get zta data - Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID)
Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
Type: test
Read only: True
No parameters are required for this action
No Output
Fetch the device details based on the provided query
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
limit | optional | Maximum devices to be fetched | numeric | |
offset | optional | Starting index of overall result set from which to return ids. (Defaults to 0) | numeric | |
filter | optional | Filter expression used to limit the fetched devices (FQL Syntax) | string | |
sort | optional | Property to sort by | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.filter | string | |
action_result.parameter.limit | numeric | |
action_result.parameter.offset | numeric | |
action_result.parameter.sort | string | |
action_result.data.*.agent_load_flags | string | |
action_result.data.*.agent_local_time | string | |
action_result.data.*.agent_version | string | |
action_result.data.*.bios_manufacturer | string | |
action_result.data.*.bios_version | string | |
action_result.data.*.build_number | string | |
action_result.data.*.cid | string | md5 |
action_result.data.*.config_id_base | string | |
action_result.data.*.config_id_build | string | |
action_result.data.*.config_id_platform | string | |
action_result.data.*.cpu_signature | string | |
action_result.data.*.device_id | string | crowdstrike device id |
action_result.data.*.device_policies.device_control.applied | boolean | |
action_result.data.*.device_policies.device_control.applied_date | string | |
action_result.data.*.device_policies.device_control.assigned_date | string | |
action_result.data.*.device_policies.device_control.policy_id | string | md5 |
action_result.data.*.device_policies.device_control.policy_type | string | |
action_result.data.*.device_policies.firewall.applied | boolean | |
action_result.data.*.device_policies.firewall.applied_date | string | |
action_result.data.*.device_policies.firewall.assigned_date | string | |
action_result.data.*.device_policies.firewall.policy_id | string | |
action_result.data.*.device_policies.firewall.policy_type | string | |
action_result.data.*.device_policies.firewall.rule_set_id | string | |
action_result.data.*.device_policies.global_config.applied | boolean | |
action_result.data.*.device_policies.global_config.applied_date | string | |
action_result.data.*.device_policies.global_config.assigned_date | string | |
action_result.data.*.device_policies.global_config.policy_id | string | md5 |
action_result.data.*.device_policies.global_config.policy_type | string | |
action_result.data.*.device_policies.global_config.settings_hash | string | |
action_result.data.*.device_policies.prevention.applied | boolean | |
action_result.data.*.device_policies.prevention.applied_date | string | |
action_result.data.*.device_policies.prevention.assigned_date | string | |
action_result.data.*.device_policies.prevention.policy_id | string | md5 |
action_result.data.*.device_policies.prevention.policy_type | string | |
action_result.data.*.device_policies.prevention.settings_hash | string | |
action_result.data.*.device_policies.remote_response.applied | boolean | |
action_result.data.*.device_policies.remote_response.applied_date | string | |
action_result.data.*.device_policies.remote_response.assigned_date | string | |
action_result.data.*.device_policies.remote_response.policy_id | string | md5 |
action_result.data.*.device_policies.remote_response.policy_type | string | |
action_result.data.*.device_policies.remote_response.settings_hash | string | |
action_result.data.*.device_policies.sensor_update.applied | boolean | |
action_result.data.*.device_policies.sensor_update.applied_date | string | |
action_result.data.*.device_policies.sensor_update.assigned_date | string | |
action_result.data.*.device_policies.sensor_update.policy_id | string | md5 |
action_result.data.*.device_policies.sensor_update.policy_type | string | |
action_result.data.*.device_policies.sensor_update.settings_hash | string | |
action_result.data.*.device_policies.sensor_update.uninstall_protection | string | |
action_result.data.*.external_ip | string | ip |
action_result.data.*.first_seen | string | |
action_result.data.*.group_hash | string | sha256 |
action_result.data.*.groups | string | md5 |
action_result.data.*.hostname | string | host name |
action_result.data.*.instance_id | string | |
action_result.data.*.last_seen | string | |
action_result.data.*.local_ip | string | ip |
action_result.data.*.mac_address | string | |
action_result.data.*.machine_domain | string | domain |
action_result.data.*.major_version | string | |
action_result.data.*.meta.version | string | |
action_result.data.*.minor_version | string | |
action_result.data.*.modified_timestamp | string | |
action_result.data.*.os_version | string | |
action_result.data.*.platform_id | string | |
action_result.data.*.platform_name | string | |
action_result.data.*.pointer_size | string | |
action_result.data.*.policies.*.applied | boolean | |
action_result.data.*.policies.*.applied_date | string | |
action_result.data.*.policies.*.assigned_date | string | |
action_result.data.*.policies.*.policy_id | string | md5 |
action_result.data.*.policies.*.policy_type | string | |
action_result.data.*.policies.*.settings_hash | string | |
action_result.data.*.product_type | string | |
action_result.data.*.product_type_desc | string | |
action_result.data.*.provision_status | string | |
action_result.data.*.reduced_functionality_mode | string | |
action_result.data.*.serial_number | string | |
action_result.data.*.service_pack_major | string | |
action_result.data.*.service_pack_minor | string | |
action_result.data.*.service_provider | string | |
action_result.data.*.service_provider_account_id | string | |
action_result.data.*.site_name | string | |
action_result.data.*.slow_changing_modified_timestamp | string | |
action_result.data.*.status | string | |
action_result.data.*.system_manufacturer | string | |
action_result.data.*.system_product_name | string | |
action_result.data.*.zone_group | string | |
action_result.summary.total_devices | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Fetch the details of the host groups
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
limit | optional | Maximum host groups to be fetched | numeric | |
filter | optional | Filter expression used to limit the fetched host groups (FQL Syntax) | string | |
sort | optional | Property to sort by | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.filter | string | |
action_result.parameter.limit | numeric | |
action_result.parameter.sort | string | |
action_result.data.*.assignment_rule | string | |
action_result.data.*.created_by | string | email |
action_result.data.*.created_timestamp | string | |
action_result.data.*.description | string | |
action_result.data.*.group_type | string | |
action_result.data.*.id | string | crowdstrike host group id |
action_result.data.*.modified_by | string | email |
action_result.data.*.modified_timestamp | string | |
action_result.data.*.name | string | |
action_result.summary.total_host_group | numeric | |
action_result.summary.total_host_groups | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Block the device
Type: contain
Read only: False
This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in the user's containment policy.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | optional | Comma-separated list of device IDs | string | crowdstrike device id |
hostname | optional | Comma-separated list of hostnames | string | host name |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.device_id | string | crowdstrike device id |
action_result.parameter.hostname | string | host name |
action_result.data.*.id | string | crowdstrike device id |
action_result.data.*.path | string | |
action_result.summary.total_quarantined_device | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Unblock the device
Type: correct
Read only: False
This action lifts containment on the host, which returns its network communications to normal.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | optional | Comma-separated list of device IDs | string | crowdstrike device id |
hostname | optional | Comma-separated list of hostnames | string | host name |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.device_id | string | crowdstrike device id |
action_result.parameter.hostname | string | host name |
action_result.data.*.id | string | crowdstrike device id |
action_result.data.*.path | string | |
action_result.summary.total_unquarantined_device | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Assign one or more hosts to the static host group
Type: correct
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | optional | Comma-separated list of device IDs | string | crowdstrike device id |
hostname | optional | Comma separated list of hostnames | string | host name |
host_group_id | required | Static host group ID | string | crowdstrike host group id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.device_id | string | crowdstrike device id |
action_result.parameter.host_group_id | string | crowdstrike host group id |
action_result.parameter.hostname | string | host name |
action_result.data.*.assignment_rule | string | |
action_result.data.*.created_by | string | |
action_result.data.*.created_timestamp | string | |
action_result.data.*.description | string | |
action_result.data.*.group_type | string | |
action_result.data.*.id | string | crowdstrike host group id |
action_result.data.*.modified_by | string | |
action_result.data.*.modified_timestamp | string | |
action_result.data.*.name | string | |
action_result.summary.total_assigned_device | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Remove one or more hosts from the static host group
Type: contain
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | optional | Comma-separated list of device IDs | string | crowdstrike device id |
hostname | optional | Comma-separated list of hostnames | string | host name |
host_group_id | required | Static host group ID | string | crowdstrike host group id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.device_id | string | crowdstrike device id |
action_result.parameter.host_group_id | string | crowdstrike host group id |
action_result.parameter.hostname | string | host name |
action_result.data.*.assignment_rule | string | |
action_result.data.*.created_by | string | |
action_result.data.*.created_timestamp | string | |
action_result.data.*.description | string | |
action_result.data.*.group_type | string | |
action_result.data.*.id | string | crowdstrike host group id |
action_result.data.*.modified_by | string | |
action_result.data.*.modified_timestamp | string | |
action_result.data.*.name | string | |
action_result.summary.total_removed_device | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Initialize a new session with the Real Time Response cloud
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | required | Device ID for session to be created | string | crowdstrike device id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.device_id | string | crowdstrike device id |
action_result.data.*.errors | string | |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.resources.*.created_at | string | |
action_result.data.*.resources.*.existing_aid_sessions | numeric | |
action_result.data.*.resources.*.offline_queued | boolean | |
action_result.data.*.resources.*.pwd | string | file path |
action_result.data.*.resources.*.scripts.*.args.*.arg_name | string | |
action_result.data.*.resources.*.scripts.*.args.*.arg_type | string | |
action_result.data.*.resources.*.scripts.*.args.*.command_level | string | |
action_result.data.*.resources.*.scripts.*.args.*.created_at | string | |
action_result.data.*.resources.*.scripts.*.args.*.data_type | string | |
action_result.data.*.resources.*.scripts.*.args.*.default_value | string | |
action_result.data.*.resources.*.scripts.*.args.*.description | string | |
action_result.data.*.resources.*.scripts.*.args.*.encoding | string | |
action_result.data.*.resources.*.scripts.*.args.*.id | numeric | |
action_result.data.*.resources.*.scripts.*.args.*.options | string | |
action_result.data.*.resources.*.scripts.*.args.*.required | boolean | |
action_result.data.*.resources.*.scripts.*.args.*.requires_value | boolean | |
action_result.data.*.resources.*.scripts.*.args.*.script_id | numeric | |
action_result.data.*.resources.*.scripts.*.args.*.sequence | numeric | |
action_result.data.*.resources.*.scripts.*.args.*.updated_at | string | |
action_result.data.*.resources.*.scripts.*.command | string | |
action_result.data.*.resources.*.scripts.*.description | string | |
action_result.data.*.resources.*.scripts.*.examples | string | file path |
action_result.data.*.resources.*.scripts.*.internal_only | boolean | |
action_result.data.*.resources.*.scripts.*.runnable | boolean | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.arg_name | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.arg_type | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.command_level | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.created_at | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.data_type | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.default_value | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.description | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.encoding | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.id | numeric | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.options | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.required | boolean | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.requires_value | boolean | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.script_id | numeric | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.sequence | numeric | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.updated_at | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.command | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.description | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.examples | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.internal_only | boolean | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.runnable | boolean | |
action_result.data.*.resources.*.session_id | string | crowdstrike rtr session id |
action_result.summary.session_id | string | crowdstrike rtr session id |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Deletes a Real Time Response session
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
session_id | required | RTR Session ID | string | crowdstrike rtr session id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.session_id | string | crowdstrike rtr session id |
action_result.data | string | |
action_result.summary.results | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Lists Real Time Response sessions
Type: investigate
Read only: True
This action supports filtering in order to retrieve a particular session.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
limit | optional | Maximum RTR sessions to be fetched | numeric | |
filter | optional | Filter expression used to limit the fetched RTR sessions (FQL Syntax) | string | |
sort | optional | Property to sort by | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.filter | string | |
action_result.parameter.limit | numeric | |
action_result.parameter.sort | string | |
action_result.data.*.cid | string | md5 |
action_result.data.*.cloud_request_ids | string | |
action_result.data.*.commands | string | |
action_result.data.*.commands_queued | boolean | |
action_result.data.*.created_at | string | |
action_result.data.*.deleted_at | string | |
action_result.data.*.device_details | string | |
action_result.data.*.device_id | string | md5 crowdstrike device id |
action_result.data.*.duration | numeric | |
action_result.data.*.hostname | string | host name |
action_result.data.*.id | string | crowdstrike rtr session id |
action_result.data.*.logs.*.base_command | string | |
action_result.data.*.logs.*.cloud_request_id | string | |
action_result.data.*.logs.*.command_string | string | |
action_result.data.*.logs.*.created_at | string | |
action_result.data.*.logs.*.current_directory | string | |
action_result.data.*.logs.*.id | numeric | |
action_result.data.*.logs.*.session_id | string | |
action_result.data.*.logs.*.updated_at | string | |
action_result.data.*.offline_queued | boolean | |
action_result.data.*.origin | string | |
action_result.data.*.platform_id | numeric | |
action_result.data.*.platform_name | string | |
action_result.data.*.pwd | string | |
action_result.data.*.updated_at | string | |
action_result.data.*.user_id | string | |
action_result.data.*.user_uuid | string | |
action_result.summary.total_sessions | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Execute an active responder command on a single host
Type: generic
Read only: False
The API works in two steps: a cloud request is first created to execute the command, and the results are then retrieved with a GET using the returned cloud_request_id. The action attempts to retrieve the results itself; if that retrieval times out, run the 'get command details' action with the same cloud_request_id to fetch them.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | required | Device ID | string | crowdstrike device id |
session_id | required | RTR Session ID | string | crowdstrike rtr session id |
command | required | RTR command to execute on host | string | |
data | optional | Data/Arguments for the command | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.command | string | |
action_result.parameter.data | string | |
action_result.parameter.device_id | string | crowdstrike device id |
action_result.parameter.session_id | string | crowdstrike rtr session id |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.resources.*.base_command | string | |
action_result.data.*.resources.*.complete | boolean | |
action_result.data.*.resources.*.session_id | string | |
action_result.data.*.resources.*.stderr | string | |
action_result.data.*.resources.*.stdout | string | |
action_result.data.*.resources.*.task_id | string | |
action_result.summary.cloud_request_id | string | crowdstrike cloud request id |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Execute an RTR Admin command on a single host
Type: generic
Read only: False
This action requires a token with RTR Admin permissions.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | required | Device ID | string | crowdstrike device id |
session_id | required | RTR Session ID | string | crowdstrike rtr session id |
command | required | RTR Admin command to execute on host | string | |
data | optional | Data/Arguments for the command | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.command | string | |
action_result.parameter.data | string | |
action_result.parameter.device_id | string | crowdstrike device id |
action_result.parameter.session_id | string | crowdstrike rtr session id |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.resources.*.base_command | string | |
action_result.data.*.resources.*.complete | boolean | |
action_result.data.*.resources.*.session_id | string | |
action_result.data.*.resources.*.stderr | string | |
action_result.data.*.resources.*.stdout | string | |
action_result.data.*.resources.*.task_id | string | |
action_result.summary.cloud_request_id | string | crowdstrike cloud request id |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Retrieve results of an active responder command executed on a single host
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
cloud_request_id | required | Cloud Request ID for Command | string | crowdstrike cloud request id |
timeout_seconds | optional | Time (in seconds; default is 60) to wait before timing out poll for results | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.cloud_request_id | string | crowdstrike cloud request id |
action_result.parameter.timeout_seconds | numeric | |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.resources.*.base_command | string | |
action_result.data.*.resources.*.complete | boolean | |
action_result.data.*.resources.*.session_id | string | |
action_result.data.*.resources.*.stderr | string | |
action_result.data.*.resources.*.stdout | string | |
action_result.data.*.resources.*.task_id | string | |
action_result.summary.results | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
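The two-step flow described for the 'execute command' action (create the cloud request, then fetch the result by cloud_request_id, falling back to 'get command details' with its timeout_seconds when the first retrieval times out) is easiest to reason about as a polling loop. The routine below is an added example written for this page, not the CrowdStrike app's own code: the `fetch` callable, `FakeRtrApi`, and every identifier in it are constructed stand-ins, and the response shape follows the data paths documented above (resources.*.complete, stdout, stderr, task_id, session_id). The `errors` envelope it checks is an assumption, not a field listed for this action.

```python
"""Poll an RTR cloud request until it completes or a timeout elapses.

Added example for this page; not the CrowdStrike app's own code. The `fetch`
callable, FakeRtrApi and every identifier below are constructed stand-ins.
"""
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict


class CommandTimeout(Exception):
    """Raised when the command has not completed within timeout_seconds."""


@dataclass
class CommandResult:
    task_id: str
    session_id: str
    stdout: str
    stderr: str

    @property
    def failed(self) -> bool:
        # RTR reports command failures through stderr, not through an HTTP status.
        return bool(self.stderr)


def poll_command_result(
    fetch: Callable[[str], Dict[str, Any]],
    cloud_request_id: str,
    timeout_seconds: float = 60.0,   # mirrors the action's default of 60 seconds
    interval: float = 2.0,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> CommandResult:
    """Call fetch(cloud_request_id) until resources[0].complete is true."""
    deadline = clock() + timeout_seconds
    while True:
        body = fetch(cloud_request_id)
        errors = body.get("errors") or []          # assumed error envelope
        if errors:
            first = errors[0]
            raise RuntimeError(f"API error {first.get('code')}: {first.get('message')}")
        resources = body.get("resources") or []
        if resources and resources[0].get("complete"):
            r = resources[0]
            return CommandResult(
                task_id=str(r.get("task_id", "")),
                session_id=str(r.get("session_id", "")),
                stdout=r.get("stdout") or "",
                stderr=r.get("stderr") or "",
            )
        if clock() >= deadline:
            # Same situation the page describes: retry later with
            # 'get command details' using this cloud_request_id.
            raise CommandTimeout(cloud_request_id)
        sleep(interval)


class FakeRtrApi:
    """Constructed stand-in for the cloud: completes after ready_after polls."""

    def __init__(self, ready_after: int, stdout: str = "", stderr: str = "") -> None:
        self.ready_after = ready_after
        self.stdout, self.stderr = stdout, stderr
        self.calls = 0

    def __call__(self, cloud_request_id: str) -> Dict[str, Any]:
        self.calls += 1
        done = self.calls >= self.ready_after
        return {
            "meta": {"query_time": 0.01, "powered_by": "constructed", "trace_id": "trace-constructed"},
            "resources": [{
                "base_command": "ls",
                "complete": done,
                "session_id": "session-constructed",
                "stdout": self.stdout if done else "",
                "stderr": self.stderr if done else "",
                "task_id": "task-constructed",
            }],
            "errors": [],
        }


def demo(ready_after: int = 3, timeout_seconds: float = 60.0) -> CommandResult:
    """Run the poller against the fake with a simulated clock (no real sleeping)."""
    now = [0.0]
    api = FakeRtrApi(ready_after, stdout="total 0\n")
    return poll_command_result(
        api, "cr-constructed", timeout_seconds=timeout_seconds, interval=2.0,
        clock=lambda: now[0], sleep=lambda s: now.__setitem__(0, now[0] + s),
    )


if __name__ == "__main__":
    print(demo())
```

In a playbook the `clock` and `sleep` arguments are left at their defaults; they are injectable so the loop can be exercised without real delays. Note that a non-empty stderr is still a completed command, so a caller should inspect `CommandResult.failed` rather than treating a returned result as success.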
Get a list of files for the specified RTR session
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
session_id | required | RTR Session ID | string | crowdstrike rtr session id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.session_id | string | crowdstrike rtr session id |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.resources.*.cloud_request_id | string | |
action_result.data.*.resources.*.created_at | string | |
action_result.data.*.resources.*.deleted_at | string | |
action_result.data.*.resources.*.id | numeric | |
action_result.data.*.resources.*.name | string | file name |
action_result.data.*.resources.*.session_id | string | crowdstrike rtr session id |
action_result.data.*.resources.*.sha256 | string | sha256 |
action_result.data.*.resources.*.size | numeric | |
action_result.data.*.resources.*.updated_at | string | |
action_result.summary.total_files | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get details on behaviors by providing behavior IDs
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ids | required | List of behavior IDs. Comma separated list allowed | string | crowdstrike incidentbehavior id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.ids | string | crowdstrike incidentbehavior id |
action_result.data.*.aid | string | |
action_result.data.*.behavior_id | string | crowdstrike incidentbehavior id |
action_result.data.*.cid | string | |
action_result.data.*.cmdline | string | |
action_result.data.*.compound_tto | string | |
action_result.data.*.detection_ids | string | crowdstrike detection id |
action_result.data.*.display_name | string | |
action_result.data.*.domain | string | |
action_result.data.*.errors.*.code | numeric | |
action_result.data.*.errors.*.message | string | |
action_result.data.*.filepath | string | |
action_result.data.*.incident_id | string | crowdstrike incident id |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.objective | string | |
action_result.data.*.pattern_disposition | numeric | |
action_result.data.*.pattern_disposition_details.bootup_safeguard_enabled | boolean | |
action_result.data.*.pattern_disposition_details.critical_process_disabled | boolean | |
action_result.data.*.pattern_disposition_details.detect | boolean | |
action_result.data.*.pattern_disposition_details.fs_operation_blocked | boolean | |
action_result.data.*.pattern_disposition_details.handle_operation_downgraded | boolean | |
action_result.data.*.pattern_disposition_details.inddet_mask | boolean | |
action_result.data.*.pattern_disposition_details.indicator | boolean | |
action_result.data.*.pattern_disposition_details.kill_parent | boolean | |
action_result.data.*.pattern_disposition_details.kill_process | boolean | |
action_result.data.*.pattern_disposition_details.kill_subprocess | boolean | |
action_result.data.*.pattern_disposition_details.operation_blocked | boolean | |
action_result.data.*.pattern_disposition_details.policy_disabled | boolean | |
action_result.data.*.pattern_disposition_details.process_blocked | boolean | |
action_result.data.*.pattern_disposition_details.quarantine_file | boolean | |
action_result.data.*.pattern_disposition_details.quarantine_machine | boolean | |
action_result.data.*.pattern_disposition_details.registry_operation_blocked | boolean | |
action_result.data.*.pattern_disposition_details.rooting | boolean | |
action_result.data.*.pattern_disposition_details.sensor_only | boolean | |
action_result.data.*.pattern_id | numeric | |
action_result.data.*.sha256 | string | |
action_result.data.*.tactic | string | |
action_result.data.*.tactic_id | string | |
action_result.data.*.technique | string | |
action_result.data.*.technique_id | string | |
action_result.data.*.template_instance_id | numeric | |
action_result.data.*.timestamp | string | |
action_result.data.*.user_name | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ids | required | List of incident IDs. Comma separated list allowed | string | crowdstrike incident id |
add_tag | optional | Adds the associated tag to all the incident(s) of the ids list. See example values for the defined list | string | |
delete_tag | optional | Deletes the matching tag from all the incident(s) in the ids list. See example values for the defined list | string | |
update_name | optional | Updates the name of all the incident(s) in the ids list | string | |
update_description | optional | Updates the description of all the incident(s) listed in the ids | string | |
update_status | optional | Updates the status of all the incident(s) in the ids list | string | |
add_comment | optional | Adds a comment for all the incident(s) in the ids list | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.add_comment | string | |
action_result.parameter.add_tag | string | |
action_result.parameter.delete_tag | string | |
action_result.parameter.ids | string | crowdstrike incident id |
action_result.parameter.update_description | string | |
action_result.parameter.update_name | string | |
action_result.parameter.update_status | string | |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get information about all users in your Customer ID
Type: investigate
Read only: True
No parameters are required for this action
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.resources.*.customer | string | crowdstrike customer id |
action_result.data.*.resources.*.firstName | string | |
action_result.data.*.resources.*.lastName | string | |
action_result.data.*.resources.*.uid | string | crowdstrike user id |
action_result.data.*.resources.*.uuid | string | crowdstrike unique user id |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Gets the roles that are assigned to the user
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
user_uuid | required | User's unique ID to get the roles for | string | crowdstrike unique user id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.user_uuid | string | crowdstrike unique user id |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.resources | string | crowdstrike user role id |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get information about all user roles from your Customer ID
Type: investigate
Read only: True
No parameters are required for this action
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.resources.*.description | string | |
action_result.data.*.resources.*.display_name | string | |
action_result.data.*.resources.*.id | string | crowdstrike user role id |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get information about user roles from your Customer ID, given role IDs
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
role_id | required | Role ID to get information about. Comma separated list allowed | string | crowdstrike user role id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.role_id | string | crowdstrike user role id |
action_result.data.*.description | string | |
action_result.data.*.display_name | string | |
action_result.data.*.errors.*.code | numeric | |
action_result.data.*.errors.*.message | string | |
action_result.data.*.id | string | crowdstrike user role id |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Query environment wide CrowdScore and return the entity data
Type: investigate
Read only: True
This action fetches crowdscores using pagination logic.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
filter | optional | Optional filter and sort criteria in the form of an FQL query | string | |
sort | optional | Sort the results by a specific field and direction. (Example: assigned_to.asc) | string | |
offset | optional | Starting index of overall result set from which to return ids. (Defaults to 0) | numeric | |
limit | optional | Limit the number of results to return. (Defaults to 50, Max 500) | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.filter | string | |
action_result.parameter.limit | numeric | |
action_result.parameter.offset | numeric | |
action_result.parameter.sort | string | |
action_result.data.*.adjusted_score | numeric | |
action_result.data.*.cid | string | |
action_result.data.*.errors.*.code | numeric | |
action_result.data.*.errors.*.message | string | |
action_result.data.*.id | string | crowdstrike crowdscore id |
action_result.data.*.meta.pagination.limit | numeric | |
action_result.data.*.meta.pagination.offset | numeric | |
action_result.data.*.meta.pagination.total | numeric | |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.pagination.*.limit | numeric | |
action_result.data.*.pagination.*.offset | numeric | |
action_result.data.*.pagination.*.total | numeric | |
action_result.data.*.resources.*.cid | string | |
action_result.data.*.score | numeric | |
action_result.data.*.timestamp | string | |
action_result.summary.total_crowdscores | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get details on incidents by providing incident IDs
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ids | required | List of incident IDs. Comma separated list allowed | string | crowdstrike incident id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.ids | string | crowdstrike incident id |
action_result.data.*.assigned_to | string | |
action_result.data.*.assigned_to_name | string | |
action_result.data.*.cid | string | |
action_result.data.*.created | string | |
action_result.data.*.description | string | |
action_result.data.*.end | string | |
action_result.data.*.errors.*.code | numeric | |
action_result.data.*.errors.*.message | string | |
action_result.data.*.fine_score | numeric | |
action_result.data.*.host_ids | string | crowdstrike device id |
action_result.data.*.hosts.*.agent_load_flags | string | |
action_result.data.*.hosts.*.agent_local_time | string | |
action_result.data.*.hosts.*.agent_version | string | |
action_result.data.*.hosts.*.bios_manufacturer | string | |
action_result.data.*.hosts.*.bios_version | string | |
action_result.data.*.hosts.*.cid | string | |
action_result.data.*.hosts.*.config_id_base | string | |
action_result.data.*.hosts.*.config_id_build | string | |
action_result.data.*.hosts.*.config_id_platform | string | |
action_result.data.*.hosts.*.device_id | string | crowdstrike device id |
action_result.data.*.hosts.*.external_ip | string | |
action_result.data.*.hosts.*.first_seen | string | |
action_result.data.*.hosts.*.hostname | string | |
action_result.data.*.hosts.*.last_seen | string | |
action_result.data.*.hosts.*.local_ip | string | |
action_result.data.*.hosts.*.mac_address | string | |
action_result.data.*.hosts.*.machine_domain | string | |
action_result.data.*.hosts.*.major_version | string | |
action_result.data.*.hosts.*.minor_version | string | |
action_result.data.*.hosts.*.modified_timestamp | string | |
action_result.data.*.hosts.*.os_version | string | |
action_result.data.*.hosts.*.ou | string | |
action_result.data.*.hosts.*.platform_id | string | |
action_result.data.*.hosts.*.platform_name | string | |
action_result.data.*.hosts.*.product_type | string | |
action_result.data.*.hosts.*.product_type_desc | string | |
action_result.data.*.hosts.*.site_name | string | |
action_result.data.*.hosts.*.status | string | |
action_result.data.*.hosts.*.system_manufacturer | string | |
action_result.data.*.hosts.*.system_product_name | string | |
action_result.data.*.incident_id | string | crowdstrike incident id |
action_result.data.*.incident_type | numeric | |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.modified_timestamp | string | |
action_result.data.*.name | string | |
action_result.data.*.start | string | |
action_result.data.*.state | string | |
action_result.data.*.status | numeric | |
action_result.data.*.tags | string | |
action_result.data.*.users | string | |
action_result.summary.total_incidents | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Search for behaviors by providing an FQL filter, sorting, and paging details
Type: investigate
Read only: True
This action fetches incident behaviors using pagination logic.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
filter | optional | Optional filter and sort criteria in the form of an FQL query | string | |
sort | optional | Sort the results by a specific field and direction. (Example: assigned_to.asc) | string | |
offset | optional | Starting index of overall result set from which to return ids. (Defaults to 0) | numeric | |
limit | optional | Limit the number of results to return. (Defaults to 50, Max 500) | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.filter | string | |
action_result.parameter.limit | numeric | |
action_result.parameter.offset | numeric | |
action_result.parameter.sort | string | |
action_result.data.* | string | crowdstrike incidentbehavior id |
action_result.data.*.errors.*.code | numeric | |
action_result.data.*.errors.*.message | string | |
action_result.data.*.meta.pagination.limit | numeric | |
action_result.data.*.meta.pagination.offset | numeric | |
action_result.data.*.meta.pagination.total | numeric | |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.pagination.*.limit | numeric | |
action_result.data.*.pagination.*.offset | numeric | |
action_result.data.*.pagination.*.total | numeric | |
action_result.summary.total_incident_behaviors | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Search for incidents by providing an FQL filter, sorting, and paging details
Type: investigate
Read only: True
This action fetches incidents using pagination logic.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
filter | optional | Optional filter and sort criteria in the form of an FQL query | string | |
sort | optional | Sort the results by a specific field and direction. (Example: assigned_to.asc) | string | |
offset | optional | Starting index of overall result set from which to return ids. (Defaults to 0) | numeric | |
limit | optional | Limit the number of results to return. (Defaults to 50, Max 500) | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.filter | string | |
action_result.parameter.limit | numeric | |
action_result.parameter.offset | numeric | |
action_result.parameter.sort | string | |
action_result.data.* | string | crowdstrike incident id |
action_result.data.*.errors.*.code | numeric | |
action_result.data.*.errors.*.message | string | |
action_result.data.*.meta.pagination.limit | numeric | |
action_result.data.*.meta.pagination.offset | numeric | |
action_result.data.*.meta.pagination.total | numeric | |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.pagination.*.limit | numeric | |
action_result.data.*.pagination.*.offset | numeric | |
action_result.data.*.pagination.*.total | numeric | |
action_result.summary.total_incidents | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
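The three search actions above (CrowdScore, incident behaviors, and incidents) all describe the same pagination contract: an `offset` and a `limit` (default 50, max 500) on the request, and `meta.pagination.limit`, `offset` and `total` in the response. The walker below is an added example written for this page, not the app's own code; the `query` callable, `FakeIncidentQuery`, the sample filter string and all ids are constructed stand-ins, and only the response fields listed in the data-path tables are relied on.

```python
"""Walk an offset/limit paginated CrowdStrike query to completion.

Added example for this page; not the app's own code. The `query` callable and
FakeIncidentQuery are constructed stand-ins; the response shape follows the
data paths above (meta.pagination.limit/offset/total, resources, errors).
"""
from typing import Any, Callable, Dict, List, Optional

PAGE_DEFAULT = 50    # the actions document "Defaults to 50, Max 500"
PAGE_MAX = 500

# query(filter_expr, sort, offset, limit) -> response body
QueryFn = Callable[[str, str, int, int], Dict[str, Any]]


def fetch_all_ids(query: QueryFn, filter_expr: str = "", sort: str = "",
                  page_size: int = PAGE_MAX, max_items: Optional[int] = None) -> List[str]:
    """Collect every id matching filter_expr, one page at a time.

    Stops when the offset reaches meta.pagination.total, when a page comes
    back empty (defensive: avoids looping if total is stale), or once
    max_items ids have been gathered.
    """
    page_size = max(1, min(page_size, PAGE_MAX))
    ids: List[str] = []
    offset = 0
    while True:
        body = query(filter_expr, sort, offset, page_size)
        errors = body.get("errors") or []
        if errors:
            first = errors[0]
            raise RuntimeError(f"API error {first.get('code')}: {first.get('message')}")
        page = body.get("resources") or []
        if not page:
            break
        ids.extend(page)
        if max_items is not None and len(ids) >= max_items:
            return ids[:max_items]
        total = int(body.get("meta", {}).get("pagination", {}).get("total", 0))
        # Advance by what was actually received: the server may clamp limit.
        offset += len(page)
        if offset >= total:
            break
    return ids


class FakeIncidentQuery:
    """Constructed stand-in for the incident search endpoint."""

    def __init__(self, count: int, server_max: int = PAGE_MAX) -> None:
        self.ids = [f"inc:constructed:{i:06d}" for i in range(count)]
        self.server_max = server_max
        self.calls: List[Dict[str, Any]] = []

    def __call__(self, filter_expr: str, sort: str, offset: int, limit: int) -> Dict[str, Any]:
        limit = max(1, min(limit, self.server_max))     # server-side clamp
        self.calls.append({"offset": offset, "limit": limit, "filter": filter_expr, "sort": sort})
        return {
            "meta": {
                "pagination": {"limit": limit, "offset": offset, "total": len(self.ids)},
                "query_time": 0.01, "powered_by": "constructed", "trace_id": "trace-constructed",
            },
            "resources": self.ids[offset:offset + limit],
            "errors": [],
        }


def demo(count: int = 1237, page_size: int = PAGE_MAX, max_items: Optional[int] = None):
    """Return (ids, request_count) for a constructed result set of `count` incidents."""
    api = FakeIncidentQuery(count)
    ids = fetch_all_ids(api, filter_expr="state:'open'",           # constructed sample FQL
                        sort="modified_timestamp.desc",            # constructed sample sort
                        page_size=page_size, max_items=max_items)
    return ids, len(api.calls)


if __name__ == "__main__":
    ids, calls = demo()
    print(f"{len(ids)} ids in {calls} requests")
```

The ids returned by these search actions are what the corresponding 'get incident details' and 'get behavior details' actions take as input, so a playbook typically feeds the list from `fetch_all_ids` into one of those in batches. Capping with `max_items` keeps a broad filter from pulling an unbounded number of pages.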
Get RTR extracted file contents for the specified session and sha256 and add it to the vault
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
session_id | required | RTR Session ID | string | crowdstrike rtr session id |
file_hash | required | SHA256 hash to retrieve | string | sha256 |
file_name | optional | Filename to use for the archive name and the file within the archive | string | filename |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.file_hash | string | sha256 |
action_result.parameter.file_name | string | filename |
action_result.parameter.session_id | string | crowdstrike rtr session id |
action_result.data.*.container | string | |
action_result.data.*.container_id | numeric | |
action_result.data.*.create_time | string | |
action_result.data.*.created_via | string | |
action_result.data.*.hash | string | sha1 |
action_result.data.*.id | numeric | |
action_result.data.*.metadata.md5 | string | |
action_result.data.*.metadata.sha1 | string | |
action_result.data.*.metadata.sha256 | string | |
action_result.data.*.mime_type | string | |
action_result.data.*.name | string | |
action_result.data.*.path | string | |
action_result.data.*.size | numeric | |
action_result.data.*.task | string | |
action_result.data.*.user | string | |
action_result.data.*.vault_document | numeric | |
action_result.data.*.vault_id | string | sha1 vault id |
action_result.summary.vault_id | string | sha1 vault id |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Set the state of a detection in Crowdstrike Host
Type: generic
Read only: False
The detection id can be obtained from the Crowdstrike UI and its state can be set.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
id | required | Detection ID to set the state of | string | crowdstrike detection id |
state | required | State to set | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.id | string | crowdstrike detection id |
action_result.parameter.state | string | |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get details of a device, given the device ID
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
id | required | Device ID from previous Crowdstrike IOC search | string | crowdstrike device id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.id | string | crowdstrike device id |
action_result.data.*.agent_load_flags | string | |
action_result.data.*.agent_local_time | string | |
action_result.data.*.agent_version | string | |
action_result.data.*.bios_manufacturer | string | |
action_result.data.*.bios_version | string | |
action_result.data.*.build_number | string | |
action_result.data.*.cid | string | md5 |
action_result.data.*.config_id_base | string | |
action_result.data.*.config_id_build | string | |
action_result.data.*.config_id_platform | string | |
action_result.data.*.cpu_signature | string | |
action_result.data.*.device_id | string | crowdstrike device id |
action_result.data.*.device_policies.device_control.applied | boolean | |
action_result.data.*.device_policies.device_control.applied_date | string | |
action_result.data.*.device_policies.device_control.assigned_date | string | |
action_result.data.*.device_policies.device_control.policy_id | string | |
action_result.data.*.device_policies.device_control.policy_type | string | |
action_result.data.*.device_policies.firewall.applied | boolean | |
action_result.data.*.device_policies.firewall.applied_date | string | |
action_result.data.*.device_policies.firewall.assigned_date | string | |
action_result.data.*.device_policies.firewall.policy_id | string | |
action_result.data.*.device_policies.firewall.policy_type | string | |
action_result.data.*.device_policies.firewall.rule_set_id | string | |
action_result.data.*.device_policies.global_config.applied | boolean | |
action_result.data.*.device_policies.global_config.applied_date | string | |
action_result.data.*.device_policies.global_config.assigned_date | string | |
action_result.data.*.device_policies.global_config.policy_id | string | |
action_result.data.*.device_policies.global_config.policy_type | string | |
action_result.data.*.device_policies.global_config.settings_hash | string | |
action_result.data.*.device_policies.prevention.applied | boolean | |
action_result.data.*.device_policies.prevention.applied_date | string | |
action_result.data.*.device_policies.prevention.assigned_date | string | |
action_result.data.*.device_policies.prevention.policy_id | string | md5 |
action_result.data.*.device_policies.prevention.policy_type | string | |
action_result.data.*.device_policies.prevention.settings_hash | string | |
action_result.data.*.device_policies.remote_response.applied | boolean | |
action_result.data.*.device_policies.remote_response.applied_date | string | |
action_result.data.*.device_policies.remote_response.assigned_date | string | |
action_result.data.*.device_policies.remote_response.policy_id | string | |
action_result.data.*.device_policies.remote_response.policy_type | string | |
action_result.data.*.device_policies.remote_response.settings_hash | string | |
action_result.data.*.device_policies.sensor_update.applied | boolean | |
action_result.data.*.device_policies.sensor_update.applied_date | string | |
action_result.data.*.device_policies.sensor_update.assigned_date | string | |
action_result.data.*.device_policies.sensor_update.policy_id | string | md5 |
action_result.data.*.device_policies.sensor_update.policy_type | string | |
action_result.data.*.device_policies.sensor_update.settings_hash | string | |
action_result.data.*.device_policies.sensor_update.uninstall_protection | string | |
action_result.data.*.external_ip | string | ip |
action_result.data.*.first_seen | string | |
action_result.data.*.group_hash | string | sha256 |
action_result.data.*.groups | string | md5 |
action_result.data.*.hostname | string | host name |
action_result.data.*.instance_id | string | |
action_result.data.*.last_seen | string | |
action_result.data.*.local_ip | string | |
action_result.data.*.mac_address | string | |
action_result.data.*.machine_domain | string | domain |
action_result.data.*.major_version | string | |
action_result.data.*.meta.version | string | |
action_result.data.*.minor_version | string | |
action_result.data.*.modified_timestamp | string | |
action_result.data.*.os_version | string | |
action_result.data.*.ou | string | |
action_result.data.*.platform_id | string | |
action_result.data.*.platform_name | string | |
action_result.data.*.pointer_size | string | |
action_result.data.*.policies.*.applied | boolean | |
action_result.data.*.policies.*.applied_date | string | |
action_result.data.*.policies.*.assigned_date | string | |
action_result.data.*.policies.*.policy_id | string | md5 |
action_result.data.*.policies.*.policy_type | string | |
action_result.data.*.policies.*.settings_hash | string | |
action_result.data.*.product_type | string | |
action_result.data.*.product_type_desc | string | |
action_result.data.*.provision_status | string | |
action_result.data.*.reduced_functionality_mode | string | |
action_result.data.*.release_group | string | |
action_result.data.*.serial_number | string | |
action_result.data.*.service_pack_major | string | |
action_result.data.*.service_pack_minor | string | |
action_result.data.*.service_provider | string | |
action_result.data.*.service_provider_account_id | string | |
action_result.data.*.site_name | string | |
action_result.data.*.slow_changing_modified_timestamp | string | |
action_result.data.*.status | string | |
action_result.data.*.system_manufacturer | string | |
action_result.data.*.system_product_name | string | |
action_result.data.*.zone_group | string | |
action_result.summary.hostname | string | host name |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Retrieve the details of a process that is running or that previously ran, given a process ID
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
falcon_process_id | required | Process ID from previous Falcon IOC search | string | falcon process id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.falcon_process_id | string | falcon process id |
action_result.data.*.command_line | string | |
action_result.data.*.device_id | string | crowdstrike device id |
action_result.data.*.file_name | string | file name |
action_result.data.*.process_id | string | pid |
action_result.data.*.process_id_local | string | pid |
action_result.data.*.start_timestamp | string | |
action_result.data.*.start_timestamp_raw | string | |
action_result.data.*.stop_timestamp | string | |
action_result.data.*.stop_timestamp_raw | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Hunt for a file on the network by querying for the hash
Type: investigate
Read only: True
If count_only is set to true, keep the limit value large enough that the returned count covers all matching devices.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | File hash to search | string | hash sha256 sha1 md5 |
count_only | optional | Get endpoint count only | boolean | |
limit | optional | Maximum device IDs to be fetched (defaults to 100) | numeric |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.count_only | boolean | |
action_result.parameter.hash | string | hash sha256 sha1 md5 |
action_result.parameter.limit | numeric | |
action_result.data.*.device_id | string | crowdstrike device id |
action_result.summary.device_count | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Get a list of device IDs on which the domain was matched
Type: investigate
Read only: True
If count_only is set to true, keep the limit value large enough that the returned count covers all matching devices.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
domain | required | Domain to search | string | domain |
count_only | optional | Get endpoint count only | boolean | |
limit | optional | Maximum device IDs to be fetched (defaults to 100) | numeric |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.count_only | boolean | |
action_result.parameter.domain | string | domain |
action_result.parameter.limit | numeric | |
action_result.data.*.device_id | string | crowdstrike device id |
action_result.summary.device_count | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Upload a new put-file to use for the RTR `put` command
Type: generic
Read only: False
This action requires a token with RTR Admin permissions.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
vault_id | required | Vault ID of file to upload | string | vault id |
description | required | File description | string | |
file_name | optional | Filename to use (if different than actual file name) | string | filename |
comment | optional | Comment for the audit log | string |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.comment | string | |
action_result.parameter.description | string | |
action_result.parameter.file_name | string | filename |
action_result.parameter.vault_id | string | vault id |
action_result.data.*.meta.powered_by | string | |
action_result.data.*.meta.query_time | numeric | |
action_result.data.*.meta.trace_id | string | |
action_result.data.*.meta.writes.resources_affected | numeric | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Get the full definition of one or more indicators that are being watched
Type: investigate
Read only: True
In this action, either 'indicator_value' and 'indicator_type' or 'resource_id' should be provided. The priority of 'resource_id' is higher. If all the parameters are provided then the indicator will be fetched based on the 'resource_id'.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
indicator_value | optional | String representation of the indicator | string | domain md5 sha256 ip ipv6 |
indicator_type | optional | The type of the indicator | string | crowdstrike indicator type |
resource_id | optional | The resource id of the indicator | string | crowdstrike indicator id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.indicator_type | string | crowdstrike indicator type |
action_result.parameter.indicator_value | string | domain md5 sha256 ip ipv6 |
action_result.parameter.resource_id | string | crowdstrike indicator id |
action_result.data.*.action | string | crowdstrike indicator action |
action_result.data.*.applied_globally | boolean | |
action_result.data.*.created_by | string | |
action_result.data.*.created_on | string | date |
action_result.data.*.created_timestamp | string | date |
action_result.data.*.deleted | boolean | |
action_result.data.*.description | string | |
action_result.data.*.expiration | string | date |
action_result.data.*.expiration_timestamp | string | date |
action_result.data.*.expired | boolean | |
action_result.data.*.from_parent | boolean | |
action_result.data.*.host_groups.* | string | crowdstrike host group id |
action_result.data.*.id | string | crowdstrike indicator id |
action_result.data.*.metadata.av_hits | numeric | |
action_result.data.*.metadata.filename | string | |
action_result.data.*.metadata.signed | boolean | |
action_result.data.*.modified_by | string | |
action_result.data.*.modified_on | string | |
action_result.data.*.modified_timestamp | string | date |
action_result.data.*.platforms.* | string | crowdstrike indicator platforms |
action_result.data.*.severity | string | severity |
action_result.data.*.source | string | |
action_result.data.*.tags | string | |
action_result.data.*.type | string | crowdstrike indicator type |
action_result.data.*.value | string | ip ipv6 md5 sha256 domain |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Queries for custom indicators in your customer account
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
indicator_value | optional | String representation of the indicator | string | ip ipv6 md5 sha256 domain |
indicator_type | optional | The type of the indicator | string | crowdstrike indicator type |
action | optional | Enforcement policy | string | crowdstrike indicator action |
source | optional | The source of indicators | string | |
from_expiration | optional | The earliest indicator expiration date (RFC3339) | string | date |
to_expiration | optional | The latest indicator expiration date (RFC3339) | string | date |
limit | optional | Maximum number of indicators to be fetched (defaults to 100) | numeric | |
sort | optional | Property to sort by | string |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.from_expiration | string | date |
action_result.parameter.indicator_type | string | crowdstrike indicator type |
action_result.parameter.indicator_value | string | ip ipv6 md5 sha256 domain |
action_result.parameter.limit | numeric | |
action_result.parameter.ph | string | |
action_result.parameter.action | string | crowdstrike indicator action |
action_result.parameter.sort | string | |
action_result.parameter.source | string | |
action_result.parameter.to_expiration | string | date |
action_result.data.*.domain | string | domain |
action_result.data.*.domain.*.action | string | crowdstrike indicator action |
action_result.data.*.domain.*.applied_globally | boolean | |
action_result.data.*.domain.*.created_by | string | md5 |
action_result.data.*.domain.*.created_on | string | date |
action_result.data.*.domain.*.created_timestamp | string | date |
action_result.data.*.domain.*.deleted | boolean | |
action_result.data.*.domain.*.description | string | |
action_result.data.*.domain.*.expiration | string | date |
action_result.data.*.domain.*.expiration_timestamp | string | date |
action_result.data.*.domain.*.expired | boolean | |
action_result.data.*.domain.*.from_parent | boolean | |
action_result.data.*.domain.*.host_groups.* | string | crowdstrike host group id |
action_result.data.*.domain.*.id | string | crowdstrike indicator id |
action_result.data.*.domain.*.modified_by | string | md5 |
action_result.data.*.domain.*.modified_on | string | |
action_result.data.*.domain.*.modified_timestamp | string | date |
action_result.data.*.domain.*.platforms.* | string | crowdstrike indicator platforms |
action_result.data.*.domain.*.severity | string | severity |
action_result.data.*.domain.*.source | string | |
action_result.data.*.domain.*.tags | string | |
action_result.data.*.domain.*.type | string | crowdstrike indicator type |
action_result.data.*.domain.*.value | string | domain |
action_result.data.*.ipv4 | string | ip |
action_result.data.*.ipv4.*.action | string | crowdstrike indicator action |
action_result.data.*.ipv4.*.applied_globally | boolean | |
action_result.data.*.ipv4.*.created_by | string | md5 |
action_result.data.*.ipv4.*.created_on | string | date |
action_result.data.*.ipv4.*.created_timestamp | string | date |
action_result.data.*.ipv4.*.deleted | boolean | |
action_result.data.*.ipv4.*.description | string | |
action_result.data.*.ipv4.*.expiration | string | date |
action_result.data.*.ipv4.*.expiration_timestamp | string | date |
action_result.data.*.ipv4.*.expired | boolean | |
action_result.data.*.ipv4.*.from_parent | boolean | |
action_result.data.*.ipv4.*.host_groups.* | string | crowdstrike host group id |
action_result.data.*.ipv4.*.id | string | crowdstrike indicator id |
action_result.data.*.ipv4.*.modified_by | string | md5 |
action_result.data.*.ipv4.*.modified_on | string | |
action_result.data.*.ipv4.*.modified_timestamp | string | date |
action_result.data.*.ipv4.*.platforms.* | string | crowdstrike indicator platforms |
action_result.data.*.ipv4.*.severity | string | severity |
action_result.data.*.ipv4.*.source | string | |
action_result.data.*.ipv4.*.tags | string | |
action_result.data.*.ipv4.*.type | string | crowdstrike indicator type |
action_result.data.*.ipv4.*.value | string | ip |
action_result.data.*.ipv6 | string | ipv6 |
action_result.data.*.ipv6.*.action | string | crowdstrike indicator action |
action_result.data.*.ipv6.*.applied_globally | boolean | |
action_result.data.*.ipv6.*.created_by | string | md5 |
action_result.data.*.ipv6.*.created_on | string | date |
action_result.data.*.ipv6.*.created_timestamp | string | date |
action_result.data.*.ipv6.*.deleted | boolean | |
action_result.data.*.ipv6.*.description | string | |
action_result.data.*.ipv6.*.expiration | string | date |
action_result.data.*.ipv6.*.expiration_timestamp | string | date |
action_result.data.*.ipv6.*.expired | boolean | |
action_result.data.*.ipv6.*.from_parent | boolean | |
action_result.data.*.ipv6.*.host_groups.* | string | crowdstrike host group id |
action_result.data.*.ipv6.*.id | string | crowdstrike indicator id |
action_result.data.*.ipv6.*.modified_by | string | md5 |
action_result.data.*.ipv6.*.modified_on | string | |
action_result.data.*.ipv6.*.modified_timestamp | string | date |
action_result.data.*.ipv6.*.platforms.* | string | crowdstrike indicator platforms |
action_result.data.*.ipv6.*.severity | string | severity |
action_result.data.*.ipv6.*.source | string | |
action_result.data.*.ipv6.*.tags | string | |
action_result.data.*.ipv6.*.type | string | crowdstrike indicator type |
action_result.data.*.ipv6.*.value | string | ipv6 |
action_result.data.*.md5 | string | md5 |
action_result.data.*.md5.*.action | string | crowdstrike indicator action |
action_result.data.*.md5.*.applied_globally | boolean | |
action_result.data.*.md5.*.created_by | string | md5 |
action_result.data.*.md5.*.created_on | string | date |
action_result.data.*.md5.*.created_timestamp | string | date |
action_result.data.*.md5.*.deleted | boolean | |
action_result.data.*.md5.*.description | string | |
action_result.data.*.md5.*.expiration | string | date |
action_result.data.*.md5.*.expiration_timestamp | string | date |
action_result.data.*.md5.*.expired | boolean | |
action_result.data.*.md5.*.from_parent | boolean | |
action_result.data.*.md5.*.host_groups.* | string | crowdstrike host group id |
action_result.data.*.md5.*.id | string | crowdstrike indicator id |
action_result.data.*.md5.*.metadata.av_hits | numeric | |
action_result.data.*.md5.*.metadata.filename | string | |
action_result.data.*.md5.*.metadata.signed | boolean | |
action_result.data.*.md5.*.modified_by | string | md5 |
action_result.data.*.md5.*.modified_on | string | |
action_result.data.*.md5.*.modified_timestamp | string | date |
action_result.data.*.md5.*.platforms.* | string | crowdstrike indicator platforms |
action_result.data.*.md5.*.severity | string | severity |
action_result.data.*.md5.*.source | string | |
action_result.data.*.md5.*.tags | string | |
action_result.data.*.md5.*.type | string | crowdstrike indicator type |
action_result.data.*.md5.*.value | string | md5 |
action_result.data.*.sha256 | string | sha256 |
action_result.data.*.sha256.*.action | string | crowdstrike indicator action |
action_result.data.*.sha256.*.applied_globally | boolean | |
action_result.data.*.sha256.*.created_by | string | md5 |
action_result.data.*.sha256.*.created_on | string | date |
action_result.data.*.sha256.*.created_timestamp | string | date |
action_result.data.*.sha256.*.deleted | boolean | |
action_result.data.*.sha256.*.description | string | |
action_result.data.*.sha256.*.expiration | string | date |
action_result.data.*.sha256.*.expiration_timestamp | string | date |
action_result.data.*.sha256.*.expired | boolean | |
action_result.data.*.sha256.*.from_parent | boolean | |
action_result.data.*.sha256.*.host_groups.* | string | crowdstrike host group id |
action_result.data.*.sha256.*.id | string | crowdstrike indicator id |
action_result.data.*.sha256.*.metadata.av_hits | numeric | |
action_result.data.*.sha256.*.metadata.filename | string | |
action_result.data.*.sha256.*.metadata.signed | boolean | |
action_result.data.*.sha256.*.modified_by | string | md5 |
action_result.data.*.sha256.*.modified_on | string | |
action_result.data.*.sha256.*.modified_timestamp | string | date |
action_result.data.*.sha256.*.platforms.* | string | crowdstrike indicator platforms |
action_result.data.*.sha256.*.severity | string | severity |
action_result.data.*.sha256.*.source | string | |
action_result.data.*.sha256.*.tags | string | |
action_result.data.*.sha256.*.type | string | crowdstrike indicator type |
action_result.data.*.sha256.*.value | string | sha256 |
action_result.summary.alerts_found | numeric | |
action_result.summary.total_domain | numeric | |
action_result.summary.total_ipv4 | numeric | |
action_result.summary.total_ipv6 | numeric | |
action_result.summary.total_md5 | numeric | |
action_result.summary.total_sha256 | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Queries for files uploaded to Crowdstrike for use with the RTR `put` command
Type: investigate
Read only: True
For additional information on FQL syntax see: https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
filter | optional | FQL query to filter results | string | |
offset | optional | Starting index of overall result set | string | |
limit | optional | Number of files to return | numeric | |
sort | optional | Sort results | string |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.filter | string | |
action_result.parameter.limit | numeric | |
action_result.parameter.offset | string | |
action_result.parameter.sort | string | |
action_result.data.*.comments_for_audit_log | string | |
action_result.data.*.created_by | string | |
action_result.data.*.created_by_uuid | string | |
action_result.data.*.created_timestamp | string | |
action_result.data.*.description | string | |
action_result.data.*.file_type | string | |
action_result.data.*.id | string | |
action_result.data.*.modified_by | string | |
action_result.data.*.modified_timestamp | string | |
action_result.data.*.name | string | |
action_result.data.*.permission_type | string | |
action_result.data.*.run_attempt_count | numeric | |
action_result.data.*.run_success_count | numeric | |
action_result.data.*.sha256 | string | sha256 |
action_result.data.*.size | numeric | |
action_result.summary.total_files | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Callback action for the on_poll ingest functionality
Type: ingest
Read only: True
This action remembers the last event ID that was queried for. The next ingestion run queries only for later event IDs, so the same events are not queried in every run. However, in the case of 'POLL NOW', the queried event IDs are not remembered.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
start_time | optional | Parameter ignored in this app | numeric | |
end_time | optional | Parameter ignored in this app | numeric | |
container_count | optional | Parameter ignored in this app | numeric | |
artifact_count | optional | Parameter ignored in this app | numeric |
No Output
List processes that have recently used the IOC on a particular device
Type: investigate
Read only: True
Given a file hash or domain, the action lists all the processes that have either recently connected to the domain or interacted with the file that matches the supplied hash. Use the query device actions to get the device ID to run the action on. If count_only is set to true, keep the limit value large enough that the returned count covers all matching devices.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ioc | required | File Hash or Domain to use for searching | string | hash sha256 sha1 md5 domain |
id | required | Crowdstrike Device ID to search on | string | crowdstrike device id |
limit | optional | Maximum processes to be fetched (defaults to 100) | numeric |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.id | string | crowdstrike device id |
action_result.parameter.ioc | string | hash sha256 sha1 md5 domain |
action_result.parameter.limit | numeric | |
action_result.data.*.falcon_process_id | string | falcon process id |
action_result.summary.process_count | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Upload indicator that you want CrowdStrike to watch
Type: contain
Read only: False
Valid values for the action parameter are:
- no_action: Save the indicator for future use, but take no action. No severity required.
- allow: Applies to hashes only. Allow the indicator and do not detect it. Severity does not apply and should not be provided.
- prevent_no_ui: Applies to hashes only. Block and detect the indicator, but hide it from Activity > Detections. Has a default severity value.
- prevent: Applies to hashes only. Block the indicator and show it as a detection at the selected severity.
- detect: Enable detections for the indicator at the selected severity.
Valid values for the host groups parameter are:
- Comma separated host group IDs for specific groups
- Leave it blank for all the host groups
The CrowdStrike API accepts the standard timestamp format in the expiration parameter. In this action, the number of days provided in the expiration parameter is internally converted into the timestamp format to match the API format.
If an indicator with the same type and value is created again, the action fails, because a duplicate type-value combination is not allowed.
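The parameter rules above (hash-only actions, no severity for allow, blank host groups meaning all groups, expiration given in days and converted to a timestamp, and the duplicate type-value rejection), modelled in a Python example added here; it is not the connector's own code, and the request dictionary shape, the type-inference regexes and the sample values are assumptions made for illustration.

```python
"""Model of the 'upload indicator' parameter rules described above (added example,
not the connector's or CrowdStrike's code; the request dictionary shape, the
type-inference regexes and the sample values are assumptions made here)."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Action values listed on the page and the rules attached to each.
HASH_ONLY_ACTIONS = {"allow", "prevent_no_ui", "prevent"}  # "Applies to hashes only"
VALID_ACTIONS = {"no_action", "detect"} | HASH_ONLY_ACTIONS
NO_SEVERITY_ACTIONS = {"allow"}  # severity "should not be provided"
_MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)
_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
# Constructed fixed clock so the expiration conversion below is reproducible.
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def indicator_type(ioc: str) -> str:
    """Infer the indicator type (md5, sha256, ipv4, ipv6 or domain) from the raw value."""
    if _MD5.match(ioc):
        return "md5"
    if _SHA256.match(ioc):
        return "sha256"
    try:
        return "ipv4" if ipaddress.ip_address(ioc).version == 4 else "ipv6"
    except ValueError:
        pass
    if _DOMAIN.match(ioc):
        return "domain"
    raise ValueError(f"unsupported indicator value: {ioc!r}")


def expiration_from_days(days: int, now: Optional[datetime] = None) -> str:
    """Convert the 'expiration' parameter (lifetime in days) to an RFC3339 UTC timestamp."""
    if days <= 0:
        raise ValueError("expiration must be a positive number of days")
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def split_csv(value: Optional[str]) -> List[str]:
    """Turn a 'comma separated list' parameter into a list; blank means empty."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def validate_indicator(ioc_type: str, action: str, severity: Optional[str]) -> List[str]:
    """Return the rule violations for an action/type/severity combination (empty if valid)."""
    problems = []
    if action not in VALID_ACTIONS:
        problems.append(f"unknown action {action!r}; valid: {sorted(VALID_ACTIONS)}")
    elif action in HASH_ONLY_ACTIONS and ioc_type not in {"md5", "sha256"}:
        problems.append(f"action {action!r} applies to hashes only, got {ioc_type}")
    if action in NO_SEVERITY_ACTIONS and severity:
        problems.append(f"severity should not be provided for action {action!r}")
    return problems


def build_indicator_request(ioc: str, action: str, platforms: str,
                            expiration: Optional[int] = None, severity: Optional[str] = None,
                            host_groups: Optional[str] = None, tags: Optional[str] = None,
                            now: Optional[datetime] = None, **metadata: str) -> dict:
    """Apply the rules and return a request dict; extra kwargs (source, description, filename) pass through."""
    ioc_type = indicator_type(ioc)
    problems = validate_indicator(ioc_type, action, severity)
    if problems:
        raise ValueError("; ".join(problems))
    groups = split_csv(host_groups)
    request = {
        "type": ioc_type,
        "value": ioc,
        "action": action,
        "platforms": split_csv(platforms),
        "applied_globally": not groups,  # blank host_groups means all host groups
        "host_groups": groups,
        "tags": split_csv(tags),
    }
    if severity:
        request["severity"] = severity
    if expiration is not None:
        request["expiration"] = expiration_from_days(expiration, now)
    request.update({key: val for key, val in metadata.items() if val})
    return request


class IndicatorRegistry:
    """Tracks uploaded (type, value) pairs: uploading the same pair twice fails."""

    def __init__(self) -> None:
        self._seen = set()

    def upload(self, request: dict) -> tuple:
        key = (request["type"], request["value"])
        if key in self._seen:
            raise ValueError(f"duplicate type-value combination {key} is not allowed")
        self._seen.add(key)
        return key
```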
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ioc | required | Input domain, ip, or hash ioc | string | sha256 md5 domain ip ipv6 |
action | required | Action to take when a host observes the custom IOC | string | crowdstrike indicator action |
platforms | required | Comma separated list of platforms | string | crowdstrike indicator platforms |
expiration | optional | Alert lifetime in days | numeric | |
source | optional | Indicator originating source | string | |
description | optional | Indicator description | string | |
tags | optional | Comma separated list of tags | string | |
severity | optional | Severity level | string | severity |
host_groups | optional | Comma separated list of host group IDs | string | crowdstrike host group id |
filename | optional | Metadata filename | string |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.action | string | crowdstrike indicator action |
action_result.parameter.description | string | |
action_result.parameter.expiration | numeric | |
action_result.parameter.filename | string | |
action_result.parameter.host_groups | string | crowdstrike host group id |
action_result.parameter.ioc | string | sha256 md5 domain ip ipv6 |
action_result.parameter.platforms | string | crowdstrike indicator platforms |
action_result.parameter.severity | string | severity |
action_result.parameter.source | string | |
action_result.parameter.tags | string | |
action_result.data.*.action | string | crowdstrike indicator action |
action_result.data.*.applied_globally | boolean | |
action_result.data.*.created_by | string | md5 |
action_result.data.*.created_on | string | date |
action_result.data.*.created_timestamp | string | date |
action_result.data.*.deleted | boolean | |
action_result.data.*.description | string | |
action_result.data.*.expiration | string | date |
action_result.data.*.expiration_timestamp | string | date |
action_result.data.*.expired | boolean | |
action_result.data.*.from_parent | boolean | |
action_result.data.*.host_groups.* | string | crowdstrike host group id |
action_result.data.*.id | string | crowdstrike indicator id |
action_result.data.*.metadata.av_hits | numeric | |
action_result.data.*.metadata.filename | string | |
action_result.data.*.metadata.signed | boolean | |
action_result.data.*.modified_by | string | md5 |
action_result.data.*.modified_on | string | |
action_result.data.*.modified_timestamp | string | date |
action_result.data.*.platforms.* | string | crowdstrike indicator platforms |
action_result.data.*.severity | string | severity |
action_result.data.*.source | string | |
action_result.data.*.tags | string | |
action_result.data.*.type | string | crowdstrike indicator type |
action_result.data.*.value | string | ip ipv6 md5 sha256 domain |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Delete an indicator that is being watched
Type: correct
Read only: False
In this action, either 'ioc' or 'resource_id' should be provided. The priority of 'resource_id' is higher. If both the parameters are provided then the indicator will be deleted based on the 'resource_id'. The CrowdStrike API returns success for the 'resource_id' of the already deleted indicator.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ioc | optional | Hash, ip or domain IOC from previous upload | string | ip ipv6 md5 sha256 domain |
resource_id | optional | The resource id of the indicator | string | crowdstrike indicator id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.ioc | string | ip ipv6 md5 sha256 domain |
action_result.parameter.resource_id | string | crowdstrike indicator id |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Update an indicator that has been uploaded
Type: generic
Read only: False
Valid values for the host groups parameter are:
- Comma separated host group IDs for specific groups
- The value 'all' for all the host groups
- Leave it blank if there is no change
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ioc | required | Hash, ip or domain IOC to update | string | ip md5 sha256 domain |
action | optional | Action to take when a host observes the custom IOC | string | crowdstrike indicator action |
platforms | optional | Comma separated list of platforms | string | crowdstrike indicator platforms |
expiration | optional | Alert lifetime in days | numeric | |
source | optional | Indicator originating source | string | |
description | optional | Indicator description | string | |
tags | optional | Comma separated list of tags | string | |
severity | optional | Severity level | string | severity |
host_groups | optional | Comma separated list of host group IDs | string | crowdstrike host group id |
filename | optional | Metadata filename | string |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.action | string | crowdstrike indicator action |
action_result.parameter.description | string | |
action_result.parameter.expiration | numeric | |
action_result.parameter.filename | string | |
action_result.parameter.host_groups | string | crowdstrike host group id |
action_result.parameter.ioc | string | ip md5 sha256 domain |
action_result.parameter.platforms | string | crowdstrike indicator platforms |
action_result.parameter.severity | string | severity |
action_result.parameter.source | string | |
action_result.parameter.tags | string | |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Queries CrowdStrike for the file info
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
vault_id | required | Vault ID of file | string | vault id |
limit | optional | Maximum reports to be fetched | numeric | |
sort | optional | Property to sort by | string | |
offset | optional | Starting index of overall result set from which to return ids (defaults to 0) | numeric | |
detail_report | optional | Get the detailed report | boolean |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.detail_report | boolean | |
action_result.parameter.limit | numeric | |
action_result.parameter.offset | numeric | |
action_result.parameter.sort | string | |
action_result.parameter.vault_id | string | vault id |
action_result.data.*.cid | string | |
action_result.data.*.created_timestamp | string | |
action_result.data.*.id | string | crowdstrike resource id |
action_result.data.*.ioc_report_broad_csv_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_broad_json_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_broad_maec_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_broad_stix_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_csv_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_json_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_maec_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_stix_artifact_id | string | crowdstrike artifact id |
action_result.data.*.malquery.*.input | string | |
action_result.data.*.malquery.*.resources.*.file_size | numeric | |
action_result.data.*.malquery.*.resources.*.file_type | string | |
action_result.data.*.malquery.*.resources.*.first_seen_timestamp | string | |
action_result.data.*.malquery.*.resources.*.label | string | |
action_result.data.*.malquery.*.resources.*.md5 | string | md5 |
action_result.data.*.malquery.*.resources.*.sha1 | string | sha1 |
action_result.data.*.malquery.*.resources.*.sha256 | string | sha256 |
action_result.data.*.malquery.*.type | string | |
action_result.data.*.malquery.*.verdict | string | |
action_result.data.*.origin | string | |
action_result.data.*.sandbox.*.architecture | string | |
action_result.data.*.sandbox.*.contacted_hosts.*.address | string | ip |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.name | string | |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.pid | numeric | |
action_result.data.*.sandbox.*.contacted_hosts.*.country | string | |
action_result.data.*.sandbox.*.contacted_hosts.*.port | numeric | port |
action_result.data.*.sandbox.*.contacted_hosts.*.protocol | string | |
action_result.data.*.sandbox.*.dns_requests.*.address | string | ip |
action_result.data.*.sandbox.*.dns_requests.*.country | string | |
action_result.data.*.sandbox.*.dns_requests.*.domain | string | domain ip |
action_result.data.*.sandbox.*.dns_requests.*.registrar_creation_timestamp | string | date |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name | string | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name_servers | string | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_organization | string | |
action_result.data.*.sandbox.*.environment | numeric | |
action_result.data.*.sandbox.*.environment_description | string | crowdstrike environment |
action_result.data.*.sandbox.*.environment_id | numeric | |
action_result.data.*.sandbox.*.error_message | string | |
action_result.data.*.sandbox.*.error_origin | string | |
action_result.data.*.sandbox.*.error_type | string | |
action_result.data.*.sandbox.*.extracted_files.*.description | string | |
action_result.data.*.sandbox.*.extracted_files.*.file_path | string | |
action_result.data.*.sandbox.*.extracted_files.*.file_size | numeric | |
action_result.data.*.sandbox.*.extracted_files.*.md5 | string | md5 |
action_result.data.*.sandbox.*.extracted_files.*.name | string | |
action_result.data.*.sandbox.*.extracted_files.*.runtime_process | string | |
action_result.data.*.sandbox.*.extracted_files.*.sha1 | string | sha1 |
action_result.data.*.sandbox.*.extracted_files.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.extracted_files.*.threat_level_readable | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.filename | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.process | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.source | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.type | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.value | string | |
action_result.data.*.sandbox.*.file_imports.*.module | string | |
action_result.data.*.sandbox.*.file_size | numeric | |
action_result.data.*.sandbox.*.file_type | string | |
action_result.data.*.sandbox.*.http_requests.*.header | string | |
action_result.data.*.sandbox.*.http_requests.*.host | string | domain ip |
action_result.data.*.sandbox.*.http_requests.*.host_ip | string | ip |
action_result.data.*.sandbox.*.http_requests.*.host_port | numeric | port |
action_result.data.*.sandbox.*.http_requests.*.method | string | |
action_result.data.*.sandbox.*.http_requests.*.url | string | |
action_result.data.*.sandbox.*.incidents.*.name | string | |
action_result.data.*.sandbox.*.memory_strings_artifact_id | string | crowdstrike artifact id |
action_result.data.*.sandbox.*.mitre_attacks.*.attack_id | string | |
action_result.data.*.sandbox.*.mitre_attacks.*.tactic | string | |
action_result.data.*.sandbox.*.mitre_attacks.*.technique | string | |
action_result.data.*.sandbox.*.network_settings | string | |
action_result.data.*.sandbox.*.packer | string | |
action_result.data.*.sandbox.*.pcap_report_artifact_id | string | crowdstrike artifact id |
action_result.data.*.sandbox.*.processes.*.command_line | string | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.mask | string | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.path | string | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.type | string | |
action_result.data.*.sandbox.*.processes.*.handles.*.id | numeric | |
action_result.data.*.sandbox.*.processes.*.handles.*.path | string | |
action_result.data.*.sandbox.*.processes.*.handles.*.type | string | |
action_result.data.*.sandbox.*.processes.*.icon_artifact_id | string | crowdstrike artifact id |
action_result.data.*.sandbox.*.processes.*.name | string | |
action_result.data.*.sandbox.*.processes.*.normalized_path | string | |
action_result.data.*.sandbox.*.processes.*.parent_uid | string | |
action_result.data.*.sandbox.*.processes.*.pid | numeric | |
action_result.data.*.sandbox.*.processes.*.process_flags.*.name | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.key | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.operation | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.path | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.value | string | |
action_result.data.*.sandbox.*.processes.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.processes.*.uid | string | |
action_result.data.*.sandbox.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.signatures.*.attack_id | string | |
action_result.data.*.sandbox.*.signatures.*.category | string | |
action_result.data.*.sandbox.*.signatures.*.description | string | |
action_result.data.*.sandbox.*.signatures.*.identifier | string | |
action_result.data.*.sandbox.*.signatures.*.name | string | |
action_result.data.*.sandbox.*.signatures.*.origin | string | |
action_result.data.*.sandbox.*.signatures.*.relevance | numeric | |
action_result.data.*.sandbox.*.signatures.*.threat_level | numeric | |
action_result.data.*.sandbox.*.signatures.*.threat_level_human | string | |
action_result.data.*.sandbox.*.signatures.*.type | numeric | |
action_result.data.*.sandbox.*.submission_type | string | |
action_result.data.*.sandbox.*.submit_name | string | |
action_result.data.*.sandbox.*.threat_score | numeric | |
action_result.data.*.sandbox.*.verdict | string | |
action_result.data.*.sandbox.*.version_info.*.id | string | |
action_result.data.*.sandbox.*.version_info.*.value | string | |
action_result.data.*.sandbox.*.windows_version_bitness | numeric | |
action_result.data.*.sandbox.*.windows_version_edition | string | |
action_result.data.*.sandbox.*.windows_version_name | string | |
action_result.data.*.sandbox.*.windows_version_service_pack | string | |
action_result.data.*.sandbox.*.windows_version_version | string | |
action_result.data.*.threat_graph.indicators.*.customer_prevalence | string | |
action_result.data.*.threat_graph.indicators.*.global_prevalence | string | |
action_result.data.*.threat_graph.indicators.*.type | string | |
action_result.data.*.threat_graph.indicators.*.value | string | |
action_result.data.*.user_id | string | |
action_result.data.*.user_name | string | |
action_result.data.*.user_uuid | string | |
action_result.data.*.verdict | string | |
action_result.summary.total_reports | numeric | |
action_result.summary.verdict | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Queries CrowdStrike for information about a URL
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
url | required | URL to query | string | url |
limit | optional | Maximum reports to be fetched | numeric | |
sort | optional | Property to sort by | string | |
offset | optional | Starting index of overall result set from which to return ids (defaults to 0) | numeric | |
detail_report | optional | Get the detailed report | boolean | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.detail_report | boolean | |
action_result.parameter.limit | numeric | |
action_result.parameter.offset | numeric | |
action_result.parameter.sort | string | |
action_result.parameter.url | string | url |
action_result.data.*.cid | string | |
action_result.data.*.created_timestamp | string | |
action_result.data.*.id | string | crowdstrike resource id |
action_result.data.*.ioc_report_broad_csv_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_broad_json_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_broad_maec_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_broad_stix_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_csv_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_json_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_maec_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_stix_artifact_id | string | crowdstrike artifact id |
action_result.data.*.malquery.*.input | string | |
action_result.data.*.malquery.*.resources.*.file_size | numeric | |
action_result.data.*.malquery.*.resources.*.file_type | string | |
action_result.data.*.malquery.*.resources.*.first_seen_timestamp | string | date |
action_result.data.*.malquery.*.resources.*.label | string | |
action_result.data.*.malquery.*.resources.*.md5 | string | md5 |
action_result.data.*.malquery.*.resources.*.sha1 | string | sha1 |
action_result.data.*.malquery.*.resources.*.sha256 | string | sha256 |
action_result.data.*.malquery.*.type | string | |
action_result.data.*.malquery.*.verdict | string | |
action_result.data.*.origin | string | |
action_result.data.*.sandbox.*.architecture | string | |
action_result.data.*.sandbox.*.contacted_hosts.*.address | string | ip |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.name | string | |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.pid | numeric | |
action_result.data.*.sandbox.*.contacted_hosts.*.country | string | |
action_result.data.*.sandbox.*.contacted_hosts.*.port | numeric | port |
action_result.data.*.sandbox.*.contacted_hosts.*.protocol | string | |
action_result.data.*.sandbox.*.dns_requests.*.address | string | |
action_result.data.*.sandbox.*.dns_requests.*.country | string | |
action_result.data.*.sandbox.*.dns_requests.*.domain | string | domain ip |
action_result.data.*.sandbox.*.dns_requests.*.registrar_creation_timestamp | string | date |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name | string | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name_servers | string | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_organization | string | |
action_result.data.*.sandbox.*.environment | numeric | |
action_result.data.*.sandbox.*.environment_description | string | crowdstrike environment |
action_result.data.*.sandbox.*.environment_id | numeric | |
action_result.data.*.sandbox.*.error_message | string | |
action_result.data.*.sandbox.*.error_origin | string | |
action_result.data.*.sandbox.*.error_type | string | |
action_result.data.*.sandbox.*.extracted_files.*.description | string | |
action_result.data.*.sandbox.*.extracted_files.*.file_path | string | |
action_result.data.*.sandbox.*.extracted_files.*.file_size | numeric | |
action_result.data.*.sandbox.*.extracted_files.*.md5 | string | md5 |
action_result.data.*.sandbox.*.extracted_files.*.name | string | |
action_result.data.*.sandbox.*.extracted_files.*.runtime_process | string | |
action_result.data.*.sandbox.*.extracted_files.*.sha1 | string | sha1 |
action_result.data.*.sandbox.*.extracted_files.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.extracted_files.*.threat_level_readable | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.filename | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.process | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.source | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.type | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.value | string | |
action_result.data.*.sandbox.*.file_type | string | |
action_result.data.*.sandbox.*.http_requests.*.header | string | |
action_result.data.*.sandbox.*.http_requests.*.host | string | |
action_result.data.*.sandbox.*.http_requests.*.host_ip | string | ip |
action_result.data.*.sandbox.*.http_requests.*.host_port | numeric | port |
action_result.data.*.sandbox.*.http_requests.*.method | string | |
action_result.data.*.sandbox.*.http_requests.*.url | string | |
action_result.data.*.sandbox.*.incidents.*.name | string | |
action_result.data.*.sandbox.*.memory_strings_artifact_id | string | crowdstrike artifact id |
action_result.data.*.sandbox.*.mitre_attacks.*.attack_id | string | |
action_result.data.*.sandbox.*.mitre_attacks.*.tactic | string | |
action_result.data.*.sandbox.*.mitre_attacks.*.technique | string | |
action_result.data.*.sandbox.*.network_settings | string | |
action_result.data.*.sandbox.*.pcap_report_artifact_id | string | crowdstrike artifact id |
action_result.data.*.sandbox.*.processes.*.command_line | string | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.mask | string | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.path | string | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.type | string | |
action_result.data.*.sandbox.*.processes.*.handles.*.id | numeric | |
action_result.data.*.sandbox.*.processes.*.handles.*.path | string | |
action_result.data.*.sandbox.*.processes.*.handles.*.type | string | |
action_result.data.*.sandbox.*.processes.*.icon_artifact_id | string | crowdstrike artifact id |
action_result.data.*.sandbox.*.processes.*.name | string | |
action_result.data.*.sandbox.*.processes.*.normalized_path | string | |
action_result.data.*.sandbox.*.processes.*.parent_uid | string | |
action_result.data.*.sandbox.*.processes.*.pid | numeric | |
action_result.data.*.sandbox.*.processes.*.process_flags.*.name | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.key | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.operation | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.path | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.value | string | |
action_result.data.*.sandbox.*.processes.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.processes.*.uid | string | |
action_result.data.*.sandbox.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.signatures.*.attack_id | string | |
action_result.data.*.sandbox.*.signatures.*.category | string | |
action_result.data.*.sandbox.*.signatures.*.description | string | |
action_result.data.*.sandbox.*.signatures.*.identifier | string | |
action_result.data.*.sandbox.*.signatures.*.name | string | |
action_result.data.*.sandbox.*.signatures.*.origin | string | |
action_result.data.*.sandbox.*.signatures.*.relevance | numeric | |
action_result.data.*.sandbox.*.signatures.*.threat_level | numeric | |
action_result.data.*.sandbox.*.signatures.*.threat_level_human | string | |
action_result.data.*.sandbox.*.signatures.*.type | numeric | |
action_result.data.*.sandbox.*.submission_type | string | |
action_result.data.*.sandbox.*.submit_name | string | |
action_result.data.*.sandbox.*.submit_url | string | |
action_result.data.*.sandbox.*.suricata_alerts.*.category | string | |
action_result.data.*.sandbox.*.suricata_alerts.*.description | string | |
action_result.data.*.sandbox.*.suricata_alerts.*.destination_ip | string | |
action_result.data.*.sandbox.*.suricata_alerts.*.destination_port | numeric | port |
action_result.data.*.sandbox.*.suricata_alerts.*.protocol | string | |
action_result.data.*.sandbox.*.suricata_alerts.*.sid | string | |
action_result.data.*.sandbox.*.threat_score | numeric | |
action_result.data.*.sandbox.*.verdict | string | |
action_result.data.*.sandbox.*.windows_version_bitness | numeric | |
action_result.data.*.sandbox.*.windows_version_edition | string | |
action_result.data.*.sandbox.*.windows_version_name | string | |
action_result.data.*.sandbox.*.windows_version_service_pack | string | |
action_result.data.*.sandbox.*.windows_version_version | string | |
action_result.data.*.user_id | string | |
action_result.data.*.user_name | string | |
action_result.data.*.user_uuid | string | |
action_result.data.*.verdict | string | |
action_result.summary.total_reports | numeric | |
action_result.summary.verdict | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Downloads the report for the provided artifact ID and adds it to the vault
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
artifact_id | required | Artifact ID to download | string | crowdstrike artifact id |
file_name | optional | Filename to use for the file added to vault | string | filename |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.artifact_id | string | crowdstrike artifact id |
action_result.parameter.file_name | string | filename |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Uploads a file to the CrowdStrike sandbox and retrieves the analysis results
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
vault_id | required | Vault ID of file | string | vault id |
environment | required | Sandbox environment to be used for analysis | string | crowdstrike environment |
comment | optional | A descriptive comment to identify the file | string | |
limit | optional | Maximum reports to be fetched | numeric | |
offset | optional | Starting index of overall result set from which to return ids (Defaults to 0) | numeric | |
command_line | optional | Command line script passed to the submitted file at runtime (Max length: 2048 characters) | string | |
document_password | optional | Password of the document if password protected (Max length: 32 characters) | string | |
submit_name | optional | Name of the malware sample that's used for file type detection and analysis | string | |
user_tags | optional | Comma separated list of user tags (Max length: 100 characters per tag) | string | |
sort | optional | Property to sort by | string | |
action_script | optional | Runtime script for sandbox analysis | string | |
detail_report | optional | Get the detailed report | boolean | |
enable_tor | optional | Route the sandbox network traffic through Tor | boolean | |
is_confidential | optional | Defines visibility of the file in Falcon MalQuery (defaults to True) | boolean | |
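The parameter table above documents hard limits on what the sandbox accepts (command_line at most 2048 characters, document_password at most 32, user_tags comma separated with at most 100 characters per tag, is_confidential defaulting to True). The same command_line, document_password and user_tags limits apply to the URL submission action further down. Below is an added example, not code from the app, of a playbook-side check that applies those limits before the action is called so a bad submission fails locally instead of after a round trip. The function names, the (params, errors) return shape, and the requirement that limit and offset be non-negative integers are assumptions of this example; the page only says offset defaults to 0.

```python
"""Playbook-side validation for 'detonate file' parameters.

Added example, not code from the CrowdStrike OAuth API app. It enforces the
limits documented in the parameter table (command_line <= 2048 characters,
document_password <= 32, user_tags comma separated with <= 100 characters
per tag, is_confidential defaulting to True) so bad input is rejected before
the action is called. Function names, the (params, errors) return shape and
the requirement that limit/offset be non-negative integers are assumptions
of this example, not behaviour documented on the page.
"""

MAX_COMMAND_LINE = 2048       # "Max length: 2048 characters"
MAX_DOCUMENT_PASSWORD = 32    # "Max length: 32 characters"
MAX_TAG_LENGTH = 100          # "Max length: 100 characters per tag"


def normalize_user_tags(user_tags):
    """Split the comma separated user_tags string into a clean, ordered,
    de-duplicated list. Returns (tags, errors); over-long tags are reported
    rather than silently truncated."""
    if not user_tags:
        return [], []
    tags, errors, seen = [], [], set()
    for raw in str(user_tags).split(","):
        tag = raw.strip()
        if not tag or tag in seen:
            continue
        if len(tag) > MAX_TAG_LENGTH:
            errors.append(f"user tag longer than {MAX_TAG_LENGTH} characters: {tag[:16]}")
            continue
        seen.add(tag)
        tags.append(tag)
    return tags, errors


def build_detonate_file_params(raw):
    """Return (params, errors) for a raw parameter dict assembled by a
    playbook. params holds only keys the action accepts, with the
    documented limits applied; errors lists every violation (empty = OK)."""
    params, errors = {}, []

    for key in ("vault_id", "environment"):                # both required
        value = str(raw.get(key) or "").strip()
        if value:
            params[key] = value
        else:
            errors.append(f"{key} is required")

    # Visibility in Falcon MalQuery defaults to confidential.
    params["is_confidential"] = bool(raw.get("is_confidential", True))

    for key, limit in (("command_line", MAX_COMMAND_LINE),
                       ("document_password", MAX_DOCUMENT_PASSWORD)):
        value = raw.get(key)
        if value:
            if len(value) > limit:
                errors.append(f"{key} exceeds {limit} characters")
            else:
                params[key] = value

    tags, tag_errors = normalize_user_tags(raw.get("user_tags"))
    errors.extend(tag_errors)
    if tags:
        params["user_tags"] = ",".join(tags)

    for key in ("comment", "submit_name", "sort", "action_script"):
        if raw.get(key):
            params[key] = str(raw[key])
    for key in ("detail_report", "enable_tor"):
        if key in raw:
            params[key] = bool(raw[key])
    for key in ("limit", "offset"):                        # assumed: non-negative integers
        if raw.get(key) is None:
            continue
        try:
            n = int(raw[key])
        except (TypeError, ValueError):
            errors.append(f"{key} must be an integer")
            continue
        if n < 0:
            errors.append(f"{key} must not be negative")
        else:
            params[key] = n
    return params, errors
```

A playbook would call build_detonate_file_params on the user-supplied block, abort with the errors list if it is non-empty, and otherwise pass params straight to the action. Reporting every violation at once, instead of raising on the first, is deliberate: an analyst fixing a prompt wants the whole list.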
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.action_script | string | |
action_result.parameter.command_line | string | |
action_result.parameter.comment | string | |
action_result.parameter.detail_report | boolean | |
action_result.parameter.document_password | string | |
action_result.parameter.enable_tor | boolean | |
action_result.parameter.environment | string | crowdstrike environment |
action_result.parameter.is_confidential | boolean | |
action_result.parameter.limit | numeric | |
action_result.parameter.offset | numeric | |
action_result.parameter.sort | string | |
action_result.parameter.submit_name | string | |
action_result.parameter.user_tags | string | |
action_result.parameter.vault_id | string | vault id |
action_result.data.*.cid | string | |
action_result.data.*.created_timestamp | string | date |
action_result.data.*.id | string | crowdstrike resource id |
action_result.data.*.ioc_report_broad_csv_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_broad_json_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_broad_maec_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_broad_stix_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_csv_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_json_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_maec_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_stix_artifact_id | string | crowdstrike artifact id |
action_result.data.*.malquery.*.input | string | |
action_result.data.*.malquery.*.resources.*.file_size | numeric | |
action_result.data.*.malquery.*.resources.*.file_type | string | |
action_result.data.*.malquery.*.resources.*.first_seen_timestamp | string | date |
action_result.data.*.malquery.*.resources.*.label | string | |
action_result.data.*.malquery.*.resources.*.md5 | string | md5 |
action_result.data.*.malquery.*.resources.*.sha1 | string | sha1 |
action_result.data.*.malquery.*.resources.*.sha256 | string | sha256 |
action_result.data.*.malquery.*.type | string | |
action_result.data.*.malquery.*.verdict | string | |
action_result.data.*.origin | string | |
action_result.data.*.sandbox.*.architecture | string | |
action_result.data.*.sandbox.*.contacted_hosts.*.address | string | ip |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.name | string | |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.pid | numeric | |
action_result.data.*.sandbox.*.contacted_hosts.*.country | string | |
action_result.data.*.sandbox.*.contacted_hosts.*.port | numeric | |
action_result.data.*.sandbox.*.contacted_hosts.*.protocol | string | |
action_result.data.*.sandbox.*.dns_requests.*.address | string | ip |
action_result.data.*.sandbox.*.dns_requests.*.country | string | |
action_result.data.*.sandbox.*.dns_requests.*.domain | string | domain url |
action_result.data.*.sandbox.*.dns_requests.*.registrar_creation_timestamp | string | date |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name | string | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name_servers | string | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_organization | string | |
action_result.data.*.sandbox.*.environment | numeric | |
action_result.data.*.sandbox.*.environment_description | string | crowdstrike environment |
action_result.data.*.sandbox.*.environment_id | numeric | |
action_result.data.*.sandbox.*.error_message | string | |
action_result.data.*.sandbox.*.error_origin | string | |
action_result.data.*.sandbox.*.error_type | string | |
action_result.data.*.sandbox.*.extracted_files.*.description | string | |
action_result.data.*.sandbox.*.extracted_files.*.file_path | string | |
action_result.data.*.sandbox.*.extracted_files.*.file_size | numeric | |
action_result.data.*.sandbox.*.extracted_files.*.md5 | string | md5 |
action_result.data.*.sandbox.*.extracted_files.*.name | string | |
action_result.data.*.sandbox.*.extracted_files.*.runtime_process | string | |
action_result.data.*.sandbox.*.extracted_files.*.sha1 | string | sha1 |
action_result.data.*.sandbox.*.extracted_files.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.extracted_files.*.threat_level_readable | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.filename | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.process | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.source | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.type | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.value | string | |
action_result.data.*.sandbox.*.file_imports.*.module | string | |
action_result.data.*.sandbox.*.file_size | numeric | |
action_result.data.*.sandbox.*.file_type | string | |
action_result.data.*.sandbox.*.http_requests.*.header | string | |
action_result.data.*.sandbox.*.http_requests.*.host | string | hostname |
action_result.data.*.sandbox.*.http_requests.*.host_ip | string | ip |
action_result.data.*.sandbox.*.http_requests.*.host_port | numeric | port |
action_result.data.*.sandbox.*.http_requests.*.method | string | |
action_result.data.*.sandbox.*.http_requests.*.url | string | |
action_result.data.*.sandbox.*.incidents.*.name | string | |
action_result.data.*.sandbox.*.memory_strings_artifact_id | string | crowdstrike artifact id |
action_result.data.*.sandbox.*.mitre_attacks.*.attack_id | string | |
action_result.data.*.sandbox.*.mitre_attacks.*.tactic | string | |
action_result.data.*.sandbox.*.mitre_attacks.*.technique | string | |
action_result.data.*.sandbox.*.network_settings | string | |
action_result.data.*.sandbox.*.pcap_report_artifact_id | string | crowdstrike artifact id |
action_result.data.*.sandbox.*.processes.*.command_line | string | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.mask | string | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.path | string | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.type | string | |
action_result.data.*.sandbox.*.processes.*.handles.*.id | numeric | |
action_result.data.*.sandbox.*.processes.*.handles.*.path | string | |
action_result.data.*.sandbox.*.processes.*.handles.*.type | string | |
action_result.data.*.sandbox.*.processes.*.icon_artifact_id | string | crowdstrike artifact id |
action_result.data.*.sandbox.*.processes.*.name | string | |
action_result.data.*.sandbox.*.processes.*.normalized_path | string | |
action_result.data.*.sandbox.*.processes.*.parent_uid | string | |
action_result.data.*.sandbox.*.processes.*.pid | numeric | |
action_result.data.*.sandbox.*.processes.*.process_flags.*.name | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.key | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.operation | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.path | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.status | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.status_human_readable | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.value | string | |
action_result.data.*.sandbox.*.processes.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.processes.*.uid | string | |
action_result.data.*.sandbox.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.signatures.*.attack_id | string | |
action_result.data.*.sandbox.*.signatures.*.category | string | |
action_result.data.*.sandbox.*.signatures.*.description | string | |
action_result.data.*.sandbox.*.signatures.*.identifier | string | |
action_result.data.*.sandbox.*.signatures.*.name | string | |
action_result.data.*.sandbox.*.signatures.*.origin | string | |
action_result.data.*.sandbox.*.signatures.*.relevance | numeric | |
action_result.data.*.sandbox.*.signatures.*.threat_level | numeric | |
action_result.data.*.sandbox.*.signatures.*.threat_level_human | string | |
action_result.data.*.sandbox.*.signatures.*.type | numeric | |
action_result.data.*.sandbox.*.submission_type | string | |
action_result.data.*.sandbox.*.submit_name | string | |
action_result.data.*.sandbox.*.suricata_alerts.*.category | string | |
action_result.data.*.sandbox.*.suricata_alerts.*.description | string | |
action_result.data.*.sandbox.*.suricata_alerts.*.destination_ip | string | ip |
action_result.data.*.sandbox.*.suricata_alerts.*.destination_port | numeric | port |
action_result.data.*.sandbox.*.suricata_alerts.*.protocol | string | |
action_result.data.*.sandbox.*.suricata_alerts.*.sid | string | |
action_result.data.*.sandbox.*.threat_score | numeric | |
action_result.data.*.sandbox.*.verdict | string | |
action_result.data.*.sandbox.*.version_info.*.id | string | |
action_result.data.*.sandbox.*.version_info.*.value | string | |
action_result.data.*.sandbox.*.windows_version_bitness | numeric | |
action_result.data.*.sandbox.*.windows_version_edition | string | |
action_result.data.*.sandbox.*.windows_version_name | string | |
action_result.data.*.sandbox.*.windows_version_service_pack | string | |
action_result.data.*.sandbox.*.windows_version_version | string | |
action_result.data.*.threat_graph.indicators.*.global_prevalence | string | |
action_result.data.*.threat_graph.indicators.*.type | string | |
action_result.data.*.threat_graph.indicators.*.value | string | |
action_result.data.*.user_id | string | |
action_result.data.*.user_name | string | |
action_result.data.*.user_tags | string | |
action_result.data.*.user_uuid | string | |
action_result.data.*.verdict | string | |
action_result.summary.total_reports | numeric | |
action_result.summary.verdict | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
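The data path tables for the file reputation, URL reputation, detonate file and detonate URL actions all expose the same sandbox report shape: per-environment contacted_hosts, dns_requests, http_requests, extracted_files, signatures, mitre_attacks and a threat_score and verdict. What a playbook usually needs from that is a flat, de-duplicated set of indicators and a severity decision. The following is an added example, not code from the app, that reduces an action result to exactly that; SAMPLE_DATA is constructed to match the documented paths and is not real analysis output, and VERDICT_RANK encodes this example's own assumption about how the verdict strings order.

```python
"""Turn a sandbox analysis result into a blockable IOC summary.

Added example, not code from the CrowdStrike OAuth API app. It walks the
action_result.data structure described by the data path tables above and
returns de-duplicated indicators, observed MITRE techniques and an overall
verdict, as a playbook step would before blocking hashes or domains.
SAMPLE_DATA is constructed to match those paths, not real analysis output;
VERDICT_RANK is this example's assumption about the verdict strings.
"""
import ipaddress

# Constructed sample shaped like action_result.data for one report.
SAMPLE_DATA = [{
    "id": "report-0001", "verdict": "suspicious",
    "sandbox": [{
        "sha256": "a" * 64, "verdict": "suspicious", "threat_score": 65,
        "contacted_hosts": [{"address": "198.51.100.23", "port": 443, "protocol": "TCP"}],
        "dns_requests": [{"domain": "update.example.net", "address": "198.51.100.23"}],
        "http_requests": [{"host": "update.example.net", "host_ip": "198.51.100.23",
                           "host_port": 443, "url": "https://update.example.net/gate.php"}],
        "extracted_files": [
            {"name": "stage2.dll", "sha256": "b" * 64, "md5": "c" * 32,
             "threat_level_readable": "malicious"},
            {"name": "readme.txt", "sha256": "d" * 64, "md5": "e" * 32,
             "threat_level_readable": "no specific threat"}],
        "signatures": [
            {"name": "Contacts server", "threat_level": 1, "relevance": 5},
            {"name": "Writes Run key", "threat_level": 2, "relevance": 10}],
        "mitre_attacks": [
            {"attack_id": "T1071", "tactic": "Command and Control",
             "technique": "Application Layer Protocol"},
            {"attack_id": "T1547.001", "tactic": "Persistence",
             "technique": "Registry Run Keys / Startup Folder"}],
    }],
}]

# Assumed ordering of verdict strings; anything unrecognised ranks lowest.
VERDICT_RANK = {"no specific threat": 1, "suspicious": 2, "malicious": 3}
BENIGN_FILE_LEVELS = {"no specific threat"}   # dropped files at this level are not IOCs


def _add(target, value):
    # Add a non-empty string to a set; silently skip missing fields.
    if isinstance(value, str) and value.strip():
        target.add(value.strip())


def _add_host(iocs, value):
    """Route a field that may hold either a domain or an IP to the right set."""
    if not isinstance(value, str) or not value.strip():
        return
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        iocs["ips"].add(value)
    except ValueError:
        iocs["domains"].add(value)


def summarize_report(data):
    """Collapse every report and sandbox environment in action_result.data
    into sorted IOC lists, MITRE techniques, the most severe signatures,
    the highest threat_score and the worst verdict seen."""
    iocs = {"ips": set(), "domains": set(), "urls": set(), "sha256": set(), "md5": set()}
    techniques, signatures, scores, verdicts = {}, [], [], set()

    for report in data:
        verdicts.add(str(report.get("verdict") or "").lower())
        for sb in report.get("sandbox") or []:
            verdicts.add(str(sb.get("verdict") or "").lower())
            if isinstance(sb.get("threat_score"), (int, float)):
                scores.append(sb["threat_score"])
            _add(iocs["sha256"], sb.get("sha256"))          # the submitted sample itself
            for host in sb.get("contacted_hosts") or []:
                _add(iocs["ips"], host.get("address"))
            for req in sb.get("dns_requests") or []:
                _add_host(iocs, req.get("domain"))
                _add(iocs["ips"], req.get("address"))
            for req in sb.get("http_requests") or []:
                _add_host(iocs, req.get("host"))
                _add(iocs["ips"], req.get("host_ip"))
                _add(iocs["urls"], req.get("url"))
            for f in sb.get("extracted_files") or []:
                if str(f.get("threat_level_readable") or "").lower() in BENIGN_FILE_LEVELS:
                    continue                                 # skip benign dropped files
                _add(iocs["sha256"], f.get("sha256"))
                _add(iocs["md5"], f.get("md5"))
            for m in sb.get("mitre_attacks") or []:
                if m.get("attack_id"):
                    techniques[m["attack_id"]] = {"tactic": m.get("tactic"),
                                                  "technique": m.get("technique")}
            for s in sb.get("signatures") or []:
                signatures.append((s.get("threat_level") or 0, s.get("relevance") or 0,
                                   s.get("name") or ""))

    signatures.sort(reverse=True)                            # most severe, most relevant first
    worst = max(verdicts, key=lambda v: VERDICT_RANK.get(v, 0), default="")
    return {
        "verdict": worst or "unknown",
        "max_threat_score": max(scores, default=None),
        "iocs": {kind: sorted(values) for kind, values in iocs.items()},
        "mitre": [dict(attack_id=k, **v) for k, v in sorted(techniques.items())],
        "top_signatures": [name for _, _, name in signatures[:5]],
    }
```

Two choices worth noting. Dropped files marked "no specific threat" are excluded from the hash list so a benign readme extracted from an archive does not end up on a block list, while the submitted sample's own sha256 is always included. The http_requests host and dns_requests domain fields are documented as holding either a domain or an IP, so they are classified with ipaddress rather than trusted as domains.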
Uploads a URL to the CrowdStrike sandbox and retrieves the analysis results
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
url | required | URL to submit for analysis | string | url |
environment | required | Sandbox environment to be used for analysis | string | crowdstrike environment |
limit | optional | Maximum reports to be fetched | numeric | |
offset | optional | Starting index of overall result set from which to return ids (Defaults to 0) | numeric | |
document_password | optional | Password of the document if password protected (Max length: 32 characters) | string | |
command_line | optional | Command line script passed to the submitted file at runtime (Max length: 2048 characters) | string | |
user_tags | optional | Comma separated list of user tags (Max length: 100 characters per tag) | string | |
sort | optional | Property to sort by | string | |
action_script | optional | Runtime script for sandbox analysis | string | |
detail_report | optional | Get the detailed report | boolean | |
enable_tor | optional | Route the sandbox network traffic through Tor | boolean | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.action_script | string | |
action_result.parameter.command_line | string | |
action_result.parameter.detail_report | boolean | |
action_result.parameter.document_password | string | |
action_result.parameter.enable_tor | boolean | |
action_result.parameter.environment | string | crowdstrike environment |
action_result.parameter.limit | numeric | |
action_result.parameter.offset | numeric | |
action_result.parameter.sort | string | |
action_result.parameter.url | string | url |
action_result.parameter.user_tags | string | |
action_result.data.*.cid | string | |
action_result.data.*.created_timestamp | string | date |
action_result.data.*.id | string | crowdstrike resource id |
action_result.data.*.ioc_report_broad_csv_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_broad_json_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_broad_maec_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_broad_stix_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_csv_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_json_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_maec_artifact_id | string | crowdstrike artifact id |
action_result.data.*.ioc_report_strict_stix_artifact_id | string | crowdstrike artifact id |
action_result.data.*.malquery.*.input | string | |
action_result.data.*.malquery.*.resources.*.family | string | |
action_result.data.*.malquery.*.resources.*.file_size | numeric | |
action_result.data.*.malquery.*.resources.*.file_type | string | |
action_result.data.*.malquery.*.resources.*.first_seen_timestamp | string | date |
action_result.data.*.malquery.*.resources.*.label | string | |
action_result.data.*.malquery.*.resources.*.md5 | string | md5 |
action_result.data.*.malquery.*.resources.*.sha1 | string | sha1 |
action_result.data.*.malquery.*.resources.*.sha256 | string | sha256 |
action_result.data.*.malquery.*.type | string | |
action_result.data.*.malquery.*.verdict | string | |
action_result.data.*.origin | string | |
action_result.data.*.sandbox.*.architecture | string | |
action_result.data.*.sandbox.*.contacted_hosts.*.address | string | ip |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.name | string | |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.pid | numeric | |
action_result.data.*.sandbox.*.contacted_hosts.*.country | string | |
action_result.data.*.sandbox.*.contacted_hosts.*.port | numeric | |
action_result.data.*.sandbox.*.contacted_hosts.*.protocol | string | |
action_result.data.*.sandbox.*.dns_requests.*.address | string | ip |
action_result.data.*.sandbox.*.dns_requests.*.country | string | |
action_result.data.*.sandbox.*.dns_requests.*.domain | string | domain url |
action_result.data.*.sandbox.*.dns_requests.*.registrar_creation_timestamp | string | date |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name | string | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name_servers | string | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_organization | string | |
action_result.data.*.sandbox.*.environment | numeric | |
action_result.data.*.sandbox.*.environment_description | string | crowdstrike environment |
action_result.data.*.sandbox.*.environment_id | numeric | |
action_result.data.*.sandbox.*.error_message | string | |
action_result.data.*.sandbox.*.error_origin | string | |
action_result.data.*.sandbox.*.error_type | string | |
action_result.data.*.sandbox.*.extracted_files.*.description | string | |
action_result.data.*.sandbox.*.extracted_files.*.file_path | string | |
action_result.data.*.sandbox.*.extracted_files.*.file_size | numeric | |
action_result.data.*.sandbox.*.extracted_files.*.md5 | string | md5 |
action_result.data.*.sandbox.*.extracted_files.*.name | string | |
action_result.data.*.sandbox.*.extracted_files.*.runtime_process | string | |
action_result.data.*.sandbox.*.extracted_files.*.sha1 | string | sha1 |
action_result.data.*.sandbox.*.extracted_files.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.extracted_files.*.threat_level_readable | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.filename | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.process | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.source | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.type | string | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.value | string | |
action_result.data.*.sandbox.*.file_size | numeric | |
action_result.data.*.sandbox.*.file_type | string | |
action_result.data.*.sandbox.*.http_requests.*.header | string | |
action_result.data.*.sandbox.*.http_requests.*.host | string | hostname |
action_result.data.*.sandbox.*.http_requests.*.host_ip | string | ip |
action_result.data.*.sandbox.*.http_requests.*.host_port | numeric | |
action_result.data.*.sandbox.*.http_requests.*.method | string | |
action_result.data.*.sandbox.*.http_requests.*.url | string | url |
action_result.data.*.sandbox.*.incidents.*.name | string | |
action_result.data.*.sandbox.*.memory_strings_artifact_id | string | crowdstrike artifact id |
action_result.data.*.sandbox.*.mitre_attacks.*.attack_id | string | |
action_result.data.*.sandbox.*.mitre_attacks.*.tactic | string | |
action_result.data.*.sandbox.*.mitre_attacks.*.technique | string | |
action_result.data.*.sandbox.*.network_settings | string | |
action_result.data.*.sandbox.*.pcap_report_artifact_id | string | crowdstrike artifact id |
action_result.data.*.sandbox.*.processes.*.command_line | string | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.mask | string | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.path | string | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.type | string | |
action_result.data.*.sandbox.*.processes.*.handles.*.id | numeric | |
action_result.data.*.sandbox.*.processes.*.handles.*.path | string | |
action_result.data.*.sandbox.*.processes.*.handles.*.type | string | |
action_result.data.*.sandbox.*.processes.*.icon_artifact_id | string | crowdstrike artifact id |
action_result.data.*.sandbox.*.processes.*.name | string | |
action_result.data.*.sandbox.*.processes.*.normalized_path | string | |
action_result.data.*.sandbox.*.processes.*.pid | numeric | |
action_result.data.*.sandbox.*.processes.*.process_flags.*.name | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.key | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.operation | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.path | string | |
action_result.data.*.sandbox.*.processes.*.registry.*.value | string | |
action_result.data.*.sandbox.*.processes.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.processes.*.uid | string | |
action_result.data.*.sandbox.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.signatures.*.attack_id | string | |
action_result.data.*.sandbox.*.signatures.*.category | string | |
action_result.data.*.sandbox.*.signatures.*.description | string | |
action_result.data.*.sandbox.*.signatures.*.identifier | string | |
action_result.data.*.sandbox.*.signatures.*.name | string | |
action_result.data.*.sandbox.*.signatures.*.origin | string | |
action_result.data.*.sandbox.*.signatures.*.relevance | numeric | |
action_result.data.*.sandbox.*.signatures.*.threat_level | numeric | |
action_result.data.*.sandbox.*.signatures.*.threat_level_human | string | |
action_result.data.*.sandbox.*.signatures.*.type | numeric | |
action_result.data.*.sandbox.*.submission_type | string | |
action_result.data.*.sandbox.*.submit_name | string | |
action_result.data.*.sandbox.*.submit_url | string | url |
action_result.data.*.sandbox.*.threat_score | numeric | |
action_result.data.*.sandbox.*.verdict | string | |
action_result.data.*.sandbox.*.windows_version_bitness | numeric | |
action_result.data.*.sandbox.*.windows_version_edition | string | |
action_result.data.*.sandbox.*.windows_version_name | string | |
action_result.data.*.sandbox.*.windows_version_version | string | |
action_result.data.*.user_id | string | |
action_result.data.*.user_name | string | |
action_result.data.*.user_tags | string | |
action_result.data.*.user_uuid | string | |
action_result.data.*.verdict | string | |
action_result.summary.total_reports | numeric | |
action_result.summary.verdict | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
To check detonation status of the provided resource id
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
resource_id | required | ID of the resource | string | crowdstrike resource id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.resource_id | string | crowdstrike resource id |
action_result.data | string | |
action_result.data.*.cid | string | |
action_result.data.*.created_timestamp | string | date |
action_result.data.*.id | string | crowdstrike resource id |
action_result.data.*.origin | string | |
action_result.data.*.sandbox.*.action_script | string | |
action_result.data.*.sandbox.*.command_line | string | |
action_result.data.*.sandbox.*.enable_tor | boolean | |
action_result.data.*.sandbox.*.environment_id | numeric | |
action_result.data.*.sandbox.*.network_settings | string | |
action_result.data.*.sandbox.*.sha256 | string | sha256 |
action_result.data.*.sandbox.*.submit_name | string | |
action_result.data.*.sandbox.*.url | string | url |
action_result.data.*.state | string | |
action_result.data.*.user_id | string | |
action_result.data.*.user_name | string | |
action_result.data.*.user_uuid | string | |
action_result.summary.state | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Search for hosts in your environment by platform, hostname, IP, and other criteria, with continuous pagination (based on an offset pointer that expires after 2 minutes; there is no maximum limit on the number of pages)
Type: investigate
Read only: True
More info can be found here.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
offset | optional | The offset to page from, for the next result set | string | |
limit | optional | The maximum records to return. [1-5000] | numeric | |
sort | optional | The property to sort by (e.g. status.desc or hostname.asc) | string | |
filter | optional | Filter expression (FQL syntax) used to limit the returned hosts | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.data.*.resources | string | crowdstrike device id |
action_result.data.*.errors.*.code | string | |
action_result.data.*.errors.*.id | string | |
action_result.data.*.errors.*.message | string | |
action_result.data.*.meta.pagination.total | numeric | |
action_result.data.*.meta.pagination.offset | string | |
action_result.data.*.meta.pagination.limit | string | |
action_result.data.*.meta.pagination.expires_at | numeric | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
action_result.parameter.filter | string | |
action_result.parameter.limit | numeric | |
action_result.parameter.sort | string | |
action_result.parameter.offset | string | |
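The pagination described above, as an added example that is not part of the connector's own code: it walks the `list hosts` result pages using the `meta.pagination` fields from the data path table, refuses to reuse an offset pointer past its `expires_at` (assumed here to be epoch seconds), and enforces the [1-5000] limit. The `fetch` callable and the sample pages are assumptions constructed for the example.

```python
import time
from typing import Callable, Dict, Iterator, List, Optional


def iter_host_ids(fetch: Callable[[Optional[str], int], Dict],
                  limit: int = 5000,
                  now: Callable[[], float] = time.time) -> Iterator[str]:
    """Walk the offset pagination of 'list hosts' until the pointer runs out.

    fetch(offset, limit) is an assumed caller-supplied function returning one
    page shaped like the data paths above (resources, errors, meta.pagination).
    Pointers expire after 2 minutes, so a stale one is refused, not reused.
    """
    if not 1 <= limit <= 5000:
        raise ValueError("limit must be within [1-5000]")
    offset: Optional[str] = None
    expires_at: Optional[float] = None  # assumed epoch seconds
    seen = 0
    while True:
        if expires_at is not None and now() >= expires_at:
            raise RuntimeError("offset pointer expired; restart the search")
        page = fetch(offset, limit)
        for err in page.get("errors") or []:
            raise RuntimeError(f"API error {err.get('code')}: {err.get('message')}")
        resources: List[str] = page.get("resources") or []
        yield from resources
        seen += len(resources)
        pagination = page.get("meta", {}).get("pagination", {})
        offset = pagination.get("offset") or None
        expires_at = pagination.get("expires_at")
        if not offset or not resources or seen >= pagination.get("total", seen):
            return


# Constructed sample pages (not real API output): three device ids over two
# pages; the empty pointer on the second page ends the walk.
SAMPLE_PAGES = {
    None: {"resources": ["aid-1", "aid-2"], "meta": {"pagination": {
        "total": 3, "offset": "tok-2", "limit": 2, "expires_at": 1_700_000_120}}},
    "tok-2": {"resources": ["aid-3"], "meta": {"pagination": {
        "total": 3, "offset": "", "limit": 2, "expires_at": 1_700_000_125}}},
}


def sample_fetch(offset: Optional[str], limit: int) -> Dict:
    return SAMPLE_PAGES[offset]


def collect_all(clock: Callable[[], float] = lambda: 1_700_000_000.0) -> List[str]:
    """Drive the walk with a fixed clock so the expiry check is reproducible."""
    return list(iter_host_ids(sample_fetch, limit=2, now=clock))
```

Calling `collect_all()` with a clock past the first page's `expires_at` raises instead of silently resubmitting a dead pointer, which is the failure a playbook should surface rather than treat as an empty result.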
Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID)
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
agent_id | required | Agent ID to get zero trust assessment data about. Comma-separated list allowed | string | crowdstrike device id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.agent_id | string | crowdstrike device id |
action_result.data.*.aid | string | crowdstrike device id |
action_result.data.*.cid | string | crowdstrike customer id |
action_result.data.*.assessment.os | numeric | |
action_result.data.*.assessment.overall | numeric | |
action_result.data.*.assessment.version | string | |
action_result.data.*.assessment.sensor_config | numeric | |
action_result.data.*.modified_time | string | |
action_result.data.*.event_platform | string | |
action_result.data.*.assessment_items.os_signals.*.criteria | string | |
action_result.data.*.assessment_items.os_signals.*.signal_id | string | |
action_result.data.*.assessment_items.os_signals.*.group_name | string | |
action_result.data.*.assessment_items.os_signals.*.signal_name | string | |
action_result.data.*.assessment_items.os_signals.*.meets_criteria | string | |
action_result.data.*.assessment_items.sensor_signals.*.criteria | string | |
action_result.data.*.assessment_items.sensor_signals.*.signal_id | string | |
action_result.data.*.assessment_items.sensor_signals.*.group_name | string | |
action_result.data.*.assessment_items.sensor_signals.*.signal_name | string | |
action_result.data.*.assessment_items.sensor_signals.*.meets_criteria | string | |
action_result.data.*.product_type_desc | string | |
action_result.data.*.sensor_file_status | string | |
action_result.data.*.system_serial_number | string | |
action_result.status | string | |
action_result.message | string | |
action_result.summary | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |