CrowdStrike Falcon 3.0.0

Add Host Group to Prevention Policies

This action assigns prevention policies to host groups.

Add Hosts to Static Host Group

This action adds hosts to a host group in CrowdStrike Falcon.

Adding IOA Exclusion

The action adds an IOA exclusion.

Add Tags To Falcon Grouping

This action appends one or more Falcon grouping tags for one or more hosts.

Assign Sensor Policies to Host Groups

This action assigns sensor policies to host groups.

Bulk Fetch Indicators

This action is used to fetch details about a large batch of indicators. Results can be filtered with FQL queries.

Contain a Host

This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy.

Create Host Group

This action is used to create host groups by specifying details about the group to create.

Create Machine Learning Exclusions

This action creates machine learning exclusions.

Create Response Time File

The action creates a response time file.

Create Scan (Beta)

This action creates an On-Demand Scan (ODS) and starts or schedules it for the given request.

Create Sensor Visibility Learning Exclusions

This action creates sensor visibility exclusions.

Delete File from Real-Time Response Session

This action deletes a file from the specified RTR session.

Delete Indicator ID

This action deletes indicators by their IDs.

Delete ML Exclusion

The action deletes an ML exclusion.

Delete Response Time File

The action deletes the response time file.

Delete SV Exclusion

The action deletes SV exclusion.

Execute Active Responder Command in Real-Time

This action runs an active responder command on a specific host.

Extract File Content from Real-Time Response

This action extracts a file from the specified RTR session and SHA256 hash, writes the contents to a file, and returns the file path.

Fetch Detection Details

The action retrieves a particular detection's details.

Fetch Detection IDs

The action searches for detections that match the given query.

Fetch Incident Detail

The action retrieves a particular incident's details.

Fetch Particular IOA Exclusion

The action retrieves the particular IOA exclusion.

Fetch Particular ML Exclusion Details

The action retrieves details of a particular ml exclusion.

Fetch Particular Sensor Visibility Exclusion

The action retrieves a particular sensor visibility exclusion.

Fetch Real Time Response Script

This action searches and filters existing scripts uploaded to CrowdStrike Falcon.

Find Existing Prevention Policies

The action finds existing prevention policies.

Find Existing Sensor Policies

The action searches existing sensor policies.

Find Host Group Members

This action searches for members of a host group in your environment by providing an FQL filter and paging details. Returns a set of agent IDs that match the filter criteria.

Find Host Groups

This action searches for host groups in your environment by providing an FQL filter and paging details. Returns a set of host group IDs that match the filter criteria.

Find IOA Exclusion

The action searches for ioa exclusion.

Find Machine Learning Exclusion

The action searches for machine learning exclusions.

Find Sensor Visibility Exclusion

The action retrieves the list of all sensor visibility exclusion.

Generic Action

This generic action performs any additional use case required in CrowdStrike Falcon

Get Aggregated Alerts V2

This action is used to fetch aggregated alerts from crowdstrike

Get Alert Details V2

This action retrieves detailed information about an alert.

Get Device Info By ID

The action searches for the device information through the device id.

Get Host Details

This action retrieves detailed information for one or more host ids.

Get Host Details for Observed Indicator

This action retrieves the host details using the observed indicator.

Get Malicious Files by IDs (Beta)

This action retrieves malicious file entities using the specified malicious file IDs.

Get Real Time Response Scripts

This action retrieves real-time response scripts using their IDs.

Get Remediation Details

This action retrieves remediation details using remediation ids.

Get Response Time Files

The action retrieves the response time files.

Get Scan Hosts by IDs (Beta)

This action retrieves the metadata for host entities using the specified scan IDs.

Get Status of Host

This action retrieves the online status for one or more hosts by specifying each host's unique ID.

Get Vulnerability Details

This action retrieves details of a vulnerability using the vulnerability ID.

Get Vulnerability Entities Using FQL Filters

This action searches vulnerabilities using FQL filters. This returns a set of vulnerability entities that match the filter criteria

Get Vulnerability IDs Using FQL Filters

This action searches vulnerabilities using FQL filters. This returns a set of vulnerability IDs that match the filter criteria

Lift Host Containment

This action lifts containment on the host, which returns its network communications to normal.

List Alerts V2

This action is used to fetch all alert IDs from CrowdStrike Falcon.

List Files from Real-Time Response Session

This action retrieves a list of files from the specified RTR session.

List Hidden Host IDs

This action is used to get a list of hidden host IDs.

List Incident IDs

This action retrieves the IDs of incidents

List Real Time Response policy agent IDs

The action retrieves a list of agent IDs for hosts assigned to a real time response policy.

List Real Time Response policy hosts

The action retrieves a list of hosts assigned to a real-time response policy

List Response Time Files

The action retrieves the list of all the response time files.

Modify Detections

The action modifies detections.

Modify Incidents

This action modifies incidents in CrowdStrike Falcon.

Modify ML Exclusion

The action modifies the machine learning exclusion.

Modify SV Exclusion

The action modifies the sv exclusion.

Query Indicator

This action queries for various indicators

Query Malicious Files (Beta)

This action retrieves a list of malicious file IDs based on the Falcon Query Language (FQL) filters.

Real Time Execute Command Single Host

The action executes a command on a single host.

Real Time Read Command

The action executes the RTR read-only command across the hosts mapped to the given batch ID.

