CrowdStrike Falcon 1.0.0
App Vendor: CrowdStrike
App Category: Endpoint Detection & Response
Connector Version: 1.7.1
API version: 1.0.0
About App
The CrowdStrike Falcon app integrates Orchestrate with the CrowdStrike Falcon platform, an endpoint detection and response (EDR) product that unifies next-generation antivirus, EDR and a 24/7 managed threat hunting service, all delivered through a single lightweight sensor agent.
The Crowdstrike Falcon app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Add Hosts In Static Group | The action adds hosts to a static host group. |
Adding IOA Exclusion | The action adds an IOA exclusion. |
Add Tags To Falcon Grouping | The action adds Falcon grouping tags to hosts; dynamic host groups, and therefore the policies applied through them, are assigned from these tags. |
Assign Prevention Policies To A Group | The action assigns prevention policies to a group. |
Assign Sensor Policies To a Group | The action assigns sensor policies to a group. |
Adding Sensor Visibility Learning Exclusion | The action adds sensor visibility learning exclusion. |
Bulk Fetch Indicators | The action retrieves indicators. You can filter the results using an FQL query. |
Contain a Host | The action is used to contain a host. |
Create Host Group | This action creates a host group to determine which policies are applied to which hosts. |
Create Response Time File | The action creates a response time file. |
Delete Indicator ID | The action deletes an indicator ID. |
Delete Response Time File | The action deletes the response time file. |
Get Device Info By ID | The action searches for the device information through the device ID. |
Find Host With Device Query | The action searches for hosts with various device filters. |
Removing Falcon Grouping Tags | The action removes Falcon grouping tags from hosts. |
Lift Containment Of a Host | The action lifts the containment of a host. |
Removing Hosts In Static Group | The action removes hosts from a static host group. |
Finding Host Groups | The action searches for host groups. |
Finding Host Group Members | The action searches for hosts belonging to a host group. |
Find Existing Sensor Policies | The action searches existing sensor policies. |
Find Existing Prevention Policies | The action finds existing prevention policies. |
Add Machine Learning Exclusion | This action adds machine learning exclusion. Exclusions are applied to hosts based on their group membership. Set up host groups before you create exclusions. |
Upload Indicator | The action uploads the indicators. |
Finding Indicator IDs | The action searches the indicator IDs. |
Update Indicators | The action updates the indicators. |
Fetch Incident IDs | The action searches for incidents. |
Modify Incidents | The action updates/modifies the incidents. |
Update Detection Status | The action updates the status of the detections associated with incidents, using the same endpoint as Modify Incidents. |
Fetch Detection IDs | The action searches for detections in order to learn more about activity in your environment. |
Modify Detections | The action modifies the detections. |
Send Real Time Response to a batch of hosts | The action initiates a session with one or more hosts. |
Fetch Real Time Response Script | This action searches and filters existing scripts uploaded to the CrowdStrike platform. |
Fetch Real Time Policy Hosts | The action retrieves the real-time policy hosts. |
Fetch Real Time Policy Agent IDs | The action retrieves the real-time policy agent IDs. |
Retrieving ZTA By Host | The action retrieves the Zero Trust Assessment (ZTA) score for a host. |
Find Machine Learning Exclusion | The action searches for machine learning exclusions. |
Fetch Particular ML Exclusion Details | The action retrieves details of a particular ML exclusion. |
Modify ML Exclusion | The action modifies the machine learning exclusion. |
Delete ML Exclusion | The action deletes an ML exclusion. |
Find Sensor Visibility Exclusion | The action retrieves the list of all the sensor visibility exclusions. |
Fetch Particular Sensor Visibility Exclusion | The action retrieves a particular sensor visibility exclusion. |
Modify SV Exclusion | The action modifies the SV exclusion. |
Delete SV Exclusion | The action deletes SV exclusion. |
Find IOA Exclusion | The action searches for IOA exclusion. |
Fetch Particular IOA Exclusion | The action retrieves the particular IOA exclusion. |
List Response Time File | The action retrieves the list of all the response time files. |
Get Response Time Files | The action retrieves the response time files. |
Search Host for Observed Indicator | The action is used for searching the host for an observed indicator. |
Fetch Incident Detail | The action retrieves a particular incident's details. |
Fetch Detection Details | The action retrieves a particular detection's details. |
Retrieving Host with Device Scroll | The action retrieves the host with the device scroll. |
Retrieving Host NIC History | The action retrieves the host NIC history. |
Retrieving Last Logged User Info | The action retrieves the last logged-in user information. |
Get Vulnerability List | The action retrieves a list of vulnerabilities. |
Get Vulnerability Detail | This action retrieves the details of a vulnerability. |
Query Vulnerabilities | This action queries a list of vulnerabilities. |
Get Alert Details | This action retrieves the details of alerts. |
Get Aggregated Alerts | This action retrieves the aggregated alerts. |
List All Alerts | This action retrieves the alerts. |
Generic Action | This action initiates a generic API call to the CrowdStrike Falcon application. |
Get Host Details | This action retrieves detailed information about hosts. |
List Hidden Host IDs | This action retrieves a list of hidden host IDs. |
Get Status of a Host | This action retrieves the status of hosts. |
Real Time Read Command | The action executes the RTR read-only command across the hosts mapped to the given batch ID. |
Real Time Session Single Host | The action initiates a real-time session for a single host. |
Real Time Admin Command | The action executes the Real Time Response (RTR) admin command across the hosts mapped to the given batch ID. |
Real Time Execute Command Single Host | The action executes a command on a single host. |
Real Time Write Command | The action executes the Real Time Response (RTR) write-only command across the hosts mapped to the given batch ID. |
Real Time Script IDs | The action retrieves real-time response scripts through IDs. |
Update Alerts | This action updates the alerts. |
Query Indicator | The action queries the IOCs. |
Configuration Parameters
The following configuration parameters are required for the Crowdstrike Falcon connector app to communicate with the Crowdstrike Falcon enterprise application. The parameters can be configured by creating instances in the connector app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Input the base URL of the Falcon cloud your CID lives in. Example: "https://api.crowdstrike.com" | Text | Required | Allowed values: https://api.crowdstrike.com (US-1), https://api.us-2.crowdstrike.com (US-2), https://api.eu-1.crowdstrike.com (EU-1), https://api.laggar.gcw.crowdstrike.com (US-GOV-1). An API client belongs to one cloud; authenticating against another cloud's base URL fails. |
Client ID | Enter the client ID of the API client created in the Falcon console. | Text | Required | Grant the client only the scopes the actions you use need (for example Hosts: Write for containment, Real time response (admin): Write only if you run RTR admin commands). |
Client Secret Key | Enter the client secret key. | Password | Required | Shown once when the API client is created; rotate it if it is ever pasted into a playbook, ticket or log. |
TLS verification | Verify the API server's TLS certificate (True) or skip certificate verification (False). | Boolean | Optional | Default value: False. The default disables certificate and hostname checks, so anyone who can intercept traffic to the base URL can capture the client secret and every bearer token, and can feed forged results back into playbooks. Set it to True everywhere except a lab that deliberately runs an intercepting proxy. |
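The connector has to turn the Client ID and Client Secret Key into a bearer token before it can call any action, and the TLS verification flag decides whether that exchange can be intercepted. The following is an added example of that client-credentials exchange, written for this page rather than taken from the connector; it assumes the standard Falcon token endpoint POST {Base URL}/oauth2/token answering with JSON that carries access_token and expires_in, and the send argument is a hypothetical transport hook so the logic can be exercised without network access.

```python
"""OAuth2 client-credentials flow against the Falcon API.

Added example, not the connector's own code. Assumes the Falcon token
endpoint POST {base_url}/oauth2/token returning JSON with access_token and
expires_in; `send` is a hypothetical transport hook so the flow can be run
offline in a test.
"""
import json
import ssl
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

TOKEN_PATH = "/oauth2/token"


@dataclass
class Token:
    access_token: str
    expires_at: float  # epoch seconds

    def is_valid(self, now=None, skew=60):
        """True while more than `skew` seconds of lifetime remain."""
        now = time.time() if now is None else now
        return now + skew < self.expires_at


def ssl_context(verify_tls=True):
    """Strict context by default. verify_tls=False (the connector's default)
    drops chain and hostname checks, so a man-in-the-middle can harvest the
    client secret and every bearer token; keep it True outside a lab."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_token_request(base_url, client_id, client_secret):
    """Return (url, headers, body) for the client-credentials grant."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("base URL must be https: the client secret travels in the body")
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return base_url.rstrip("/") + TOKEN_PATH, headers, body


def parse_token_response(status, payload, now=None):
    """Turn the endpoint's (HTTP status, body bytes) into a Token or raise."""
    if status not in (200, 201):
        raise PermissionError(f"token request failed with HTTP {status}")
    data = json.loads(payload)
    now = time.time() if now is None else now
    return Token(data["access_token"], now + float(data["expires_in"]))


def _urllib_send(url, headers, body, ctx):
    """Real transport: one HTTPS POST using the given SSL context."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read()


def fetch_token(base_url, client_id, client_secret, verify_tls=True,
                send=_urllib_send, now=None):
    """Obtain a bearer token; `send` is injectable for offline testing."""
    url, headers, body = build_token_request(base_url, client_id, client_secret)
    status, payload = send(url, headers, body, ssl_context(verify_tls))
    return parse_token_response(status, payload, now)


def bearer_header(token):
    """Authorization header every subsequent action call must carry."""
    return {"Authorization": f"Bearer {token.access_token}"}
```

Tokens are short-lived, so a long playbook should re-check is_valid() before each call and fetch a new one rather than retrying a 401 with the stale token.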
Action: Find Host with Device Query
The action searches for hosts with various device filters.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra parameters | Enter the extra parameters to find the host. Example: filter: hostname:'ExampleHost'+local_ip:'192.168.1.1' (Falcon Query Language: values are single-quoted, + means AND, and , means OR) | Key Value | Optional | Allowed keys (FQL filter fields): device_id, agent_load_flags, agent_version, bios_manufacturer, bios_version, cid, config_id_base, config_id_build, config_id_platform, cpu_signature, external_ip, first_seen, groups, hostname, instance_id, kernel_version, last_login_timestamp, last_seen, local_ip, local_ip.raw, mac_address, machine_domain, major_version, minor_version, modified_timestamp, os_version, ou, platform_id, platform_name, product_type_desc, reduced_functionality_mode, release_group, serial_number, site_name, status, system_manufacturer, system_product_name. For more information about the allowed keys, see CrowdStrike Falcon API Documentation. |
Example Request
[ { "extra_params":{ "filter":"hostname:'ExampleHost'+local_ip:'192.168.1.1'" } } ]
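Playbooks usually assemble the FQL filter from variables (a hostname from a ticket, an IP from an alert), and because each value is spliced into a single-quoted literal, a quote character in an untrusted value can close the literal and append its own terms. The builder below is an added example, not connector code: it restricts keys to the list in the table above, rejects values that could break out of the literal, and joins terms with + (AND) or , (OR). The request shape it emits is the one shown in the example request.

```python
"""FQL filter builder for Find Host with Device Query.

Added example, not connector code. ALLOWED_KEYS is the key list from the
parameter table; the quoting rules (single-quoted values, '+' for AND,
',' for OR, key:['a','b'] for any-of a list) are standard Falcon Query
Language.
"""
import re

ALLOWED_KEYS = frozenset("""
device_id agent_load_flags agent_version bios_manufacturer bios_version cid
config_id_base config_id_build config_id_platform cpu_signature external_ip
first_seen groups hostname instance_id kernel_version last_login_timestamp
last_seen local_ip local_ip.raw mac_address machine_domain major_version
minor_version modified_timestamp os_version ou platform_id platform_name
product_type_desc reduced_functionality_mode release_group serial_number
site_name status system_manufacturer system_product_name
""".split())

# A value is emitted inside single quotes, so a quote from an untrusted
# playbook variable could close the literal and splice in extra terms
# ("x'+cid:'*"). Allow only what hostnames, IPs, MACs, timestamps and
# wildcards actually need; everything else is rejected, not escaped.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9 ._:/@*-]+$")


def fql_literal(value):
    """Quote one value, refusing anything that could escape the literal."""
    if not isinstance(value, str) or not _SAFE_VALUE.match(value):
        raise ValueError(f"unsafe or empty FQL value: {value!r}")
    return f"'{value}'"


def fql_term(key, value):
    """key:'v' for one value, key:['v1','v2'] for any-of a list of values."""
    if key not in ALLOWED_KEYS:
        raise ValueError(f"{key!r} is not a hosts query filter key")
    if isinstance(value, (list, tuple)):
        if not value:
            raise ValueError(f"empty value list for {key}")
        return f"{key}:[{','.join(fql_literal(v) for v in value)}]"
    return f"{key}:{fql_literal(value)}"


def build_host_filter(criteria, match_all=True):
    """criteria: dict of key -> value (or list). match_all joins terms with
    '+' (all must match); match_all=False joins with ',' (any may match)."""
    if not criteria:
        raise ValueError("refusing an empty filter: it would match every host")
    joiner = "+" if match_all else ","
    return joiner.join(fql_term(k, v) for k, v in criteria.items())


def host_query_request(criteria, match_all=True):
    """Request body in the shape Find Host with Device Query expects."""
    return [{"extra_params": {"filter": build_host_filter(criteria, match_all)}}]
```

Rejecting rather than escaping is deliberate: FQL escaping rules differ per field type, and none of the listed keys legitimately needs a quote in its value.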
Action: Get Device Info by ID
The action searches for the device information through the device ID.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the device ID whose details you want to retrieve. Example: 9daac64e7e8f453488bfde9f573960b1 | Text | Required |
Example Request
[ { "device_id": "9daac64e7e8f453488bfde9f573960b1" } ]
Action: Add Tags to Falcon Grouping
This action adds Falcon grouping tags to hosts. Use Falcon grouping tags to dynamically assign hosts to host groups based on custom keywords you define; the policies and exclusions attached to those groups then follow the host. There is a 256-character limit for each tag. You can add up to 50 tags per host. You can add tags for up to 5000 hosts at a time.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID List | Enter the list of IDs of the hosts to add tags Example: $LIST[9daac64e7e8f453488bfde9f573960b1] | List | Required | |
Tags List | Enter the list of tags to add to the host. Each tag must use the format FalconGroupingTags/{tagName}. Example: $LIST[FalconGroupingTags/Windows] | List | Required |
Example Request
[ { "device_id_list":[ "9daac64e7e8f453488bfde9f573960b1" ], "tags_list":[ "FalconGroupingTags/Windows" ] } ]
Action: Remove Falcon Grouping Tags
This action removes Falcon grouping tags from the given hosts. Removing a tag can move a host out of a dynamic host group and, with it, out of the policies and exclusions that group carries, so verify the host's remaining group membership afterwards.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID List | Enter the list of host IDs to remove the tags from. Example: $LIST[9daac64e7e8f453488bfde9f573960b1] | Any | Required | |
Tags List | Enter the list of tags to remove from the hosts. Each tag must use the format FalconGroupingTags/{tagName}. Example: $LIST[FalconGroupingTags/Windows] | Any | Required | |
Example Request
[ { "tags_list":[ "FalconGroupingTags/Windows" ], "device_id_list":[ "9daac64e7e8f453488bfde9f573960b1" ] } ]
Action: Contain a Host
The action contains a host based on the specified host IDs. To prevent a potentially compromised host from communicating, network contain the host. After you've investigated and remediated, you can lift containment on that host to return its network communications to normal.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host ID | Enter the list of host IDs to contain. Example: $LIST[9daac64e7e8f453488bfde9f573960b1] | Any | Required | Send multiple IDs (5000 max) as a comma-separated list. Each ID is the 32-character hexadecimal agent ID (AID) of the host. |
Example Request
[ { "host_id":[ "9daac64e7e8f453488bfde9f573960b1" ] } ]
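Containment and tagging are the actions a playbook is most likely to fire automatically and at scale, so the request bodies deserve validation before they leave the SOAR: an agent ID that is one character short (as in a mistyped example) should fail loudly rather than silently match nothing, duplicates should be collapsed, and the 5000-host, 50-tag and 256-character limits stated above should be enforced before the API refuses the whole batch. The following builder is an added example, not connector code; it covers Contain a Host, Lift Containment Of a Host, Add Tags to Falcon Grouping and Remove Falcon Grouping Tags, and the action names it returns are the ones used in the action table.

```python
"""Request builder for host-level actions (contain, lift containment, add or
remove Falcon grouping tags).

Added example, not connector code. The limits are the ones this page states
(5000 hosts per call, 50 tags per host, 256 characters per tag, tags prefixed
FalconGroupingTags/); the 32-hex-character agent ID format is Falcon's.
"""
import re

AID_RE = re.compile(r"^[0-9a-f]{32}$")   # Falcon agent IDs are 32 hex characters
MAX_HOSTS_PER_CALL = 5000
TAG_PREFIX = "FalconGroupingTags/"
MAX_TAG_LEN = 256
MAX_TAGS_PER_HOST = 50


def normalize_aids(ids):
    """Lower-case, validate and de-duplicate agent IDs, preserving order.
    A malformed ID (for example 31 characters) raises instead of being sent."""
    out, seen = [], set()
    for raw in ids:
        aid = str(raw).strip().lower()
        if not AID_RE.match(aid):
            raise ValueError(f"not a Falcon agent ID: {raw!r}")
        if aid not in seen:
            seen.add(aid)
            out.append(aid)
    if not out:
        raise ValueError("no host IDs given")
    return out


def _chunks(items, size):
    return [items[i:i + size] for i in range(0, len(items), size)]


def containment_requests(ids, lift=False):
    """Bodies for Contain a Host / Lift Containment, split at the 5000 limit.
    Returns (action_name, [body, ...]) so the caller invokes the right action."""
    action = "Lift Containment Of a Host" if lift else "Contain a Host"
    bodies = [{"host_id": chunk}
              for chunk in _chunks(normalize_aids(ids), MAX_HOSTS_PER_CALL)]
    return action, bodies


def normalize_tags(tags):
    """Enforce the FalconGroupingTags/{tagName} format and the page's limits."""
    out = []
    for tag in tags:
        if not tag.startswith(TAG_PREFIX) or len(tag) == len(TAG_PREFIX):
            raise ValueError(f"tag must look like {TAG_PREFIX}{{tagName}}: {tag!r}")
        if len(tag) > MAX_TAG_LEN:
            raise ValueError(f"tag longer than {MAX_TAG_LEN} characters: {tag[:40]!r}...")
        if tag not in out:
            out.append(tag)
    if not out or len(out) > MAX_TAGS_PER_HOST:
        raise ValueError(f"need 1..{MAX_TAGS_PER_HOST} tags, got {len(out)}")
    return out


def tag_requests(ids, tags, remove=False):
    """Bodies for Add Tags to Falcon Grouping / Remove Falcon Grouping Tags."""
    action = "Remove Falcon Grouping Tags" if remove else "Add Tags to Falcon Grouping"
    tags = normalize_tags(tags)
    bodies = [{"device_id_list": chunk, "tags_list": tags}
              for chunk in _chunks(normalize_aids(ids), MAX_HOSTS_PER_CALL)]
    return action, bodies
```

Because containment is reversible but disruptive, a playbook that calls containment_requests() on more than one chunk should still gate the second and later chunks on a human approval step; the 5000 limit is an API ceiling, not a recommendation.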
Action: Lift Containment Of a Host
The action lifts the containment of a host. To prevent a potentially compromised host from communicating, network contain the host. After you've investigated and remediated, you can lift containment on that host to return its network communications to normal.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host ID | Enter the list of host IDs to lift the containment of host. Example: [9daac64e7e8f453488bfde9f573960b1] | Any | Required | Send multiple IDs (5000 max) as a comma-separated array. |
Example Request
[ { "host_id":[ "9daac64e7e8f453488bfde9f573960b1" ] } ]
Action: Add Hosts in Static Group
The action adds hosts to a static group. After creating a static host group, you must manually assign hosts to the group.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host ID | Enter the list of host group IDs, i.e. the static groups the hosts are added to. The Falcon host-group-actions endpoint takes the group ID here; the hosts being added are selected by the filter in Value. Example: $LIST[1929e90c4b8c458f94228452b5a3b0c2] | List | Required | |
Name | Enter the name of the action parameter. For adding hosts to a static group this is "filter". Example: "filter" | Text | Required | |
Value | Enter the FQL filter that selects the hosts to add. Example: "(device_id:['9daac64e7e8f453488bfde9f573960b1'])" | Text | Required | |
Example Request
[ { "name":"filter", "value":"(device_id:['9daac64e7e8f453488bfde9f573960b1'])", "host_ids":[ "1929e90c4b8c458f94228452b5a3b0c2" ] } ]
Action: Remove Hosts from Static Group
The action removes a host from the static group.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host ID | Enter the list of host group IDs, i.e. the static groups the hosts are removed from. The hosts being removed are selected by the filter in Value. Example: $LIST[1929e90c4b8c458f94228452b5a3b0c2] | List | Required | |
Name | Enter the name of the action parameter. For removing hosts from a static group this is "filter". Example: "filter" | Text | Required | |
Value | Enter the FQL filter that selects the hosts to remove. Example: "(device_id:['9daac64e7e8f453488bfde9f573960b1'])" | Text | Required | |
Example Request
[ { "name":"filter", "value":"(device_id:['9daac64e7e8f453488bfde9f573960b1'])", "host_ids":[ "1929e90c4b8c458f94228452b5a3b0c2" ] } ]
Action: Find Host Groups
The action searches for host groups.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra parameters | Enter the extra parameters to search for host groups. | Key Value | Optional | Allowed keys: for more information on the allowed keys, see the official CrowdStrike Falcon API Documentation. |
Example Request
[ { "extra_params":{ "applied": true, "applied_date":"2022-02-23T15:36:37.093Z", "assigned_date":"2022-02-23T15:36:37.093Z", "policy_id":"d6ca8e4459f640808aa197e37fb4b316" } } ]
Action: Find Host Group Members
The action searches for hosts belonging to a host group.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host ID | Enter the host group ID whose member hosts you want to list. Example: "b9db7872c60249c39983381e4ea587da" | Text | Required | |
Limit | Enter the limit. Example: 10 | Integer | Optional | Default value: 5 |
Example Request
[ { "ids":"b9db7872c60249c39983381e4ea587da", "limit":10 } ]
Action: Assign Prevention Policies to a Group
The action assigns prevention policies to a group.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the name of the action parameter. For assigning a prevention policy to a host group this is "group_id". Example: "group_id" | Text | Required | |
Host ID | Enter the ID of the host group that receives the policies. Example: "75448c0b32d54083b63df92af22ea75d" | Text | Required | |
Policy ID list | Enter the list of prevention policy IDs to assign. Example: $LIST[ec312e081f36452d91025bdc9d05cb9c] | Any | Required | |
Example Request
[ { "name":"group_id", "value":"75448c0b32d54083b63df92af22ea75d", "host_ids":[ "ec312e081f36452d91025bdc9d05cb9c" ] } ]
Action: Assign Sensor Policies to a Group
The action assigns sensor policies to a group.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the name of the action parameter. For assigning a sensor update policy to a host group this is "group_id". Example: "group_id" | Text | Required | |
Host ID | Enter the ID of the host group that receives the policies. Example: "75448c0b32d54083b63df92af22ea75d" | Text | Required | |
Policy ID | Enter the list of sensor policy IDs to assign. Example: $LIST[d6ca8e4459f640808aa197e37fb4b316] | Any | Required | |
Example Request
[ { "name":"group_id", "value":"75448c0b32d54083b63df92af22ea75d", "host_ids":[ "d6ca8e4459f640808aa197e37fb4b316" ] } ]
Action: Find Existing Sensor Policies
The action searches existing sensor policies.
Input Parameters
There are no input parameters required with this action.
Action: Find Existing Prevention Policies
The action finds existing prevention policies.
Input Parameters
There are no input parameters associated with this action.
Action: Add Machine Learning Exclusion
This action adds machine learning exclusion.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Excluded from | Enter what the exclusion applies to. Example: $LIST[blocking] | Any | Required | Allowed values: blocking, extraction (lowercase, as in the example request). An exclusion from blocking stops ML-based prevention for matching files, so keep the Value as narrow as possible. |
Comment | Enter the comment. Example: "This is excluded from blocking" | Text | Required | |
Groups | Enter the groups. Example: $LIST[all] | Any | Required | |
Value | Enter the value. Example: "/f93" | Text | Required |
Example Request
[ { "value":"/f93", "groups":[ "all" ], "comment":"This is excluded from blocking", "excluded_from":[ "blocking" ] } ]
Action: Adding Sensor Visibility Learning Exclusion
The action adds sensor visibility learning exclusion.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Comment | Enter the comment. Example: "This is excluded from visibility learning" | Text | Required | |
Groups | Enter the groups. Example: $LIST[all] | Any | Required | |
Value | Enter the value. Example: "/f88" | Text | Required |
Example Request
[ { "value":"/f88", "groups":[ "all" ], "comment":"This is excluded from visibility learning" } ]
Action: Adding IOA Exclusion
The action adds an IOA exclusion.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Command line regex (cl_regex) | Enter the regular expression matched against the process command line. Example: "choice\s+/m\s+crowdstrike_sample_detection" | Text | Required | |
Comment | Enter a comment. Example: "Adding an IOA exclusion" | Text | Required | |
Description | Enter a description. Example: "IOA exclusion is added" | Text | Required | |
Detection json | Enter the detection json. Example: "0.121234566, 0.121234535, 0.1234543134" | Any | Optional | |
Group | Enter the groups. Example: $LIST[all] | Any | Optional | |
Image file name regex (ifn_regex) | Enter the regular expression matched against the full path of the process image. Example: ".*\\windows\\system32\\choice\.exe" | Text | Required | Keep the directory in the pattern; a regex such as "choice\.exe" alone would also exclude a copy of the binary dropped in a user-writable directory. |
Name | Enter the name. Example: "Filter" | Text | Required | |
Pattern id | Enter the pattern ID. Example: "10197" | Text | Required | |
Pattern name | Enter the pattern name. Example: "templatedetection" | Text | Required |
Example Request
[ { "cl_regex":"choice\\s+/m\\s+crowdstrike_sample_detection", "comment":"Adding an IOA exclusion.", "description":"IOA exclusion is added", "detection_json":"0.121234566, 0.121234535, 0.1234543134", "groups":[ "all" ], "ifn_regex":".*\\windows\\system32\\choice\\.exe", "name":"Filter", "pattern_id":10197, "pattern_name":"templatedetection" } ]
Action: Upload Indicator
The action uploads the indicators in CrowdStrike Falcon.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC Type | Enter the IOC type of the indicator to be uploaded. Example: "ipv4" | Text | Required | Allowed values: sha256, md5, domain, ipv4, ipv6 |
IOC Value | Enter the IOC value. Example: "152.19.95.83" | Text | Required | The value must be well-formed for its type (hashes are hexadecimal). |
Action | Enter the action to be performed on the indicator. Example: "detect" | Text | Required | Allowed values: no_action, allow, prevent_no_ui, prevent, detect. Allow, prevent_no_ui and prevent are only applicable to hashes (sha256, md5); domains and IP addresses can only be detected. Severity is mandatory if the action is prevent or detect. |
Severity | Enter the severity level to apply to the indicator. Example: "critical" | Text | Optional | Allowed values: informational, low, medium, high, critical. Severity is mandatory if the action or the mobile action is prevent or detect. |
Mobile Action | Enter the action to be performed on the indicator on mobile (Android and iOS) hosts. | Text | Optional | Severity is mandatory if the mobile action is prevent or detect. |
Platforms | Enter the platforms that the indicator applies to. Example: $LIST[linux] | Any | Required | Allowed values: windows, mac, linux, android, ios. If the platforms include android or ios, Mobile Action is mandatory. |
Comment | Enter any comment associated with the indicator. Example: "The platform is a Linux environment" | Text | Optional | |
Applied Globally | Specify if the indicator applies to every host in the CID rather than to selected host groups. Example: True | Boolean | Optional | Default value: True |
Extra Parameters | Enter the extra parameters (for example host_groups, tags, expiration, description, source). | Key Value | Optional | |
Example Request
[ { "ioc_type":"ipv4", "value":"152.19.95.83", "action":"detect", "severity":"critical", "platforms":[ "linux" ], "comment":"The platform is a Linux environment", "applied_globally": true } ]
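The rules in the parameter table interact: the action decides whether a severity is needed, the platforms decide whether a mobile action is needed, and the IOC type decides which actions are legal at all. A playbook that pushes indicators from a threat feed should check all of that locally, so a rejected batch does not leave half the feed uploaded. The validator below is an added example, not connector code. The consistency rules are the ones stated in the table; the sets of accepted types, actions, severities and platforms are the author's reading of the Falcon IOC Management API and should be checked against the current API reference.

```python
"""Validator and request builder for Upload Indicator.

Added example, not connector code. The cross-field rules (hash-only actions,
severity required for prevent/detect, mobile action required for android/ios)
come from the parameter table on this page; the value sets below are the
author's reading of the Falcon IOC Management API, not taken from this page.
"""
import ipaddress
import re

IOC_TYPES = {"sha256", "md5", "domain", "ipv4", "ipv6"}
HASH_LENGTHS = {"sha256": 64, "md5": 32}
ACTIONS = {"no_action", "allow", "prevent_no_ui", "prevent", "detect"}
HASH_ONLY_ACTIONS = {"allow", "prevent_no_ui", "prevent"}
NEEDS_SEVERITY = {"prevent", "detect"}
SEVERITIES = {"informational", "low", "medium", "high", "critical"}
PLATFORMS = {"windows", "mac", "linux", "android", "ios"}
MOBILE_PLATFORMS = {"android", "ios"}
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def normalize_value(ioc_type, value):
    """Canonicalise the indicator value and check it is well-formed for its type."""
    v = value.strip().lower()
    if ioc_type in HASH_LENGTHS:
        if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[ioc_type], v):
            raise ValueError(f"{ioc_type} must be {HASH_LENGTHS[ioc_type]} hex characters")
        return v
    if ioc_type in ("ipv4", "ipv6"):
        addr = ipaddress.ip_address(v)          # raises ValueError on garbage
        if addr.version != int(ioc_type[-1]):
            raise ValueError(f"{value!r} is not an {ioc_type} address")
        return str(addr)
    if ioc_type == "domain":
        if not _DOMAIN.match(v):
            raise ValueError(f"{value!r} is not a valid domain name")
        return v
    raise ValueError(f"unknown IOC type {ioc_type!r}")


def build_indicator(ioc_type, value, action, platforms, severity=None,
                    mobile_action=None, comment=None, applied_globally=True):
    """Return one request body in the action's shape, or raise ValueError."""
    ioc_type, action = ioc_type.lower(), action.lower()
    platforms = sorted({p.lower() for p in platforms})
    if ioc_type not in IOC_TYPES:
        raise ValueError(f"unsupported IOC type {ioc_type!r}")
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    if action in HASH_ONLY_ACTIONS and ioc_type not in HASH_LENGTHS:
        raise ValueError(f"action {action!r} applies to hashes only, not {ioc_type}")
    if not platforms or set(platforms) - PLATFORMS:
        raise ValueError(f"platforms must be a non-empty subset of {sorted(PLATFORMS)}")
    mobile = [p for p in platforms if p in MOBILE_PLATFORMS]
    if mobile and not mobile_action:
        raise ValueError(f"mobile_action is mandatory for platforms {mobile}")
    if severity is not None and severity.lower() not in SEVERITIES:
        raise ValueError(f"unsupported severity {severity!r}")
    needs_severity = action in NEEDS_SEVERITY or (mobile_action or "").lower() in NEEDS_SEVERITY
    if needs_severity and not severity:
        raise ValueError("severity is mandatory when the action is prevent or detect")
    body = {
        "ioc_type": ioc_type,
        "value": normalize_value(ioc_type, value),
        "action": action,
        "platforms": platforms,
        "applied_globally": bool(applied_globally),
    }
    if severity:
        body["severity"] = severity.lower()
    if mobile_action:
        body["mobile_action"] = mobile_action.lower()
    if comment:
        body["comment"] = comment
    return body
```

Note that the connector's own example of an ipv4 indicator with action allow would be rejected by these rules, which is the intended outcome: the table says allow is hash-only.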
Action: Finding Indicator IDs
The action searches the indicator IDs.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra parameters | Enter the extra parameters to search the indicator IDs. | Key Value | Optional | Allowed parameters: see the CrowdStrike Falcon API Documentation. |
Example Request
[ { "extra_params":{ "applied": true, "applied_date":"2022-02-23T15:36:37.093Z", "assigned_date":"2022-02-23T15:36:37.093Z", "policy_id":"d6ca8e4459f640808aa197e37fb4b316" } } ]
Action: Update Indicators
The action updates the indicators.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC ID | Enter the IOC ID to update the indicator. Example: "9f8c43311b1801ca4159fc07d319610582c2003ccde8934d5412b1781e841e9e" | Text | Required | |
Extra Parameters | Enter the indicator fields to update. | Key Value | Optional | Allowed keys: type, value, source, severity, description, platforms, tags, host_groups, applied_globally, expiration. |
Comment | Enter the comment. | Text | Optional | |
Example Request
[ { "ioc_id": "0a9adce59ae04d1987745cd2bd83a32d", "extra_params": { "type": "domain", "value": "sampleorg.com", "source": "external", "severity": "high", "description": "Description about the indicator", "platforms": [ "windows" ], "tags": [ "incident" ], "host_groups": [], "applied_globally": true, "expiration": "2022-10-08T18:30:00.771476842Z" } } ]
Action: Fetch Incident IDs
The action searches for incidents.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra parameters | Enter the extra parameters to search for the incidents. | Key Value | Optional | Allowed parameters: see the CrowdStrike Falcon API Documentation. |
Example Request
[ { "extra_params":{ "applied": true, "applied_date":"2022-02-23T15:36:37.093Z", "assigned_date":"2022-02-23T15:36:37.093Z", "policy_id":"d6ca8e4459f640808aa197e37fb4b316" } } ]
Action: Modify Incidents
The action updates or modifies the incidents.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the name of the incident to update or modify. Example: "update_description" | Text | Required | |
Value | Enter the value. Example: "crowdstrike" | Text | Required | |
Incident IDs | Enter the list of incident IDs. Example: $LIST[inc:a8ecce2f41df4112ae07d4e0c86d0795:3afc01fe15ca488f8c85b0d32ef26387] | Any | Required |
Example Request
[ { "name": "update_description", "value": "crowdstrike", "incident_ids": [ "inc:a8ecce2f41df4112ae07d4e0c86d0795:3afc01fe15ca488f8c85b0d32ef26387" ] } ]
Action: Update Detection Status
The action updates the status of the detections associated with the given incidents. It uses the same incident-actions endpoint as Modify Incidents, with the update_detects and overwrite_detects flags controlling whether and how the linked detections are changed.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Update Detects | Set to True to also update the status of the detections linked to the incidents. Example: True | Boolean | Optional | Default value: False |
Overwrite Detects | Set to True to overwrite a detection status that has already been set, instead of leaving it unchanged. Example: True | Boolean | Optional | Default value: False |
Name | Enter the name. Example: "update_description" | Text | Required | |
Value | Enter the value. Example: "CrowdStrike sample" | Text | Required | |
Incident IDs | Enter the list of incident IDs. Example: $LIST[inc:a8ecce2f41df4112ae07d4e0c86d0795:3afc01fe15ca488f8c85b0d32ef26387] | Any | Required |
Example Request
[ { "name":"update_description", "value":"CrowdStrike sample", "incident_ids":[ "inc:a8ecce2f41df4112ae07d4e0c86d0795:3afc01fe15ca488f8c85b0d32ef26387" ], "update_detects": true, "overwrite_detects": false } ]
Action: Fetch Detection IDs
The action searches for detections in order to learn more about activity in your environment.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra parameters | Enter the extra parameters to fetch the detection IDs. | Key Value | Optional | Allowed parameters: see the CrowdStrike Falcon API Documentation. |
Example Request
[ { "extra_params":{ "applied":true, "applied_date":"2022-02-23T15:36:37.093Z", "assigned_date":"2022-02-23T15:36:37.093Z", "policy_id":"d6ca8e4459f640808aa197e37fb4b316" } } ]
Action: Modify Detections
The action modifies the detections.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detect IDs | Enter the detect IDs. Example: $LIST[ldt:a8ecce2f41df4112ae07d4e0c86d0795:1183548] | Any | Required | |
Status | Enter the status. Example: "true_positive" | Text | Required | Allowed values: new, in_progress, true_positive, false_positive, ignored, closed, reopened |
Example Request
[ { "status": "true_positive", "detect_ids": [ "ldt:a8ecce2f41df4112ae07d4e0c86d0795:1183548" ] } ]
Action: Send Real Time Response to a batch of hosts
The action initiates a session with one or more hosts.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host IDs | Enter the list of host IDs to initiate a session. Example: $LIST[9daac64e7e8f453488bfde9f573960b1] | Any | Required | |
Existing batch ID | Enter the ID of an existing batch session to refresh instead of starting a new one. Example: "85859d91-dcd1-4355-aaf3-714f0eb88907" | Text | Optional | |
Queue offline | Enter the status of the queue offline. Example: True | Boolean | Optional | Default value: True |
Example Request
[ { "host_ids": [ "9daac64e7e8f453488bfde9f573960b1" ] } ]
Action: Real Time Read Command
The action executes the RTR read-only command across the hosts mapped to the given batch ID.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base command | Enter the base command, i.e. the leading word of the command string. Example: "ls" | Text | Required | Must be the first word of Command. |
Batch ID | Enter the batch ID returned by Send Real Time Response to a batch of hosts. Example: "85859d91-dcd1-4355-aaf3-714f0eb88907" | Text | Required | |
Command | Enter the full command string. Example: "ls" | Text | Required | Only read-only RTR commands (for example cat, cd, ls, ps, netstat, reg query) are accepted by this action. |
Optional hosts | Enter the optional hosts. | Text | Optional | A subset of the batch's host IDs to run the command on; omit to run on every host in the batch. |
Persist all | Specify if you want to persist all. Example: True | Boolean | Optional | Default value: True |
Example Request
[ { "base_command": "ls", "batch_id": "85859d91-dcd1-4355-aaf3-714f0eb88907", "command_string": "ls", "persist_all": true } ]
Action: Real Time Write Command
The action executes the RTR write-only command across the hosts mapped to the given batch ID.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base command | Enter the base command, i.e. the leading word of the command string. Example: "ls" | Text | Required | Must be the first word of Command. |
Batch ID | Enter the batch ID returned by Send Real Time Response to a batch of hosts. Example: "85859d91-dcd1-4355-aaf3-714f0eb88907" | Text | Required | |
Command | Enter the full command string. Example: "ls" | Text | Required | This action uses the active-responder endpoint, which accepts the read-only commands plus commands that change the host (for example cp, mv, rm, mkdir, kill, runscript). Use Real Time Read Command whenever a read-only command is enough. |
Optional hosts | Enter the optional hosts. | Text | Optional | A subset of the batch's host IDs to run the command on; omit to run on every host in the batch. |
Persist all | Specify if you want to persist all. | Boolean | Optional | Default value: True |
Example Request
[ { "batch_id": "85859d91-dcd1-4355-aaf3-714f0eb88907", "base_command": "ls", "command_string": "ls" } ]
Action: Real Time Admin Command
The action executes the RTR admin command across the hosts mapped to the given batch ID.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base Command | Enter the base command, i.e. the leading word of the command string. Example: "ls" | Text | Required | Must be the first word of Command. |
Batch ID | Enter the batch ID returned by Send Real Time Response to a batch of hosts. Example: "85859d91-dcd1-4355-aaf3-714f0eb88907" | Text | Required | |
Command | Enter the full command string. Example: "ls" | Text | Required | The admin endpoint additionally accepts put, run and put-and-run, which place and execute arbitrary binaries on every host in the batch. Reserve this action for playbooks that need those commands, and give the API client the Real time response (admin) scope only when they do. |
Optional Hosts | Enter the optional hosts. | Text | Optional | A subset of the batch's host IDs to run the command on; omit to run on every host in the batch. |
Persist All | Specify if you want to persist all. Example: True | Boolean | Optional | Default value: True |
Example Request
[ { "base_command":"ls", "batch_id":"85859d91-dcd1-4355-aaf3-714f0eb88907", "command_string":"ls", "persist_all": true } ]
Action: Real Time Session Single Host
The action initiates a real-time session for a single host.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the device ID to initiate a real-time session. Example: "9daac64e7e8f453488bfde9f573960b1" | Text | Required | |
Origin | Enter a label identifying where the session was started from; it is recorded with the session. Example: "Orchestrate" | Text | Required | |
Queue offline | Queue the session so commands run when an offline host next checks in. Example: True | Boolean | Optional | Default value: True |
Example Request
[ { "device_id": "9daac64e7e8f453488bfde9f573960b1", "origin": "Orchestrate", "queue_offline": true } ]
Action: Real Time Execute Command Single Host
The action executes a command on a single host.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base command | Enter the base command, i.e. the leading word of the command string. Example: "ls" | Text | Required | Must be the first word of Command. |
Device ID | Enter the device ID. Example: "9daac64e7e8f453488bfde9f573960b1" | Text | Required | |
Command | Enter the full command string. Example: "ls" | Text | Required | |
Session ID | Enter the session ID. Example: "8bb2f6a8-fb43-42c0-b63e-860015d7f47f" | Text | Required | |
Ids | Enter the IDs. | Text | Optional | |
Persist all | Specify if you want to persist all. | Boolean | Optional | Default value: True |
Example Request
[ { "device_id": "9daac64e7e8f453488bfde9f573960b1", "session_id": "8bb2f6a8-fb43-42c0-b63e-860015d7f47f", "base_command": "ls", "command_string": "ls" } ]
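The three batch actions above (read, write, admin) and the single-host action all take the same base_command/command_string pair, but they map to RTR endpoints with increasingly dangerous capabilities, and an API client scoped for the admin endpoint can drop and run binaries on every host in a batch. A playbook should therefore derive the least-privileged action from the command rather than hard-wire the admin one. The router below is an added example, not connector code: it splits out the base command (handling the two-word reg commands), refuses anything it does not recognise, and picks the action by tier. The mapping of commands to tiers is the author's understanding of the RTR command set and must be checked against the current Falcon RTR documentation for your sensor version; the only rule taken from this page is that base_command is the leading word of the command string.

```python
"""Least-privilege routing of a Real Time Response command string.

Added example, not connector code. The command-to-tier tables are the
author's understanding of the RTR command set (verify against current
Falcon RTR documentation); the action names are the ones on this page.
"""
READ_ONLY = {
    "cat", "cd", "clear", "csrutil", "env", "eventlog", "filehash", "getsid",
    "help", "history", "ifconfig", "ipconfig", "ls", "mount", "netstat", "ps",
    "pwd", "reg query", "users",
}
WRITE = {   # active-responder tier: changes the host
    "cp", "encrypt", "get", "kill", "map", "memdump", "mkdir", "mv",
    "reg delete", "reg load", "reg set", "reg unload", "restart", "rm",
    "runscript", "shutdown", "tar", "umount", "unmap", "update", "xmemdump", "zip",
}
ADMIN = {"put", "put-and-run", "run"}   # places and executes arbitrary binaries

TIER_ACTION = {
    "read": "Real Time Read Command",
    "write": "Real Time Write Command",
    "admin": "Real Time Admin Command",
}


def split_command(command_string):
    """Return (base_command, argument_string); two-word reg commands are one base."""
    words = command_string.strip().split()
    if not words:
        raise ValueError("empty command")
    two = " ".join(words[:2]).lower()
    if len(words) >= 2 and two in READ_ONLY | WRITE:
        return two, " ".join(words[2:])
    return words[0].lower(), " ".join(words[1:])


def classify(command_string):
    """Return (base_command, tier) or raise for an unknown command."""
    base, args = split_command(command_string)
    if base in ADMIN:
        tier = "admin"
    elif base in WRITE:
        tier = "write"
    elif base in READ_ONLY:
        tier = "read"
    else:
        raise ValueError(f"{base!r} is not a known RTR command; refusing to forward it")
    if base == "runscript" and "-raw" in args.lower():
        tier = "admin"   # inline (-Raw) scripts need RTR administrator rights
    return base, tier


def batch_request(batch_id, command_string, persist_all=True, optional_hosts=None):
    """Pick the least-privileged batch action and build its request body."""
    base, tier = classify(command_string)
    body = {
        "base_command": base,
        "batch_id": batch_id,
        "command_string": command_string.strip(),
        "persist_all": bool(persist_all),
    }
    if optional_hosts:
        body["optional_hosts"] = list(optional_hosts)
    return TIER_ACTION[tier], [body]


def single_host_request(device_id, session_id, command_string, persist_all=True):
    """Body for Real Time Execute Command Single Host, plus the tier it needs."""
    base, tier = classify(command_string)
    body = {
        "device_id": device_id,
        "session_id": session_id,
        "base_command": base,
        "command_string": command_string.strip(),
        "persist_all": bool(persist_all),
    }
    return tier, [body]
```

Keeping the allow-lists explicit also gives the SOAR an audit point: anything that raises here never reached a host, and the tier returned can be logged next to the approver of the playbook run.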
Action: Fetch Real Time Response Script
This action searches and filters existing scripts uploaded to the CrowdStrike platform.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra parameters | Enter the extra input parameters. | Key Value | Optional | Allowed parameters: see the CrowdStrike Falcon API Documentation. |
Example Request
[ { "extra_params":{ "applied":"true", "applied_date":"2022-02-23T15:36:37.093Z", "assigned_date":"2022-02-23T15:36:37.093Z", "policy_id":"d6ca8e4459f640808aa197e37fb4b316" } } ]
Action: Real Time Script IDs
The action retrieves real-time response scripts through IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Script ID | Enter the script ID to retrieve real-time response scripts. Example: "script902" | Text | Required | |
Example Request
[ { "script_id": "script902" } ]
Action: Create Response Time File
The action uploads a file to the Real Time Response put-files library; files stored there can later be pushed to a host with the RTR put command, so treat the library as executable content and restrict who can add to it.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File path | Enter the local path of the file to upload. Example: "/tmp/4e4ae40f-d76a-4666-bb00-c4713d486b64/intel.pdf" | Text | Required | |
File name | Enter the file name. Example: "Sample File" | Text | Required | |
Description | Enter the description. Example: "Create a response file" | Text | Required |
Example Request
[ { "file_path":"/tmp/4e4ae40f-d76a-4666-bb00-c4713d486b64/intel.pdf", "file_name":"Sample file", "description":"create a response file" } ]
Action: Delete Response Time File
The action deletes response time files by their file IDs.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File ID list | Enter the file ID to delete the response time file. Example: $LIST[611ec85f082cab6337bcd] | Any | Required |
Example Request
[ { "file_id":[ "611ec85f082cab6337bcd" ] } ]
Action: Fetch Real Time Policy Hosts
The action retrieves the policy hosts in real time.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra parameters | Enter extra parameters to retrieve the policy hosts. | Key Value | Optional | Allowed parameters: see the CrowdStrike Falcon API Documentation. |
Example Request
[ { "extra_params":{ "applied": true, "applied_date":"2022-02-23T15:36:37.093Z", "assigned_date":"2022-02-23T15:36:37.093Z", "policy_id":"d6ca8e4459f640808aa197e37fb4b316" } } ]
Action: Fetch Real Time Policy Agent IDs
The action retrieves the real-time policy agent IDs.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra parameters | Enter the extra parameters to retrieve the policy agent IDs. | Key Value | Optional | Allowed parameters: see the CrowdStrike Falcon API Documentation. |
Example Request
[ { "extra_params":{ "applied":true, "applied_date":"2022-02-23T15:36:37.093Z", "assigned_date":"2022-02-23T15:36:37.093Z", "policy_id":"d6ca8e4459f640808aa197e37fb4b316" } } ]
Action: Retrieving ZTA By Host
The action retrieves the Zero Trust Assessment (ZTA) score for the specified host.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent IDs | Enter the agent IDs to retrieve ZTA by host. Example: "9daac64e7e8f453488bfde9f573960b1" | Text | Required |
Example Request
[ { "agent_ids": "9daac64e7e8f453488bfde9f573960b1" } ]
Action: Find Machine Learning Exclusion
The action searches for machine learning exclusions.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter the additional parameters to search for the machine learning exclusions. | Key Value | Optional | Allowed parameters: |
Example Request
[ { "extra_params":{ "applied": true, "applied_date":"2022-02-23T15:36:37.093Z", "assigned_date":"2022-02-23T15:36:37.093Z", "policy_id":"d6ca8e4459f640808aa197e37fb4b316" } } ]
Action: Fetch Particular ML Exclusion Details
The action retrieves details of a particular ML exclusion.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ML exclusion IDs | Enter the ML exclusion IDs. Example: "b0ceca08642b4103a344f8251c492861" | Any | Required |
Example Request
[ { "ml_exclusions_ids": "b0ceca08642b4103a344f8251c492861" } ]
Action: Modify ML Exclusion
The action modifies the machine learning exclusion.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Value | Enter the value. Example: "/f88" | Text | Required | |
Comment | Enter the comment. Example: "The value to modify ML exclusion" | Text | Required | |
Groups | Enter the groups. | Any | Required | |
ML exclusion ID | Enter the ML exclusion ID. Example: "c56c24ffe30910cf4c2548adc99ac1d4" | Any | Required |
Example Request
[ { "value": "/f88", "groups": [ "all" ], "comment": "The value to modify ML exclusion", "ml_exclusions_ids": "c56c24ffe30910cf4c2548adc99ac1d4" } ]
Action: Delete ML Exclusion
The action deletes an ML exclusion.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Comment | Enter the comment. Example: "Deleting ML exclusion" | Text | Required | |
ML exclusion IDs | Enter the ML exclusion IDs. Example: "c56c24ffe30910cf4c2548adc99ac1d4" | Any | Required |
Example Request
[ { "comment": "Deleting ML exclusion", "ml_exclusions_ids": "c56c24ffe30910cf4c2548adc99ac1d4" } ]
Action: Find Sensor Visibility Exclusion
The action retrieves the list of all sensor visibility exclusions.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter additional parameters to filter the list of sensor visibility exclusions. | Key Value | Optional | Allowed parameters: |
Example Request
[ { "extra_params":{ "applied":true, "applied_date":"2022-02-23T15:36:37.093Z", "assigned_date":"2022-02-23T15:36:37.093Z", "policy_id":"d6ca8e4459f640808aa197e37fb4b316" } } ]
Action: Fetch Particular Sensor Visibility Exclusion
The action retrieves a particular sensor visibility exclusion.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
SV exclusion IDs | Enter the SV exclusion IDs to retrieve sensor visibility exclusions. Example: "9f94f3725933aeb83c8454566fc09da0" | Any | Required |
Example Request
[ { "sv_exclusions_ids": "9f94f3725933aeb83c8454566fc09da0" } ]
Action: Modify SV Exclusion
The action modifies a sensor visibility (SV) exclusion.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Value | Enter the value. Example: "/f88" | Text | Required | |
Comment | Enter the comment. Example: "Modify the SV exclusion" | Text | Required | |
Groups | Enter the groups. Example: $LIST[all] | Any | Required | |
SV exclusion IDs | Enter the SV exclusion IDs. Example: "9f94f3725933aeb83c8454566fc09da0" | Any | Required |
Example Request
[ { "value": "/f88", "groups": [ "all" ], "comment": "Modify the SV exclusion", "sv_exclusions_ids": "9f94f3725933aeb83c8454566fc09da0" } ]
Action: Delete SV Exclusion
The action deletes an SV exclusion.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Comment | Enter the comment. Example: "Delete the SV exclusion" | Text | Required | |
SV exclusion IDs | Enter the SV exclusion IDs. Example: "b0ceca08642b4103a344f8251c492861" | Any | Required |
Example Request
[ { "comment": "Delete the SV exclusion", "sv_exclusions_ids": "b0ceca08642b4103a344f8251c492861" } ]
Action: Find IOA Exclusion
The action searches for IOA exclusions.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter the additional parameters to filter the IOA exclusions. | Key Value | Optional | Allowed parameters: |
Example Request
[ { "extra_params":{ "applied": true, "applied_date":"2022-02-23T15:36:37.093Z", "assigned_date":"2022-02-23T15:36:37.093Z", "policy_id":"d6ca8e4459f640808aa197e37fb4b316" } } ]
Action: Fetch Particular IOA Exclusion
The action retrieves a particular IOA exclusion.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOA exclusion IDs | Enter the IOA exclusion IDs. Example: "b0ceca08642b4103a344f8251c492861" | Any | Required |
Example Request
[ { "ioa_exclusions_ids": "b0ceca08642b4103a344f8251c492861" } ]
Action: List Response Time File
The action retrieves the list of all response time files.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter the extra parameters to filter the list of response time files. | Key Value | Optional | Allowed parameters: |
Example Request
[ { "extra_params":{ "applied": true, "applied_date":"2022-02-23T15:36:37.093Z", "assigned_date":"2022-02-23T15:36:37.093Z", "policy_id":"d6ca8e4459f640808aa197e37fb4b316" } } ]
Action: Get Response Time Files
The action retrieves the response time files.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File ID | Enter the file ID to retrieve the response time files. Example: "89a5407758c111ec85a93eedc3eeee3e_1cff909fe6854929b68fc85c975b256c" | Text | Required |
Example Request
[ { "file_id": "89a5407758c111ec85a93eedc3eeee3e_1cff909fe6854929b68fc85c975b256c" } ]
Action: Query Indicator
The action queries indicators (IOCs) and returns those that match the paging, sort and filter options.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Offset | Enter the starting row number to return from the index. Example: 1 | Integer | Optional | Default value: 0 |
Limit | Enter the maximum number of rows to return in the response. Example: 50 | Integer | Optional | Default value: 20 |
Sort | Enter the sort field and order. Example: "published_date|asc" | Text | Optional | Allowed values are: |
Filter | Enter an FQL filter to narrow the results. Example: "deleted" | Text | Optional | |
Search | Enter a generic substring to search for. | Text | Optional | |
Include deleted | Specify whether deleted indicators are included in the results. Example: True | Boolean | Optional | Allowed values: |
Include relations | Specify whether related indicators are included in the results. Example: False | Boolean | Optional | Allowed values: |
Example Request
[ { "offset": 1, "limit": 50, "sort": "published_date|asc", "filters": "deleted", "include_deleted": true, "include_relations": false } ]
Action: Search Host for Observed Indicator
The action searches for hosts on which the specified indicator has been observed.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC type | Enter the IOC type. Example: "md5" | Text | Required | Allowed values: |
IOC value | Enter the IOC value. Example: "1e6b1c887c59a315edb7eb9a315fc84c" | Text | Required | |
Extra parameters | Enter the extra parameters. | Key Value | Optional | Allowed parameters: |
Example Request
[ { "ioc_type": "md5", "ioc_value": "1e6b1c887c59a315edb7eb9a315fc84c" } ]
Action: Fetch Incident Detail
The action retrieves a particular incident's details.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident IDs | Enter the list of incident IDs to retrieve details for. Example: $LIST[inc:a8ecce2f41df4112ae07d4e0c86d0795:3afc01fe15ca488f8c85b0d32ef26387] | List | Required |
Example Request
[ { "ids":[ "inc:a8ecce2f41df4112ae07d4e0c86d0795:3afc01fe15ca488f8c85b0d32ef26387" ] } ]
Action: Fetch Detection Details
The action retrieves a particular detection's details.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detection IDs | Enter the detection ID list to retrieve the detection details. Example: $LIST[ldt:a8ecce2f41df4112ae07d4e0c86d0795:1183548] | List | Required |
Example Request
[ { "ids":[ "ldt:a8ecce2f41df4112ae07d4e0c86d0795:1183548" ] } ]
Action: Retrieving Host with Device Scroll
The action retrieves hosts through the device scroll endpoint, which pages through large result sets using an offset token rather than a numeric offset.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the maximum number of results to be displayed. Example: 20 | Integer | Optional | Default value: 100 |
Offset | Enter the offset token returned by the previous page. Example: "0" | Text | Optional | Default value: 0 |
Example Request
[ { "limit": 20, "offset": "0" } ]
Action: Retrieving Host NIC History
The action retrieves the network interface (NIC) history of the specified hosts.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Customer ID | Enter the Customer ID. Example: "56789ABCDEFGHIJKLMNOPQRSTUV-WX" | Text | Required | |
Agent IDs | Enter the Agent IDs. Example: $LIST[abcuu32534z, efcuu37634z] | List | Required |
Example Request
[ { "customer_id": "56789ABCDEFGHIJKLMNOPQRSTUV-WX", "agent_ids": ["abcuu32534z", "efcuu37634z"] } ]
Action: Retrieving Last Logged User Info
The action retrieves the last logged-in user information for the specified hosts.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Customer ID | Enter the Customer ID. Example: "56789ABCDEFGHIJKLMNOPQRSTUV-WX" | Text | Required | |
Agent IDs | Enter the Agent IDs. Example: $LIST[abcuu32534z, efcuu37634z] | List | Required |
Example Request
[ { "customer_id": "56789ABCDEFGHIJKLMNOPQRSTUV-WX", "agent_ids": ["abcuu32534z", "efcuu37634z"] } ]
Action: Get Vulnerability List
The action retrieves a list of vulnerabilities. Search for vulnerabilities in your environment by providing the filter and optional paging details. A list of vulnerability IDs that match the filter criteria is returned.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the number of vulnerabilities to retrieve. Example: 50 | Integer | Optional | |
Filter | Enter a filter to retrieve a list of vulnerabilities. Example: "created_timestamp:>'2019-11-25T22:36:12Z'" | Text | Required | Allowed filters: |
Example Request
[ { "filter": "created_timestamp:>'2019-11-25T22:36:12Z'" } ]
Action: Get Vulnerability Details
This action retrieves the details of a vulnerability. The vulnerability entity contains various general attributes as well as host, CVE, remediation, and evaluation logic objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Vulnerability IDs | Enter a list of vulnerability IDs. Example: $LIST[3e32646d80e94c875f9db78axx533d3a3ff7, 51484b9433cb89xxa9e4755cce7a7a] | List | Required |
Example Request
[ { "vulnerability_ids": [ "3e32646d80e94c875f9db78axx533d3a3ff7", "51484b9433cb89xxa9e4755cce7a7a" ] } ]
Action: Query Vulnerabilities
This action queries a list of vulnerabilities.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Sort | Enter a value to sort the result. Example: "desc" | Text | Optional | Allowed values: |
Facet | Enter the facets to limit the response to. Example: $LIST[cve] | List | Optional | Allowed values: |
Limit | Enter the number of vulnerabilities to retrieve. Example: 50 | Integer | Optional | |
Filter | Enter a filter to query a list of vulnerabilities. Example: "created_timestamp:>'2019-11-25T22:36:12Z'" | Text | Required | Allowed filters: |
Example Request
[ { "filter": "created_timestamp:>'2019-11-25T22:36:12Z'" } ]
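The Filter parameter of Get Vulnerability List and Query Vulnerabilities, like those of Query Indicator, Bulk Fetch Indicators and List All Alerts, takes an FQL string, and a filter with a dropped closing quote or an unquoted timestamp is an easy mistake to make in a playbook. The Python helpers below are an added example, not code from the connector or from CrowdStrike; they build terms with consistent quoting and check a filter before it is sent. The FQL conventions they encode (single-quoted strings, prefix comparison operators, `+` for AND and `,` for OR) are taken from CrowdStrike's published FQL reference and are an assumption of this example, as is the rule of refusing values that contain a quote.

```python
"""Helpers for building the FQL filter strings taken by the Filter parameter
of Query Indicator, Bulk Fetch Indicators, Get Vulnerability List, Query
Vulnerabilities and List All Alerts.

Added example; not part of the connector or of CrowdStrike's own SDKs.
Assumed FQL syntax:
  field:'string'    string values are single-quoted
  field:>value      prefix comparison operators  > >= < <=  and ! (not)
  term+term         AND            term,term      OR
"""
import re
from datetime import datetime, timezone

_FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")
_OPERATORS = ("", ">", ">=", "<", "<=", "!")


def fql_value(value) -> str:
    """Render one value the way FQL expects: quoted strings and timestamps,
    bare numbers and booleans (bool is checked before int on purpose)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware; Falcon stores UTC")
        value = value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if not isinstance(value, str):
        raise TypeError(f"unsupported FQL value type: {type(value).__name__}")
    # This page documents no escape for an embedded quote, so refuse one
    # rather than guess: an unescaped quote would change the query (assumption).
    if "'" in value:
        raise ValueError("single quotes are not allowed inside FQL values")
    return f"'{value}'"


def fql_term(field: str, value, op: str = "") -> str:
    """Build one field:[op]value term, e.g. created_timestamp:>'2019-...Z'."""
    if not _FIELD_RE.match(field):
        raise ValueError(f"invalid FQL field name: {field!r}")
    if op not in _OPERATORS:
        raise ValueError(f"unsupported FQL operator: {op!r}")
    return f"{field}:{op}{fql_value(value)}"


def fql_and(*terms: str) -> str:
    """Combine terms with AND ('+' in FQL)."""
    return "+".join(terms)


def fql_or(*terms: str) -> str:
    """Combine terms with OR (',' in FQL)."""
    return ",".join(terms)


def quotes_balanced(filter_str: str) -> bool:
    """Sanity check before sending: every opening quote has a partner.
    Catches a filter such as created_timestamp:>'2019-11-25T22:36:12Z with
    the closing quote dropped, which the API rejects or misparses."""
    return filter_str.count("'") % 2 == 0


if __name__ == "__main__":
    since = datetime(2019, 11, 25, 22, 36, 12, tzinfo=timezone.utc)
    print(fql_term("created_timestamp", since, ">"))
    print(fql_and(fql_term("product", "idp"), fql_term("severity", 50, ">=")))
```

Build every user-supplied value through fql_term rather than string formatting, so a hostname or tag pasted from a ticket cannot add extra terms to the query; run quotes_balanced on any filter that is still assembled by hand.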
Action: Get Alert Details
This action retrieves the details of alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert IDs | Enter a list of alert IDs to retrieve details. Example: $LIST[28a1xxxxxxxx3914:ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-1171930xxxxxxxx9544, 28a1xxxxxxxx3914:ind:a618xxxxxxxx4d67:1328xxxxxxxx1933-118-1865xxxxxxxx9884 ] | List | Required |
Example Request
[ { "alert_ids":[ "28a1xxxxxxxx3914:ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-1171930xxxxxxxx9544", "28a1xxxxxxxx3914:ind:a618xxxxxxxx4d67:1328xxxxxxxx1933-118-1865xxxxxxxx9884" ] } ]
Action: Update Alerts
This action applies an action, such as adding a tag or updating the status, to the specified alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert IDs | Enter a list of alert IDs to update. Example: $LIST[28a1xxxxxxxx3914:ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-1171930xxxxxxxx9544] | List | Required | |
Action | Enter the action to perform on the alerts. Example: "add_tag" | Text | Required | Allowed values: |
Action Value | Enter the value for the Action parameter. Example: "malicious" | Text | Required | Allowed values for the update_status action: |
Example Request
[ { "alert_ids":[ "28a1xxxxxxxx3914:ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-1171930xxxxxxxx9544", "28a1xxxxxxxx3914:ind:a618xxxxxxxx4d67:1328xxxxxxxx1933-118-1865xxxxxxxx9884" ], "action":"add_tag", "action_value":"malicious" } ]
Action: Get Aggregated Alerts
This action retrieves a list of aggregated alerts. Get aggregate counts of alerts grouped by various parameters provided in the request's body.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter a name for the aggregate query. This parameter is used to identify the results returned to you. Example: "Sample Aggregate Search" | Text | Required | |
Aggregate Type | Enter the type of aggregation to perform. Example: "terms" | Text | Required | Allowed values: |
Aggregate Field | Enter the field to aggregate the alerts on. Example: "severity" | Text | Required |
Example Request
[ { "name":"sample aggregated search", "aggregate_type":"terms", "aggregate_field":"severity" } ]
Action: List All Alerts
This action retrieves the alerts from the Crowdstrike Falcon application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter | Enter a filter query to filter alerts. Example: "product:'idp'" | Text | Optional | |
Limit | Enter the maximum number of alerts to retrieve. Example: 50 | Integer | Optional | Default value: 100 |
Offset | Enter the offset value for pagination. Example: 1 | Integer | Optional | Default value: 0 |
Example Request
[ { "filter":"product:'idp'", "limit":50, "offset":1 } ]
Action: Get Host Details
This action retrieves detailed information about hosts. You can use this action to get the following host information:
Software information, such as platform, OS version, kernel version, and OS build ID (OS build ID available for Windows and macOS only)
Network information, such as its IP address and MAC address
Sensor information, such as its version
Status information, such as its last connection time to the CrowdStrike cloud or its network containment status
Configuration information, such as the active prevention policies in effect on this host
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host IDs | Enter the list of host IDs to fetch details. Example: $LIST[5b62xxd1a451c8c1a8828ce28265d65b,5c4a1e9fxx24464a9776c61af] | List | Required | Maximum number of allowed host IDs: 5000 |
Example Request
[ { "host_ids":["5b62xxd1a451c8c1a8828ce28265d65b","5c4a1e9fxx24464a9776c61af"] } ]
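Get Host Details caps a request at 5000 host IDs, and Fetch Detection Details and Fetch Incident Detail each expect IDs of one specific shape. The Python below is an added example, not part of the connector: it batches host IDs under that limit and routes a mixed list of detection and incident IDs to the right action, reporting anything it does not recognise instead of dropping it. The ID patterns it checks (`ldt:<agent ID>:<number>`, `inc:<customer ID>:<hex>`, 32-character hex agent IDs) are inferred from the examples on this page and are an assumption, not a documented contract; the sample IDs in the `__main__` block are constructed.

```python
"""Request-body builders for the ID-based detail actions: Fetch Detection
Details, Fetch Incident Detail and Get Host Details.

Added example; not part of the connector. ID patterns are inferred from the
examples on this page (assumption):
  detection  ldt:<32 hex agent ID>:<decimal>
  incident   inc:<32 hex customer ID>:<32 hex>
  host       <32 hex agent ID>
"""
import re
from typing import Dict, Iterable, List, Optional

MAX_HOST_IDS_PER_REQUEST = 5000  # limit stated for Get Host Details

_HOST_ID_RE = re.compile(r"^[0-9a-f]{32}$")
_DETECTION_ID_RE = re.compile(r"^ldt:[0-9a-f]{32}:[0-9]+$")
_INCIDENT_ID_RE = re.compile(r"^inc:[0-9a-f]{32}:[0-9a-f]{32}$")


def classify_falcon_id(value: str) -> Optional[str]:
    """Return 'detection', 'incident' or 'host' for a well-formed ID, else None."""
    v = value.strip().lower()
    if _DETECTION_ID_RE.match(v):
        return "detection"
    if _INCIDENT_ID_RE.match(v):
        return "incident"
    if _HOST_ID_RE.match(v):
        return "host"
    return None


def _dedupe(values: Iterable[str]) -> List[str]:
    """Normalise case/whitespace and drop duplicates, keeping first-seen order."""
    seen, out = set(), []
    for v in values:
        v = v.strip().lower()
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def build_host_detail_requests(host_ids: Iterable[str],
                               max_per_request: int = MAX_HOST_IDS_PER_REQUEST) -> List[Dict]:
    """Split host IDs into Get Host Details request bodies of at most
    max_per_request IDs each. Anything that is not a 32-hex agent ID (a typo,
    a pasted hostname) is rejected up front rather than sent to the API."""
    clean = _dedupe(host_ids)
    bad = [h for h in clean if classify_falcon_id(h) != "host"]
    if bad:
        raise ValueError(f"not valid host IDs: {bad[:5]}")
    return [{"host_ids": clean[i:i + max_per_request]}
            for i in range(0, len(clean), max_per_request)]


def build_detail_requests(ids: Iterable[str]) -> Dict[str, List[Dict]]:
    """Route a mixed list of detection and incident IDs, as exported from an
    alert queue, to the right action. Unrecognised IDs are returned under
    'unrecognised' so the playbook can surface them instead of losing them."""
    detections, incidents, unknown = [], [], []
    for v in _dedupe(ids):
        kind = classify_falcon_id(v)
        if kind == "detection":
            detections.append(v)
        elif kind == "incident":
            incidents.append(v)
        else:
            unknown.append(v)
    out: Dict[str, List[Dict]] = {}
    if detections:
        out["Fetch Detection Details"] = [{"ids": detections}]
    if incidents:
        out["Fetch Incident Detail"] = [{"ids": incidents}]
    if unknown:
        out["unrecognised"] = [{"ids": unknown}]
    return out


if __name__ == "__main__":
    # Constructed sample IDs, not real Falcon data.
    sample = [
        "ldt:a8ecce2f41df4112ae07d4e0c86d0795:1183548",
        "inc:a8ecce2f41df4112ae07d4e0c86d0795:3afc01fe15ca488f8c85b0d32ef26387",
        "not-an-id",
    ]
    print(build_detail_requests(sample))
    print(len(build_host_detail_requests(f"{i:032x}" for i in range(12001))))
```

Each entry in the returned lists is one request body in the shape shown in the Example Request sections, so a playbook can loop over them and call the action once per batch.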
Action: Create Host Group
This action creates a host group to determine the policies that are applied to hosts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Resource | Enter the details to create a host group. Example: $JSON[[{"name":"host group","description":"host group details","group_type":"dynamic"}]] | List | Required |
Example Request
[ { "resource": [ { "name": "Host Group", "group_type": "dynamic", "description": "Host Group Details" } ] } ]
Action: Bulk Fetch Indicators
The action retrieves indicators. You can filter the results using an FQL query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter | Enter the query to filter results. The filter is case-sensitive. Example: value:10 | Text | Optional | Allowed filters: |
Example Request
[ { "filters": "value:10" } ]
Action: Get Status of a Host
This action retrieves the status of hosts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IDs | Enter the host IDs to get status. Example: $LIST[5b62f6d1xx51c8c1a8828ce28265d65b,5c4a1e9ffc2446xxa9776c61af] | List | Required |
Example Request
[ { "ids":["5b62f6d1xx51c8c1a8828ce28265d65b","5c4a1e9ffc2446xxa9776c61af"] } ]
Action: Generic Action
This action initiates a generic API call to the CrowdStrike application. Because it can reach any endpoint the connector's API client is permitted to call, keep that API client scoped to the permissions your playbooks need and restrict which playbooks may use this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method. Example: "GET" | Text | Required | |
Endpoint | Enter the API endpoint path, relative to the CrowdStrike API base URL. Example: "/devices/entities/devices/v1" | Text | Required | |
Payload JSON | Enter the request body in JSON format. Example: {"data": [{"reason": "test"}]} | Text | Optional | |
Query Params | Enter the query parameters in JSON format. Example: {"limit": "10"} | Key Value | Optional | |
Example Request
[ { "method":"GET", "endpoint":"/devices/entities/devices/v1", "payload_json":{ "data":[ { "reason":"security_testing" } ] }, "query_params":{ "limit":"10" } } ]
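Generic Action is the one action not bound to a specific endpoint, so a playbook that builds its input from external data can end up calling an endpoint it was never reviewed for. The Python below is an added example, not part of the connector: it checks the endpoint against a hypothetical allow-list of path prefixes (an assumption of this example; adjust it to the endpoints your playbooks actually use), rejects full URLs, `..` segments and query strings smuggled into the endpoint, and refuses a request body on GET, since the API reads GET parameters from the query string.

```python
"""Guard rails for the Generic Action, which can reach any Falcon API endpoint
the connector's API client is scoped for.

Added example; not part of the connector. ALLOWED_ENDPOINT_PREFIXES is a
hypothetical playbook policy, not a CrowdStrike or connector setting.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

ALLOWED_METHODS = ("GET", "POST", "PATCH", "PUT", "DELETE")
BODYLESS_METHODS = ("GET",)

# Hypothetical allow-list (assumption). Endpoints outside it, for example
# anything under /real-time-response/, should go through a dedicated,
# reviewed action rather than the generic one.
ALLOWED_ENDPOINT_PREFIXES = (
    "/devices/queries/",
    "/devices/entities/devices/v1",
    "/alerts/queries/",
    "/alerts/entities/",
    "/spotlight/",
)


def check_endpoint(endpoint: str) -> Optional[str]:
    """Return None if the endpoint is an acceptable API path, else the reason."""
    parts = urlsplit(endpoint)
    if parts.scheme or parts.netloc:
        return "endpoint must be a path relative to the Falcon API base URL, not a full URL"
    if not parts.path.startswith("/"):
        return "endpoint must start with '/'"
    if ".." in parts.path.split("/"):
        return "endpoint must not contain '..' segments"
    if parts.query or parts.fragment:
        return "put query parameters in query_params, not in the endpoint"
    if not parts.path.startswith(ALLOWED_ENDPOINT_PREFIXES):
        return f"endpoint {parts.path!r} is not on the playbook allow-list"
    return None


def build_generic_request(method: str, endpoint: str,
                          payload: Optional[dict] = None,
                          query_params: Optional[Dict[str, str]] = None) -> Dict:
    """Assemble one Generic Action request body, refusing combinations the
    API would ignore or reject (a body on GET, non-string query values)."""
    method = method.strip().upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unsupported method {method!r}")
    reason = check_endpoint(endpoint)
    if reason:
        raise ValueError(reason)
    if method in BODYLESS_METHODS and payload is not None:
        raise ValueError("GET requests carry no body; pass parameters in query_params")
    request: Dict = {"method": method, "endpoint": endpoint}
    if payload is not None:
        request["payload_json"] = payload
    if query_params:
        bad = {k: v for k, v in query_params.items() if not isinstance(v, str)}
        if bad:
            raise ValueError(f"query parameter values must be strings: {bad}")
        request["query_params"] = dict(query_params)
    return request


if __name__ == "__main__":
    print(build_generic_request("GET", "/devices/entities/devices/v1",
                                query_params={"ids": "9daac64e7e8f453488bfde9f573960b1"}))
```

The Example Request above pairs a GET with a payload_json; the builder treats that as a playbook mistake, because /devices/entities/devices/v1 takes its ids from the query string and a body on GET is not read.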