Real Time Response Admin Command

The action executes the RTR admin command across the hosts mapped to the given batch ID.

Real Time Write Command

The action executes the RTR write-only command across the hosts mapped to the given batch ID.

Remove Hosts from Static Host Group

This action removes hosts from a host group in CrowdStrike Falcon.

Removing Falcon Grouping Tags

This action removes one or more Falcon grouping tags for one or more hosts.

Retrieve Zero Trust Assessment Data by Host

The action retrieves ZTA from the host.

Retrieving Host NIC History

This action can be used to retrieve the host NIC history.

Retrieving Host With Device Scroll

The action can be used to retrieve the host with the device scroll.

Retrieving Indicator ID Details

This action retrieves the details of the indicator by its ID.

Retrieving Last Logged User Info

This action retrieves details about recent login sessions for a set of devices.

Search Host for Observed Indicator

The action is used for searching a host for an observed indicator.

Search Hosts

The action searches for hosts in your environment by platform, hostname, IP, and other criteria.

Search Indicator IDs

This action retrieves the IDs of the indicators.

Send Real Time Response to a Batch of Hosts

The action initiates a session with one or more hosts.

Send Real Time Response to a Single Host

The action initiates a real-time session for a single host.

Update Alerts V3

This action is used to update alerts in CrowdStrike

Update Detection Status

This action updates the status of the detections in incidents.

Update Indicators

This action updates the indicators.

Upload Indicators

This action is used to upload indicators in CrowdStrike Falcon.

Base URL

Enter the base url to access crowdstrike falcon. for example, https://api.crowdstrike.com

Text

Required

Client ID

Enter the client id.

Text

Required

Client Secret Key

Enter the client secret key to authenticate with crowdstrike falcon.

Password

Required

Verify

Verify the ssl/tls certificate while authenticating with the server. it's recommended to enable this option. by default, the verification is not enabled.

Boolean

Optional

Timeout

Enter the timeout limit for requests. allowed range is 15-120 seconds. default is 15 seconds.

Integer

Optional

Name

Enter the name.

Example:

group_id

Text

Required

Allowed value:

group_id

Host Group ID

Enter the host group ID to which you want to assign the policy.

Example:

80156bb05a144660b89426884720105d

Text

Required

Policy ID

Enter the policy ID.

Example:

$LIST[b0ceca08642b4103a344f8251c492861]

List

Required

Host Group IDs

Enter the static host group ID to which you want to add the hosts.

Example:

$LIST[30c65154238e42318027c2deb0164aba]

List

Required

Name

Enter the name.

Example:

filter

Text

Required

Host IDs

Enter the host IDs to be added to the static host group.

Example:

(device_id:['e139xxxxxxxx5885', '8393xxxxxxxx9650','389axxxxxxxx5e80'])

Text

Required

Disable Hostname Check

Specify to disable hostname check on add-member.

Boolean

Optional

The default value is false.

Device IDs

Enter the list of device IDs.

Example:

$LIST[bf4fbxxxxxx4b8026]

List

Required

Tags List

Enter the list of tags to add.

Example:

$LIST["falcongroupingtags/tag1", "falcongroupingtags/tag2"]

List

Required

CL Regex

Enter the CL Regex.

Example:

choice\s+/m\s+crowdstrike_sample_detection

Text

Required

Comment

Enter the comment.

Text

Required

Description

Enter the description.

Text

Required

Detection JSON

Enter the detection JSON.

Text

Optional

Group

Enter the groups.

Example:

['2345jdsie3xxxx']

List

Optional

IFN Regex

Enter the IFN Regex.

Example:

.*\\windows\\system32\\choice\.exe

Text

Required

Name

Enter the name.

Example: test

Text

Required

Pattern ID

Enter the pattern ID.

Example:

10197

Text

Required

Pattern Name

Enter the pattern name.

Example:

sampletemplatedetection

Text

Required

Name

Enter the name.

Example:

group_id

Text

Required

Host Group ID

Enter the host group ID to which you want to assign the sensor policy.

Example:

80156bb05a144660b89426884720105d

Text

Required

Policy ID

Enter the policy ID.

Example:

$LIST[b0ceca08642b4103a344f8251c492861]

List

Required

Filter

Enter the filter query.

Example:

type: "domain"

Text

Optional

Sample filter options are type, value, action, severity, tags, and expires. The filter is case sensitive.

Additional Data

Enter any additional parameters to pass to the API.

Example:

{limit: 100}

Key Value

Optional

Allowed values:

sort, limit, offset, after, and from_parent

Host IDs

Enter the host agent ID(AID) of the host you want to contain. Get an agent ID from a detection, the Falcon console, or the streaming API in CrowdStrike Falcon.

Example:

$LIST[cdc40c8ad8314cf296016a507469b231]

List

Required

Resource

Enter the details to create a host.

Example:

$JSON[[{"name":"test group","description":"sample test","group_type":"static"}]]

List

Required

Excluded From

Enter if the hosts are excluded from blocking (detections and preventions) or extraction (uploads to CrowdStrike).

Example:

$LIST[extraction]

List

Required

Allowed values:

blocking and extraction

Comment

Enter a comment for the audit log.

Text

Optional

Groups

Enter the host groups to which the exclusion applies. To apply exclusion to all groups, enter $LIST[all]

List

Required

Exclusion Pattern

Enter the exclusion pattern in glob syntax.

Example:

/foo

Text

Required

File Path

Enter the file path.

Example:

/tmp/intel.pdf

Text

Required

File Name

Enter the file name.

Example:

response file

Text

Required

Description

Enter the description.

Text

Required

Comments for Audit Log

Enter the audit log comment.

Text

Optional

Scan Body

Enter the full body payload in JSON format to configure the scan.

Key Value

Required

Allowed keys:

cloud_ml_level_detection, cloud_ml_level_prevention, body, cpu_priority, description, endpoint_notification, file_paths, host_groups, initiated_from, max_duration, max_file_size, pause_duration, quarantine, scan_exclusions, sensor_ml_level_detection, and sensor_ml_level_prevention

Comment

Enter a comment for the audit log.

Text

Required

Groups

Enter the host groups to which the exclusion applies. To apply exclusion to all groups, enter $LIST[all].

List

Required

Value

Enter the exclusion pattern in glob syntax. Example:

"/foo"

Text

Required

Session File ID

Enter the RTR session file ID to delete.

Example:

efa256a96af3b556cd3fc9d8b1cf587d72807d7805ced441e8149fc279db422b

Text

Required

Session ID

Enter the RTR session ID.

Example:

3af6dd83-1691-4bb9-b6e5-530b23c14b24

Text

Required

Indicator ID

Enter the list of indicator IDs.

Example:

$LIST[5130b3232266ec3d0712faaa503b0702dbfd5cced6aa725efd2bb19de1898655,16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d] or for a single indicator, it can be used this way as well: $LIST[16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d]

List

Required

Filter

The FQL expression to delete indicators in bulk.

Text

Optional

If both 'filter' and 'ids' are provided, then filter takes precedence and ignores IDs.

Comment

Enter a comment explaining why these indicators were deleted.

Text

Optional

From Parent

Choose true to return indicators for both the requesting customer and its MSSP parents

Boolean

Optional

ML Exclusion IDs

Enter the ML exclusion IDs.

Example:

$LIST[b0ceca08642b4103a344f8251c492861]

List

Required

Comment

Enter the comment.

Text

Optional

File ID

Enter the file ID.

Example:

xxxxxxc611ec85f082cab6337bcd_1cff909fxxxxxx

Text

Required

Comment

Enter the comment.

Text

Optional

Sv Exclusion IDs

Enter the SV exclusion IDs.

Example:

$LIST[b0ceca08642b4103a344f8251c492861]

List

Required

Base Command

Enter the active-responder command type you want to execute.

Example:

get or cp

Text

Required

Command String

Enter the full command string to execute.

Example:

get some_file.txt

Text

Required

Session ID

Enter the RTR session ID to run the command against the selected host.

Example:

3af6dd83-1691-4bb9-b6e5-530b23c14b24

Text

Required

Extra Fields

Enter any additional parameters to pass to the API.

Key Value

Required

Allowed values:

device_id, persist and id

Session ID

Enter the RTR session ID.

Example:

3af6dd83-1691-4bb9-b6e5-530b23c14b24

Text

Required

SHA256

Enter the SHA-256 hash of the extracted file.

Example:

efa256a96af3b556cd3fc9d8b1cf587d72807d7805ced441e8149fc279db422b

Text

Required

Filename

Enter the filename to use for both the 7z archive and the file inside it.

Text

Optional

Default value:

{sha256}.7z

Detection IDs

Enter the detection ID list.

Example:

["ldt:3752xxxxxxxx9964:8175xxxx2029"]

List

Required

Offset

The first detection to return, where 0 is the latest detection.

Example:

1

Integer

Optional

Use with the limit parameter to manage pagination of results.

Limit

The maximum number of detections to return in this response (default: 9999; max: 9999).

Integer

Optional

Use with the offset parameter to manage pagination of results.

Sort

Sort detections using these options.

Example:

max_confidence|asc

Text

Optional

allowed values: are first_behavior, last_behavior, max_severity, max_confidence, adversary_id, device.hostname.

Filter

Filter detections using a query in Falcon Query Language (FQL) an asterisk wildcard * includes all results.

Example:

status:'normal'

Text

Optional

Query

Search all detection metadata for the provided string.

Text

Optional

Incident IDs

Enter the incident ID list.

Example:

$LIST[inc:a8ecce2f41df4112ae07d4e0c86d0795:3afxxx]

List

Required

IOA Exclusion IDs

Enter the IOA exclusion IDs.

Example:

$LIST[b0ceca08642b4103a344f8251c492861]

List

Required

ML Exclusion IDs

Enter the ML exclusion IDs.

Example:

$LIST[b0ceca08642b4103a344f8251c492861]

List

Required

Sensor Visibility Exclusion IDs

Enter the SV Exclusion IDs.

Example:

$LIST[b0ceca08642b4103a344xxxx]

List

Required

Offset

Starting index of the overall result set from which to return IDs.

Integer

Optional

Limit

Number of ids to return.

Integer

Optional

Sort

Sort by spec.

Example:

name

Text

Optional

Search Filter

Enter optional filter criteria in the form of an FQL query.

Example:

platform:'windows'

Text

Optional

Limit

Enter the maximum number of prevention policies to be retrieved.

Integer

Optional

The maximum records to return is 1-5000.

The default value is 100.

Search Filter

The filter expression that should be used to limit the results.

Example:

platform_name: 'windows'

Text

Optional

Offset

Enter the offset value to start retrieving policies from.

Integer

Optional

Default value:

1

Sort

Enter to sort the result.

Example:

created_by.asc

Text

Optional

allowed values:

created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, and precedence.desc

Limit

Enter the maximum number of sensor policies to be retrieved.

Integer

Optional

The maximum records to return is 1-5000.

The default value is 100.

Search Filter

The filter expression that should be used to limit the results.

Example:

platform_name: 'windows'

Text

Optional

Offset

Enter the offset value to start retrieving records from.

Example:

1

Integer

Optional

Sort

Enter to sort the result.

Example:

modified_by.asc

Text

Optional

Allowed values:

created_by.asc, created_by.desc, modified_by.asc, modified_by.desc

Host Group ID

Enter the host group ID to retrieve the hosts.

Example:

006exxxxxxxxa3e7

Text

Optional

Limit

Enter the maximum number of hosts to be retrieved.

Integer

Optional

A maximum of 5000 records can be fetched. Hosts are sorted alphabetically by host name.

Default value:

100

Filter

Enter the filter expression that should be used to limit the results.

Example:

modified_timestamp:>'2025-03-10t08:26:57.840304696z'

Text

Optional

Offset

Enter the offset value to start retrieving records from.

Example:

1

Integer

Optional

Sort

Enter to sort the result.

Example:

status.desc

Text

Optional

Search Filter

The filter expression that should be used to limit the results.

Example:

created_timestamp:>'2024-11-25t22:36:12z'

Text

Optional

Offset

Enter the offset value to start retrieving records from.

Example:

1

Integer

Optional

Limit

Enter the maximum number of records to return.

Integer

Optional

A maximum of 5000 records can be fetched.

Default value:

100

Sort

Enter to sort the result.

Example:

created_by.asc

Text

Optional

Allowed values:

created_by.asc, created_by.desc

Additional Prameters

Enter additional parameters.

Key Value

Optional

Filter

The filter expression that should be used to limit the results.

Example:

applied_globally:'true'

Text

Optional

Offset

Enter the offset value to start retrieving records from.

Example:

0

Integer

Optional

Limit

Enter the maximum number of records to return.

Integer

Optional

A maximum of 5000 records can be fetched.

Default value:

100

Sort

Enter a value to sort the result.

Example:

applied_globally.desc

Text

Optional

Limit

Enter the maximum number of hosts to be retrieved.

Hosts are sorted alphabetically by host name.

Integer

Optional

Default value:

100

Filter

The filter expression that should be used to limit the results.

Example:

applied_globally:'true'

Text

Optional

Offset

Enter the offset value to start retrieving records from.

Example:

3

Integer

Optional

Sort

Enter to sort the result.

Example:

value.asc

Text

Optional

Name

Enter a name for the aggregate query, as chosen by the user. This is used to identify the results returned to you.

Text

Required

Aggregate Type

Enter the type of aggregation to perform.

Text

Required

Valid values:

date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles

Aggregate Field

Enter the field on which to compute the aggregation. This can be any field returned in a query response, such as severity or tactic_id.

Text

Required

Alert IDs

Enter the alert ID to retrieve,

Example:

$LIST[28a1xxxxxxxx3914:ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-117-1930xxxxxxxx9544].

List

Required

Include Hidden Alerts

Choose true to allow previously hidden alerts to be retrieved.

Boolean

Optional

Default value:

true

Device ID

Enter the device ID to retrieve details for.

Example:

8cfcb75a73aa48ac7b4f544b04a905b3

Text

Required

Host IDs

Enter the list of host IDs to fetch details.

Example:

$LIST[5b62f6d1a451c8c1a8828ce28265d65b,5c4a1e9ffc24464a9776c61af]

List

Required

Max allowed value:

5000

IOC Type

Enter the IOC type.

Text

Required

Allowed values:

sha256, md5, domain, ipv4, and ipv6

IOC Value

Enter the IOC value.

Example:

8bbdead7357af7bf0efe397f9fd7e0ec578755eb8bdbaa65ae4f28ef00087ad5

Text

Required

Extra Parameters

Enter the extra parameters to pass to the API.

Key Value

Optional

Malicious File IDs

Enter the list of malicious file IDs to retrieve specific file entity details.

List

Required

Script ID

Enter the list of script IDs.

Example:

$LIST[fc4974cd1f9011ec8b82ba35da7e613b_9236b0e5b28946de8fc2d278cecba38d]

List

Required

Remediation IDs

Enter one or more remediation IDs.

Example:

$LIST['5ddb0407bef249c19c7a975f17979a1f_eecd9a8f319940dfb0255e5d436822d9']

List

Required

File IDs

Enter the list of file IDs.

Example:

$LIST[1246eaf04dc611ec85f082cab6337bcd_1cxxxxx]

List

Required

Scan IDs

Enter the scan IDs to retrieve the associated scan host metadata from CrowdStrike Falcon.

List

Required

IDs

Enter the IDs of the host to get the status.

Example:

$LIST[5b62f6d1a451c8c1a8828ce28265d65b,5c4a1e9ffc24464a9776c61af]

List

Required

Vulnerability IDs

Enter the vulnerability IDs (maximum 400).

Example:

$LIST[3e32646d80e94c875f9db78ae533d3a3_ff751484b9433cb899a9e4755cce7a7a]

List

Required

Sort

Specify the sorting order.

Example:

closed_timestamp.asc

Text

Optional

Common sort options include, updated_timestamp|asc, closed_timestamp|asc

Facet

Enter a facet to limit the response.

Example:

$LIST[cve]

List

Optional

Accepted parameters are host_info, remediation, evaluation_logic, cve.

Limit

Enter the maximum number of vulnerability records to be returned.

example:

1000

Integer

Optional

Default value:

100

Maximum allowed value:

5000

Filter

Enter the Falcon Query Language (FQL) filter to limit the results.

Example:

created_timestamp:>'2024-03-12t03:27'

Text

Required

Supported filters:

created_timestamp, closed_timestamp, and aid

Pagination Token

Enter the continuation token from the response to fetch the next set of results.

Note: This token is valid for only 120 seconds after the initial request.

Text

Optional

Limit

Enter the maximum number of vulnerability records to be returned. example, 200

Integer

Optional

Default value:

100

Max value:

400

Filter

Enter the Falcon Query Language (FQL) filter to limit the results.

Example:

created_timestamp:>'2024-03-12t03:27'

Text

Required

Supported filters:

aid, apps.remediation.ids, closed_timestamp, created_timestamp, cve.exploit_status, cve.exprt_rating, cve.id, cve.is_cisa_kev, cve.remediation_level, cve.severity, cve.types, host_info.asset.criticality, host_info.managed_by, host_info.groups, host_info.internet_exposure, host_info.platform_name, host_info.product_type_desc, host_info.tags, host_info.third_party_asset_ids, last_seen_within, status, suppression_info.is_suppressed, suppression_info.reason, updated_timestamp, vulnerability_id,

Sort

Specify the sorting order.

Example:

created_timestamp.asc

Text

Optional

Allowed values:

created_timestamp|asc/desc, closed_timestamp|asc/desc, updated_timestamp|asc/desc

Pagination Token

Enter the continuation token from the response to fetch the next set of results.

Note: This token is valid for only 120 seconds after the initial request.

Text

Optional

Host IDs

Enter the host Agent ID (AID) of the host you want to lift the containment.

Example:

$LIST[cdc40c8ad8314cf296016a507469b231]

List

Required

Get an agent ID from a detection, the Falcon console, or the streaming API in CrowdStrike Falcon.

Filter

Enter a filter query to filter alerts by.

Example:

platform:'public_cloud'

Text

Optional

Limit

Enter the maximum number of alerts to return.

Integer

Optional

Default value is 100

Offset

Enter the number of alerts to skip.

Integer

Optional

Default value is 0

Extra Parameters

Enter any additional parameters to pass to the API.

Example:

{include_hidden : true}

Key Value

Optional

Allowed values:

include_hidden, filter and q

Session ID

Enter the RTR session ID.

Example:

3af6dd83-1691-4bb9-b6e5-530b23c14b24

Text

Required

Limit

Enter the maximum number of records to return.

Integer

Optional

A maximum of 5000 records can be retrieved.

The default value is 100.

Offset

Enter the offset to start retrieving records from.

Example:

1

Integer

Optional

Filter

Enter the query to filter the results.

Example:

platform_id:3

Text

Optional

Sort

Specify the sorting order.

Example:

deployment_type.asc

Text

Optional

Sort values:

status.desc, hostname.asc and more.

Limit

Enter the maximum number of incident IDs to be retrieved.

Integer

Optional

A maximum of 500 records can be retrieved

Default value:

100

Filter

Enter the filter expression that should be used to limit the results.

Example:

modified_timestamp:>'2024-11-25t22:36:12z'

Text

Optional

Offset

Enter the starting index of the overall result set from which to return IDs.

Example:

1

Integer

Optional

Sort

Enter to sort the result.

Example:

assigned_to.asc

Text

Optional

Allowed values:

assigned_to.asc, assigned_to.desc

ID

Enter the ID of the response policy to retrieve its members.

Example:

06621b2f2f1544678acbe9f7c6789f1a

Text

Optional

Offset

Enter the starting index of overall result set from which to return IDs.

Example:

1

Integer

Optional

Limit

Enter the maximum number of records to return.

Integer

Optional

Maximum 5000 records can be fetched.

Default value:

100

Sort

Enter the sort to filter down the search results.

Example:

status.asc

Text

Optional

Filter

Enter the filter expression that should be used to limit the results.

Example:

platform:'linux'

Text

Optional

ID

Enter the ID of the response policy to retrieve its members.

Example:

06621b2f2f1544678acbe9f7c6789f1a

Text

Optional

Offset

Enter the starting index of overall result set from which to return IDs.

Integer

Optional

Limit

Enter the maximum number of records to return.

Integer

Optional

Maximum 5000 records can be fetched.

Default value:

100

Sort

Enter to sort the result.

Example:

status.asc

Text

Optional

Filter

Enter the filter expression that should be used to limit the results.

Example:

platform:'linux'

Text

Optional

Detection IDs

Enter the IDs of the detections that you want to modify.

Example:

$LIST[ldt:3752xxxxxxxx9964:8175xxxx2029]

List

Required

Status

Enter the status associated with the detections.

Text

Required

Allowed values:

new, in_progress, true_positive, false_positive, and ignored.

Assigned User

Enter the unique ID of the user to whom you want to assign the detections.

Example:

1234567891234567891

Text

Optional

Comment

Enter a comment describing the reason for updating the detection.

Text

Optional

Name

Enter the specific detail of the incident that you want to update.

Example:

if you want to update the name of the incident, enter update_name.

Text

Required

Allowed values:

add_tag, delete_tag, unassign, update_name, update_assigned_to_v2, update_description, and update_status.

Value

Enter the updated value for the specified name.

Example:

if name is add_tag, you can enter the tags you want to add to the incident.

Text

Required

Incident IDs

Enter the IDs of incidents that you want to update.

Example:

$LIST[inc:a8ecce2f41df4112ae07d4e0c86d0795:3afxxx]

List

Required

Update Detects

If true, update assigned-to-uuid and or status of detections associated with the incidents.

Boolean

Optional

Default value:

false

Overwrite Detects

If set to true and update-detects is also true, the assigned-to-uuid or status values for all detections associated with the incident will be overwritten.

If set to false, only detections that have default values for assigned-to-uuid or status will be updated.

Boolean

Optional

The default value is false. This parameter is ignored if update-detects is missing or set to false.

Data

Enter the data that needs to update in key-value format.

Example:

{'excluded_from':['blocking','extraction']}

Key Value

Required

Ml Exclusion ID

Enter the ML exclusion IDs.

Example:

'b0ceca08642b4103a344f8251c492861'

Text

Required

Data

Enter the data you want to update.

Example:

{'value':'sv_name'}

Key Value

Required

SV Exclusion ID

Enter the SV Exclusion ID.

Example:

b0ceca08642b4103a344f8251c492861

Text

Required

Offset

Enter the starting row number to return from the index.

Integer

Optional

Default value:

0

Limit

Enter the number of rows to return.

Integer

Optional

Default value:

100

Sort

Enter the sorting order.

Example:

published_date|asc.

Text

Optional

Filter

Enter the filter.

Example:

_marker, actors, deleted

Text

Optional

Search

Enter the generic substring search.

Text

Optional

Include Deleted

Specify if deleted indicators should be included.

Boolean

Optional

Default value:

false

Include Relations

Specify if relations should be included.

Boolean

Optional

Default value:

false

FQL Filter

Enter the FQL syntax-formatted string to filter malicious files based on specific attributes.

Text

Optional

Allowed filters:

id, cid, host_id, scan_id, host_scan_id, filepath, filename, hash, pattern_id, severity, quarantined, and last_updated

Offset

Enter the starting index of the overall result set from which to return IDs.

Integer

Optional

Default value:

0

Limit

Enter the maximum number of malicious file resources to return in a single request.

Integer

Optional

Default value:

500

Sort

Enter the property and direction used to sort the results. allowed format is property|direction. allowed values include id|asc, id|desc, scan_id|asc, and more.

Text

Optional

Allowed format:

property|direction.

Allowed values:

include id|asc, id|desc, scan_id|asc, and more.

Default value:

last_updated|desc

Base Command

Enter the base command.

Example:

ls

Text

Required

Device ID

Enter the device ID.

Example:

9daac64e7e8xxxxx

Text

Required

Command String

Enter the command. for.

Example:

cd sample.txt

Text

Required

Session ID

Enter the session ID.

Example:

3ee4c4-2e74-4967-884f-17xxx

Text

Required

IDs

Enter the IDs.

Example:

234sdfkuixxxxx

Integer

Optional

Default value:

0

Persist All

Specify if you want to persist all.

Boolean

Optional

Default value:

true

Base Command

Enter the base command.

Example:

ls

Text

Required

Batch ID

Enter the batch ID.

Example:

ea263243-ff2f-4aee-a606-xxxx

Text

Required

Command String

Enter the command.

Example:

cd sample.txt

Text

Required

Optional Hosts

Enter the optional hosts.

Example:

$LIST[cdc40c8ad8314cf296016a507460c563

List

Optional

persist_all

Specify if you want to persist all.

Boolean

Optional

Default value:

true

Request Timeout

Enter the number of seconds to wait for the request.

Integer

Optional

The default value is 30 seconds.

The maximum value is 5 minutes.

Timeout Duration

Enter the timeout duration in the request in duration syntax.

Text

Optional

Default: 30s.

Valid units:

ns, us, ms, s, m, h.

The maximum value is 5 minutes.

Host Timeout Duration

Enter the timeout duration that defines how long a host has to complete processing. The default value is slightly less than the overall request timeout and cannot exceed it.

Text

Optional

The maximum value is < 5 minutes. For example, 10 seconds.

Valid units:

ns, us, ms, s, m, h

Base Command

Enter the base command.

Example:

ls

Text

Required

Batch ID

Enter the batch ID.

Example:

ea263243-ff2f-4aee-a606-xxxx

Text

Required

Command String

Enter the command.

Example:

cd sample.txt

Text

Required

Optional Hosts

Enter the optional hosts.

Example:

$LIST[cdc40c8ad8314cf296016a507460c563]

List

Optional

Persist all

Specify if you want to persist all. default: true

Boolean

Optional

Timeout

Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with CrowdStrike Falcon.

Integer

Optional

Default value:

30 seconds

Maximum value: 5 minutes

Timeout duration

Timeout duration for how long to wait for the request in duration syntax.

Example:

10s

Text

Optional

Allowed units:

ns, us, ms, s, m, h.

Maximum value:

5 minutes

Host Timeout Duration

Enter the timeout duration for how long the host has to complete processing. The value must be less than the overall request timeout.

Example:

10s

Text

Optional

The maximum allowed value is 5 minutes.

Supported units:

ns, us, ms, s, m, h.

Base Command

Enter the base command.

Example:

ls

Text

Required

Batch ID

Enter the batch ID.

Example:

ea263243-ff2f-4aee-a606-xxx

Text

Required

Command String

Enter the command.

Example:

cd sample.txt

Text

Required

Optional Hosts

Enter the optional hosts.

Example:

$LIST[cdc40c8ad8314cf296016a507460c563

List

Optional

Persist All

Specify if you want to persist all.

Boolean

Optional

Default value:

true

Timeout

Timeout for how long to wait for the request in seconds.

Integer

Optional

Default timeout:

30 seconds

Maximum timeout:

5 minutes

Timeout Duration

Enter the duration to wait for the request to complete.

Text

Optional

Default: 30s

Maximum: 5 minutes

Supported units:

ns, us, ms, s, m, h

Host Timeout Duration

Enter the timeout duration for the host to complete processing. The value must be less than the overall request timeout.

Example:

10s

Text

Optional

Maximum: 5 minutes.

Supported units: ns, us, ms, s, m, h.

Host Group IDs

Enter the static host group ID from which you want to remove the hosts.

Example:

$LIST[30c65154238e42318027c2deb0164aba]

List

Required

Name

Enter the name.

Example:

filter

Text

Required

Host IDs

Enter the host IDs to be removed from the static host group.

Example:

(device_id:['e139xxxxxxxx5885', '8393xxxxxxxx9650','389axxxxxxxx5e80'])

Text

Required

Disable Hostname Check

Specify whether to disable hostname verification when adding a member.

Boolean

Optional

Default value:

false

Device IDs

Enter the list of device IDs.

Example:

$LIST[bf4fbxxxxxx4b8026]

List

Required

Tags List

Enter the list of tags to remove.

Example:

$LIST[falcongroupingtags/tag1]

List

Required

Agent IDs

Enter one or more agent IDs.

Example:

$LIST[8b83xxxxxxxx2098072c0496f8a0000]

List

Required

Customer ID

Enter the customer ID.

Example:

5c4a1e9ffc24464a9776c61af1d569b1

Text

Optional

Device IDs

Enter the device IDs.

Example:

$LIST[abcuu32534z]

List

Required

Limit

Enter the limit.

Integer

Optional

Default value:

100

Offset

Enter the offset.

Example:

fgluy2x1zgvfy29udgv4df91dwlkdnf1zxj5vghlbkzldgnoahzfcug0ttnnufjsdvdxwlnsau13yw1raaaaaajcsqswrurvx2nrm0ptvy00vfvvaeg1telpzxzqsezyvxgtbljws0rysxpmsgzubjz3aaaaaajknekwyv9uaddenkrsdenmogpsckuzakppuq==

Text

Optional

Filter

Enter to filter down the search results.

Example:

modified_timestamp:>'2024-01-25t22:36:12z'

Text

Optional

Sort

Enter the sort to filter down the search results.

Example:

status.desc or hostname.asc

Text

Optional

Indicator IDs

Enter the list of indicator IDs.

Example:

$LIST[5130b3232266ec3d0712faaa503b0702dbfd5cced6aa725efd2bb19de1898655,16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d]

or for single indicator, use: $LIST[16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d]

List

Required

Customer ID

Enter the customer ID.

Example:

456789abcdefghijklmnopqrstuv-wx

Text

Optional

Device IDs

Enter the list of device IDs to retrieve details for.

Example:

$LIST[abcuu32534z]

List

Required

IOC Type

Enter the IOC type.

Text

Required

Allowed values:

sha256, md5, domain, ipv4, ipv6

IOC value

Enter the IOC value.

Text

Required

Extra Parameters

Enter the extra parameters.

Key Value

Optional

Filter

Specify the filter expression to limit the response.

Example:

modified_timestamp:>'2024-10-25t22:36:12z'

Text

Optional

Offset

Enter the offset value to start retrieving records from.

Example:

0

Integer

Optional

Limit

Enter the maximum number of records to return. A maximum of 5000 records can be fetched.

Integer

Optional

Default value:

100

Sort

Enter the property to sort by.

Example:

status.desc

Text

Optional

Filter

Enter a filter to narrow the search result. for example, type:'domain',value:'sampledomain.com'

Text

Optional

Supported filters:

type, value, action, mobile_action, severity, platforms, tags, expiration, expired, applied_globally, host_groups, created_on, created_by, modified_on, modified_by, and source

Limit

Enter the maximum number of incident IDs to be retrieved.

Integer

Optional

Default value:

100

Offset

Enter the starting index of overall result set from which to return IDs.

Example:

1

Integer

Optional

Sort

Enter to sort the result.

Example:

severity_number

Text

Optional

Allowed values:

action, applied_globally and more.

After

Enter the after token from the previous response to continue retrieving results from that point.

Example:

wyjkzxrly3qilci2mjnjmgqyytnknwe5zwezowfjztnkztbkmzdkndq2ywrmzwzizdiwzjnkzdk1mtg2nguwnde1mtiymzdhnzfhil0=

Text

Optional

From Parent

Choose true to return indicators for both the requesting customer and its MSSP parents

Boolean

Optional

Host IDs

Enter the IDs of hosts you want to start a session with.

Example:

$LIST[9daac64e7e8f453488bfde9f573960b1]

List

Required

Existing Batch ID

Enter the ID of the batch of hosts.

Example:

5ba74666-fa78-4738-afe8-a54a14dbd413

Text

Optional

Queue Offline

Specify if the session must be queued offline.

Boolean

Optional

By default, it is queued.

Timeout

Enter the request timeout in seconds.

Integer

Optional

Default:

30 seconds

Maximum:

5 minutes

Timeout Duration

Enter the request timeout in duration format.

Text

Optional

Default:

30

Maximum:

5 minutes

Supported units:

ns, us, ms, s, m, h

Host Timeout Duration

Specify the host processing timeout. It must be less than the overall request timeout.

Example:

10s

Text

Optional

Maximum:

5 minutes.

Supported units:

ns, us, ms, s, m, h

Device ID

Enter the device ID.

Example:

9daac64e7e8f453xxxx

Text

Required

Origin

Enter the origin.

Example:

ls

Text

Required

Queue Offline

Enter the queue offline.

Boolean

Optional

Default:

true

Timeout

Enter the request timeout in seconds.

Integer

Optional

Default:

30 seconds

Maximum:

5 minutes

Timeout Duration

Specify the duration to wait for the request to complete.

Example:

10s

Text

Optional

Supported units:

ns, us, ms, s, m, h.

Maximum value:

5 minutes.

Alert IDs

Enter a list of alerts to update.

Example:

$LIST[28a1xxxxxxxx3914:ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-117-1930xxxxxxxx9544]

List

Required

Action

Enter the action to perform on the alerts.

Example:

add_tag

Text

Required

Valid values:

add_tag, append_comment and more

Action Value

Enter the value to use for the action.

Example:

if you are adding a tag to an alert, the value could be 'falcon_tag1'

Text

Required

Include Hidden Alerts

Choose true to allows previously hidden alerts to be retrieved.

Boolean

Optional

Default value:

true

Update Detects

Specify if you want to update the associated detects.

Boolean

Optional

Default value:

false

Overwrite Detects

Specify if you want to overwrite the associated detects.

Boolean

Optional

Default value:

false

Name

Enter update_status as the action parameter to update the detect status.

Text

Required

Value

Enter the updated detection value to apply to each incident listed in incident_ids.

Text

Required

Incident IDs

Enter the incident IDs to update the detections.

Example:

$LIST[inc:62e9c3d557a5479258d9ac63a2efb118:131b5xxxx]

List

Required

IOC ID

Enter the ID of the indicator you want to update.

Example:

9f8c43311b1801ca4159fc07d319610582c2003ccde8934d5412b1781e841e9e

Text

Required

Additional Data

Enter any additional data for updating the indicator.

Example:

{'source':'testsource','action':'detect'}

Key Value

Optional

Comment

Enter a comment about the update.

Text

Optional

IOC Type

Enter the IOC type.

Text

Required

Allowed values:

ipv4,ipv6,sha256,domain,md5 and all_subdomains

IOC Value

Enter the IOC value.

Text

Required

Action

Enter the action to be performed on the indicators.

Text

Required

Allowed values:

no_action, allow, prevent_no_ui, prevent, and detect

allow, prevent_no_ui, and prevent actions are only applicable to hashes.

Severity is mandatory if action is prevent or detect.

Severity

Enter the severity level to apply to the indicator. severity is mandatory if actions are prevent or detect.

Text

Optional

Allowed values:

informational, low, medium, high, and critical.

Mobile Action

Enter the mobile action to be performed on the indicators.

Text

Optional

Allowed values:

no_action, allow, prevent_no_ui, prevent, and detect.

Severity is mandatory if mobile actions are prevent or detect.

Platforms

Enter the platforms that the indicator applies to.

List

Required

Possible values are mac, windows, linux, android, and ios.

If the platforms are Android and IOS, then mobile action is mandatory.

Comment

Enter a comment about the uploading indicator.

Text

Optional

Applied Globally

Specify if the values applies globally.

Boolean

Optional

Default:

true

Additional Data

Enter any additional data while uploading the indicator

Key Value

Optional

Method

Enter the HTTP method for the action.

Text

Required

Supported values:

GET, POST, PUT, PATCH, and DELETE

Endpoint

Enter the CrowdStrike endpoint.

Example:

/devices/entities/devices/v1

Text

Required

JSON Payload

Enter the payload in JSON format.

Example:

$JSON[{"data": [{"reason": "test"}]}]

Any

Optional

Query Params

Enter the query parameters in JSON format.

Example:

{"limit": "10"}

Key Value

Optional

Extra Fields

Enter the extra fields to pass to the API.

Key Value

Optional

v3.0.0

Introduced Create Scan, Get Malicious Files by IDs, Get Scan Hosts by IDs, and Query Malicious Files actions.